
renovate[bot]

@renovate renovate bot commented Aug 18, 2025

This PR contains the following updates:

Package Change Age Confidence
pnpm (source) 6.23.6 -> 6.35.1 age confidence

Release Notes

pnpm/pnpm (pnpm)

v6.35.1

Compare Source

Patch Changes

  • Replace environment variable placeholders with their values, when reading .npmrc files in subdirectories inside a workspace #​2570.
  • Don't fail if cannot override the name field of the error object #​5572.

v6.35.0

Compare Source

Patch Changes

  • Installing a package with bin that points to an .exe file on Windows #​5159.

  • Ignore the always-auth setting.

    pnpm will never reuse the registry auth token for requesting the package tarball, if the package tarball is hosted on a different domain.

    So, for example, if your registry is at https://company.registry.com/ but the tarballs are hosted at https://tarballs.com/, then you will have to configure the auth token for both domains in your .npmrc:

    @my-company:registry=https://company.registry.com/
    //company.registry.com/=SOME_AUTH_TOKEN
    //tarballs.com/=SOME_AUTH_TOKEN
    
  • When an error happens during installation of a subdependency, print some context information in order to be able to locate that subdependency. Print the exact chain of packages that led to the problematic dependency.

v6.34.0

Compare Source

Minor Changes

Full Changelog: pnpm/pnpm@v6.33.1...v6.34.0

v6.33.1

Compare Source

Patch Changes

  • Don't print any info messages about .pnpmfile.cjs #​5027.
  • Do not print a package with unchanged version in the installation summary #​5032.
  • Remove file reporter logging. Logged file is not useful #​4949.

v6.33.0

Compare Source

v6.32.25

Compare Source

Patch Changes

  • pnpm audit --fix should not add an override for a vulnerable package that has no fixes released.
  • Resolve native workspace path for case-insensitive file systems #​4904.
  • pnpm env use should throw an error on a system that uses the MUSL libc.

v6.32.24

Compare Source

Patch Changes

  • Don't crash when pnpm update --interactive is cancelled with Ctrl+c.

  • The use-node-version setting should work with prerelease Node.js versions. For instance:

    use-node-version=18.0.0-rc.3
    

v6.32.23

Compare Source

Patch Changes

  • Packages that should be built are always cloned or copied from the store. This is required to prevent the postinstall scripts from modifying the original source files of the package #​4898.

v6.32.22

Compare Source

Patch Changes

  • Don't fail when the cafile setting is specified #​4877. This fixes a regression introduced in pnpm v6.32.21.
  • Add better hints to the peer dependency issue errors.

v6.32.21

Compare Source

Patch Changes

  • Report only the first occurrence of a deprecated package.

v6.32.20

Compare Source

Patch Changes

  • Suggest to update using Corepack when pnpm was installed via Corepack.
  • It should be possible to install a git-hosted package that has no package.json file #​4822.
  • When the same package is found several times in the dependency graph, correctly autoinstall its missing peer dependencies at all times #​4820.

v6.32.19

Compare Source

Patch Changes

  • Improve the performance of the build sequence calculation step #​4815.
  • Correctly detect repeated dependency sequence during resolution #​4813.

v6.32.18

Compare Source

Patch Changes

  • Don't fail on projects with linked dependencies, when auto-install-peers is set to true #​4796.
  • NODE_ENV=production pnpm install --dev should only install dev deps #​4745.

Full Changelog: pnpm/pnpm@v6.32.17...v6.32.18

v6.32.17

Compare Source

Patch Changes

  • Correctly detect the active Node.js version, when the pnpm CLI is bundled to an executable #​4203.

v6.32.16

Compare Source

Patch Changes

  • When auto-install-peers is set to true, automatically install missing peer dependencies without writing them to package.json as dependencies. This makes pnpm handle peer dependencies the same way as npm v7 #​4776.

v6.32.15

Compare Source

Patch Changes

  • Don't fail to create the command shim files if the target directory doesn't exist.
  • pnpm setup should not fail on Windows if PNPM_HOME is not yet in the system registry #​4757
  • pnpm dlx shouldn't modify the lockfile in the current working directory #​4743.

v6.32.14

Compare Source

Patch Changes

  • Sanitize the directory names created inside node_modules/.pnpm and inside the global store #​4716
  • Resolve commits from GitHub via https #​4734.

Full Changelog: pnpm/pnpm@v6.32.13...v6.32.14

v6.32.13

Compare Source

Patch Changes

  • pnpm setup should update the config of the current shell, not the preferred shell.
  • pnpm dlx should work with git-hosted packages. For example: pnpm dlx gengjiawen/envinfo #​4714.
  • pnpm setup should not override the PNPM_HOME env variable on Windows, unless --force is used.
  • All arguments after pnpm create <pkg> should be passed to the executed create app package. So pnpm create next-app --typescript should work.
  • pnpm run --stream should prefix the output with directory #​4702

Full Changelog: pnpm/pnpm@v6.32.12...v6.32.13

v6.32.12

Compare Source

Patch Changes
  • Use Yarn's compatibility database to patch broken packages in the ecosystem with package extensions.
  • pnpm dlx should work when the bin name of the executed package isn't the same as the package name #​4672.
  • pnpm prune works in a workspace #​4647.
  • pnpm prune does not remove hoisted dependencies.
  • pnpm dlx should print messages about installation to stderr #​1698.

v6.32.11

Compare Source

Patch Changes
  • pnpm publish should work correctly in a workspace, when the latest npm CLI is installed #​4348.
  • Installation shouldn't fail when a package from node_modules is moved to the node_modules/.ignored subfolder and a package with that name is already present in node_modules/.ignored #​4626.

v6.32.10

Compare Source

Patch Changes
  • It should be possible to use a chain of local file dependencies #​4611.
  • Filtering by directory should work with directories that have unicode chars in the name #​4595.

v6.32.9

Compare Source

Patch Changes
  • Fix an error with peer resolutions, which was happening when there was a circular dependency and another dependency that had the name of the circular dependency as a substring.

  • When pnpm exec is running a command in a workspace project, the commands that are in the dependencies of that workspace project should be in the PATH #​4481.

  • Hide "WARN deprecated" messages on loglevel error #​4507

    Don't show the progress bar when loglevel is set to warn or error.

v6.32.8

Compare Source

Patch Changes
  • Don't check the integrity of the store with the package version from the lockfile, when the package was updated #​4580.
  • Don't update a direct dependency that has the same name as a dependency in the workspace, when adding a new dependency to a workspace project #​4575.

v6.32.7

Compare Source

Patch Changes
  • Setting the auto-install-peers to true should work.

v6.32.6

Compare Source

Patch Changes
  • Linked in dependencies should be considered when resolving peer dependencies #​4541.
  • Peer dependency should be correctly resolved from the workspace, when it is declared using a workspace protocol #​4529.

v6.32.5

Compare Source

Patch Changes
  • dependenciesMeta should be saved into the lockfile, when it is added to the package manifest by a hook.

v6.32.4

Compare Source

Patch Changes
  • Show a friendly error message when it is impossible to get the current Git branch name during publish #​4488.
  • When checking if the lockfile is up-to-date, an empty dependenciesMeta field in the manifest should be satisfied by a not set field in the lockfile #​4463.
  • It should be possible to reference a workspace project that has no version specified in its package.json #​4487.

v6.32.3

Compare Source

Patch Changes
  • 4941f31: The location of an injected directory dependency should be correctly located, when there is a chain of local dependencies (declared via the file: protocol).

    The next scenario was not working prior to the fix. There are 3 projects in the same folder: foo, bar, qar.

    foo/package.json:

    {
      "name": "foo",
      "dependencies": {
        "bar": "file:../bar"
      },
      "dependenciesMeta": {
        "bar": {
          "injected": true
        }
      }
    }

    bar/package.json:

    {
      "name": "bar",
      "dependencies": {
        "qar": "file:../qar"
      },
      "dependenciesMeta": {
        "qar": {
          "injected": true
        }
      }
    }

    qar/package.json:

    {
      "name": "qar"
    }

    Related PR: #​4415.

v6.32.2

Compare Source

Patch Changes
  • In order to guarantee that only correct data is written to the store, data from the lockfile should not be written to the store. Only data directly from the package tarball or package metadata #​4395.
  • Throw a meaningful error message on pnpm install when the lockfile is broken and node-linker is set to hoisted #​4387.

v6.32.1

Compare Source

Patch Changes
  • pnpm publish should work correctly in a workspace, when the latest npm CLI is installed #​4348.
  • Installation shouldn't fail when a package from node_modules is moved to the node_modules/.ignored subfolder and a package with that name is already present in node_modules/.ignored #​4626.

v6.32.0

Compare Source

Minor Changes
  • A new setting is supported in the pnpm section of the package.json file #​4001. onlyBuiltDependencies is an array of package names that are allowed to be executed during installation. If this field exists, only mentioned packages will be able to run install scripts.

    {
      "pnpm": {
        "onlyBuiltDependencies": ["fsevents"]
      }
    }
  • -F is a short alias of --filter #​3467.

  • When adding a new dependency, use the version specifier from the overrides, when present #​4313.

    Normally, if the latest version of foo is 2.0.0, then pnpm add foo installs foo@^2.0.0. This behavior changes if foo is specified in an override:

    {
      "pnpm": {
        "overrides": {
          "foo": "1.0.0"
        }
      }
    }

    In this case, pnpm add foo will add foo@1.0.0 to the dependency. However, if a version is explicitly specified, then the specified version will be used and the override will be ignored. So pnpm add foo@0 will install v0 and it doesn't matter what is in the overrides.

Patch Changes
  • Ignore case, when verifying package name in the store #​4367.
  • When a peer dependency range is extended with *, just replace any range with *.
  • When some dependency types are skipped, let the user know via the installation summary.

v6.31.0

Compare Source

Minor Changes
Patch Changes
  • Remove meaningless keys from publishConfig when the pack or publish commands are used #​4311
  • The pnpx, pnpm dlx, pnpm create, and pnpm exec commands should set the npm_config_user_agent env variable #​3985.

v6.30.1

Compare Source

Patch Changes
  • This fixes an issue introduced in pnpm v6.30.0.

    When a package is not linked to node_modules, no info message should be printed about it being "relinked" from the store #​4314.

v6.30.0

Compare Source

Minor Changes
  • When checking that a package is linked from the store, check the existence of the package and read its stats with a single filesystem operation #​4304.

v6.29.2

Compare Source

Patch Changes
  • node_modules directories inside injected dependencies should not be overwritten #​4299.

v6.29.1

Compare Source

Patch Changes
  • Installation should not hang when there are broken symlinks in node_modules.

v6.29.0

Compare Source

Minor Changes
  • Add support of the update-notifier configuration option #​4158.
Patch Changes
  • A package should be able to be a dependency of itself.

v6.28.0

Compare Source

Minor Changes
  • New option added: embed-readme. When false, pnpm publish doesn't save the readme file's content to package.json before publish #​4265.
Patch Changes
  • pnpm exec should look for the executed command in the node_modules/.bin directory that is relative to the current working directory. Only after that should it look for the executable in the workspace root.

v6.27.2

Compare Source

Patch Changes

v6.27.1

Compare Source

Patch Changes
  • peerDependencyRules should work when both overrides and packageExtensions are present as well #​4255.
  • pnpm list should show information whether a package is private or not #​4246.

v6.27.0

Compare Source

Minor Changes
  • Side effects cache is not an experimental feature anymore.

    Side effects cache is saved separately for packages with different dependencies. So if foo has bar in the dependencies, then a separate cache will be created each time foo is installed with a different version of bar #​4238.

Patch Changes
  • Update command should work when there is a dependency with empty version in devDependencies #​4196.
  • Side effects cache should work in a workspace.

v6.26.1

Compare Source

Patch Changes
  • During installation, override any symlinks in node_modules. This was an issue only with node-linker=hoisted #​4229.
  • Print warnings about deprecated subdependencies #​4227.

v6.26.0

Compare Source

Minor Changes
  • In order to mute some types of peer dependency warnings, a new section in package.json may be used for declaring peer dependency warning rules. For example, the next configuration will turn off any warnings about missing babel-loader peer dependency and about @angular/common, when the wanted version of @angular/common is not v13.

    {
      "name": "foo",
      "version": "0.0.0",
      "pnpm": {
        "peerDependencyRules": {
          "ignoreMissing": ["babel-loader"],
          "allowedVersions": {
            "@angular/common": "13"
          }
        }
      }
    }
  • New setting supported: auto-install-peers. When it is set to true, pnpm add <pkg> automatically installs any missing peer dependencies as devDependencies #​4213.

v6.25.1

Compare Source

Patch Changes
  • Run the install scripts of hoisted dependencies in a workspace with no root project #​4209.

v6.25.0

Compare Source

Minor Changes
  • New installation mode added that creates a flat node_modules directory without the usage of symlinks. This is similar to the one created by npm and Yarn Classic.

    To use this new installation mode, set the node-linker setting to hoisted. These are the supported values of node-linker:

    • isolated - the default value.
    • hoisted - flat node_modules without symlinks.
    • pnp - no node_modules. Yarn's Plug'n'Play managed by pnpm.

    Related issue: #​4073

  • Add support for token helper, a command line tool to obtain a token.

    A token helper is an executable, set in the user's .npmrc which outputs an auth token. This can be used in situations where the authToken is not a constant value, but is something that refreshes regularly, where a script or other tool can use an existing refresh token to obtain a new access token.

    The configuration for the path to the helper must be an absolute path, with no arguments. In order to be secure, it is only permitted to set this value in the user .npmrc, otherwise a project could place a value in a project local .npmrc and run arbitrary executables.

    Usage example:

    ; Setting a token helper for the default registry
    tokenHelper=/home/ivan/token-generator
    
    ; Setting a token helper for the specified registry
    //registry.corp.com:tokenHelper=/home/ivan/token-generator

    Related PRs:

  • New CLI option: --ignore-workspace. When used, pnpm ignores any workspace configuration found in the current or parent directories.

  • If use-beta-cli is true, then don't set npm_config_argv env variable for scripts #​4175.

v6.24.4

Compare Source

Patch Changes
  • Don't throw an error during install when the bin of a dependency points to a path that doesn't exist #​3763.

  • When reporting unmet peer dependency issues, if the peer dependency is resolved not from a dependency installed by the user, then print the name of the parent package that has the bad peer dependency installed as a dependency.

  • Injected subdependencies should be hard linked as well. So if button is injected into card and card is injected into page, then both button and card should be injected into page #​4167.

v6.24.3

Compare Source

Patch Changes
  • Install with --frozen-lockfile should not fail when the project has injected dependencies and a dedicated lockfile #​4098.

v6.24.2

Compare Source

Patch Changes
  • If pnpm previously failed to install node when the use-node-version option is set, that download and install will now be re-attempted when pnpm is run again #​4104.

  • Don't warn about unmet peer dependency when the peer is resolved from a prerelease version #​4144.

    For instance, if a project has react@* as a peer dependency, then react 16.0.0-rc.0 should not cause a warning.

  • pnpm update pkg should not fail if pkg not found as a direct dependency, unless --depth=0 is passed as a CLI option #​4122.

  • When printing peer dependency issues, print the "*" range in double quotes. This will make it easier to copy the package resolutions and put them to the end of a pnpm add command for execution.

v6.24.1

Compare Source

Patch Changes
  • If making an intersection of peer dependency ranges does not succeed, install should not crash #​4134.
  • A new line should be between the summary about conflicting peers and non-conflicting ones.
  • Always return an error message when the preparation of a package fails.
  • pnpm publish should add the content of the README.md file to the readme field of the published package's package.json files #​4117.
  • pnpm publish should work with the --otp option #​4115.

v6.24.0

Compare Source

Minor Changes
  • Peer dependency issues are grouped and rendered in a nice hierarchy view.

    This is how the peer dependency issues were printed in previous versions:

    This is how they are displayed in pnpm v6.24:

  • New option added for: node-mirror:<releaseDir> #​4083. The string value of this dynamic option is used as the base URL for downloading node when use-node-version is specified. The <releaseDir> portion of this argument can be any dir in https://nodejs.org/download. Which <releaseDir> dynamic config option gets selected depends on the value of use-node-version. If 'use-node-version' is a simple x.x.x version string, <releaseDir> becomes release and node-mirror:release is read. Defaults to https://nodejs.org/download/<releaseDir>/.

  • 927c4a0: A new option --aggregate-output for append-only reporter is added. It aggregates lifecycle logs output for each command that is run in parallel, and only prints command logs when command is finished.

    Related discussion: #​4070.

Patch Changes
  • Don't fail when the version of a package in the store is not a semver version #​4077.

  • pnpm store prune should not fail if there are unexpected subdirectories in the content-addressable store #​4072.

  • Don't make unnecessary retries when fetching Git-hosted packages #​2731.

  • pnpm should read the auth token of a github-registry-hosted package, when the registry path contains the owner #​4034.

    So this should work:

    @owner:registry=https://npm.pkg.github.com/owner
    //npm.pkg.github.com/:_authToken=<token>
    
  • When strict-peer-dependencies is used, don't fail on the first peer dependency issue. Print all the peer dependency issues and then stop the installation process #​4082.

  • When sorting workspace projects, don't ignore the manifests of those that don't have a version field #​3933.


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
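
The v6.35.0 note on always-auth and per-domain tokens and the v6.25.0 note on tokenHelper both describe rules that can be checked before merging an update like this one. The following is an added example, not part of the PR or of pnpm's code: a small Node.js audit of .npmrc text. It assumes credential keys use the `//host/:_authToken` form shown in the v6.24.0 note and that the tarball URLs passed in are ones that require authentication; the function names, rule names and sample data are constructed for illustration.

```javascript
// Added example, not pnpm's code. Audits .npmrc text against the auth rules
// quoted in the release notes. Sample data below is constructed.

// Split .npmrc text into [key, value] pairs; ';' and '#' start comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line[0] === ';' || line[0] === '#' || eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// scope: 'project' for a repo-local .npmrc, 'user' for ~/.npmrc.
// tarballUrls: tarball locations taken from a lockfile (assumed input).
function auditNpmrc(text, scope, tarballUrls = []) {
  const findings = [];
  const tokenHosts = new Set();
  for (const [key, value] of parseNpmrc(text)) {
    const tok = /^\/\/([^/]+)\/.*:_authToken$/.exec(key);
    if (tok) tokenHosts.add(tok[1].toLowerCase());
    if (key === 'always-auth' || key.endsWith(':always-auth')) {
      // Ignored since v6.35.0: it no longer extends a token to other hosts.
      findings.push({ rule: 'always-auth-ignored', key });
    }
    if (key === 'tokenHelper' || key.endsWith(':tokenHelper')) {
      const bareAbsolute = /^(\/|[A-Za-z]:[\\/])\S*$/.test(value);
      if (scope === 'project') {
        // A repo-controlled helper path would mean repo-controlled execution.
        findings.push({ rule: 'tokenHelper-in-project-npmrc', key });
      } else if (!bareAbsolute) {
        // Heuristic: whitespace is treated as "has arguments".
        findings.push({ rule: 'tokenHelper-not-bare-absolute-path', key });
      }
    }
  }
  for (const url of tarballUrls) {
    const host = new URL(url).host.toLowerCase();
    if (!tokenHosts.has(host)) {
      findings.push({ rule: 'no-token-for-tarball-host', key: host });
    }
  }
  return findings;
}

const PROJECT_NPMRC = [
  '; constructed project-local .npmrc',
  '@my-company:registry=https://company.registry.com/',
  '//company.registry.com/:_authToken=${NPM_TOKEN}',
  'always-auth=true',
  '//registry.corp.com:tokenHelper=/home/ivan/token-generator',
].join('\n');
const TARBALLS = ['https://tarballs.com/pkg/-/pkg-1.0.0.tgz'];

console.log(auditNpmrc(PROJECT_NPMRC, 'project', TARBALLS));
```

Run against the constructed sample, it reports the ignored always-auth line, the tokenHelper entry in a project-local file, and the tarball host that has no token of its own.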
