diff --git a/CHANGELOG.md b/CHANGELOG.md index 53dbcad..4626a1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## v0.1.13 - 20/05/2026 + +### Documentation +- `README` — add `lockfile=true` to the recommended `NPM_CONFIG_FILE` template. Pnpm `< 11.0.0` interprets the preceding `package-lock=false` line as `lockfile=false`, disabling `pnpm-lock.yaml` reads and breaking `pnpm install --frozen-lockfile` in `javascript/base`. The new line re-enables pnpm's lockfile explicitly on pnpm 10.x and is harmless on pnpm `>= 11`, where `lockfile=true` is already the default and `package-lock` is scoped to npm's lockfile only. + ## v0.1.12 - 20/05/2026 ### Documentation diff --git a/README.md b/README.md index 5c62d77..81882e3 100644 --- a/README.md +++ b/README.md @@ -246,6 +246,7 @@ fund=false audit=false ignore-scripts=true package-lock=false +lockfile=true prefer-online=true ``` @@ -257,6 +258,7 @@ prefer-online=true | `audit=false` | `osv-scanner` (in `security.yml`) covers vulnerability scans natively. | | `ignore-scripts=true` | Belt-and-suspenders against postinstall supply-chain attacks — backs up the `--ignore-scripts` flag already passed by `javascript/base` on every `pnpm install`. | | `package-lock=false` | Prevent `npm` from emitting a parasitic `package-lock.json` in pnpm repos. | +| `lockfile=true` | Explicit `pnpm-lock.yaml` enablement. Required on pnpm `< 11.0.0` consumers, where the preceding `package-lock=false` is interpreted as `lockfile=false` and collides with `pnpm install --frozen-lockfile`. Pnpm `>= 11` already defaults to `true` and ignores `package-lock` for `pnpm-lock.yaml`, so the line is harmless there. | | `prefer-online=true` | Re-fetch dep metadata each install — local cache cannot mask a yanked or republished version. | diff --git a/package.json b/package.json index 0835a9e..f9f5197 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "@coroboros/ci", - "version": "0.1.12", + "version": "0.1.13", "private": true, "description": "Reusable GitHub Actions CI for the Coroboros stack.", "license": "SEE LICENSE IN LICENSE.md",
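Review bot: The CHANGELOG entry for v0.1.13 makes the fix depend on line order ("the preceding `package-lock=false` line") without saying so explicitly; the new `lockfile=true` only neutralises the alias on pnpm `< 11.0.0` because it comes after `package-lock=false` and the later key wins. Suggest stating that ordering requirement plainly in the entry (e.g. "`lockfile=true` must follow `package-lock=false` in `.npmrc`") so a consumer who reorders the template does not silently reintroduce the `--frozen-lockfile` failure, and naming the pnpm 10.x version on which the regression was reproduced.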
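Review bot: In the README `.npmrc` template hunk, `lockfile=true` is inserted directly under `package-lock=false` with nothing in the file itself indicating that the two lines interact; the rationale lives only in the table further down. Suggest a one-line `;` comment above `lockfile=true` (the ini format npm reads accepts `;` and `#` comments) such as `; keep after package-lock=false: pnpm < 11 treats that key as lockfile=false`, so the constraint survives copy-paste of the template on its own.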
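Review bot: In the README table hunk, the new `lockfile=true` row states that pnpm `< 11.0.0` interprets `package-lock=false` as `lockfile=false`, but the unchanged `package-lock=false` row immediately above still describes that key as only preventing `npm` from emitting a `package-lock.json`; the two rows now contradict each other on what the setting does under pnpm 10.x. Suggest amending the `package-lock=false` row in the same change to mention the pnpm-side effect (e.g. "On pnpm `< 11` this key is also read as `lockfile=false`; see `lockfile=true` below"), so the table is internally consistent and the dependency between the rows is visible without reading the changelog.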