chore(deps): update pnpm to v7.19.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	7.12.2 -> 7.19.0

---

Release Notes

pnpm/pnpm

v7.19.0

Compare Source

Minor Changes

• New setting supported in the package.json that is in the root of the workspace: pnpm.requiredScripts. Scripts listed in this array will be required in each project of the worksapce. Otherwise, pnpm -r run <script name> will fail #​5569.
• When the hoisted node linker is used, preserve node_modules directories when linking new dependencies. This improves performance, when installing in a project that already has a node_modules directory #​5795.
• When the hoisted node linker is used, pnpm should not build the same package multiple times during installation. If a package is present at multipe locations because hoisting could not hoist them to a single directory, then the package should only built in one of the locations and copied to the rest #​5814.

Patch Changes

• pnpm rebuild should work in projects that use the hoisted node linker #​5560.
• pnpm patch should print instructions about how to commit the changes #​5809.
• Allow the -S flag in command shims pnpm/cmd-shim#​42.
• Don't relink injected directories if they were not built #​5792.

Our Gold Sponsors

Our Silver Sponsors

v7.18.2

Compare Source

Patch Changes

• Added --json to the pnpm publish --help output #​5773.
• pnpm update should not replace workspace:*, workspace:~, and workspace:^ with workspace:<version> #​5764.
• The fatal error should be printed in JSON format, when running a pnpm command with the --json option #​5710.
• Throw an error while missing script start or file server.js #​5782.
• pnpm license list should not fail if a license file is an executable #​5740.

Our Gold Sponsors

Our Silver Sponsors

v7.18.1

Compare Source

Patch Changes

• The update notifier should suggest using the standalone script, when pnpm was installed using a standalone script #​5750.
• Vulnerabilities that don't have CVEs codes should not be skipped by pnpm audit if an ignoreCves list is declared in package.json #​5756.
• It should be possible to use overrides with absolute file paths #​5754.
• pnpm audit --json should ignore vulnerabilities listed in auditConfig.ignoreCves #​5734.
• pnpm licenses should print help, not just an error message #​5745.

Our Gold Sponsors

Our Silver Sponsors

v7.18.0

Compare Source

Minor Changes

• Overrides may be defined as a reference to a spec for a direct dependency by prefixing the name of the package you wish the version to match with a `# pnpm.

  {
    "dependencies": {
      "foo": "^1.0.0"
    },
    "overrides": {
      // the override is defined as a reference to the dependency
      "foo": "$foo",
      // the referenced package does not need to match the overridden one
      "bar": "$foo"
    }
  }

  Issue: #​5703

Patch Changes

• pnpm audit should work when the project's package.json has no version field #​5728
• Dependencies specified via * should be updated to semver ranges by pnpm update #​5681.
• It should be possible to override a dependency with a local package using relative path from the workspace root directory #​5493.
• Exit with non-zero exit code when child process exits with a non-zero exit clode #​5525.
• pnpm add should prefer local projects from the workspace, even if they use prerelease versions #​5316

Our Gold Sponsors

Our Silver Sponsors

v7.17.1

Compare Source

Patch Changes

• pnpm set-script and pnpm pkg are passed through to npm #​5683.
• pnpm publish <tarball path> should exit with non-0 exit code when publish fails #​5396.
• readPackage hooks should not modify the package.json files in a workspace #​5670.
• Comments in package.json5 are preserver #​2008.
• pnpm setup should create PNPM_HOME as a non-expandable env variable on Windows #​4658.
• Fix the CLI help of the pnpm licenses command.

Our Gold Sponsors

Our Silver Sponsors

v7.17.0

Compare Source

Minor Changes

• Added a new command pnpm licenses list, which displays the licenses of the packages #​2825

Patch Changes

• pnpm update --latest !foo should not update anything if the only dependency in the project is the ignored one #​5643.
• pnpm audit should send the versions of workspace projects for audit.
• Hoisting with symlinks should not override external symlinks and directories in the root of node_modules.
• The pnpm.updateConfig.ignoreDependencies setting should work with multiple dependencies in the array #​5639.

Our Gold Sponsors

Our Silver Sponsors

v7.16.1

Compare Source

Patch Changes

• Sync all injected dependencies when hoisted node linker is used #​5630

Our Gold Sponsors

Our Silver Sponsors

v7.16.0

Compare Source

Minor Changes

• Support pnpm env list to list global or remote Node.js versions #​5546.

Patch Changes

• Replace environment variable placeholders with their values, when reading .npmrc files in subdirectories inside a workspace #​2570.
• Fix an error that sometimes happen on projects with linked local dependencies #​5327.

Our Gold Sponsors

Our Silver Sponsors

v7.15.0

Compare Source

Minor Changes

• Support --format=json option to output outdated packages in JSON format with outdated command #​2705.

  pnpm outdated --format=json
  #or
  pnpm outdated --json

• A new setting supported for ignoring vulnerabilities by their CVEs. The ignored CVEs may be listed in the pnpm.auditConfig.ignoreCves field of package.json. For instance:

  {
    "pnpm": {
      "auditConfig": {
        "ignoreCves": [
          "CVE-2019-10742",
          "CVE-2020-28168",
          "CVE-2021-3749",
          "CVE-2020-7598"
        ]
      }
    }
  }

Patch Changes

• The reporter should not crash when the CLI process is kill during lifecycle scripts execution #​5588.
• Installation shouldn't fail when the injected dependency has broken symlinks. The broken symlinks should be just skipped #​5598.

Our Gold Sponsors

Our Silver Sponsors

v7.14.2

Compare Source

Patch Changes

• Don't fail if cannot override the name field of the error object #​5572.
• Don't fail on rename across devices.

Our Gold Sponsors

Our Silver Sponsors

v7.14.1

Compare Source

Patch Changes

• pnpm list --long --json should print licenses and authors of packages #​5533.
• Don't crash on lockfile with no packages field #​5553.
• Version overrider should have higher priority then custom read package hook from .pnpmfile.cjs.
• Don't print context information when running install for the pnpm dlx command.
• Print a warning if a package.json has a workspaces field but there is no pnpm-workspace.yaml file #​5363.
• It should be possible to set a custom home directory for pnpm by changing the PNPM_HOME environment variable.

Our Gold Sponsors

Our Silver Sponsors

v7.14.0

Compare Source

Minor Changes

• Add pnpm doctor command to do checks for known common issues

Patch Changes

• Ignore the always-auth setting.

  pnpm will never reuse the registry auth token for requesting the package tarball, if the package tarball is hosted on a different domain.

  So, for example, if your registry is at https://company.registry.com/ but the tarballs are hosted at https://tarballs.com/, then you will have to configure the auth token for both domains in your .npmrc:

  @​my-company:registry=https://company.registry.com/
  //company.registry.com/=SOME_AUTH_TOKEN
  //tarballs.com/=SOME_AUTH_TOKEN
  

Our Gold Sponsors

Our Silver Sponsors

v7.13.6

Compare Source

Patch Changes

• Downgrade @pnpm/npm-conf to remove annoying builtin warning #​5518.
• pnpm link --global <pkg> should not change the type of the dependency #​5478.
• When the pnpm outdated command fails, print in which directory it failed.

Our Gold Sponsors

Our Silver Sponsors

v7.13.5

Compare Source

Patch Changes

• Print a warning when cannot read the built-in npm configuration.
• Also include missing deeply linked workspace packages at headless installation #​5034.
• pnpm outdated should work when the package tarballs are hosted on a domain that differs from the registry's domain #​5492.
• strict-peer-dependencies is set to false by default.

Our Gold Sponsors

Our Silver Sponsors

v7.13.4

Compare Source

Patch Changes

• pnpm link <pkg> --global should work when a custom target directory is specified with the --dir CLI option #​5473.
• It should be possible to override dependencies with local packages using overrides #​5443.

Our Gold Sponsors

Our Silver Sponsors

Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. If you want to rebase/retry this PR, check this box This PR has been generated by Mend Renovate using a preset from . View repository job log here

[github-actions]

🎉 This PR is included in version 2.1.1 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀