chore(deps): bump @pnpm/exportable-manifest from 7.0.3 to 1000.4.2 #9

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/pnpm/exportable-manifest-1000.4.2

@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps @pnpm/exportable-manifest from 7.0.3 to 1000.4.2.

Release notes

Sourced from @pnpm/exportable-manifest's releases.

pnpm 11 Beta 7

Major Changes

CLI Output

  • Use cleaner output for script execution. Print $ command instead of > pkg@version stage path\n> command. Show project name and path only when running in a different directory. The $ command line is printed to stderr to keep stdout clean for piping #11132.
  • During install, instead of rendering the full peer dependency issues tree, suggest running pnpm peers check to view the issues #11133.

Lifecycle Scripts

  • pnpm no longer populates npm_config_* environment variables from the pnpm config during lifecycle scripts. Only well-known npm_* env vars are now set, matching Yarn's behavior #11116.

Store

  • Runtime dependencies are always linked from the global virtual store #10233.
  • Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.
  • Store version bumped to v11.
  • Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.
  • Use SQLite for storing package index in the content-addressable store. Instead of individual JSON files under $STORE/index/, package metadata is now stored in a single SQLite database at $STORE/index.db with MessagePack-encoded values. This reduces filesystem syscall overhead, improves space efficiency for small metadata entries, and enables concurrent access via SQLite's WAL mode. Packages missing from the new index are re-fetched on demand #10500 #10826.

Global Packages

  • Global installs (pnpm add -g pkg) and pnpm dlx now use the global virtual store by default. Packages are stored at {storeDir}/links instead of per-project .pnpm directories. This can be disabled by setting enableGlobalVirtualStore: false #10694.

  • Isolated global packages. Each globally installed package (or group of packages installed together) now gets its own isolated installation directory with its own package.json, node_modules/, and lockfile. This prevents global packages from interfering with each other through peer dependency conflicts, hoisting changes, or version resolution shifts.

    Key changes:

    • pnpm add -g <pkg> creates an isolated installation in {pnpmHomeDir}/global/v11/{hash}/
    • pnpm remove -g <pkg> removes the entire installation group containing the package
    • pnpm update -g [pkg] re-installs packages in new isolated directories
    • pnpm list -g scans isolated directories to show all installed global packages
    • pnpm install -g (no args) is no longer supported; use pnpm add -g <pkg> instead

Configuration

  • Changed default values: optimisticRepeatInstall is now true, verifyDepsBeforeRun is now install, and minimumReleaseAge is now 1440 (1 day). Newly published packages will not be resolved until they are at least 1 day old. This protects against supply chain attacks by giving the community time to detect and remove compromised versions. To opt out, set minimumReleaseAge: 0 in pnpm-workspace.yaml #11158.

  • pnpm config get (without --json) no longer prints INI formatted text. Instead, it would print JSON for both objects and arrays and raw string for strings, numbers, booleans, and nulls. pnpm config get --json would still print all types of values as JSON like before.

  • pnpm config get <array> now prints a JSON array.

  • pnpm config list now prints a JSON object instead of INI formatted text.

  • pnpm config list and pnpm config get (without argument) now hide auth-related settings.

  • pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase. Exception: Keys that start with @ or // would be preserved (their cases don't change).

  • pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).

  • pnpm no longer reads all settings from .npmrc. Only auth and registry settings are read from .npmrc files. All other settings (like hoistPattern, nodeLinker, shamefullyHoist, etc.) must be configured in pnpm-workspace.yaml or the global ~/.config/pnpm/config.yaml #11189.

    pnpm no longer reads npm_config_* environment variables. Use pnpm_config_* environment variables instead (e.g., pnpm_config_registry instead of npm_config_registry).

... (truncated)

Commits

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 6, 2026
@coryrylan coryrylan force-pushed the main branch 2 times, most recently from 9e4fea4 to 340ad3f April 6, 2026 22:27
Bumps [@pnpm/exportable-manifest](https://github.com/pnpm/pnpm) from 7.0.3 to 1000.4.2.
- [Release notes](https://github.com/pnpm/pnpm/releases)
- [Commits](https://github.com/pnpm/pnpm/commits)

---
updated-dependencies:
- dependency-name: "@pnpm/exportable-manifest"
  dependency-version: 1000.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/pnpm/exportable-manifest-1000.4.2 branch from 11d6cce to 7c32f5a April 6, 2026 22:29
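
The new minimumReleaseAge default quoted in the release notes above (1440, i.e. 1 day) works as an age gate on version resolution. The following is an added example, not pnpm's code and not part of this PR: it assumes the gate compares each version's publish timestamp in the registry packument's `time` map with the current time, in minutes, and `samplePackument`, `eligibleVersions`, `compareVersions` and `newestEligible` are hypothetical names.

```javascript
// Added illustration; not pnpm's implementation.
const MINUTE_MS = 60 * 1000;

// Constructed sample: the `time` map of a registry packument
// (version -> publish timestamp) for a hypothetical package.
const samplePackument = {
  name: 'example-pkg',
  time: {
    created: '2026-01-01T00:00:00.000Z',
    modified: '2026-04-06T09:00:00.000Z',
    '1.0.0': '2026-01-01T00:00:00.000Z',
    '1.1.0': '2026-03-20T12:00:00.000Z',
    '1.2.0': '2026-04-06T09:00:00.000Z', // 13 hours old at SAMPLE_NOW
    '1.3.0': 'not-a-date',               // malformed metadata
  },
};
const SAMPLE_NOW = new Date('2026-04-06T22:00:00.000Z');

// Versions whose publish time is at least `minimumReleaseAge` minutes old.
function eligibleVersions(packument, minimumReleaseAge, now) {
  const cutoff = now.getTime() - minimumReleaseAge * MINUTE_MS;
  return Object.entries(packument.time)
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key)) // skips created/modified
    .filter(([, published]) => {
      const t = Date.parse(published);
      return Number.isFinite(t) && t <= cutoff; // unparseable dates fail closed
    })
    .map(([version]) => version);
}

// Numeric compare of plain x.y.z versions (prerelease tags are out of scope).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Highest version that has passed the age gate, or null if none has.
function newestEligible(packument, minimumReleaseAge, now) {
  const versions = eligibleVersions(packument, minimumReleaseAge, now);
  return versions.sort(compareVersions).pop() ?? null;
}

console.log(newestEligible(samplePackument, 1440, SAMPLE_NOW));
console.log(newestEligible(samplePackument, 0, SAMPLE_NOW));
```

With the 1440-minute default the 13-hour-old 1.2.0 is held back and 1.1.0 is chosen; with the opt-out value 0 the gate no longer excludes it.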