pnpm 11.10

· 1 min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.10 adds the _auth setting for CI-friendly registry authentication, new pnpm prefix and pnpm issues commands, and the ability for pnpm self-update to install pnpm v12 (the Rust port). It also improves pnpm up accuracy, speeds up resolution against registries that ignore abbreviated metadata, and hardens global package management, pnpm deploy, and pnpm pack-app.

Minor Changes

The _auth setting for CI

pnpm now supports an _auth setting for configuring registry authentication as a single structured, URL-keyed value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable.

The env form sidesteps a long-standing limitation: environment variable names containing /, :, or . are silently dropped by GitHub Actions, bash, and zsh, which broke the existing pnpm_config_//host/:_authToken=… form. The _auth env variable has an ordinary name, so it survives:

export pnpm_config__auth='{"https://registry.npmjs.org":{"@":{"authToken":"npm-token"},"@org":{"authToken":"org-token"}}}'

The equivalent in the global config.yaml:

_auth:
  https://registry.npmjs.org:
    "@":
      authToken: npm-token
    "@org":
      authToken: org-token

Within each registry URL, @ means registry-wide credentials and a scope like @org binds credentials to that scope on the same host. Because the credential and its destination host arrive together in one trusted value, a repo-controlled pnpm-workspace.yaml or .npmrc cannot redirect the token to a different host — _auth is honored only from the environment variable and the global config, never from project files. Closes #12314.

pnpm self-update can install pnpm v12 (the Rust port)

pnpm self-update and packageManager version-switching can now install and link pnpm v12, the Rust port, published under both the pnpm and @pnpm/exe names on the next-12 dist-tag:

pnpm self-update next-12

Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — there is no Node.js launcher, so the command pays no Node.js startup cost. From v12 onward the install converges on the unscoped pnpm package (the Rust executable), even when updating from the SEA @pnpm/exe build.

pnpm prefix

The new pnpm prefix command prints the current package prefix directory, or the global prefix directory with -g / --global.

pnpm issues

pnpm issues is now an alias of pnpm bugs, opening the package's bug tracker URL in the browser.

JSON output for web authentication

When OTP is required in a non-interactive terminal, the web authentication authUrl and doneUrl are now exposed in JSON error output (#12724).

Patch Changes

  • Fixed pnpm up -r <pkg> bumping unrelated packages that have open semver ranges. The install layer now always seeds preferredVersions from the lockfile, so packages with ^x.y.z ranges no longer re-resolve to newer compatible versions when you only asked to update a specific package (#10662).
  • Fixed pnpm up <pkg> producing a different result than a fresh install of the same manifests. The targeted package now re-resolves exactly as if its lockfile entries were deleted, while preferred versions a fresh install would apply stay in effect.
  • pnpm update <dep>@<version> now prints a warning when <dep> is only present as a transitive dependency, recommending pnpm.overrides instead (#12744).
  • Sped up resolution and reduced memory use against registries that ignore npm's abbreviated metadata format and always return the full package document (for example, Azure DevOps Artifacts). pnpm strips such documents down to the abbreviated field set before caching them.
  • Sped up offline and --prefer-offline resolution on large workspaces. Package metadata loaded from the local cache is now kept in memory, so each package's metadata is parsed once per command instead of once per dependent.
  • Hardened global package management: bins are cleaned up correctly on Windows (node.exe flavor), pnpm add -g pnpm@<version> is rejected in favor of pnpm self-update, dependency aliases from a global manifest are validated before being joined onto paths, each install group gets its own fresh directory, and removing a global package no longer unlinks a bin belonging to a different one.
  • Hardened pnpm deploy --force so it refuses unsafe deploy targets such as workspace roots, parent directories, out-of-workspace paths, and symlinked target parents.
  • pnpm pack-app now rejects --entry / --output-dir values that are absolute or escape the project directory, refuses to overwrite a non-regular target file, and resolves the macOS codesign / ldid signers outside the project so a repo-controlled node_modules/.bin cannot hijack them. New error codes: ERR_PNPM_PACK_APP_ENTRY_OUTSIDE_PROJECT, ERR_PNPM_PACK_APP_OUTPUT_DIR_OUTSIDE_PROJECT, ERR_PNPM_PACK_APP_OUTPUT_FILE_NOT_REGULAR.
  • pnpm pack and pnpm publish no longer follow a symlinked workspace LICENSE when injecting it into a package, and no longer fail when prepack generates included files that postpack cleans up.
  • pnpm now rejects jsr: and named-registry (e.g. gh:) specifiers whose package name is not a valid npm package name, with ERR_PNPM_INVALID_JSR_PACKAGE_NAME / ERR_PNPM_INVALID_NAMED_REGISTRY_PACKAGE_NAME, instead of silently producing a malformed name.
  • Fixed a prototype-pollution hazard when seeding preferred versions: a dependency named __proto__ in a manifest or lockfile can no longer write through Object.prototype.
  • Relative paths in patchedDependencies are now resolved against the lockfile directory when computing patch file hashes, so running pnpm install from a subdirectory no longer fails with ENOENT (#12762).
  • pnpm peers no longer reports a conflict for a missing peer dependency that is ignored via pnpm.peerDependencyRules.ignoreMissing.
  • Fixed the topological order of --filtered commands when selected projects depend on each other only transitively through unselected projects. This now also holds for --filter-prod and mixed selections (#8335).
  • pnpm no longer warns about ignored project-level auth settings when PNPM_CONFIG_NPMRC_AUTH_FILE points at the project .npmrc — an explicit opt-in to trusting it (#12480).
  • When a dependency cannot be found in the registry (404) and a workspace project with the same name exists only at non-matching versions, the error now reports the available workspace versions (ERR_PNPM_NO_MATCHING_VERSION_INSIDE_WORKSPACE) (#1379).
  • When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request — only the Authorization header identifying the caller to pnpr is sent.
  • Added the Node.js release team's new signing key (Stewart X Addison) to the embedded Node.js release keys, so runtimes whose SHASUMS256.txt is signed by the new releaser verify successfully.
  • node-gyp's gyp_main.py and gyp entrypoints are now packed with the executable bit in the pnpm and @pnpm/exe tarballs, so building native addons from source no longer fails with a permission error.
  • Fixed shell tab completion not suggesting workspaces after the -F alias for --filter.
  • Restored differential rendering (ansi-diff) to fix duplicated output lines.