pnpm 10.25
pnpm 10.25 improves certificate handling, adds a bare pnpm init, and ships several quality-of-life fixes.
pnpm now scales network concurrency automatically on high-core machines and ships several reliability fixes.
Added --lockfile-only option to pnpm list and various improvements to pnpm self-update.
Added support for excluding packages from trust policy and overriding the engines field on publish.
Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.
This release adds a --all flag for the pnpm help command to print all commands.
This release adds version-scoped controls to two settings: onlyBuiltDependencies and minimumReleaseAgeExclude.
Added network performance monitoring to pnpm by implementing warnings for slow network requests, including both metadata fetches and tarball downloads.
Added configuration options for warning thresholds: fetchWarnTimeoutMs and fetchMinSpeedKiBps.
Warning messages are displayed when requests exceed time thresholds or fall below speed minimums.
Related PR: #10025.
minimumReleaseAge configuration #10030.
cleanupUnusedCatalogs configuration when removing dependent packages.
scriptShell is set to false #8748.
pnpm dlx should not fail when minimumReleaseAge is set #10037.
The minimumReleaseAgeExclude setting now supports patterns.
There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.
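The idea behind the delay setting, as an added example (not pnpm's own code): given registry metadata with per-version publish times, keep only versions older than minimumReleaseAge, unless the package matches a minimumReleaseAgeExclude pattern. It assumes the age is expressed in minutes and that patterns use `*` as a wildcard; the function names and sample metadata are constructed for illustration.

```javascript
// Added illustration of a release-age gate; not pnpm's implementation.
const MINUTE_MS = 60_000;

// Turn an exclude pattern such as "@myorg/*" into an anchored RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except "*"
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  return new RegExp(`^${escaped}$`);
}

function isExcluded(name, patterns) {
  return patterns.some((p) => patternToRegExp(p).test(name));
}

// Return the versions old enough to install at time `now` (ms since epoch).
function eligibleVersions(packument, settings, now) {
  const { minimumReleaseAge = 0, minimumReleaseAgeExclude = [] } = settings;
  const versions = Object.keys(packument.versions);
  if (minimumReleaseAge <= 0 || isExcluded(packument.name, minimumReleaseAgeExclude)) {
    return versions;
  }
  const cutoff = now - minimumReleaseAge * MINUTE_MS;
  return versions.filter((v) => {
    const published = Date.parse(packument.time[v]);
    // Fail closed: a missing or unparsable timestamp is treated as too new.
    return Number.isFinite(published) && published <= cutoff;
  });
}

// Constructed sample metadata in the shape of an npm registry document.
const samplePackument = {
  name: "example-lib",
  versions: { "1.0.0": {}, "1.0.1": {}, "1.0.2": {}, "1.0.3": {} },
  time: {
    "1.0.0": "2024-12-01T00:00:00Z",
    "1.0.1": "2025-01-09T11:00:00Z", // 25 hours before sampleNow
    "1.0.2": "2025-01-10T11:30:00Z", // 30 minutes before sampleNow
    // "1.0.3" deliberately has no timestamp
  },
};
const sampleNow = Date.parse("2025-01-10T12:00:00Z");

// With a one-day delay, the 30-minute-old and untimestamped versions are held back.
console.log(eligibleVersions(samplePackument, { minimumReleaseAge: 1440 }, sampleNow));
```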