This PR contains the following updates:
Release Notes
pnpm/pnpm (pnpm)
Compare Source
Minor Changes
Packages executed viapnpm dlx andpnpm create are allowed to be built (run postinstall scripts) by default.
If the packages executed bydlx orcreate have dependencies that have to be built, they should be listed via the--allow-build flag. For instance, if you want to run a package calledbundle that hasesbuild in dependencies and want to allowesbuild to run postinstall scripts, run:
pnpm --allow-build=esbuild dlx bundle
Related PR:#9026.
Patch Changes
- Quote args for scripts with shell-quote to support new lines (on POSIX only)#8980.
- Fix a bug in which
pnpm deploy fails to read the correctprojectId when the deploy source is the same as the workspace directory#9001. - Proxy settings should be respected, when resolving Git-hosted dependencies#6530.
- Prevent
overrides from adding invalid version ranges topeerDependencies by keeping thepeerDependencies and overriding them with proddependencies#8978. - Sort the package names in the "pnpm.onlyBuiltDependencies" list saved by
pnpm approve-builds.
Compare Source
Minor Changes
- Added a new command for printing the list of dependencies with ignored build scripts:
pnpm ignored-builds#8963. - Added a new command for approving dependencies for running scripts during installation:
pnpm approve-builds#8963. - Added a new setting called
optimistic-repeat-install. When enabled, a fast check will be performed before proceeding to installation. This way a repeat install or an install on a project with everything up-to-date becomes a lot faster. But some edge cases might arise, so we keep it disabled by default for now#8977. - Added a new field "pnpm.ignoredBuiltDependencies" for explicitly listing packages that should not be built. When a package is in the list, pnpm will not print an info message about that package not being built#8935.
Patch Changes
- Verify that the package name is valid when executing the publish command.
- When running
pnpm install, thepreprepare andpostprepare scripts of the project should be executed#8989. - Allow
workspace: andcatalog: to be part of wider version range inpeerDependencies. pnpm deploy should inherit thepnpm object from the rootpackage.json#8991.- Make sure that the deletion of a
node_modules in a sub-project of a monorepo is detected as out-of-date#8959. - Fix infinite loop caused by lifecycle scripts using
pnpm to execute other scripts duringpnpm install withverify-deps-before-run=install#8954. - Replace
strip-ansi with the built-inutil.stripVTControlCharacters#9009. - Do not print patched dependencies as ignored dependencies that require a build#8952.
Compare Source
Major Changes
Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in thepnpm.onlyBuiltDependencies field ofpackage.json#8897. For example:
{"pnpm": {"onlyBuiltDependencies": ["fsevents"] }}pnpm link behavior updated:
Thepnpm link command now adds overrides to the rootpackage.json.
- In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
- Global linking: To link a package globally, run
pnpm link from the package’s directory. Previously, you needed to usepnpm link -g.
Related PR:#8653
Secure hashing with SHA256:
Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:
- Long paths inside
node_modules/.pnpm are now hashed with SHA256. - Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
- The hash stored in the
packageExtensionsChecksum field ofpnpm-lock.yaml is now SHA256. - The side effects cache keys now use SHA256.
- The pnpmfile checksum in the lockfile now uses SHA256 (#8530).
Configuration updates:
manage-package-manager-versions: enabled by default. pnpm now manages its own version based on thepackageManager field inpackage.json by default.
public-hoist-pattern: nothing is hoisted by default. Packages containingeslint orprettier in their name are no longer hoisted to the root ofnode_modules. Related Issue:#8378
Upgraded@yarnpkg/extensions to v2.0.3. This may alter your lockfile.
virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.
Reduced environment variables for scripts:
During script execution, fewernpm_package_* environment variables are set. Onlyname,version,bin,engines, andconfig remain.
Related Issue:#8552
All dependencies are now installed even ifNODE_ENV=production. Related Issue:#8827
Changes to the global store:
Store version bumped to v10.
Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.
This approach ensures that we can:
- Validate that the integrity in the lockfile corresponds to the correct package, which might not be the case after a poorly resolved Git conflict.
- Allow the same content to be referenced by different packages or different versions of the same package.
Related PR:#8510
Related Issue:#8204
More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files.
Related PR:#8636
A newindex directory stores package content mappings. Previously, these files were infiles.
Other breaking changes:
- The
# character is now escaped in directory names withinnode_modules/.pnpm.
Related PR:#8557 - Running
pnpm add --global pnpm orpnpm add --global @​pnpm/exe now fails with an error message, directing you to usepnpm self-update instead.
Related PR:#8728 - Dependencies added via a URL now record the final resolved URL in the lockfile, ensuring that any redirects are fully captured.
Related Issue:#8833 - The
pnpm deploy command now only works in workspaces that haveinject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile. - Removed conversion from lockfile v6 to v9. If you need v6-to-v9 conversion, use pnpm CLI v9.
pnpm test now passes all parameters after thetest keyword directly to the underlying script. This matches the behavior ofpnpm run test. Previously you needed to use the-- prefix.
Related PR:#8619
node-gyp updated to version 11.
pnpm deploy now tries creating a dedicated lockfile from a shared lockfile for deployment. It will fallback to deployment without a lockfile if there is no shared lockfile orforce-legacy-deploy is set totrue.
Minor Changes
Added support for a new type of dependencies called "configurational dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").
Configurational dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using exact version and the integrity checksum. Example:
{"pnpm": {"configDependencies": {"my-configs":"1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==" } }}Related RFC:#8.
Related PR:#8915.
New settings:
Newverify-deps-before-run setting. This setting controls howpnpm checksnode_modules before running scripts:
install: Automatically runpnpm install ifnode_modules is outdated.warn: Print a warning ifnode_modules is outdated.prompt: Prompt the user to confirm runningpnpm install ifnode_modules is outdated.error: Throw an error ifnode_modules is outdated.false: Disable dependency checks.
Related Issue:#8585
Newinject-workspace-packages setting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved usingdependenciesMeta[].injected, which remains supported.
Related PR:#8836
Faster repeat installs:
On repeated installs,pnpm performs a quick check to ensurenode_modules is up to date.
Related PR:#8838
pnpm add integrates with default workspace catalog:
When adding a dependency,pnpm add checks the default workspace catalog. If the dependency and version requirement match the catalog,pnpm add uses thecatalog: protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior.
Related Issue:#8640
pnpm dlx now resolves packages to their exact versions and uses these exact versions for cache keys. This ensurespnpm dlx always installs the latest requested packages.
Related PR:#8811
Nonode_modules validation on certain commands. Commands that should not modifynode_modules (e.g.,pnpm install --lockfile-only) no longer validate or purgenode_modules.
Related PR:#8657
Configuration
📅Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.
This PR contains the following updates:
9.15.5->10.2.0Release Notes
pnpm/pnpm (pnpm)
v10.2.0Compare Source
Minor Changes
Packages executed via
pnpm dlxandpnpm createare allowed to be built (run postinstall scripts) by default.If the packages executed by
dlxorcreatehave dependencies that have to be built, they should be listed via the--allow-buildflag. For instance, if you want to run a package calledbundlethat hasesbuildin dependencies and want to allowesbuildto run postinstall scripts, run:Related PR:#9026.
Patch Changes
pnpm deployfails to read the correctprojectIdwhen the deploy source is the same as the workspace directory#9001.overridesfrom adding invalid version ranges topeerDependenciesby keeping thepeerDependenciesand overriding them with proddependencies#8978.pnpm approve-builds.v10.1.0Compare Source
Minor Changes
pnpm ignored-builds#8963.pnpm approve-builds#8963.optimistic-repeat-install. When enabled, a fast check will be performed before proceeding to installation. This way a repeat install or an install on a project with everything up-to-date becomes a lot faster. But some edge cases might arise, so we keep it disabled by default for now#8977.Patch Changes
pnpm install, thepreprepareandpostpreparescripts of the project should be executed#8989.workspace:andcatalog:to be part of wider version range inpeerDependencies.pnpm deployshould inherit thepnpmobject from the rootpackage.json#8991.node_modulesin a sub-project of a monorepo is detected as out-of-date#8959.pnpmto execute other scripts duringpnpm installwithverify-deps-before-run=install#8954.strip-ansiwith the built-inutil.stripVTControlCharacters#9009.v10.0.0Compare Source
Major Changes
Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the
pnpm.onlyBuiltDependenciesfield ofpackage.json#8897. For example:{"pnpm": {"onlyBuiltDependencies": ["fsevents"] }}pnpm linkbehavior updated:The
pnpm linkcommand now adds overrides to the rootpackage.json.pnpm linkfrom the package’s directory. Previously, you needed to usepnpm link -g.Related PR:#8653
Secure hashing with SHA256:
Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:
node_modules/.pnpmare now hashed with SHA256.packageExtensionsChecksumfield ofpnpm-lock.yamlis now SHA256.Configuration updates:
manage-package-manager-versions: enabled by default. pnpm now manages its own version based on thepackageManagerfield inpackage.jsonby default.public-hoist-pattern: nothing is hoisted by default. Packages containingeslintorprettierin their name are no longer hoisted to the root ofnode_modules. Related Issue:#8378Upgraded
@yarnpkg/extensionsto v2.0.3. This may alter your lockfile.virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.Reduced environment variables for scripts:
During script execution, fewer
npm_package_*environment variables are set. Onlyname,version,bin,engines, andconfigremain.Related Issue:#8552
All dependencies are now installed even if
NODE_ENV=production. Related Issue:#8827Changes to the global store:
Store version bumped to v10.
Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.
This approach ensures that we can:
Related PR:#8510
Related Issue:#8204
More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files.
Related PR:#8636
A new
indexdirectory stores package content mappings. Previously, these files were infiles.Other breaking changes:
#character is now escaped in directory names withinnode_modules/.pnpm.Related PR:#8557
pnpm add --global pnpmorpnpm add --global @​pnpm/exenow fails with an error message, directing you to usepnpm self-updateinstead.Related PR:#8728
Related Issue:#8833
pnpm deploycommand now only works in workspaces that haveinject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile.pnpm testnow passes all parameters after thetestkeyword directly to the underlying script. This matches the behavior ofpnpm run test. Previously you needed to use the--prefix.Related PR:#8619
node-gypupdated to version 11.pnpm deploynow tries creating a dedicated lockfile from a shared lockfile for deployment. It will fallback to deployment without a lockfile if there is no shared lockfile orforce-legacy-deployis set totrue.Minor Changes
Added support for a new type of dependencies called "configurational dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").
Configurational dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using exact version and the integrity checksum. Example:
{"pnpm": {"configDependencies": {"my-configs":"1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==" } }}Related RFC:#8.
Related PR:#8915.
New settings:
New
verify-deps-before-runsetting. This setting controls howpnpmchecksnode_modulesbefore running scripts:install: Automatically runpnpm installifnode_modulesis outdated.warn: Print a warning ifnode_modulesis outdated.prompt: Prompt the user to confirm runningpnpm installifnode_modulesis outdated.error: Throw an error ifnode_modulesis outdated.false: Disable dependency checks.Related Issue:#8585
New
inject-workspace-packagessetting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved usingdependenciesMeta[].injected, which remains supported.Related PR:#8836
Faster repeat installs:
On repeated installs,
pnpmperforms a quick check to ensurenode_modulesis up to date.Related PR:#8838
pnpm addintegrates with default workspace catalog:When adding a dependency,
pnpm addchecks the default workspace catalog. If the dependency and version requirement match the catalog,pnpm adduses thecatalog:protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior.Related Issue:#8640
pnpm dlxnow resolves packages to their exact versions and uses these exact versions for cache keys. This ensurespnpm dlxalways installs the latest requested packages.Related PR:#8811
No
node_modulesvalidation on certain commands. Commands that should not modifynode_modules(e.g.,pnpm install --lockfile-only) no longer validate or purgenode_modules.Related PR:#8657
Configuration
📅Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.