New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update pnpm to v8 #139
Conversation
|
To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is an install script?Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
7ff075c
to
b8b6775
Compare
Codecov ReportPatch and project coverage have no change.
Additional details and impacted files@@ Coverage Diff @@
## main #139 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 2 2
Lines 39 39
Branches 6 6
=========================================
Hits 39 39
|
d39a408
to
15cd680
Compare
98f5b4f
to
7f890eb
Compare
73e61c3
to
c7a86ae
Compare
ade1696
to
1f781f6
Compare
07e92a1
to
a0a6f3b
Compare
6a5579c
to
fc6ef17
Compare
b782604
to
c3d4fb1
Compare
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
5a0d705
to
288891d
Compare
642162c
to
0e82195
Compare
0e82195
to
8253d88
Compare
8253d88
to
c35eab9
Compare
This PR contains the following updates:
7.33.2->8.6.5Release Notes
pnpm/pnpm (pnpm)
v8.6.5Compare Source
Patch Changes
Our Gold Sponsors
Our Silver Sponsors
v8.6.4Compare Source
Patch Changes
.npmrcfile #6354.Our Gold Sponsors
Our Silver Sponsors
v8.6.3Compare Source
Patch Changes
APPDATAenv variable is not set on Windows #6659.node-linkeris set tohoisted#6680.pnpm update --global --latestshould work #3779.pnpm license lsshould work even when there is a patched git protocol dependency #6595Our Gold Sponsors
Our Silver Sponsors
v8.6.2Compare Source
Patch Changes
Our Gold Sponsors
Our Silver Sponsors
v8.6.1Compare Source
Patch Changes
When
dedupe-peer-dependentsis enabled (default), use the path (not id) to determine compatibility.When multiple dependency groups can be deduplicated, the latter ones are sorted according to number of peers to allow them to benefit from deduplication.
Resolves: #6605
Some minor performance improvements by removing await from loops #6617.
Our Gold Sponsors
Our Silver Sponsors
v8.6.0Compare Source
Minor Changes
Some settings influence the structure of the lockfile, so we cannot reuse the lockfile if those settings change. As a result, we need to store such settings in the lockfile. This way we will know with which settings the lockfile has been created.
A new field will now be present in the lockfile:
settings. It will store the values of two settings:autoInstallPeersandexcludeLinksFromLockfile. If someone tries to perform afrozen-lockfileinstallation and their active settings don't match the ones in the lockfile, then an error message will be thrown.The lockfile format version is bumped from v6.0 to v6.1.
Related PR: #6557
Related issue: #6312
A new setting,
exclude-links-from-lockfile, is now supported. When enabled, specifiers of local linked dependencies won't be duplicated in the lockfile.This setting was primarily added for use by Bit CLI, which links core aspects to
node_modulesfrom external directories. As such, the locations may vary across different machines, resulting in the generation of lockfiles with differing locations.Patch Changes
npm:foo@1.0.0becomesnpm:foo@1.1.0.workspace:protocol is not found in the workspace #4477.pnpm rebuildshould not fail whennode-linkeris set tohoistedand there are skipped optional dependencies #6553.Our Gold Sponsors
Our Silver Sponsors
v8.5.1Compare Source
Patch Changes
package.jsonfile(s), print out what are the differences #6536.Our Gold Sponsors
Our Silver Sponsors
v8.5.0Compare Source
Minor Changes
pnpm patch-removecommand added #6521.Patch Changes
pnpm link -g <pkg-name>should not modify thepackage.jsonfile #4341.node_modulesdirectory #6510.enginesfield should match prerelease versions #6509.Our Gold Sponsors
Our Silver Sponsors
v8.4.0Compare Source
Minor Changes
pnpm publishsupports the--provenanceCLI option #6435.Patch Changes
node-linkeris set tohoisted6486.node_modulesdirectory unless the--forceoption is passed.node_modulesfolder with a.modules.yamlfile if there are no dependencies insidenode_modules.Our Gold Sponsors
Our Silver Sponsors
v8.3.1Compare Source
Patch Changes
node-fetchto fix an error that happens on Node.js 20 #6424.Our Gold Sponsors
Our Silver Sponsors
v8.3.0Compare Source
Minor Changes
pnpm packcommand using thepack-gzip-levelsetting #6393.--checkflag topnpm dedupe. No changes will be made tonode_modulesor the lockfile. Exits with a non-zero status code if changes are possible.pnpm install --resolution-onlyre-runs resolution to print out any peer dependency issues #6411.Patch Changes
publishConfig.directoryof an injected workspace dependency does not exist #6396.Our Gold Sponsors
Our Silver Sponsors
v8.2.0Compare Source
Minor Changes
.npmrc. This is a convention used by Yarn too.Using
${NAME-fallback}will returnfallbackifNAMEisn't set.${NAME:-fallback}will returnfallbackifNAMEisn't set, or is an empty string #6018.Patch Changes
-gto mismatch registries error info when original command has-goption #6224.pnpm config get <key>should print boolean values #6360link:protocol inpackage.json#6372Our Gold Sponsors
Our Silver Sponsors