pnpm 10.19
This release adds version-scoped controls to two settings: [onlyBuiltDependencies
] and [minimumReleaseAgeExclude
].
This release adds version-scoped controls to two settings: [onlyBuiltDependencies
] and [minimumReleaseAgeExclude
].
Added network performance monitoring to pnpm by implementing warnings for slow network requests, including both metadata fetches and tarball downloads.
Added configuration options for warning thresholds: fetchWarnTimeoutMs
and fetchMinSpeedKiBps
.
Warning messages are displayed when requests exceed time thresholds or fall below speed minimums
Related PR: #10025.
minimumReleaseAge
configuration #10030.cleanupUnusedCatalogs
configuration when removing dependent packages.scriptShell
is set to false
#8748.pnpm dlx
should not fail when minimumReleaseAge
is set #10037.The minimumReleaseAgeExclude
setting now supports patterns.
There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.
Added the cleanupUnusedCatalogs
configuration. When set to true
, pnpm will remove unused catalog entries during installation #9793.
Declare Node.js, Deno, or Bun in devEngines.runtime
(inside package.json
) and let pnpm download and pin it automatically.