Update pnpm to v7.17.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	7.12.2 -> 7.17.0

---

Release Notes

pnpm/pnpm

v7.17.0

Compare Source

Minor Changes

• Added a new command pnpm licenses list, which displays the licenses of the packages #​2825

Patch Changes

• pnpm update --latest !foo should not update anything if the only dependency in the project is the ignored one #​5643.
• pnpm audit should send the versions of workspace projects for audit.
• Hoisting with symlinks should not override external symlinks and directories in the root of node_modules.
• The pnpm.updateConfig.ignoreDependencies setting should work with multiple dependencies in the array #​5639.

Our Gold Sponsors

Our Silver Sponsors

v7.16.1

Compare Source

Patch Changes

• Sync all injected dependencies when hoisted node linker is used #​5630

Our Gold Sponsors

Our Silver Sponsors

v7.16.0

Compare Source

Minor Changes

• Support pnpm env list to list global or remote Node.js versions #​5546.

Patch Changes

• Replace environment variable placeholders with their values, when reading .npmrc files in subdirectories inside a workspace #​2570.
• Fix an error that sometimes happen on projects with linked local dependencies #​5327.

Our Gold Sponsors

Our Silver Sponsors

v7.15.0

Compare Source

Minor Changes

• Support --format=json option to output outdated packages in JSON format with outdated command #​2705.

  pnpm outdated --format=json
  #or
  pnpm outdated --json

• A new setting supported for ignoring vulnerabilities by their CVEs. The ignored CVEs may be listed in the pnpm.auditConfig.ignoreCves field of package.json. For instance:

  {
    "pnpm": {
      "auditConfig": {
        "ignoreCves": [
          "CVE-2019-10742",
          "CVE-2020-28168",
          "CVE-2021-3749",
          "CVE-2020-7598"
        ]
      }
    }
  }

Patch Changes

• The reporter should not crash when the CLI process is kill during lifecycle scripts execution #​5588.
• Installation shouldn't fail when the injected dependency has broken symlinks. The broken symlinks should be just skipped #​5598.

Our Gold Sponsors

Our Silver Sponsors

v7.14.2

Compare Source

Patch Changes

• Don't fail if cannot override the name field of the error object #​5572.
• Don't fail on rename across devices.

Our Gold Sponsors

Our Silver Sponsors

v7.14.1

Compare Source

Patch Changes

• pnpm list --long --json should print licenses and authors of packages #​5533.
• Don't crash on lockfile with no packages field #​5553.
• Version overrider should have higher priority then custom read package hook from .pnpmfile.cjs.
• Don't print context information when running install for the pnpm dlx command.
• Print a warning if a package.json has a workspaces field but there is no pnpm-workspace.yaml file #​5363.
• It should be possible to set a custom home directory for pnpm by changing the PNPM_HOME environment variable.

Our Gold Sponsors

Our Silver Sponsors

v7.14.0

Compare Source

Minor Changes

• Add pnpm doctor command to do checks for known common issues

Patch Changes

• Ignore the always-auth setting.

  pnpm will never reuse the registry auth token for requesting the package tarball, if the package tarball is hosted on a different domain.

  So, for example, if your registry is at https://company.registry.com/ but the tarballs are hosted at https://tarballs.com/, then you will have to configure the auth token for both domains in your .npmrc:

  @​my-company:registry=https://company.registry.com/
  //company.registry.com/=SOME_AUTH_TOKEN
  //tarballs.com/=SOME_AUTH_TOKEN
  

Our Gold Sponsors

Our Silver Sponsors

v7.13.6

Compare Source

Patch Changes

• Downgrade @pnpm/npm-conf to remove annoying builtin warning #​5518.
• pnpm link --global <pkg> should not change the type of the dependency #​5478.
• When the pnpm outdated command fails, print in which directory it failed.

Our Gold Sponsors

Our Silver Sponsors

v7.13.5

Compare Source

Patch Changes

• Print a warning when cannot read the built-in npm configuration.
• Also include missing deeply linked workspace packages at headless installation #​5034.
• pnpm outdated should work when the package tarballs are hosted on a domain that differs from the registry's domain #​5492.
• strict-peer-dependencies is set to false by default.

Our Gold Sponsors

Our Silver Sponsors

v7.13.4

Compare Source

Patch Changes

• pnpm link <pkg> --global should work when a custom target directory is specified with the --dir CLI option #​5473.
• It should be possible to override dependencies with local packages using overrides #​5443.

Our Gold Sponsors

Our Silver Sponsors

v7.13.3

Compare Source

Patch Changes

• Don't crash when auto-install-peers is set to true and installation is done on a workspace with that has the same dependencies in multiple projects #​5454.
• Add global option in pnpm link --help #​5461.
• Show execution time on install, update, add, and remove #​1021.
• Fix the return path of pnpm pack, when a custom destination directory is used #​5471.

Our Gold Sponsors

Our Silver Sponsors

v7.13.2

Compare Source

Patch Changes

• When linking commands to a directory, remove any .exe files that are already present in that target directory by the same name.

  This fixes an issue with pnpm global update on Windows. If pnpm was installed with the standalone script and then updated with pnpm using pnpm add --global pnpm, the exe file initially created by the standalone script should be removed.

• When a direct dependency fails to resolve, print the path to the project directory in the error message.

• pnpm patch-commit should work when the patch directory is specified with a trailing slash #​5449.

Our Gold Sponsors

Our Silver Sponsors

v7.13.1

Compare Source

Patch Changes

• pnpm update --interactive should not list dependencies ignored via the pnpm.updateConfig.ignoreDependencies setting.

Our Gold Sponsors

Our Silver Sponsors

v7.13.0

Compare Source

Minor Changes

• Ignore packages listed in package.json > pnpm.updateConfig.ignoreDependencies fields on update/outdated command #​5358

  For instance, if you don't want webpack automatically to be updated when you run pnpm update --latest, put this to your package.json:

  {
    "pnpm": {
      "updateConfig": {
        "ignoreDependencies": ["webpack"]
      }
    }
  }

  Patterns are also supported, so you may ignore for instance any packages from a scope: @babel/*.

• It is possible now to update all dependencies except the listed ones using !. For instance, update all dependencies, except lodash:

    pnpm update !lodash
  

  It also works with pattends, for instance:

    pnpm update !@​babel/*
  

  And it may be combined with other patterns:

    pnpm update @​babel/* !@​babel/core
  

Patch Changes

• Hooks should be applied on pnpm deploy #​5306.

• Stop --filter-prod option to run command on all the projects when used on workspace. --filter-prod option now only filter from dependencies and omit devDependencies instead of including all the packages when used on workspace. So what was happening is that if you use --filter-prod on workspace root like this:

  pnpm --filter-prod ...build-modules exec node -e 'console.log(require(`./package.json`).name)'

  it was printing all the package of workspace, where it should only print the package name of itself and packages where it has been added as dependency (not as devDependencies)

• Don't override the root dependency when auto installing peer dependencies #​5412.

Our Gold Sponsors

Our Silver Sponsors

What's Changed

• GitHub Workflows security hardening by @​sashashuhttps://github.com/pnpm/pnpm/pull/5405l/5405
• feat: merge readPackage hook from opts and pnpmfile by @​AGrzhttps://github.com/pnpm/pnpm/pull/5403l/5403
• feat: excluding deps from update by @​zkochhttps://github.com/pnpm/pnpm/pull/5432l/5432
• fix: dir path repeated join in link global by @​lvhttps://github.com/pnpm/pnpm/pull/5434l/5434
• fix: filter-prod flag including all workspace pkgs by @​noorulhhttps://github.com/pnpm/pnpm/pull/5437l/5437
• Feature: ignore packages listed in package.json > pnpm.updateConfig.ignoreDependencies on update/outdated commands by @​Shinyaigehttps://github.com/pnpm/pnpm/pull/5408l/5408
• fix: don't override root deps when auto installing peers by @​zkochhttps://github.com/pnpm/pnpm/pull/5442l/5442

New Contributors

• @​sashashura made their first contributihttps://github.com/pnpm/pnpm/pull/5405l/5405
• @​AGrzes made their first contributihttps://github.com/pnpm/pnpm/pull/5403l/5403
• @​noorulh06 made their first contributihttps://github.com/pnpm/pnpm/pull/5437l/5437

Full Changelog: pnpm/pnpm@v7.12.2...v7.13.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.