pnpm 11.9
pnpm 11.9 computes missing tarball integrity hashes for registries that cannot publish checksums, adds the pnpm sbom --exclude-peers option, improves pnpm audit performance on lockfiles with dependency cycles, fixes nondeterministic peer resolution, and tightens the exclusion logic for minimumReleaseAge and trustPolicy.
Minor changes
Integrity for generated registry tarballs
Some registries generate tarballs on demand and cannot provide an integrity checksum in the package metadata. pnpm now computes the integrity value from the downloaded tarball and stores it in the lockfile, so that subsequent installs can verify that entry.
This also applies to --lockfile-only: pnpm downloads the tarball when necessary to obtain and record its integrity. If a lockfile entry still lacks integrity information, lockfile verification fails with ERR_PNPM_MISSING_TARBALL_INTEGRITY rather than silently refetching.
pnpm sbom --exclude-peers
pnpm sbom now supports --exclude-peers. When auto-install-peers is enabled, peer dependencies are resolved and written to the lockfile, and in the SBOM they look no different from regular dependencies. This flag removes peer dependencies together with the transitive dependency subtrees that are reachable only through them.
The flag name matches pnpm list --exclude-peers, but the handling in the SBOM is stricter, because CycloneDX 1.7 lacks a concise way to represent a peer dependency that is provided by the consumer.
Patch changes
- pnpm audit --fix now writes one combined minimumReleaseAgeExclude entry per package, such as axios@0.18.1 || 0.21.1, matching the documented setting format. Existing per-version entries are merged into the combined form (#12534).
- Fixed nondeterministic peer resolution that could add or remove an optional transitive peer from a package's peer-dependency suffix across identical installs, causing lockfile churn and intermittent pnpm dedupe --check failures.
- Fixed Windows pnpm dlx flakiness where cleanup of a failed install could mask the original error with EBUSY.
- Shortened the pnpm dlx cache path so deep dependency trees are less likely to exceed Windows MAX_PATH.
- Fixed pnpm hanging or crashing with an unhandled rejection when a non-retryable network error, such as SELF_SIGNED_CERT_IN_CHAIN, occurs while fetching from a registry.
- Fixed a pnpm audit performance regression on lockfiles with dependency cycles. Reachability is now computed with Tarjan's strongly connected components algorithm, and the path walk no longer recurses, keeping time and memory linear in cyclic graphs (#12212).
- Fixed failed optional dependency updates rewriting unrelated dependency specs (#11267).
- When enableGlobalVirtualStore is turned on for a project previously installed without it, stale hoisted symlinks under node_modules/.pnpm/node_modules are now replaced (#9739).
- Fixed pnpm install --ignore-workspace overwriting the allowBuilds map in pnpm-workspace.yaml (#12469).
- Fixed minimumReleaseAgeExclude and trustPolicyExclude so multiple exact-version entries for the same package behave like a single || disjunction entry (#12463).
- Populated the in-memory package metadata cache on the exact-version disk fast path, avoiding repeated disk reads during large monorepo installs. The cache key now includes the registry, so the same package name from different registries cannot share cached metadata.
- Fixed pnpm patch dropping the package name and leaking internal option fields when the patched dependency resolves to a single git-hosted version.
- Moved pnpr resolver endpoints under the reserved /-/pnpr namespace: POST /v1/resolve is now POST /-/pnpr/v0/resolve, and POST /v1/verify-lockfile is now POST /-/pnpr/v0/verify-lockfile.
- Removing a runtime dependency now removes the matching devEngines.runtime or engines.runtime entry that was materialized from it. Blank runtime selectors are normalized to latest.
- pnpm sbom now emits a CycloneDX issue-tracker external reference for components whose package.json declares a bugs URL.
- Added @pnpm/resolving.tarball-url, which builds and recognizes canonical npm tarball URLs. Custom pnpmfile resolvers can use it to rewrite proxy tarball URLs to canonical registry URLs so host-specific URLs are not persisted to the lockfile.
- Lockfile verification no longer reports registry metadata fetch failures as ERR_PNPM_TARBALL_URL_MISMATCH. The install now aborts with the registry fetch error, and registry fetch errors no longer leak basic-auth credentials embedded in the registry URL.
