
pnpm 11.8

One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.8 introduces an install "dry run", Node.js package map generation and richer SBOM output, makes pnpm view default to the current package, and fixes the exit code of pnpm run --no-bail. It also fixes a path-traversal issue with config dependencies in the lockfile and includes several fixes for install/update determinism.

Minor Changes

pnpm install --dry-run

pnpm install now supports --dry-run. It performs full dependency resolution and reports the changes a real install would make, but writes nothing to disk: no lockfile or manifest is written and node_modules is not updated.

When the dry run finishes, the process exits with code 0, matching the behavior of npm install --dry-run (#7340).

Node.js package map

During isolated or hoisted installs, pnpm now generates a node_modules/.package-map.json file. The map describes how packages should resolve through the installed node_modules layout.

The new nodeExperimentalPackageMap setting injects the generated map into the Node.js script environment managed by pnpm by adding Node's --experimental-package-map option to the NODE_OPTIONS environment variable. The nodePackageMapType setting chooses between two map types: the standard map, which exposes only declared dependencies, and the loose map, which also maps packages that are reachable through the install layout.

SBOM improvements

pnpm sbom can now write the SBOM to a file with --out and generate a separate SBOM for each selected workspace package with --split; when --filter selects a single package, it uses that package's metadata as the root component.

CycloneDX output now marks components reachable only through devDependencies with scope: "excluded" and adds the cdx:npm:package:development property. Runtime components, including installed optional dependencies, keep the default required scope.

CLI behavior

pnpm run --no-bail now keeps running every matching script but exits with a non-zero code if any script fails. Recursive runs already behaved this way; non-recursive runs are now consistent with them (#8013).

pnpm view can now run without a package name. In that case it looks upward for the nearest project manifest and uses its name field.

Patch Changes

  • Security: validate configuration dependency names and versions from the lockfile before using them to build filesystem paths. A committed lockfile can no longer use configDependencies names or versions containing path-traversal sequences to write outside node_modules/.pnpm-config or the store directory. Names must be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.
  • Fixed pnpm update overriding the version-range policy of named catalogs when the catalog name itself looks like a version number (for example catalog:express4-21) (#10321).
  • Fixed link: workspace-protocol dependencies turning into the file: protocol after pnpm rm when injectWorkspacePackages: true is set and the target workspace dependency has dependencies of its own.
  • Stopped warning about matching packageManager and devEngines.packageManager values when both pin the same package manager, version, and integrity hash (#12028).
  • Fixed interactive progress output leaving characters behind when external processes write to the terminal, such as SSH passphrase prompts (#12350).
  • Fixed pnpm approve-builds missing packages whose build approval was revoked and then re-added (#12221).
  • Skipped the redundant Windows warning about an existing node.exe when it already matches the target (#12203).
  • Fixed macOS Gatekeeper blocking native binaries imported from the store by removing the com.apple.quarantine extended attribute from native binaries after import (#11056).
  • Fixed optimisticRepeatInstall incorrectly reporting "Already up to date" when only pnpm-lock.yaml changed, and fixed the same checks for git branch lockfiles (#12100).
  • Fixed recursive updates that mix transitive dependency patterns with direct dependency selectors, such as pnpm up -r "@babel/core" uuid (#12103).
  • Registered pnpm update --no-save in CLI help and option parsing.
  • Fixed pnpm import for Yarn v2 lockfiles when js-yaml v4 is installed.
  • Fixed repeated reinstall prompts when enableGlobalVirtualStore is enabled by keeping the virtual store directory recorded during post-install builds aligned with the install step (#12307).
  • Documented the --cpu, --os, and --libc flags in pnpm install --help (#12359).
  • Avoided reading README.md from disk during publish when the publish manifest already provides a readme field.
  • Fixed pnpm peers check rejecting loose peer dependency ranges that the installed peer satisfies (#12149).
  • Preserved workspace: dependencies that point at local paths during pnpm update (#3902).
  • Fixed a lockfile non-convergence case where incremental installs could keep a duplicate transitive dependency that a fresh install would remove.
  • pnpm install detects changes inside local file: dependencies and local tarballs again, bypassing the optimistic fast path for those projects (#11795).
  • Preserved the existing Node.js runtime version prefix when resolving node@runtime:<range> to a concrete version.
  • Shortened CAFS temporary package directories to leave room for lifecycle scripts that create IPC socket paths under TMPDIR.
  • Reporter output for pnpm store and pnpm config subcommands now goes to stderr, so scripts can safely capture stdout.
  • Avoided relinking unchanged child dependencies and removed stale child links during warm installs.
  • Fixed lockfile churn where transitivePeerDependencies could be dropped or shifted when a package participates in a dependency cycle (#5108).
  • Fixed pnpm install reporting "Already up to date" after a catalog entry in pnpm-workspace.yaml was reverted to a previous version (#12418).
  • Kept lockfile overrides that resolve through a catalog in sync when pnpm update bumps the catalog entry.
  • Fixed pnpm version --recursive so it honors workspace selection instead of always bumping every workspace package (#11348).