chore(release): 11.5.3 #12305
CodeRabbit: Review skipped. Too many files! This PR contains 300 files, which is 150 over the limit of 150. To get a review, narrow the scope. Configuration used: Organization UI Review profile: CHILL, Plan: Pro Plus. Files selected for processing: 300.
Code Review by Qodo
1. Stale packageManager pin
PR Summary by Qodo

chore(release): pnpm v11.6.0

Description

- **Security hardening**: verifies npm registry signatures of package-manager binaries (pacquet, pnpm self-update) and OpenPGP signatures of Node.js SHASUMS256.txt before execution; stops env-var expansion in repo-controlled registry/proxy URLs and credentials.
- **pnpr accelerator refactor**: two-phase flow — server resolves lockfile only, client fetches tarballs directly from registries in parallel (eliminates bandwidth bottleneck on cold/WAN installs); pnpr client now reads POST /v1/resolve as ndjson stream.
- **allowBuilds identity enforcement**: package-name entries can no longer approve lifecycle scripts for git/tarball/directory artifacts; lockfile verification rejects name@semver dep-paths backed by non-registry resolutions (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH).
- **Bug fixes**: pnpm config get globalconfig returns correct path; bare --color flag no longer consumes the next CLI flag; enableGlobalVirtualStore toggle now included in workspace state check; peer-dependent deduplication made deterministic.
- **Deprecation warning**: $ version reference syntax in overrides now warns; reserved bin names ("", ".", "..") rejected to prevent global bin-dir deletion; packageManagerDependencies no longer written when onFail: ignore.
- Bumps pnpm from 11.5.2 → 11.6.0 and cascades version bumps across ~130 internal packages.
Diagram

```mermaid
graph TD
pnpm["pnpm 11.6.0"] --> config["@pnpm/config.reader\n1101.7.0 minor"]
pnpm --> sigs["@pnpm/deps.security.signatures\n1101.2.0 minor"]
pnpm --> shasums["@pnpm/crypto.shasums-file\n1100.1.0 minor"]
pnpm --> pnprclient["@pnpm/pnpr.client\n1.2.0 minor"]
pnpm --> installer["@pnpm/installing.deps-installer\n1101.8.0 minor"]
config -->|"stops env-var expansion\nin registry URLs"| sec1(["Security: registry\ncredential isolation"])
sigs -->|"verifies npm signatures\nbefore binary exec"| sec2(["Security: PM binary\nsignature check"])
shasums -->|"verifies OpenPGP sig\nof SHASUMS256.txt"| sec3(["Security: Node.js\nruntime integrity"])
pnprclient -->|"resolve-only phase\n+ ndjson streaming"| perf(["Perf: two-phase\npnpr install"])
installer -->|"allowBuilds identity\nenforcement"| sec4(["Security: build\npolicy hardening"])
subgraph Legend
direction LR
_pkg["Package"] ~~~ _feat(["Feature / Outcome"])
end
```
High-Level Assessment

This is an automated release PR generated by the create-release-pr workflow. The approach — consuming changesets, bumping ~130 package versions, and recording them in the ledger — is the standard and optimal release process for this monorepo. No alternative approach is warranted.

File Changes

- Enhancement (8)
- Bug fix (5)
- Documentation (2)
- Other (15)
Code review by Qodo was updated up to the latest commit aeee7b6
Integrate the 9 commits main gained (#12271, #12294, #12301, #12303, #12305, #12312, #12315, #12316, and the release/version bumps). Conflict resolution: all four conflicts (record_lockfile_verified, build_modules, hoisted_dep_graph, install) were between this branch's lint edits and main's feature changes — took main's authoritative versions; lint compliance is re-derived by re-running clippy in the follow-up commit.
Automated release PR created by the create-release-pr workflow.
Releasing `main` as pnpm v11.5.3. Merging this PR consumes the pending changesets and records them in the `.changeset-released` ledger under `main`.