
pnpm 11.9

· One minute read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.9 computes the missing tarball integrity hash for registries that cannot publish checksums, adds a pnpm sbom --exclude-peers option, improves audit performance on lockfiles with dependency cycles, fixes nondeterministic peer-dependency resolution, and tightens the exclusion logic of minimumReleaseAgeExclude and trustPolicyExclude.

Minor Changes

Integrity verification for generated registry tarballs

Some registries generate tarballs on demand and cannot provide an integrity checksum in the package metadata. pnpm now computes the integrity value from the downloaded tarball and stores it in the lockfile, so that later installs can verify the entry against it.

The same applies to --lockfile-only: pnpm downloads the tarball when necessary so that it can obtain and record the integrity value. If a lockfile entry still has no integrity, lockfile verification fails with ERR_PNPM_MISSING_TARBALL_INTEGRITY instead of silently refetching the tarball.

pnpm sbom --exclude-peers

pnpm sbom now supports --exclude-peers. When auto-install-peers is enabled, peer dependencies are resolved and written to the lockfile, and in the SBOM they look no different from ordinary dependencies. The flag removes the peer dependencies together with the transitive dependency subtrees that are reachable only through them.

The flag name matches pnpm list --exclude-peers, but the handling in the SBOM is stricter, because CycloneDX 1.7 has no concise way to represent peer dependencies that are supplied by the consumer.
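
The pruning rule above, as an added example that is not pnpm's own code: walk the resolved graph from the importer, following peer edges or not depending on the flag, and keep only what the walk reached. A package that is a peer of one package but a regular dependency of another survives; a package that is only ever reached through a peer edge drops out along with its exclusive subtree. The graph is constructed to look like a resolved lockfile with auto-install-peers on and the function names are this example's assumptions.

```javascript
// Added example, not pnpm's own code: dropping peer dependencies and the
// subtrees reachable only through them from an SBOM's component set.
// Constructed graph, not a real pnpm-lock.yaml: '.' is the importer.
const SAMPLE_GRAPH = {
  '.': { dependencies: ['react-dom@18.2.0', 'lodash@4.17.21'], peerDependencies: [] },
  'react-dom@18.2.0': { dependencies: ['scheduler@0.23.0'], peerDependencies: ['react@18.2.0'] },
  'react@18.2.0': { dependencies: ['loose-envify@1.4.0'], peerDependencies: [] },
  'scheduler@0.23.0': { dependencies: ['loose-envify@1.4.0'], peerDependencies: [] },
  'loose-envify@1.4.0': { dependencies: ['js-tokens@4.0.0'], peerDependencies: [] },
  'js-tokens@4.0.0': { dependencies: [], peerDependencies: [] },
  'lodash@4.17.21': { dependencies: [], peerDependencies: [] },
};

// Edges the walk is allowed to follow. With excludePeers, peer edges are not
// followed, so a package reachable only as a peer is never visited.
function outgoing(graph, id, excludePeers) {
  const node = graph[id];
  return excludePeers ? node.dependencies : [...node.dependencies, ...node.peerDependencies];
}

// Returns a minimal CycloneDX-shaped view: sorted component refs plus a
// dependency list whose dependsOn only names components that survived.
function collectSbomComponents(graph, { excludePeers = false } = {}) {
  const keep = new Set();
  const stack = ['.'];
  while (stack.length > 0) {
    const id = stack.pop();
    if (keep.has(id)) continue;
    keep.add(id);
    for (const dep of outgoing(graph, id, excludePeers)) stack.push(dep);
  }
  keep.delete('.'); // the importer itself is not a component
  const components = [...keep].sort();
  const dependencies = components.map((ref) => ({
    ref,
    dependsOn: outgoing(graph, ref, excludePeers).filter((d) => keep.has(d)).sort(),
  }));
  return { components, dependencies };
}

// Stand-alone run: react drops out, loose-envify stays (scheduler needs it).
console.log(collectSbomComponents(SAMPLE_GRAPH).components);
console.log(collectSbomComponents(SAMPLE_GRAPH, { excludePeers: true }).components);
```

Without the flag, react appears in react-dom's dependsOn exactly like scheduler does, which is the indistinguishability the passage describes; with the flag it is gone entirely rather than marked as consumer-supplied.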

Patch Changes

  • pnpm audit --fix now writes one combined minimumReleaseAgeExclude entry per package, such as axios@0.18.1 || 0.21.1, matching the documented setting format. Existing per-version entries are merged into the combined form (#12534).
  • Fixed nondeterministic peer resolution that could add or remove an optional transitive peer from a package's peer-dependency suffix across identical installs, causing lockfile churn and intermittent pnpm dedupe --check failures.
  • Fixed Windows pnpm dlx flakiness where cleanup of a failed install could mask the original error with EBUSY.
  • Shortened the pnpm dlx cache path so deep dependency trees are less likely to exceed Windows MAX_PATH.
  • Fixed pnpm hanging or crashing with an unhandled rejection when a non-retryable network error, such as SELF_SIGNED_CERT_IN_CHAIN, occurs while fetching from a registry.
  • Fixed a pnpm audit performance regression on lockfiles with dependency cycles. Reachability is now computed with Tarjan's strongly connected components algorithm, and the path walk no longer recurses, keeping time and memory linear in cyclic graphs (#12212).
  • Fixed failed optional dependency updates rewriting unrelated dependency specs (#11267).
  • When enableGlobalVirtualStore is turned on for a project previously installed without it, stale hoisted symlinks under node_modules/.pnpm/node_modules are now replaced (#9739).
  • Fixed pnpm install --ignore-workspace overwriting the allowBuilds map in pnpm-workspace.yaml (#12469).
  • Fixed minimumReleaseAgeExclude and trustPolicyExclude so multiple exact-version entries for the same package behave like a single || disjunction entry (#12463).
  • Populated the in-memory package metadata cache on the exact-version disk fast path, avoiding repeated disk reads during large monorepo installs. The cache key now includes the registry, so the same package name from different registries cannot share cached metadata.
  • Fixed pnpm patch dropping the package name and leaking internal option fields when the patched dependency resolves to a single git-hosted version.
  • Moved pnpr resolver endpoints under the reserved /-/pnpr namespace: POST /v1/resolve is now POST /-/pnpr/v0/resolve, and POST /v1/verify-lockfile is now POST /-/pnpr/v0/verify-lockfile.
  • Removing a runtime dependency now removes the matching devEngines.runtime or engines.runtime entry that was materialized from it. Blank runtime selectors are normalized to latest.
  • pnpm sbom now emits a CycloneDX issue-tracker external reference for components whose package.json declares a bugs URL.
  • Added @pnpm/resolving.tarball-url, which builds and recognizes canonical npm tarball URLs. Custom pnpmfile resolvers can use it to rewrite proxy tarball URLs to canonical registry URLs so host-specific URLs are not persisted to the lockfile.
  • Lockfile verification no longer reports registry metadata fetch failures as ERR_PNPM_TARBALL_URL_MISMATCH. The install now aborts with the registry fetch error, and registry fetch errors no longer leak basic-auth credentials embedded in the registry URL.
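
The two URL-handling items above (canonical tarball URLs so host-specific proxy URLs are not persisted to the lockfile, and registry fetch errors that do not leak embedded basic-auth credentials), as one added example. This is not the @pnpm/resolving.tarball-url API or pnpm's error formatting; the function names, the proxy hosts and the URL samples are this example's assumptions.

```javascript
// Added example, not pnpm's code: recognize the canonical npm tarball URL
// shape on any host, rewrite a proxy URL to the canonical registry, and
// redact userinfo before a registry URL is put into an error message.

// Canonical shape: <registry>/<name>/-/<unscoped-name>-<version>.tgz
function canonicalTarballUrl(registry, name, version) {
  const base = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
  return `${registry.replace(/\/+$/, '')}/${name}/-/${base}-${version}.tgz`;
}

// Recognize that shape regardless of host or leading path prefix (proxies
// such as Artifactory add one). Returns { name, version } or null.
function parseTarballUrl(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  const m = /^(.*?)\/((?:@[^/]+\/)?[^/@]+)\/-\/([^/]+)\.tgz$/.exec(u.pathname);
  if (!m) return null;
  const [, , name, file] = m;
  const base = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
  if (!file.startsWith(`${base}-`)) return null;
  const version = file.slice(base.length + 1);
  return /^\d/.test(version) ? { name, version } : null;
}

// Rewrite a proxy tarball URL to the canonical registry. URLs that do not
// follow the canonical shape are returned unchanged (custom tarballs).
function rewriteToCanonical(url, canonicalRegistry) {
  const parsed = parseTarballUrl(url);
  return parsed ? canonicalTarballUrl(canonicalRegistry, parsed.name, parsed.version) : url;
}

// Replace embedded userinfo so a logged or thrown URL never carries a secret.
function redactUrl(url) {
  let u;
  try { u = new URL(url); } catch { return url; }
  if (u.username || u.password) {
    u.username = '***';
    u.password = '***';
  }
  return u.toString();
}

// Error text for a failed registry fetch, built only from the redacted URL.
function formatFetchError(url, cause) {
  return `Failed to fetch ${redactUrl(url)}: ${cause}`;
}

// Stand-alone run with constructed URLs.
console.log(rewriteToCanonical('https://npm.proxy.example/api/npm/npm-remote/lodash/-/lodash-4.17.21.tgz', 'https://registry.npmjs.org'));
console.log(formatFetchError('https://user:s3cret@registry.example.com/foo', 'SELF_SIGNED_CERT_IN_CHAIN'));
```

A pnpmfile resolver would apply rewriteToCanonical to the tarball URL it receives before returning it, so the lockfile records the registry form and not the proxy host; formatFetchError is the pattern to follow anywhere a registry URL reaches a log or an exception.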