pnpm 11.10
pnpm 11.10 adds the _auth setting for CI-friendly registry authentication, new pnpm prefix and pnpm issues commands, and the ability for pnpm self-update to install pnpm v12 (the Rust port). It also improves pnpm up accuracy, speeds up resolution against registries that ignore abbreviated metadata, and hardens global package management, pnpm deploy, and pnpm pack-app.
Minor changes
The _auth setting for CI
pnpm now supports an _auth setting for configuring registry authentication as a single structured, URL-keyed value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable.
The env form sidesteps a long-standing limitation: environment variable names containing /, :, or . are silently dropped by GitHub Actions, bash, and zsh, which broke the existing pnpm_config_//host/:_authToken=… form. The _auth env variable has an ordinary name, so it survives:
export pnpm_config__auth='{"https://registry.npmjs.org":{"@":{"authToken":"npm-token"},"@org":{"authToken":"org-token"}}}'
The equivalent in the global config.yaml:
_auth:
  https://registry.npmjs.org:
    "@":
      authToken: npm-token
    "@org":
      authToken: org-token
Within each registry URL, @ means registry-wide credentials and a scope like @org binds credentials to that scope on the same host. Because the credential and its destination host arrive together in one trusted value, a repo-controlled pnpm-workspace.yaml or .npmrc cannot redirect the token to a different host — _auth is honored only from the environment variable and the global config, never from project files. Closes #12314.
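As an added example that is not pnpm's own code, a small Node.js check a CI job can run on the value before exporting it as pnpm_config__auth: it parses the JSON, checks the registry-URL and "@" / "@scope" keys described above, and rejects registry hosts outside a constructed allow-list, so a mis-pasted secret cannot hand a token to an unexpected host.

```javascript
// Added example, not pnpm's own code: lint a pnpm `_auth` JSON value before a
// CI job exports it as pnpm_config__auth. The allow-list and the sample value
// are constructed for this example.
const ALLOWED_REGISTRY_ORIGINS = new Set(['https://registry.npmjs.org']);

// Keys under a registry are "@" (registry-wide) or "@<scope>" (scope-bound).
const SCOPE_KEY = /^@(?:[a-z0-9-][a-z0-9._-]*)?$/;

// Returns a list of problems; an empty list means the value is acceptable.
function validateAuthValue(raw, allowedOrigins = ALLOWED_REGISTRY_ORIGINS) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    return [`not valid JSON: ${err.message}`];
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return ['top level must be an object keyed by registry URL'];
  }
  const problems = [];
  for (const [registry, scopes] of Object.entries(parsed)) {
    let url;
    try { url = new URL(registry); } catch { problems.push(`${registry}: not a URL`); continue; }
    if (url.protocol !== 'https:') problems.push(`${registry}: only https registries are allowed`);
    if (!allowedOrigins.has(url.origin)) problems.push(`${registry}: host is not in the allow-list`);
    if (scopes === null || typeof scopes !== 'object' || Array.isArray(scopes)) {
      problems.push(`${registry}: value must map "@" or "@scope" to credentials`);
      continue;
    }
    for (const [scope, cred] of Object.entries(scopes)) {
      if (!SCOPE_KEY.test(scope)) problems.push(`${registry}: bad scope key "${scope}"`);
      if (!cred || typeof cred.authToken !== 'string' || cred.authToken.length === 0) {
        problems.push(`${registry} ${scope}: authToken must be a non-empty string`);
      }
    }
  }
  return problems;
}

// Constructed sample in the shape shown above; the tokens are placeholders.
const SAMPLE_AUTH = JSON.stringify({
  'https://registry.npmjs.org': { '@': { authToken: 'npm-token' }, '@org': { authToken: 'org-token' } },
});

console.log(validateAuthValue(SAMPLE_AUTH)); // [] for the sample above
```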
pnpm self-update can install pnpm v12 (the Rust port)
pnpm self-update and packageManager version-switching can now install and link pnpm v12, the Rust port, published under both the pnpm and @pnpm/exe names on the next-12 dist-tag:
pnpm self-update next-12
Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — there is no Node.js launcher, so the command pays no Node.js startup cost. From v12 onward the install converges on the unscoped pnpm package (the Rust executable), even when updating from the SEA @pnpm/exe build.
pnpm prefix
The new pnpm prefix command prints the current package prefix directory, or the global prefix directory with -g / --global.
pnpm issues
pnpm issues is now an alias of pnpm bugs, opening the package's bug tracker URL in the browser.
JSON output for web authentication
When OTP is required in a non-interactive terminal, the web authentication authUrl and doneUrl are now exposed in JSON error output (#12724).
Patch changes
- Fixed pnpm up -r <pkg> bumping unrelated packages that have open semver ranges. The install layer now always seeds preferredVersions from the lockfile, so packages with ^x.y.z ranges no longer re-resolve to newer compatible versions when you only asked to update a specific package (#10662).
- Fixed pnpm up <pkg> producing a different result than a fresh install of the same manifests. The targeted package now re-resolves exactly as if its lockfile entries were deleted, while preferred versions a fresh install would apply stay in effect. pnpm update <dep>@<version> now prints a warning when <dep> is only present as a transitive dependency, recommending pnpm.overrides instead (#12744).
- Sped up resolution and reduced memory use against registries that ignore npm's abbreviated metadata format and always return the full package document (for example, Azure DevOps Artifacts). pnpm strips such documents down to the abbreviated field set before caching them.
- Sped up offline and --prefer-offline resolution on large workspaces. Package metadata loaded from the local cache is now kept in memory, so each package's metadata is parsed once per command instead of once per dependent.
- Hardened global package management: bins are cleaned up correctly on Windows (node.exe flavor), pnpm add -g pnpm@<version> is rejected in favor of pnpm self-update, dependency aliases from a global manifest are validated before being joined onto paths, each install group gets its own fresh directory, and removing a global package no longer unlinks a bin belonging to a different one.
- Hardened pnpm deploy --force so it refuses unsafe deploy targets such as workspace roots, parent directories, out-of-workspace paths, and symlinked target parents. pnpm pack-app now rejects --entry / --output-dir values that are absolute or escape the project directory, refuses to overwrite a non-regular target file, and resolves the macOS codesign / ldid signers outside the project so a repo-controlled node_modules/.bin cannot hijack them. New error codes: ERR_PNPM_PACK_APP_ENTRY_OUTSIDE_PROJECT, ERR_PNPM_PACK_APP_OUTPUT_DIR_OUTSIDE_PROJECT, ERR_PNPM_PACK_APP_OUTPUT_FILE_NOT_REGULAR. pnpm pack and pnpm publish no longer follow a symlinked workspace LICENSE when injecting it into a package, and no longer fail when prepack generates included files that postpack cleans up.
- pnpm now rejects jsr: and named-registry (e.g. gh:) specifiers whose package name is not a valid npm package name, with ERR_PNPM_INVALID_JSR_PACKAGE_NAME / ERR_PNPM_INVALID_NAMED_REGISTRY_PACKAGE_NAME, instead of silently producing a malformed name.
- Fixed a prototype-pollution hazard when seeding preferred versions: a dependency named __proto__ in a manifest or lockfile can no longer write through Object.prototype.
- Relative paths in patchedDependencies are now resolved against the lockfile directory when computing patch file hashes, so running pnpm install from a subdirectory no longer fails with ENOENT (#12762). pnpm peers no longer reports a conflict for a missing peer dependency that is ignored via pnpm.peerDependencyRules.ignoreMissing.
- Fixed the topological order of commands run with --filter when selected projects depend on each other only transitively through unselected projects. This now also holds for --filter-prod and mixed selections (#8335).
- pnpm no longer warns about ignored project-level auth settings when PNPM_CONFIG_NPMRC_AUTH_FILE points at the project .npmrc, an explicit opt-in to trusting it (#12480).
- When a dependency cannot be found in the registry (404) and a workspace project with the same name exists only at non-matching versions, the error now reports the available workspace versions (ERR_PNPM_NO_MATCHING_VERSION_INSIDE_WORKSPACE) (#1379).
- When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request; only the Authorization header identifying the caller to pnpr is sent.
- Added the Node.js release team's new signing key (Stewart X Addison) to the embedded Node.js release keys, so runtimes whose SHASUMS256.txt is signed by the new releaser verify successfully.
- node-gyp's gyp_main.py and gyp entrypoints are now packed with the executable bit in the pnpm and @pnpm/exe tarballs, so building native addons from source no longer fails with a permission error.
- Fixed shell tab completion not suggesting workspaces after the -F alias for --filter.
- Restored differential rendering (ansi-diff) to fix duplicated output lines.
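The prototype-pollution item above, as an added example that is not pnpm's code: a preferred-versions map seeded from constructed lockfile entries into a plain object beside a null-prototype version, with a probe that reports which one writes through Object.prototype.

```javascript
// Added example, not pnpm's own code: the hazard behind the "__proto__" fix, in
// miniature. A preferred-versions map shaped like { [pkgName]: { [range]: kind } }
// is seeded from lockfile entries; the entries and probe key are constructed.

// Unsafe seeding: on a plain object, map["__proto__"] resolves to
// Object.prototype, so the nested write lands on every object in the process.
function seedPreferredUnsafe(entries) {
  const preferred = {};
  for (const [name, range] of entries) {
    preferred[name] = preferred[name] || {};
    preferred[name][range] = 'range';
  }
  return preferred;
}

// Hardened seeding: null-prototype objects carry no "__proto__" accessor, so
// the name is an ordinary own key and the write cannot reach Object.prototype.
function seedPreferredSafe(entries) {
  const preferred = Object.create(null);
  for (const [name, range] of entries) {
    preferred[name] = preferred[name] || Object.create(null);
    preferred[name][range] = 'range';
  }
  return preferred;
}

// Feeds a hostile entry to a seeding function and reports whether
// Object.prototype gained the probe key; the key is removed afterwards so the
// rest of the process is unaffected.
function pollutesPrototype(seedFn) {
  const probe = '^9.9.9-constructed-probe';
  try {
    seedFn([['lodash', '^4.17.21'], ['__proto__', probe]]);
    return Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  } finally {
    delete Object.prototype[probe];
  }
}

console.log('plain object pollutes:', pollutesPrototype(seedPreferredUnsafe)); // true
console.log('null-prototype pollutes:', pollutesPrototype(seedPreferredSafe)); // false
```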
