Changelog

pnpm/pnpm · 27 commits

Security fixes and major install parity

CodeQL-driven hardening lands alongside big pnpm parity work for patches, bins, side-effects cache, and lifecycle behavior.

Security hardening across manifests, resolvers, and CI (zkochan 50b33c1, zkochan 9cad827, zkochan 6b2a955, zkochan 6335860)

Closed the day’s biggest risk area: multiple CodeQL findings in product code and workflow security issues. The fixes tighten prototype-pollution-sensitive writes, harden GitHub Actions against injection and credential leakage, and add ongoing zizmor analysis so regressions are caught earlier.

Patched dependencies now apply before postinstall (zkochan 13082fc, zkochan f2d4141)

Pacquet now actually applies patchedDependencies to extracted package directories before lifecycle scripts run, and includes those patched packages in build triggering and cache-keying. This is a major install-behavior change that brings the Rust implementation much closer to pnpm’s real patch workflow.

Bin linking and command shims land (KSXGitHub bbfa18f)

Adds a new pacquet-cmd-shim crate plus bin resolution/linking logic, so packages with bin fields and .bin entries are wired up during install. That’s core user-facing functionality for running package executables and a prerequisite for realistic workspace installs.

Side-effects cache write path is implemented (zkochan 57174b8, zkochan 03bb90a, zkochan e164bdb)

Pacquet now supports both reading and writing the side-effects cache, so warm installs can skip rebuilds and successful postinstalls can persist build artifacts for future runs. This is a meaningful performance and correctness milestone for install parity.

Lifecycle execution now mirrors pnpm’s env and path handling (zkochan 1452682, zkochan 2f64c72)

Lifecycle hooks got pnpm-like environment setup, PATH construction, shell selection, and optional-dependency failure swallowing. Together these changes make postinstall behavior much closer to upstream and reduce spurious install failures.

Workspace config gained build and patch knobs (zkochan 2291bc6, zkochan c4fce79, zkochan f2d4141)

Configuration now covers child concurrency, unsafe-perm auto-detection on POSIX, scriptsPrependNodePath, allowBuilds, and patch resolution from pnpm-workspace.yaml. These are important parity additions that let more real-world workspace settings behave as expected.

Other misc changes

  • CI workflow migration to pnpm/setup (1 commit)
  • Release/versioning chores and changelog updates (3 commits)
  • Minor docs/help text and typo cleanup (3 commits)
  • Named-registry/local-resolver fix and release workflow tag_name tweak (2 commits)