Langsung ke konten utama

pnpm 10.29

· Satu menit membaca
Zoltan Kochan
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.29 adds catalog: protocol support to pnpm dlx, allows configuring auditLevel in pnpm-workspace.yaml, supports a bare workspace: specifier, and includes several bug fixes.

Minor Changes

catalog: Protocol in pnpm dlx

The pnpm dlx / pnpx command now supports the catalog: protocol, allowing you to reference versions defined in your workspace catalogs:

pnpm dlx shx@catalog:

auditLevel Setting

auditLevel can now be configured in the pnpm-workspace.yaml file, so you don't need to pass --audit-level on every pnpm audit invocation #10540:

pnpm-workspace.yaml
auditLevel: high

Bare workspace: Protocol

A bare workspace: specifier without a version range is now supported. It is treated as workspace:* and resolves to the concrete version during publish #10436:

{
  "dependencies": {
    "foo": "workspace:"
  }
}

Patch Changes

  • Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output #10586.
  • Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.
  • When enableGlobalVirtualStore is set, pnpm deploy now ignores it and always creates a localized virtual store within the deploy directory to keep it self-contained.
  • Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.
  • Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.
  • Fixed pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.
  • Fixed catalogMode: strict writing the literal string catalog: to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.
  • Skip local file: protocol dependencies during pnpm fetch, fixing Docker builds when local directory dependencies are not available #10460.
  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.
  • Updated tar to version 7.5.7 to fix a security vulnerability (CVE-2026-24842).
  • Fixed pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.
  • Fixed shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.
  • pnpm help now correctly reports if the currently running pnpm CLI is bundled with Node.js #10561.
  • Added a warning when the current directory contains the PATH delimiter character, which can break node_modules/.bin path injection #10457.
  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page #10281.