
pnpm 11.1

· One minute read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.1 adds a few new commands — pnpm audit signatures, pnpm bugs, and pnpm owner — alongside support for installing from arbitrary named registries (including a built-in alias for the GitHub Packages npm registry), the ability to skip runtime installation in CI, and several fixes.

Minor Changes

pnpm audit signatures

A new pnpm audit signatures subcommand verifies ECDSA registry signatures for installed packages against keys published at /-/npm/v1/keys (see #7909). Scoped registries are respected; registries that don't publish signing keys are skipped.

pnpm audit signatures

Named registries (and a built-in gh: alias)

You can now install packages from the GitHub Packages npm registry via a built-in gh: prefix, and — more broadly — from arbitrary named registries in the style of vlt's named-registry aliases:

pnpm add gh:@acme/private

Authentication is picked up from existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

pnpm-workspace.yaml
namedRegistries:
  gh: https://npm.pkg.github.example.com/
  work: https://npm.work.example.com/

With this, work:@corp/lib@^2.0.0 resolves against https://npm.work.example.com/. See #8941.

--sbom-spec-version

pnpm sbom now accepts a --sbom-spec-version flag to choose the CycloneDX specification version (1.5, 1.6, or 1.7 — default 1.7). The flag is only valid with --sbom-format cyclonedx. See #11389.

--no-runtime for CI matrices

A new --no-runtime flag (config: runtime=false) skips installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. This is useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

pnpm bugs

The new pnpm bugs command opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. It falls back to <repository>/issues when the bugs field is missing. See #11279.

pnpm owner

The new pnpm owner command manages package owners on the registry:

pnpm owner ls <package>
pnpm owner add <package> <user>
pnpm owner rm <package> <user>

Patch Changes

  • pnpm view now prints "published X ago by Y" alongside the rest of its output, mirroring npm view. This is useful when comparing against minimumReleaseAge. For example, pnpm view pnpm now shows published 17 hours ago by GitHub Actions.

  • pnpm publish now honors the configured HTTP/HTTPS proxy (including the https_proxy / http_proxy / no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete (see #11561).

  • pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so they share dependencies and are removed together), pass them as a comma-separated list. For example:

    • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
    • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

    Related: #11587.

  • pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

  • Fixed pnpm --version hanging for the lifetime of the worker pool after the version was printed. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.