
pnpm 11.9

· 4 min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.9 computes missing tarball integrity for registries that cannot publish checksums, adds pnpm sbom --exclude-peers, improves audit performance on cyclic lockfiles, fixes peer-resolution nondeterminism, and tightens exclusion handling for minimumReleaseAge and trustPolicy.

Minor Changes

Integrity for generated registry tarballs

Some registries generate tarballs on demand and cannot provide an integrity checksum in package metadata. pnpm now computes the integrity from the downloaded tarball and stores it in the lockfile, so later installs can verify that the tarball they fetch matches the one that was resolved. The first download is necessarily taken on trust (there is nothing to compare it against); what the stored value buys is that every subsequent install is pinned to that exact content.

This also applies to --lockfile-only: pnpm downloads the tarball when needed so the lockfile can include its integrity. If a lockfile entry is still missing integrity, lockfile verification rejects it with ERR_PNPM_MISSING_TARBALL_INTEGRITY instead of silently refetching.

pnpm sbom --exclude-peers

pnpm sbom now supports --exclude-peers. With auto-install-peers enabled, peer dependencies are resolved into the lockfile and otherwise look like regular dependencies in an SBOM. The flag removes peer dependencies and any transitive subtree reachable only through them.

The flag name matches pnpm list --exclude-peers; the SBOM behavior is stricter because CycloneDX 1.7 has no clean way to represent a consumer-provided peer relationship.
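The pruning rule above, as an added example (not pnpm's code): a constructed lockfile-like graph with regular and resolved peer edges, a reachability walk from the project roots, and the difference the flag makes. The package names and versions are made up.

```javascript
// Added example, not pnpm's own code: emit SBOM components from a
// lockfile-like graph, optionally dropping resolved peer dependencies and any
// subtree that is reachable only through a peer edge.

// Constructed graph. `deps` are regular dependencies; `peers` are peer
// dependencies that auto-install-peers resolved into the lockfile. Package
// names and versions are made up for the example.
const LOCKFILE_GRAPH = {
  'app@1.0.0':        { deps: ['ui-kit@2.0.0', 'env-shim@1.4.0'], peers: [] },
  'ui-kit@2.0.0':     { deps: ['classnames@2.5.0'], peers: ['framework@18.0.0'] },
  'framework@18.0.0': { deps: ['env-shim@1.4.0', 'scheduler@0.23.0'], peers: [] },
  'env-shim@1.4.0':   { deps: ['tokens@4.0.0'], peers: [] },
  'tokens@4.0.0':     { deps: [], peers: [] },
  'scheduler@0.23.0': { deps: [], peers: [] },
  'classnames@2.5.0': { deps: [], peers: [] },
};

// Reachability from the project roots. With excludePeers, peer edges are not
// followed, so a package is kept only if some chain of regular dependencies
// leads to it: env-shim above survives (app needs it directly) while
// framework and scheduler are dropped.
function sbomComponents(graph, roots, { excludePeers = false } = {}) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const id = stack.pop();
    if (seen.has(id)) continue;
    const node = graph[id];
    if (!node) throw new Error(`lockfile has no entry for ${id}`);
    seen.add(id);
    stack.push(...node.deps);
    if (!excludePeers) stack.push(...node.peers);
  }
  return [...seen].sort();
}

// Which components the flag removed, useful when reviewing an SBOM diff.
function excludedByPeerFlag(graph, roots) {
  const full = new Set(sbomComponents(graph, roots));
  const kept = new Set(sbomComponents(graph, roots, { excludePeers: true }));
  return [...full].filter((id) => !kept.has(id)).sort();
}
```

The case worth noticing is `env-shim`: it sits under the peer-provided `framework`, but because `app` also depends on it directly it stays in the SBOM; only packages with no non-peer path from the roots disappear.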

Patch Changes

  • pnpm audit --fix now writes one combined minimumReleaseAgeExclude entry per package, such as axios@0.18.1 || 0.21.1, matching the documented setting format. Existing per-version entries are merged into the combined form (#12534).
  • Fixed nondeterministic peer resolution that could add or remove an optional transitive peer from a package's peer-dependency suffix across identical installs, causing lockfile churn and intermittent pnpm dedupe --check failures.
  • Fixed Windows pnpm dlx flakiness where cleanup of a failed install could mask the original error with EBUSY.
  • Shortened the pnpm dlx cache path so deep dependency trees are less likely to exceed Windows MAX_PATH.
  • Fixed pnpm hanging or crashing with an unhandled rejection when a non-retryable network error, such as SELF_SIGNED_CERT_IN_CHAIN, occurs while fetching from a registry.
  • Fixed a pnpm audit performance regression on lockfiles with dependency cycles. Reachability is now computed with Tarjan's strongly connected components algorithm, and the path walk no longer recurses, keeping time and memory linear in cyclic graphs (#12212).
  • Fixed failed optional dependency updates rewriting unrelated dependency specs (#11267).
  • When enableGlobalVirtualStore is turned on for a project previously installed without it, stale hoisted symlinks under node_modules/.pnpm/node_modules are now replaced (#9739).
  • Fixed pnpm install --ignore-workspace overwriting the allowBuilds map in pnpm-workspace.yaml (#12469).
  • Fixed minimumReleaseAgeExclude and trustPolicyExclude so multiple exact-version entries for the same package behave like a single || disjunction entry (#12463).
  • Populated the in-memory package metadata cache on the exact-version disk fast path, avoiding repeated disk reads during large monorepo installs. The cache key now includes the registry, so the same package name from different registries cannot share cached metadata.
  • Fixed pnpm patch dropping the package name and leaking internal option fields when the patched dependency resolves to a single git-hosted version.
  • Moved pnpr resolver endpoints under the reserved /-/pnpr namespace: POST /v1/resolve is now POST /-/pnpr/v0/resolve, and POST /v1/verify-lockfile is now POST /-/pnpr/v0/verify-lockfile.
  • Removing a runtime dependency now removes the matching devEngines.runtime or engines.runtime entry that was materialized from it. Blank runtime selectors are normalized to latest.
  • pnpm sbom now emits a CycloneDX issue-tracker external reference for components whose package.json declares a bugs URL.
  • Added @pnpm/resolving.tarball-url, which builds and recognizes canonical npm tarball URLs. Custom pnpmfile resolvers can use it to rewrite proxy tarball URLs to canonical registry URLs so host-specific URLs are not persisted to the lockfile.
  • Lockfile verification no longer reports registry metadata fetch failures as ERR_PNPM_TARBALL_URL_MISMATCH. The install now aborts with the registry fetch error, and registry fetch errors no longer leak basic-auth credentials embedded in the registry URL.
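The last two items above, canonical tarball URLs and credential-free registry errors, as one added example. This is not `@pnpm/resolving.tarball-url` and not pnpm's code; it assumes the canonical npm tarball shape `<registry>/<name>/-/<basename>-<version>.tgz` (basename being the name without its `@scope/` prefix) with an optional proxy path prefix in front of it, and the hostnames are made up.

```javascript
// Added example, not @pnpm/resolving.tarball-url and not pnpm's own code. It
// assumes the canonical npm tarball path shape
//   <registry>/<name>/-/<basename>-<version>.tgz
// where <basename> is the package name without its @scope/ prefix, and it
// accepts a proxy path prefix in front of that shape (hostnames are made up).
const { URL } = require('node:url');

const CANONICAL_REGISTRY = 'https://registry.npmjs.org/';

// Parse a tarball URL into { name, version }, or null if it does not have the
// tarball shape. The version is cross-checked against the name segment rather
// than guessed with a regex, so "some-pkg/-/other-1.0.0.tgz" is rejected.
function parseTarballUrl(urlString) {
  const url = new URL(urlString);
  const parts = url.pathname.split('/').filter(Boolean).map(decodeURIComponent);
  const dash = parts.lastIndexOf('-');
  if (dash < 1 || dash !== parts.length - 2) return null;
  const scoped = dash >= 2 && parts[dash - 2].startsWith('@');
  const basename = parts[dash - 1];
  const name = scoped ? `${parts[dash - 2]}/${basename}` : basename;
  const file = parts[dash + 1];
  if (!file.startsWith(`${basename}-`) || !file.endsWith('.tgz')) return null;
  const version = file.slice(basename.length + 1, -'.tgz'.length);
  return version ? { name, version } : null;
}

function canonicalTarballUrl(name, version, registry = CANONICAL_REGISTRY) {
  const basename = name.startsWith('@') ? name.split('/')[1] : name;
  const base = registry.endsWith('/') ? registry : `${registry}/`;
  return new URL(`${name}/-/${basename}-${version}.tgz`, base).href;
}

// What a custom resolver would do before the URL is written to the lockfile:
// keep only the canonical form so a proxy hostname is never persisted.
// URLs that do not have the tarball shape are passed through unchanged.
function rewriteToCanonical(urlString) {
  const parsed = parseTarballUrl(urlString);
  return parsed ? canonicalTarballUrl(parsed.name, parsed.version) : urlString;
}

// For error messages: never echo embedded basic-auth credentials.
function redactCredentials(urlString) {
  const url = new URL(urlString);
  if (url.username || url.password) {
    url.username = 'REDACTED';
    url.password = '';
  }
  return url.href;
}
```

Rewriting to the canonical URL only makes sense when installs are configured to reach that registry (directly or through the same proxy); the point is that the host-specific form never lands in the lockfile. The redaction helper belongs on every path that formats a registry URL into an error, not only on the fetch failure the release note mentions.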
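The audit fix above (reachability via Tarjan's strongly connected components, with no recursion) as an added example that is not pnpm's code: a constructed lockfile graph containing a dependency cycle, an explicit-stack Tarjan, and one pass over the condensed graph to answer "which installed packages depend on the vulnerable one".

```javascript
// Added example, not pnpm's own code: "which installed packages depend on a
// vulnerable package" on a lockfile graph that contains cycles, computed the
// way the audit fix above describes: Tarjan's strongly connected components
// with an explicit stack (no recursion), then one pass over the condensed DAG.

// Constructed lockfile graph: package id -> ids it depends on. core and plugin
// depend on each other, which is the case that breaks naive path recursion.
const LOCKFILE = {
  'app@1.0.0': ['web@3.0.0', 'cli@2.0.0'],
  'web@3.0.0': ['core@1.0.0'],
  'core@1.0.0': ['plugin@1.0.0'],
  'plugin@1.0.0': ['core@1.0.0', 'vuln-lib@0.9.0'],
  'vuln-lib@0.9.0': [],
  'cli@2.0.0': ['colors@1.0.0'],
  'colors@1.0.0': [],
};

// Iterative Tarjan. Components come out in reverse topological order: every
// component a package depends on is emitted before the package's own.
function tarjanScc(graph) {
  let counter = 0;
  const index = new Map(), low = new Map(), onStack = new Set();
  const stack = [], comps = [], compOf = new Map();
  const visit = (v) => {
    index.set(v, counter); low.set(v, counter); counter++;
    stack.push(v); onStack.add(v);
  };
  for (const root of Object.keys(graph)) {
    if (index.has(root)) continue;
    visit(root);
    const work = [[root, 0]];            // DFS frames: [node, next child position]
    while (work.length > 0) {
      const frame = work[work.length - 1];
      const v = frame[0];
      const children = graph[v] || [];
      if (frame[1] < children.length) {
        const w = children[frame[1]++];
        if (!index.has(w)) { visit(w); work.push([w, 0]); }
        else if (onStack.has(w)) low.set(v, Math.min(low.get(v), index.get(w)));
        continue;
      }
      work.pop();                        // all children of v explored
      if (work.length > 0) {
        const parent = work[work.length - 1][0];
        low.set(parent, Math.min(low.get(parent), low.get(v)));
      }
      if (low.get(v) === index.get(v)) { // v is the root of a component
        const comp = [];
        let w;
        do { w = stack.pop(); onStack.delete(w); compOf.set(w, comps.length); comp.push(w); } while (w !== v);
        comps.push(comp);
      }
    }
  }
  return { comps, compOf };
}

// Everything that can reach `target`, excluding target itself. Each component
// is decided once, so time and memory stay linear in nodes + edges even when
// the graph has cycles.
function dependentsOf(graph, target) {
  const { comps, compOf } = tarjanScc(graph);
  const targetComp = compOf.get(target);
  if (targetComp === undefined) return [];
  const reaches = comps.map(() => false);
  for (let i = 0; i < comps.length; i++) {
    // Components are in reverse topological order, so every component a member
    // of comps[i] points to (other than comps[i] itself) is already decided.
    reaches[i] = i === targetComp ||
      comps[i].some((v) => (graph[v] || []).some((w) => reaches[compOf.get(w)]));
  }
  const result = [];
  comps.forEach((comp, i) => { if (reaches[i]) result.push(...comp); });
  return result.filter((v) => v !== target).sort();
}
```

The constructed cycle `core -> plugin -> core` collapses into one component, and `app`, `web`, `core` and `plugin` are reported as dependents of `vuln-lib` while `cli` and `colors` are not; a recursive path enumeration on the same input would either loop or need a visited set per path, which is the blow-up the release note describes.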