build: update pnpm to v10.33.4#3651
See associated pull request for more information.
Code Review
This pull request updates the pnpm version from 10.33.3 to 10.33.4 across multiple package.json and MODULE.bazel files. The reviewer noted that the corresponding pnpm-lock.yaml files were not updated in this PR, which is necessary to maintain consistency and leverage new security features provided by the updated pnpm version.
| "version": "0.0.0-{SCM_HEAD_SHA}", | ||
| "private": true, | ||
| "packageManager": "pnpm@10.33.3", | ||
| "packageManager": "pnpm@10.33.4", |
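Review bot: the packageManager bump in this hunk has no pnpm-lock.yaml change alongside it, so the integrity pinning for git-hosted tarballs that the 10.33.4 release notes describe never reaches the lockfile; regenerate it with the new version (for example pnpm install --lockfile-only) at the root and in the bazel/rules/rules_angular and bazel/rules/rules_browsers directories and commit the result with this change.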
The pnpm-lock.yaml files (at the root and in the bazel/rules/rules_angular and bazel/rules/rules_browsers directories) are missing from this pull request. Updating the packageManager version in package.json should be accompanied by a lockfile update to maintain consistency and to enable the new security features (integrity pinning for git-hosted tarballs) mentioned in the release notes for pnpm 10.33.4.
This PR was merged into the repository. The changes were merged into the following branches:
This PR contains the following updates:
pnpm 10.33.3 → 10.33.4

Release Notes
pnpm/pnpm (pnpm)
v10.33.4: pnpm 10.33.4
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root. #11341