pnpm 10.26

Latest

@github-actions github-actions released this 15 Dec 12:20
· 153 commits to main since this release
v10.26.0
This tag was signed with the committer's verified signature.
zkochan Zoltan Kochan
GPG key ID: 649E4D4AF74E7DEC
Verified
244e33b
This commit was signed with the committer's verified signature.
zkochan Zoltan Kochan
GPG key ID: 649E4D4AF74E7DEC
Verified

Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies (#10288).

  • Semi-breaking. Compute an integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs (#10287).

  • Added a new setting, blockExoticSubdeps, that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #10265.

  • Added support for allowBuilds, a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

        allowBuilds:
          esbuild: true
          core-js: false

    The example above achieves the same result as the previous configuration:

        onlyBuiltDependencies:
          - esbuild
        ignoredBuiltDependencies:
          - core-js

    Related PR: #10311

  • Added support for --dry-run to the pack command (#10301).
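The blockExoticSubdeps rule described above, as an added example that is not pnpm's own code: a small Python model of the policy run over a constructed dependency graph, showing that a git-hosted direct dependency passes while exotic specifiers reached transitively are flagged. It assumes a plain dict graph (package name to its dependency specifiers) and leaves the trusted GitHub repositories and custom resolvers out of the trusted set.

```python
"""Simplified model of blockExoticSubdeps (added example, not pnpm's code).

Assumptions (not from the release notes): the dependency graph is a plain dict of
package name -> {dependency name: specifier}; the trusted-GitHub-repository and
custom-resolver cases are omitted.
"""


def is_exotic(spec: str) -> bool:
    """True for the two protocols the release notes block in transitive dependencies:
    git repositories (git+ssh://, git+https://, git://) and direct tarball URLs.
    Registry ranges carry no protocol; file:, link: and workspace: specs are trusted."""
    return spec.startswith(("git+", "git://", "http://", "https://"))


def check_exotic_subdeps(root_deps: dict[str, str], graph: dict[str, dict[str, str]]) -> list[str]:
    """Enforce blockExoticSubdeps=true: direct dependencies (root package.json) may use
    exotic sources, but every dependency reached through them must be trusted.
    Returns one 'parent -> child: specifier' line per violation, sorted."""
    violations: list[str] = []
    seen: set[str] = set()
    stack = list(root_deps)  # direct dependencies; their own specifiers are not checked
    while stack:
        parent = stack.pop()
        if parent in seen:
            continue
        seen.add(parent)
        for child, spec in graph.get(parent, {}).items():
            if is_exotic(spec):
                violations.append(f"{parent} -> {child}: {spec}")
            stack.append(child)
    return sorted(violations)


# Constructed sample graph: one direct git dependency (allowed) and two exotic
# transitive specifiers (blocked), one of them behind a trusted file: dependency.
ROOT_DEPS = {
    "app-utils": "^1.0.0",
    "internal-tool": "git+ssh://git@example.com/org/internal-tool.git",
}
GRAPH = {
    "app-utils": {"left-pad": "^1.3.0", "shady-helper": "https://cdn.example.com/shady-helper-2.0.0.tgz"},
    "internal-tool": {"chalk": "^5.0.0", "local-dep": "file:../local-dep"},
    "local-dep": {"mystery": "git+https://example.com/x/mystery.git"},
    "left-pad": {}, "chalk": {}, "shady-helper": {}, "mystery": {},
}

if __name__ == "__main__":
    for line in check_exotic_subdeps(ROOT_DEPS, GRAPH):
        print("blocked exotic subdependency:", line)
```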

Patch Changes

  • Show deprecation in table/list formats when the latest version is deprecated (#8658).
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command (#10294).
  • Normalize tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https (#10273).
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json (#10197).

Platinum Sponsors

Bit

Gold Sponsors

Discord, CodeRabbit, Workleap, Stackblitz, Vite