Changelog

pnpm/pnpm · · 6 commits

GVS parity, policy fixes, and a new fetcher

Major pnpm internals work landed: GVS hashing now tracks the right Node, minimum-release-age is revalidated from lockfiles, and pacquet gains directory fetch support.

zkochan ryo-manba btea HaleTom

GVS hash now follows the script-runner Node (zkochan3ddde2b)

pnpm now anchors the side-effects-cache key and global virtual store hash to the Node that will actually run lifecycle scripts: a pinned engines.runtime Node when present, otherwise the shell node used to spawn pnpm. That fixes cache/GVS churn caused by pnpm’s own runtime version and should make installs line up across SEA bundles and pinned-runtime projects.

minimumReleaseAge is enforced again on locked versions (ryo-manba31538bf)

pnpm now re-checks every pnpm-lock.yaml entry against resolver policy before any tarball is fetched, so a version that later becomes too fresh can no longer slip through just because it was already pinned. Installs now fail fast with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION, closing a policy bypass for CI and other consumers of existing lockfiles.

pacquet gains directory fetch support for injected workspace deps (zkochan29a42ef)

A new pacquet-directory-fetcher crate ports pnpm’s directory fetcher and wires LockfileResolution::Directory into package installation. That unblocks injected workspace dependencies like file:./local-pkg with dependenciesMeta[*].injected = true, which previously errored as unsupported.

pacquet’s symlink layout now matches pnpm (zkochanc178d13)

pacquet’s directory symlink writer now mirrors upstream symlink-dir semantics, including relative symlink targets on Unix and the Windows symlink/junction fallback behavior. This matters for portability and parity: moved projects keep working, and on-disk link contents now match pnpm’s layout expectations.

Global installs respect build policy with GVS enabled (HaleTomd3f8408)

The GVS default allowBuilds value is now applied after workspace and global config build settings are re-applied, so dangerouslyAllowAllBuilds from config.yaml is no longer accidentally masked. Global installs should once again run build scripts when policy allows it instead of silently skipping them.

Other misc changes

  • pnpm link now validates missing params earlier (btea496e655)
  • Several build/test/config updates supporting the higher-impact changes
  • Changeset and workspace metadata updates