Resolver behavior is now more deterministic and parity-aligned (9b35a60, d2b42c2, a751c7f, 6648b53, ce9c096)
Shared children resolution no longer depends on async timing, and pacquet’s resolver got several lockfile-parity fixes around preferred-version folding, peer context reuse, owner-generation records, and peer/engine handling. These changes reduce lockfile churn and make repeated installs more byte-stable.
Custom resolvers and frozen-lockfile verification got sharper concurrency (a9d2ec8, c16eb0a)
Pacquet now supports .pnpmfile.cjs custom resolver hooks end-to-end, including shouldRefreshResolution forcing re-resolution past frozen-path shortcuts. Separately, lockfile verification runs alongside fetch/link work instead of blocking the whole install, which should noticeably improve frozen-lockfile installs without weakening the verification gate.
Repeat installs and metadata caching are faster (1310ab5, 43b5bf7)
The install fast path now avoids eagerly parsing the lockfile when pnpm can decide “already up to date” from manifest mtimes, and cached registry metadata renews freshness on 304 Not Modified responses. Together these trim no-op install latency and prevent stale packument cache entries from being revalidated forever.
pnpm can now install against read-only stores (61810aa)
A new --frozen-store option lets installs run with a package store on a read-only filesystem by switching store access to immutable mode and avoiding write paths that would otherwise fail. This is especially useful for Nix-style stores, RO bind mounts, and OCI layers.
Security hardening closes alias and patch-remove escape paths (f648e9b, 612a2e6)
Hoisted installs now validate lockfile-derived dependency aliases before joining them into node_modules, blocking traversal and reserved-name escapes. Patch removal also got containment checks so deletion can’t escape the intended patched subtree.
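An added example (not pnpm's or pacquet's own code) of the two checks described above: validating an alias before joining it into node_modules, and a containment check on a removal target. The function names, the reserved-name set and the sample paths are assumptions; the check is lexical only and does not resolve symlinks.

```rust
use std::path::{Component, Path, PathBuf};

// Assumption: the page does not list the reserved names pnpm rejects; this set is illustrative.
const RESERVED: &[&str] = &["node_modules"];

/// Accepts `name` or `@scope/name`; rejects anything that could redirect the join.
fn validate_alias(alias: &str) -> Result<(), String> {
    if alias.contains(|c: char| matches!(c, '\\' | ':' | '\0')) {
        return Err(format!("illegal character in alias {alias:?}"));
    }
    let segments: Vec<&str> = alias.split('/').collect();
    let expected = if alias.starts_with('@') { 2 } else { 1 };
    if segments.len() != expected {
        return Err(format!("alias {alias:?} has unexpected path segments"));
    }
    for seg in &segments {
        // A leading dot covers ".", ".." and dot-directories such as ".bin".
        if seg.is_empty() || *seg == "@" || seg.starts_with('.') || RESERVED.contains(seg) {
            return Err(format!("alias {alias:?} has a reserved or empty segment"));
        }
    }
    Ok(())
}

/// Joins `rel` under `root`, refusing every component that is not a plain name.
fn contained_join(root: &Path, rel: &str) -> Result<PathBuf, String> {
    let mut out = root.to_path_buf();
    for component in Path::new(rel).components() {
        match component {
            Component::Normal(name) => out.push(name),
            other => return Err(format!("{rel:?} escapes {}: {other:?}", root.display())),
        }
    }
    if out.as_path() == root {
        return Err(format!("{rel:?} does not name anything under {}", root.display()));
    }
    Ok(out)
}

/// Directory a hoisted dependency would occupy, or an error for a hostile alias.
fn hoisted_dir(node_modules: &Path, alias: &str) -> Result<PathBuf, String> {
    validate_alias(alias)?;
    contained_join(node_modules, alias)
}

fn main() {
    // Constructed sample aliases, as they might appear in a tampered lockfile.
    for alias in ["lodash", "@types/node", "../../outside", "@scope/..", "node_modules", ".bin"] {
        println!("{alias:?} -> {:?}", hoisted_dir(Path::new("/proj/node_modules"), alias));
    }
    // Constructed removal target that tries to leave the patched package directory.
    println!("{:?}", contained_join(Path::new("/proj/node_modules/pkg"), "../other/index.js"));
}
```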
Scoped registries and musl binary resolution are fixed (66a9078, dfa91df)
Pacquet now routes scoped packages through the correct scoped registry, and musl-based systems no longer look for the glibc binary package. These are practical install-failure fixes for real-world environments.
Other misc changes
- Dependency bumps (2 commits)
- Clippy lint enablements and related comment/test cleanup (1 commit)
- Git-wt PR agent selection tweak for contributing workflows (1 commit)
- Audit/compliance test fixture refactor (1 commit)
- Misc benchmark/test adjustments and small internal refactors