Skip to content

chore(release): 11.5.3#12305

Merged
zkochan merged 2 commits into
mainfrom
release-pr/main
Jun 10, 2026
Merged

chore(release): 11.5.3#12305
zkochan merged 2 commits into
mainfrom
release-pr/main

Conversation

@zkochan

@zkochan zkochan commented Jun 10, 2026

Copy link
Copy Markdown
Member

Automated release PR created by the create-release-pr workflow.

Releasing main as pnpm v11.5.3. Merging this PR consumes the pending changesets and records them in the .changeset-released ledger under main.

@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown

Important

Review skipped

Too many files!

This PR contains 300 files, which is 150 over the limit of 150.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7d644ecb-4491-4fc1-be47-0be8bafb2708

📥 Commits

Reviewing files that changed from the base of the PR and between 65443f4 and aeee7b6.

📒 Files selected for processing (300)
  • .changeset-released/main.txt
  • .changeset/clean-package-manager-registries.md
  • .changeset/clever-rocks-listen.md
  • .changeset/deps-status-no-manifest.md
  • .changeset/dollar-overrides-deprecation.md
  • .changeset/fix-config-globalconfig.md
  • .changeset/fuzzy-color-flags.md
  • .changeset/gvs-toggle-detection.md
  • .changeset/loose-meteors-travel.md
  • .changeset/pacquet-install-engine-identity.md
  • .changeset/pnpr-client-ndjson-resolve.md
  • .changeset/pnpr-resolve-only.md
  • .changeset/quiet-peers-settle.md
  • .changeset/sharp-registry-env-placeholders.md
  • .changeset/stale-stage-tarballs.md
  • .changeset/store-discl.md
  • .changeset/strange-bin-segments.md
  • .changeset/tough-allow-builds-identities.md
  • .changeset/verify-node-runtime-shasums.md
  • .meta-updater/CHANGELOG.md
  • .meta-updater/package.json
  • __utils__/assert-project/CHANGELOG.md
  • __utils__/assert-project/package.json
  • __utils__/assert-store/CHANGELOG.md
  • __utils__/assert-store/package.json
  • __utils__/jest-config/CHANGELOG.md
  • __utils__/jest-config/package.json
  • __utils__/prepare/CHANGELOG.md
  • __utils__/prepare/package.json
  • __utils__/scripts/CHANGELOG.md
  • __utils__/scripts/package.json
  • auth/commands/CHANGELOG.md
  • auth/commands/package.json
  • bins/linker/CHANGELOG.md
  • bins/linker/package.json
  • bins/remover/CHANGELOG.md
  • bins/remover/package.json
  • bins/resolver/CHANGELOG.md
  • bins/resolver/package.json
  • building/after-install/CHANGELOG.md
  • building/after-install/package.json
  • building/commands/CHANGELOG.md
  • building/commands/package.json
  • building/during-install/CHANGELOG.md
  • building/during-install/package.json
  • building/pkg-requires-build/CHANGELOG.md
  • building/pkg-requires-build/package.json
  • building/policy/CHANGELOG.md
  • building/policy/package.json
  • cache/api/CHANGELOG.md
  • cache/api/package.json
  • cache/commands/CHANGELOG.md
  • cache/commands/package.json
  • cli/commands/CHANGELOG.md
  • cli/commands/package.json
  • cli/common-cli-options-help/CHANGELOG.md
  • cli/common-cli-options-help/package.json
  • cli/default-reporter/CHANGELOG.md
  • cli/default-reporter/package.json
  • cli/meta/CHANGELOG.md
  • cli/meta/package.json
  • cli/utils/CHANGELOG.md
  • cli/utils/package.json
  • config/commands/CHANGELOG.md
  • config/commands/package.json
  • config/normalize-registries/CHANGELOG.md
  • config/normalize-registries/package.json
  • config/package-is-installable/CHANGELOG.md
  • config/package-is-installable/package.json
  • config/pick-registry-for-package/CHANGELOG.md
  • config/pick-registry-for-package/package.json
  • config/reader/CHANGELOG.md
  • config/reader/package.json
  • config/version-policy/CHANGELOG.md
  • config/version-policy/package.json
  • config/writer/CHANGELOG.md
  • config/writer/package.json
  • core/core-loggers/CHANGELOG.md
  • core/core-loggers/package.json
  • core/types/CHANGELOG.md
  • core/types/package.json
  • crypto/shasums-file/CHANGELOG.md
  • crypto/shasums-file/package.json
  • deps/compliance/audit/CHANGELOG.md
  • deps/compliance/audit/package.json
  • deps/compliance/commands/CHANGELOG.md
  • deps/compliance/commands/package.json
  • deps/compliance/license-scanner/CHANGELOG.md
  • deps/compliance/license-scanner/package.json
  • deps/compliance/sbom/CHANGELOG.md
  • deps/compliance/sbom/package.json
  • deps/graph-builder/CHANGELOG.md
  • deps/graph-builder/package.json
  • deps/graph-hasher/CHANGELOG.md
  • deps/graph-hasher/package.json
  • deps/inspection/commands/CHANGELOG.md
  • deps/inspection/commands/package.json
  • deps/inspection/list/CHANGELOG.md
  • deps/inspection/list/package.json
  • deps/inspection/outdated/CHANGELOG.md
  • deps/inspection/outdated/package.json
  • deps/inspection/peers-checker/CHANGELOG.md
  • deps/inspection/peers-checker/package.json
  • deps/inspection/peers-issues-renderer/CHANGELOG.md
  • deps/inspection/peers-issues-renderer/package.json
  • deps/inspection/tree-builder/CHANGELOG.md
  • deps/inspection/tree-builder/package.json
  • deps/path/CHANGELOG.md
  • deps/path/package.json
  • deps/security/signatures/CHANGELOG.md
  • deps/security/signatures/package.json
  • deps/status/CHANGELOG.md
  • deps/status/package.json
  • engine/pm/commands/CHANGELOG.md
  • engine/pm/commands/package.json
  • engine/runtime/bun-resolver/CHANGELOG.md
  • engine/runtime/bun-resolver/package.json
  • engine/runtime/commands/CHANGELOG.md
  • engine/runtime/commands/package.json
  • engine/runtime/deno-resolver/CHANGELOG.md
  • engine/runtime/deno-resolver/package.json
  • engine/runtime/node-resolver/CHANGELOG.md
  • engine/runtime/node-resolver/package.json
  • engine/runtime/system-version/CHANGELOG.md
  • engine/runtime/system-version/package.json
  • exec/commands/CHANGELOG.md
  • exec/commands/package.json
  • exec/lifecycle/CHANGELOG.md
  • exec/lifecycle/package.json
  • exec/prepare-package/CHANGELOG.md
  • exec/prepare-package/package.json
  • fetching/binary-fetcher/CHANGELOG.md
  • fetching/binary-fetcher/package.json
  • fetching/directory-fetcher/CHANGELOG.md
  • fetching/directory-fetcher/package.json
  • fetching/fetcher-base/CHANGELOG.md
  • fetching/fetcher-base/package.json
  • fetching/git-fetcher/CHANGELOG.md
  • fetching/git-fetcher/package.json
  • fetching/pick-fetcher/CHANGELOG.md
  • fetching/pick-fetcher/package.json
  • fetching/tarball-fetcher/CHANGELOG.md
  • fetching/tarball-fetcher/package.json
  • fs/indexed-pkg-importer/CHANGELOG.md
  • fs/indexed-pkg-importer/package.json
  • fs/symlink-dependency/CHANGELOG.md
  • fs/symlink-dependency/package.json
  • global/commands/CHANGELOG.md
  • global/commands/package.json
  • global/packages/CHANGELOG.md
  • global/packages/package.json
  • hooks/pnpmfile/CHANGELOG.md
  • hooks/pnpmfile/package.json
  • hooks/read-package-hook/CHANGELOG.md
  • hooks/read-package-hook/package.json
  • hooks/types/CHANGELOG.md
  • hooks/types/package.json
  • installing/client/CHANGELOG.md
  • installing/client/package.json
  • installing/commands/CHANGELOG.md
  • installing/commands/package.json
  • installing/context/CHANGELOG.md
  • installing/context/package.json
  • installing/dedupe/check/CHANGELOG.md
  • installing/dedupe/check/package.json
  • installing/deps-installer/CHANGELOG.md
  • installing/deps-installer/package.json
  • installing/deps-resolver/CHANGELOG.md
  • installing/deps-resolver/package.json
  • installing/deps-restorer/CHANGELOG.md
  • installing/deps-restorer/package.json
  • installing/env-installer/CHANGELOG.md
  • installing/env-installer/package.json
  • installing/linking/direct-dep-linker/CHANGELOG.md
  • installing/linking/direct-dep-linker/package.json
  • installing/linking/hoist/CHANGELOG.md
  • installing/linking/hoist/package.json
  • installing/linking/modules-cleaner/CHANGELOG.md
  • installing/linking/modules-cleaner/package.json
  • installing/linking/real-hoist/CHANGELOG.md
  • installing/linking/real-hoist/package.json
  • installing/modules-yaml/CHANGELOG.md
  • installing/modules-yaml/package.json
  • installing/package-requester/CHANGELOG.md
  • installing/package-requester/package.json
  • installing/read-projects-context/CHANGELOG.md
  • installing/read-projects-context/package.json
  • lockfile/detect-dep-types/CHANGELOG.md
  • lockfile/detect-dep-types/package.json
  • lockfile/filtering/CHANGELOG.md
  • lockfile/filtering/package.json
  • lockfile/fs/CHANGELOG.md
  • lockfile/fs/package.json
  • lockfile/make-dedicated-lockfile/CHANGELOG.md
  • lockfile/make-dedicated-lockfile/package.json
  • lockfile/merger/CHANGELOG.md
  • lockfile/merger/package.json
  • lockfile/preferred-versions/CHANGELOG.md
  • lockfile/preferred-versions/package.json
  • lockfile/pruner/CHANGELOG.md
  • lockfile/pruner/package.json
  • lockfile/settings-checker/CHANGELOG.md
  • lockfile/settings-checker/package.json
  • lockfile/to-pnp/CHANGELOG.md
  • lockfile/to-pnp/package.json
  • lockfile/types/CHANGELOG.md
  • lockfile/types/package.json
  • lockfile/utils/CHANGELOG.md
  • lockfile/utils/package.json
  • lockfile/verification/CHANGELOG.md
  • lockfile/verification/package.json
  • lockfile/walker/CHANGELOG.md
  • lockfile/walker/package.json
  • modules-mounter/daemon/CHANGELOG.md
  • modules-mounter/daemon/package.json
  • network/auth-header/CHANGELOG.md
  • network/auth-header/package.json
  • network/fetch/CHANGELOG.md
  • network/fetch/package.json
  • patching/commands/CHANGELOG.md
  • patching/commands/package.json
  • patching/config/CHANGELOG.md
  • patching/config/package.json
  • pkg-manifest/commands/CHANGELOG.md
  • pkg-manifest/commands/package.json
  • pkg-manifest/reader/CHANGELOG.md
  • pkg-manifest/reader/package.json
  • pkg-manifest/utils/CHANGELOG.md
  • pkg-manifest/utils/package.json
  • pnpm/CHANGELOG.md
  • pnpm/artifacts/darwin-arm64/package.json
  • pnpm/artifacts/exe/package.json
  • pnpm/artifacts/linux-arm64-musl/package.json
  • pnpm/artifacts/linux-arm64/package.json
  • pnpm/artifacts/linux-x64-musl/package.json
  • pnpm/artifacts/linux-x64/package.json
  • pnpm/artifacts/win32-arm64/package.json
  • pnpm/artifacts/win32-x64/package.json
  • pnpm/dev/CHANGELOG.md
  • pnpm/dev/package.json
  • pnpm/package.json
  • pnpr/client/CHANGELOG.md
  • pnpr/client/package.json
  • registry-access/client/CHANGELOG.md
  • registry-access/client/package.json
  • registry-access/commands/CHANGELOG.md
  • registry-access/commands/package.json
  • releasing/commands/CHANGELOG.md
  • releasing/commands/package.json
  • releasing/exportable-manifest/CHANGELOG.md
  • releasing/exportable-manifest/package.json
  • resolving/default-resolver/CHANGELOG.md
  • resolving/default-resolver/package.json
  • resolving/git-resolver/CHANGELOG.md
  • resolving/git-resolver/package.json
  • resolving/local-resolver/CHANGELOG.md
  • resolving/local-resolver/package.json
  • resolving/npm-resolver/CHANGELOG.md
  • resolving/npm-resolver/package.json
  • resolving/registry/pkg-metadata-filter/CHANGELOG.md
  • resolving/registry/pkg-metadata-filter/package.json
  • resolving/registry/types/CHANGELOG.md
  • resolving/registry/types/package.json
  • resolving/resolver-base/CHANGELOG.md
  • resolving/resolver-base/package.json
  • resolving/tarball-resolver/CHANGELOG.md
  • resolving/tarball-resolver/package.json
  • store/cafs/CHANGELOG.md
  • store/cafs/package.json
  • store/commands/CHANGELOG.md
  • store/commands/package.json
  • store/connection-manager/CHANGELOG.md
  • store/connection-manager/package.json
  • store/controller-types/CHANGELOG.md
  • store/controller-types/package.json
  • store/controller/CHANGELOG.md
  • store/controller/package.json
  • store/create-cafs-store/CHANGELOG.md
  • store/create-cafs-store/package.json
  • store/pkg-finder/CHANGELOG.md
  • store/pkg-finder/package.json
  • testing/command-defaults/CHANGELOG.md
  • testing/command-defaults/package.json
  • testing/mock-agent/CHANGELOG.md
  • testing/mock-agent/package.json
  • testing/registry-mock/CHANGELOG.md
  • testing/registry-mock/package.json
  • testing/temp-store/CHANGELOG.md
  • testing/temp-store/package.json
  • worker/CHANGELOG.md
  • worker/package.json
  • workspace/commands/CHANGELOG.md
  • workspace/commands/package.json
  • workspace/injected-deps-syncer/CHANGELOG.md
  • workspace/injected-deps-syncer/package.json
  • workspace/project-manifest-reader/CHANGELOG.md
  • workspace/project-manifest-reader/package.json
  • workspace/project-manifest-writer/CHANGELOG.md
  • workspace/project-manifest-writer/package.json
  • workspace/projects-filter/CHANGELOG.md

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release-pr/main

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 10, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

Grey Divider


Remediation recommended

1. Stale packageManager pin 🐞 Bug ≡ Correctness
Description
pnpm is bumped to 11.6.0 in this release, but the repo root still pins the CLI via
packageManager/devEngines.packageManager.version to 11.5.2, so corepack/devEngines-based
auto-switching can keep selecting the old pnpm version. This can cause inconsistent behavior between
the repo’s intended released pnpm and the version actually used when working in the workspace.
Code

pnpm/package.json[3]

+  "version": "11.6.0",
Evidence
The PR updates the published pnpm version to 11.6.0, while the workspace root manifest still pins
pnpm 11.5.2 via packageManager and devEngines.packageManager.version. The pnpm changelog states
that these fields are used for automatic version switching/self-update, so leaving them stale can
keep the repo on the old pnpm version.

pnpm/package.json[1-4]
package.json[64-75]
pnpm/CHANGELOG.md[3-25]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
This PR releases `pnpm` as `11.6.0`, but the repository root `package.json` still pins `pnpm@11.5.2` in `packageManager` and `devEngines.packageManager.version`. As a result, environments using Corepack and/or pnpm's devEngines auto-switch behavior may continue to use `11.5.2` instead of the released `11.6.0`.
### Issue Context
- `pnpm/CHANGELOG.md` explicitly documents that `packageManager` / `devEngines.packageManager` controls automatic version switch/self-update behavior.
### Fix Focus Areas
- package.json[64-70]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Previous review results

Review updated until commit aeee7b6

Results up to commit 7c0e8e5


🐞 Bugs (1) 📘 Rule violations (0)


Remediation recommended
1. Stale packageManager pin 🐞 Bug ≡ Correctness
Description
pnpm is bumped to 11.6.0 in this release, but the repo root still pins the CLI via
packageManager/devEngines.packageManager.version to 11.5.2, so corepack/devEngines-based
auto-switching can keep selecting the old pnpm version. This can cause inconsistent behavior between
the repo’s intended released pnpm and the version actually used when working in the workspace.
Code

pnpm/package.json[3]

+  "version": "11.6.0",
Evidence
The PR updates the published pnpm version to 11.6.0, while the workspace root manifest still pins
pnpm 11.5.2 via packageManager and devEngines.packageManager.version. The pnpm changelog states
that these fields are used for automatic version switching/self-update, so leaving them stale can
keep the repo on the old pnpm version.

pnpm/package.json[1-4]
package.json[64-75]
pnpm/CHANGELOG.md[3-25]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
This PR releases `pnpm` as `11.6.0`, but the repository root `package.json` still pins `pnpm@11.5.2` in `packageManager` and `devEngines.packageManager.version`. As a result, environments using Corepack and/or pnpm's devEngines auto-switch behavior may continue to use `11.5.2` instead of the released `11.6.0`.

### Issue Context
- `pnpm/CHANGELOG.md` explicitly documents that `packageManager` / `devEngines.packageManager` controls automatic version switch/self-update behavior.

### Fix Focus Areas
- package.json[64-70]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Qodo Logo

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

chore(release): pnpm v11.6.0
✨ Enhancement 🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

Grey Divider

Walkthroughs

Description
• **Security hardening**: verifies npm registry signatures of package-manager binaries (pacquet,
  pnpm self-update) and OpenPGP signatures of Node.js SHASUMS256.txt before execution; stops env-var
  expansion in repo-controlled registry/proxy URLs and credentials.
• **pnpr accelerator refactor**: two-phase flow — server resolves lockfile only, client fetches
  tarballs directly from registries in parallel (eliminates bandwidth bottleneck on cold/WAN
  installs); pnpr client now reads POST /v1/resolve as ndjson stream.
• **allowBuilds identity enforcement**: package-name entries can no longer approve lifecycle
  scripts for git/tarball/directory artifacts; lockfile verification rejects name@semver dep-paths
  backed by non-registry resolutions (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH).
• **Bug fixes**: pnpm config get globalconfig returns correct path; bare --color flag no longer
  consumes the next CLI flag; enableGlobalVirtualStore toggle now included in workspace state check;
  peer-dependent deduplication made deterministic.
• **Deprecation warning**: $ version reference syntax in overrides now warns; reserved bin
  names ("", ".", "..") rejected to prevent global bin-dir deletion;
  packageManagerDependencies no longer written when onFail: ignore.
• Bumps pnpm from 11.5.211.6.0 and cascades version bumps across ~130 internal packages.
Diagram
graph TD
    pnpm["pnpm 11.6.0"] --> config["@pnpm/config.reader\n1101.7.0 minor"]
    pnpm --> sigs["@pnpm/deps.security.signatures\n1101.2.0 minor"]
    pnpm --> shasums["@pnpm/crypto.shasums-file\n1100.1.0 minor"]
    pnpm --> pnprclient["@pnpm/pnpr.client\n1.2.0 minor"]
    pnpm --> installer["@pnpm/installing.deps-installer\n1101.8.0 minor"]
    config -->|"stops env-var expansion\nin registry URLs"| sec1(["Security: registry\ncredential isolation"])
    sigs -->|"verifies npm signatures\nbefore binary exec"| sec2(["Security: PM binary\nsignature check"])
    shasums -->|"verifies OpenPGP sig\nof SHASUMS256.txt"| sec3(["Security: Node.js\nruntime integrity"])
    pnprclient -->|"resolve-only phase\n+ ndjson streaming"| perf(["Perf: two-phase\npnpr install"])
    installer -->|"allowBuilds identity\nenforcement"| sec4(["Security: build\npolicy hardening"])
    subgraph Legend
      direction LR
      _pkg["Package"] ~~~ _feat(["Feature / Outcome"])
    end
Loading
High-Level Assessment

This is an automated release PR generated by the create-release-pr workflow. The approach — consuming changesets, bumping ~130 package versions, and recording them in the ledger — is the standard and optimal release process for this monorepo. No alternative approach is warranted.

Grey Divider

File Changes

Enhancement (8)
CHANGELOG.md Add minor release entry for registry signature verification of PM binaries +17/-0

Add minor release entry for registry signature verification of PM binaries

• Documents the new feature in @pnpm/deps.security.signatures@1101.2.0: verifies npm registry signatures of pacquet and pnpm self-update binaries before execution, using embedded npm public keys, failing closed if verification cannot complete.

deps/security/signatures/CHANGELOG.md


CHANGELOG.md Add minor release entry for Node.js SHASUMS OpenPGP signature verification +16/-0

Add minor release entry for Node.js SHASUMS OpenPGP signature verification

• Documents @pnpm/crypto.shasums-file@1100.1.0: pnpm now fetches SHASUMS256.txt.sig and verifies the detached OpenPGP signature against embedded Node.js release team public keys before trusting integrity hashes of downloaded Node.js runtimes.

crypto/shasums-file/CHANGELOG.md


CHANGELOG.md Add minor release entry for pnpr two-phase install and ndjson streaming +12/-0

Add minor release entry for pnpr two-phase install and ndjson streaming

• Documents @pnpm/pnpr.client@1.2.0: accelerator now only resolves the lockfile server-side; client fetches tarballs directly from registries. Also fixes the client to read POST /v1/resolve as an ndjson stream.

pnpr/client/CHANGELOG.md


CHANGELOG.md Add minor release entry for env-var expansion stop and multiple config fixes +21/-0

Add minor release entry for env-var expansion stop and multiple config fixes

• Documents @pnpm/config.reader@1101.7.0: stops expanding env vars in repo-controlled registry/proxy URLs and credentials; fixes globalconfig path, --color flag parsing, $-override deprecation warning, packageManagerDependencies lockfile write, and bootstrap registry trust.

config/reader/CHANGELOG.md


CHANGELOG.md Add minor release entry for pnpr two-phase install and allowBuilds identity enforcement +54/-0

Add minor release entry for pnpr two-phase install and allowBuilds identity enforcement

• Documents @pnpm/installing.deps-installer@1101.8.0: integrates the pnpr two-phase lockfile-only resolution flow and enforces trusted package identity for allowBuilds entries.

installing/deps-installer/CHANGELOG.md


CHANGELOG.md Add patch entry for Node.js SHASUMS OpenPGP verification in node-resolver +25/-0

Add patch entry for Node.js SHASUMS OpenPGP verification in node-resolver

• Documents @pnpm/engine.runtime.node-resolver@1101.1.5 consuming the new crypto.shasums-file OpenPGP verification capability.

engine/runtime/node-resolver/CHANGELOG.md


CHANGELOG.md Add patch entries for PM binary signature verification and lockfile fix +45/-0

Add patch entries for PM binary signature verification and lockfile fix

• Documents @pnpm/engine.pm.commands@1101.1.21: integrates registry signature verification for pacquet/pnpm binaries and stops writing packageManagerDependencies when policy is onFail: ignore.

engine/pm/commands/CHANGELOG.md


CHANGELOG.md Add patch entry for allowBuilds identity type changes +6/-0

Add patch entry for allowBuilds identity type changes

• Documents @pnpm/types@1101.3.1 type changes supporting the allowBuilds trusted identity enforcement.

core/types/CHANGELOG.md


Bug fix (5)
CHANGELOG.md Add patch entry for deterministic peer deduplication and allowBuilds identity +25/-0

Add patch entry for deterministic peer deduplication and allowBuilds identity

• Documents @pnpm/installing.deps-resolver@1100.2.1: makes peer-suffixed package variant deduplication deterministic across machines and enforces trusted identity for allowBuilds.

installing/deps-resolver/CHANGELOG.md


CHANGELOG.md Add patch entry rejecting reserved bin names +8/-0

Add patch entry rejecting reserved bin names

• Documents @pnpm/bins.resolver@1100.0.7: rejects reserved manifest bin names ("", ".", "..", scoped forms) that could resolve to the global bin directory and cause recursive deletion.

bins/resolver/CHANGELOG.md


CHANGELOG.md Add patch entry for enableGlobalVirtualStore toggle fix +15/-0

Add patch entry for enableGlobalVirtualStore toggle fix

• Documents @pnpm/workspace.state@1100.0.20: includes enableGlobalVirtualStore in workspace state settings check so pnpm install no longer ignores the toggle.

workspace/state/CHANGELOG.md


CHANGELOG.md Add patch entry rejecting invalid staged tarball manifest names/versions +39/-0

Add patch entry rejecting invalid staged tarball manifest names/versions

• Documents @pnpm/releasing.commands@1100.4.3: validates package names and versions from staged tarball manifests before deriving filenames for pnpm stage download.

releasing/commands/CHANGELOG.md


CHANGELOG.md Add patch entry for enableGlobalVirtualStore and manifest-less status fix +24/-0

Add patch entry for enableGlobalVirtualStore and manifest-less status fix

• Documents @pnpm/deps.status@1100.0.23: fixes enableGlobalVirtualStore toggle detection and avoids auto-install when dependency status is unavailable without a manifest.

deps/status/CHANGELOG.md


Documentation (2)
CHANGELOG.md Add pnpm 11.6.0 changelog entry +39/-0

Add pnpm 11.6.0 changelog entry

• Documents all minor and patch changes for 11.6.0: pnpr two-phase install, env-var expansion stop, registry signature verification for PM binaries, Node.js SHASUMS OpenPGP verification, allowBuilds identity enforcement, deterministic peer deduplication, bin-name guard, globalconfig fix, --color flag fix, enableGlobalVirtualStore fix, and store help clarification.

pnpm/CHANGELOG.md


CHANGELOG.md Add patch entry clarifying store integrity help text +6/-0

Add patch entry clarifying store integrity help text

• Documents @pnpm/cli.common-cli-options-help@1100.0.2: clarifies that store integrity checks are corruption detection, not a tamper boundary for untrusted store writers.

cli/common-cli-options-help/CHANGELOG.md


Other (15)
main.txt Record 18 new changesets as released in the ledger +18/-0

Record 18 new changesets as released in the ledger

• Appends 18 new changeset IDs (e.g. clean-package-manager-registries, pacquet-install-engine-identity, verify-node-runtime-shasums, etc.) to the released ledger for the main branch, marking them as consumed by this release.

.changeset-released/main.txt


package.json Bump pnpm version to 11.6.0 +1/-1

Bump pnpm version to 11.6.0

• Increments the main pnpm package version from 11.5.2 to 11.6.0.

pnpm/package.json


package.json Bump @pnpm/macos-arm64 artifact to 11.6.0 +1/-1

Bump @pnpm/macos-arm64 artifact to 11.6.0

• Version bump for the macOS ARM64 native binary artifact package.

pnpm/artifacts/darwin-arm64/package.json


package.json Bump @pnpm/exe artifact to 11.6.0 +1/-1

Bump @pnpm/exe artifact to 11.6.0

• Version bump for the cross-platform executable artifact package.

pnpm/artifacts/exe/package.json


package.json Bump @pnpm/linux-arm64 artifact to 11.6.0 +1/-1

Bump @pnpm/linux-arm64 artifact to 11.6.0

• Version bump for the Linux ARM64 native binary artifact package.

pnpm/artifacts/linux-arm64/package.json


package.json Bump @pnpm/linuxstatic-arm64 artifact to 11.6.0 +1/-1

Bump @pnpm/linuxstatic-arm64 artifact to 11.6.0

• Version bump for the Linux ARM64 musl static binary artifact package.

pnpm/artifacts/linux-arm64-musl/package.json


package.json Bump @pnpm/linux-x64 artifact to 11.6.0 +1/-1

Bump @pnpm/linux-x64 artifact to 11.6.0

• Version bump for the Linux x64 native binary artifact package.

pnpm/artifacts/linux-x64/package.json


package.json Bump @pnpm/linuxstatic-x64 artifact to 11.6.0 +1/-1

Bump @pnpm/linuxstatic-x64 artifact to 11.6.0

• Version bump for the Linux x64 musl static binary artifact package.

pnpm/artifacts/linux-x64-musl/package.json


package.json Bump @pnpm/win-arm64 artifact to 11.6.0 +1/-1

Bump @pnpm/win-arm64 artifact to 11.6.0

• Version bump for the Windows ARM64 native binary artifact package.

pnpm/artifacts/win32-arm64/package.json


package.json Bump @pnpm/win-x64 artifact to 11.6.0 +1/-1

Bump @pnpm/win-x64 artifact to 11.6.0

• Version bump for the Windows x64 native binary artifact package.

pnpm/artifacts/win32-x64/package.json


package.json Bump @pnpm/deps.security.signatures to 1101.2.0 +1/-1

Bump @pnpm/deps.security.signatures to 1101.2.0

• Minor version bump reflecting the new registry signature verification feature for package-manager binaries.

deps/security/signatures/package.json


package.json Bump @pnpm/crypto.shasums-file to 1100.1.0 +1/-1

Bump @pnpm/crypto.shasums-file to 1100.1.0

• Minor version bump for the new OpenPGP signature verification capability.

crypto/shasums-file/package.json


package.json Bump @pnpm/pnpr.client to 1.2.0 +1/-1

Bump @pnpm/pnpr.client to 1.2.0

• Minor version bump for the two-phase pnpr install flow and ndjson streaming fix.

pnpr/client/package.json


package.json Bump @pnpm/config.reader to 1101.7.0 +1/-1

Bump @pnpm/config.reader to 1101.7.0

• Minor version bump for the env-var expansion security change and associated config fixes.

config/reader/package.json


package.json Bump @pnpm/installing.deps-installer to 1101.8.0 +1/-1

Bump @pnpm/installing.deps-installer to 1101.8.0

• Minor version bump for the pnpr two-phase install integration.

installing/deps-installer/package.json


Grey Divider

Qodo Logo

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 10, 2026

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit aeee7b6

@zkochan zkochan changed the title chore(release): 11.6.0 chore(release): 11.5.3 Jun 10, 2026
@zkochan zkochan merged commit b7195db into main Jun 10, 2026
19 checks passed
@zkochan zkochan deleted the release-pr/main branch June 10, 2026 10:40
KSXGitHub pushed a commit that referenced this pull request Jun 10, 2026
Integrate the 9 commits main gained (#12271, #12294, #12301, #12303,
#12305, #12312, #12315, #12316, and the release/version bumps).

Conflict resolution: all four conflicts (record_lockfile_verified,
build_modules, hoisted_dep_graph, install) were between this branch's
lint edits and main's feature changes — took main's authoritative
versions; lint compliance is re-derived by re-running clippy in the
follow-up commit.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant