Improvements to the worst package manager#199
Merged
zkochan merged 1 commit intopnpm:masterfrom Dec 15, 2025
Merged
Conversation
This was referenced Dec 15, 2025
Contributor
Author
|
Since this is going to take a while to do and not just do, but also the time it will take to update to use a newer version which has the uses pinned, I'll create and update the below list of the PRs to check the overall progress: actions/checkout#2346 |
This was referenced Dec 15, 2025
Member
|
That's a very provocative title to use in an org of a package manager. |
zkochan
approved these changes
Dec 15, 2025
This was referenced Dec 15, 2025
LinnJS
added a commit
to suncoast-innovation-guild/action-setup
that referenced
this pull request
Feb 15, 2026
* Fix multiline run_install example in README.md (pnpm#167) * Remove --frozen-lockfile from examples (pnpm#171) * feat: support installation from custom NPM registry (pnpm#179) copy .npmrc from GitHub workspace if it exists so that PNPM respects custom registry configurations when self-installing * Update README.md (pnpm#175) fix the string run_install example * Remove unused `@types/node-fetch` dependency (pnpm#186) * Clarify that package_json_file is relative to GITHUB_WORKSPACE (pnpm#184) * Clarify that package_json_file is relative to GITHUB_WORKSPACE Clarify the description for package_json_file parameter to specify that the path must be relative to the repository root. * Apply suggestion from @zkochan --------- Co-authored-by: Zoltan Kochan <z@kochan.io> * feat: store caching (pnpm#188) * add pnpm store caching * style: format * no semicolons * no star imports * import order * style: no star imports --------- Co-authored-by: khai96_ <hvksmr1996@gmail.com> * refactor: remove star imports (pnpm#196) * fix(ci): exclude macos (pnpm#197) * ci: pin github actions (pnpm#199) * fix: regenerate lockfile to match package.json overrides * fix(security): override fast-xml-parser to >=5.3.4 Resolves GHSA-37qj-frw5-hhjh (RangeError DoS via numeric entities) in transitive dependency @actions/cache > @azure/storage-blob > @azure/core-xml > fast-xml-parser. * fix: resolve lint, build, and security audit failures - Fix prefer-const lint error in cache-restore/run.ts - Override undici to >=6.23.0 (GHSA-g9mf-h72j-4rw9) - Rebuild dist to match source changes * fix(ci): exclude dist from CodeQL analysis dist/index.js is generated by ncc bundling — CodeQL flags dependency code as security issues. Ignore the dist directory since it's not source code. --------- Co-authored-by: Matthias <matthias.dailey@gmail.com> Co-authored-by: Adrian Riedel <Eynorey@users.noreply.github.com> Co-authored-by: Roman Usherenko <roman.usherenko@gmail.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Chris Martin <ch.martin@gmail.com> Co-authored-by: Zoltan Kochan <z@kochan.io> Co-authored-by: Jeremiasz Major <jrh.mjr@gmail.com> Co-authored-by: khai96_ <hvksmr1996@gmail.com> Co-authored-by: Boosted-Bonobo <boostedbonobo1@outlook.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I was surprised to see that this article is right.
This pull request aims to improve the ecosystem as this is quite a commonly used github action.
I'd also like to refer you to immutable releases which should be done from now on.