
pnpm 11.1

One minute read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 11.1 adds a few new commands (pnpm audit signatures, pnpm bugs and pnpm owner), support for installing from arbitrarily named registries (including a built-in alias for the GitHub Packages npm registry), the ability to skip runtime installation in CI, and a number of fixes.

Minor changes

pnpm audit signatures

A new pnpm audit signatures subcommand verifies the ECDSA registry signatures of installed packages against the keys published at /-/npm/v1/keys (#7909). Scoped registries are honored; registries that publish no signing keys are skipped.

pnpm audit signatures

Named registries (and the built-in gh: alias)

You can now install packages from the GitHub Packages npm registry via the built-in gh: prefix and, more generally, from any named registry, in the style of vlt's named registry aliases:

pnpm add gh:@acme/private

Authentication comes from the existing per-URL .npmrc entries (for example //npm.pkg.github.com/:_authToken=...), so no separate authentication mechanism is needed.

Additional aliases can be configured under namedRegistries in pnpm-workspace.yaml, and the built-in gh alias can be overridden (for example for GitHub Enterprise Server):

pnpm-workspace.yaml
namedRegistries:
  gh: https://npm.pkg.github.example.com/
  work: https://npm.work.example.com/

With this configuration, work:@corp/lib@^2.0.0 resolves against https://npm.work.example.com/. See #8941

--sbom-spec-version

pnpm sbom now accepts an --sbom-spec-version flag to select the CycloneDX spec version (1.5, 1.6 or 1.7; the default is 1.7). The flag only takes effect with --sbom-format cyclonedx. See #11389

--no-runtime for CI matrices

The new --no-runtime flag (config: runtime=false) skips installing runtime entries (for example Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. This is useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

pnpm bugs

The new pnpm bugs command opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. It falls back to <repository>/issues when the bugs field is missing. See #11279

pnpm owner

The new pnpm owner command manages package owners on the registry:

pnpm owner ls <package>
pnpm owner add <package> <user>
pnpm owner rm <package> <user>

Patch changes

  • pnpm view now prints "published X ago by Y" alongside the rest of its output, mirroring npm view. This is useful when comparing against minimumReleaseAge. For example, pnpm view pnpm now shows published 17 hours ago by GitHub Actions.

  • pnpm publish now honors the configured HTTP/HTTPS proxy (including the https_proxy / http_proxy / no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #11561.

  • pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so they share dependencies and are removed together), pass them as a comma-separated list. For example:

    • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
    • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

    Related: #11587

  • pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

  • Fixed pnpm --version hanging for the lifetime of the worker pool after the version was printed. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.