pnpm

This release introduces several new native commands like `pnpm stage`, `pnpm pkg`, and `pnpm repo`, alongside a new `trustLockfile` setting to optimize supply-chain verification performance. Several critical bugs related to dependency resolution non-determinism and dependency addition regressions have also been fixed.

This release introduces experimental support for delegating the installation materialization phase to the Rust-based pacquet engine when configured. It also improves flag forwarding to pacquet during installation and fixes an issue with outdated lockfile checks when using pacquet.

This release introduces an experimental opt-in preview of the Rust install engine (@pnpm/pacquet) for dependency materialization. It also includes several bug fixes related to lockfile consistency and registry resolution for npm aliases.

This release introduces an experimental opt-in preview of the Rust install engine via @pnpm/pacquet and enhances support for platform-specific dependencies within configuration dependencies. Several critical bugs related to configuration loading, login commands, and lockfile pruning stability have also been resolved.

This patch significantly enhances lockfile verification against age and trust policies during installation, introduces strict/loose modes for handling immature dependency versions, and corrects cache hashing to align with the actual script execution environment.

This patch release addresses several bugs related to metadata handling, upgrade commands, and lockfile resolution, including stripping problematic HTTP headers for better compatibility with Azure DevOps Artifacts.

This patch release focuses on fixing spurious warnings during dependency status checks and resolving issues with package resolution involving named registries and Windows shell execution via cmd-shim.

This major release introduces significant features like registry signature verification, enhanced named registry support (including GitHub Packages), and new commands like `pnpm bugs` and `pnpm owner`. It also fixes several bugs related to global installs, proxy usage during publishing, and CLI version reporting.

This patch addresses several critical bugs, including fixes for GitLab dependency installation, correct handling of semver build metadata during publishing, and restoring compatibility with custom npm configuration paths in CI environments. It also improves the Node.js version check error message.

This patch restores critical tarball URL preservation logic to fix fetch errors on certain registries and resolves issues related to compressed tarball size validation during installation.

This patch release fixes critical issues related to execute permissions on Windows binaries, restores expected JSON output for `pnpm publish`, and enhances configuration flexibility by allowing global user preferences. It also improves lockfile security by pinning git dependency integrity.

This patch enhances security by pinning the integrity of git-hosted tarballs in the lockfile and fixes a bug where the workspace root was incorrectly included when using negative recursive filters.

This patch release improves configuration loading robustness by correctly handling environment variables and fixes several issues related to workspace file ordering, self-updates on v10 installations, and configuration validation errors.

This patch addresses a critical self-update issue for Intel macOS users by switching to a JS-only binary when upgrading from v10, and prevents accidental downgrades during standard self-updates.

This patch addresses critical issues related to Intel Mac binary stability, fixes global listing commands to output valid JSON/parseable formats, and improves build approval handling in `pnpm dlx`.

This patch fixes an issue where `pnpm ci` failed to reinstall workspace dependencies after cleaning, and adjusts the behavior of `pnpm self-update` regarding downgrades. Additionally, the default for `minimumReleaseAgeStrict` is now true when `minimumReleaseAge` is configured.

This patch release addresses two specific bugs: one related to file handle limits on Windows and another concerning fetching dependencies with file: tarballs in the lockfile.

This patch release addresses several bugs, including fixing an ENOENT symlink failure on Windows during global installs and ensuring package manager version checks remain accurate when using corepack. It also improves handling of publish summaries and platform filtering.

This patch release improves error handling for workspace manifests, updates SBOM generation for git dependencies, and refines how `pnpm self-update` manages version fields in package.json.

This major release upgrades pnpm to pure ESM, requires Node.js 22+, and introduces significant security enhancements like default supply-chain protection and a new SQLite-backed store index for performance gains. Configuration handling has also been streamlined, restricting `.npmrc` usage and replacing old build dependency settings.

This patch release fixes critical bugs related to globally installed binaries failing under specific conditions and resolves an infinite fork-bomb scenario involving conflicting pnpm version specifications in projects.

This patch fixes an issue where certain npm-like commands were incorrectly delegated to npm instead of the native pnpm implementation when using pnpm v11 or newer.

This patch addresses critical startup crashes in the `@pnpm/exe` SEA executable when running on Node.js v25.7+ by fixing SEA blob serialization mismatches and updating the CJS entry shim loading mechanism.

This release significantly speeds up Node.js runtime installations by excluding bundled tools like npm and npx, and introduces the flexible `--runtime` flag for packaging apps. It also restores compatibility for older `pnpm self-update` versions by reverting a recent package name change.

This release introduces the `pnpm pack-app` command for creating standalone executables and significantly enhances `pnpm version` to better align with npm's CLI behavior. It also refines security auditing, dependency resolution for git sources, and updates internal platform naming conventions.

This release removes several legacy configuration settings in favor of the unified `pmOnFail` setting and introduces the powerful `pnpm with` command for running specific pnpm versions. New native commands for managing package manager stars were also implemented.

This release updates `pnpm audit` to use the modern registry bulk endpoint, replacing CVE filtering with GHSA filtering, and introduces several new native CLI commands like `pnpm docs`, `pnpm ping`, and `pnpm search`.

This major release enforces Node.js 22+ compatibility, transitions pnpm to pure ESM, and significantly enhances security by enabling supply-chain protection defaults. It also overhauls configuration handling, moving most settings out of .npmrc, and introduces a new SQLite-backed store index for faster installations.

This release introduces major architectural changes, including migrating the package index store to SQLite and isolating global package installations for better stability. Configuration handling has been significantly updated, moving most settings away from .npmrc files to pnpm-workspace.yaml and standardizing CLI output formats.

This release introduces major architectural changes focused on performance and security, including migrating the store index to SQLite, isolating global packages, and hardening configuration loading by deprecating reliance on `.npmrc` for non-auth settings. CLI output has also been cleaned up.

This release introduces significant performance improvements via a new SQLite-backed store index and isolated global package installations. It also cleans up CLI output, updates configuration handling (especially around build dependencies and workspace configs), and drops support for older Node.js versions.

This release introduces major architectural changes, including migrating the content-addressable store index to SQLite (Store v11) and isolating global package installations for better stability. Configuration handling has been significantly overhauled, moving project-specific settings from `.npmrc` to `pnpm-workspace.yaml` and changing CLI output formats.

This release introduces significant internal changes, including a new SQLite-based store index format (Store v11) and isolated global package installations for better stability. Configuration handling has been overhauled, moving away from rc files and standardizing CLI output formats to

This major release introduces significant architectural changes to the content-addressable store using SQLite and optimizes metadata storage, alongside isolating global package installations for better stability. Configuration handling has been overhauled, moving away from rc files and project-specific .npmrcs in favor of centralized workspace configuration.

This release introduces the `dedupePeers` setting to significantly reduce peer dependency duplication and includes numerous fixes for concurrent operations, Windows command execution, and lockfile handling.

This major release introduces significant architectural changes to the content-addressable store using SQLite and optimizes metadata storage, alongside isolating global package installations for better stability. Many deprecated configuration options and commands have been removed, and pnpm is now pure ESM.

This major release introduces significant architectural changes to the content-addressable store using SQLite and optimizes metadata storage, while isolating global package installations for better stability. Configuration handling has been overhauled, moving project-specific settings out of `.npmrc` and standardizing CLI output formats.

This major release introduces significant performance improvements via a new SQLite-backed content-addressable store index and isolates global package installations. Configuration handling has been overhauled, moving project-specific settings from `.npmrc` to `pnpm-workspace.yaml` and standardizing CLI output formats.

This release introduces major architectural changes to the pnpm store, moving to SQLite for metadata indexing and isolating global package installations for better stability. Configuration commands and build dependency handling have also been significantly overhauled, and support for older Node.js versions has been dropped.

This release introduces major architectural changes to the pnpm store, moving to SQLite for indexing and isolating global packages for better stability. Configuration handling has been significantly overhauled, moving away from rc files and standardizing output formats.

This patch release fixes a regression related to how pnpm handles `pnpm-workspace.yaml` files that omit the `packages` field, ensuring configuration-only files do not incorrectly define workspace roots.

This release introduces major architectural changes to the content-addressable store using SQLite and optimizes metadata storage, alongside isolating global package installations for better stability. Configuration handling has been significantly overhauled, moving settings out of rc files and standardizing output formats.

This release introduces the --all flag for approving builds non-interactively and reverts two recent changes that caused regressions, including one related to npm config file path setting and another concerning lockfile-include-tarball-url.

This patch release improves configuration preservation in pnpm-workspace.yaml, fixes several critical bugs related to linking, race conditions during store imports, and patch operations, and adds a short alias for the --filter option.

This release introduces major architectural changes to the pnpm store, moving to SQLite for metadata indexing and isolating global package installations for improved stability. Configuration handling has been significantly overhauled, favoring JSON output and consolidating workspace settings into `pnpm-workspace.yaml`.

This release introduces major architectural changes focused on performance and isolation, including switching internal store formats to MessagePack, isolating global packages, and updating configuration handling. Several deprecated features and configuration options related to build dependencies and linking have been removed.

This patch release fixes an issue where version switching failed when pnpm was installed as a standalone executable without a system Node.js environment.

This release introduces major performance improvements across the store by switching to MessagePack and optimizing index formats, alongside significant changes to configuration loading, moving away from INI/rc files towards YAML for pnpm-specific settings. Many deprecated configuration options and commands have been removed, and the package is now pure ESM.

This patch release fixes an issue where auto-installed peer dependencies ignored overrides and resolves an input line length error on Windows when using the global virtual store. It also includes a dependency update to patch a moderate vulnerability.

This release introduces major performance improvements by switching internal store formats to MessagePack and optimizing index storage. Configuration handling has been significantly overhauled, moving away from rc files and standardizing on YAML for pnpm-specific settings, alongside dropping support for older Node.js versions.

This patch release updates the primary endpoint used for fetching security audits to improve reliability.

This release updates pnpm why to display a reverse dependency tree for better readability and reverts a dependency pruning change in pnpm why to ensure correctness. Performance for pnpm why and pnpm list in large workspaces has also been improved.

This major release introduces significant performance improvements by switching internal store formats to MessagePack and optimizing index storage. It also brings substantial changes to configuration handling, replacing INI formats with JSON for config commands and standardizing workspace configuration via `pnpm-workspace.yaml`.

This major release introduces significant performance improvements by switching internal store formats to MessagePack and optimizing index storage. Configuration handling has been overhauled, moving project-specific settings out of .npmrc files into pnpm-workspace.yaml and changing CLI output formats.

This patch release resolves several bugs, including an out-of-memory error in dependency listing commands and issues with configuration settings in `.pnpmfile.cjs` and `pnpm dlx`. Additionally, `pnpm deploy` behavior is corrected regarding the global virtual store setting.

This patch release reverts a previous fix (from v10.29.1) that was causing issues, restoring functionality for 'pnpm run -r' when an empty workspace file is present.

This release introduces support for the `catalog:` protocol in `pnpx` and allows configuring `auditLevel` in `pnpm-workspace.yaml`. Numerous bug fixes address issues related to JSON output, store path resolution, audit command behavior, and dependency handling.

This release introduces support for the `catalog:` protocol in `pnpx` and allows configuring `auditLevel` in `pnpm-workspace.yaml`. Numerous bugs were fixed, including issues related to JSON output, store path resolution, audit command behavior, and dependency hoisting configuration.

This patch release focuses on security improvements by preventing path traversal in `directories.bin` and securing symlink handling for local dependencies. It also fixes an issue related to optional dependency metadata fetching for platform checks.

This patch release focuses heavily on security by fixing multiple path traversal vulnerabilities in ZIP and binary fetching, and improves dependency resolution by supporting plain HTTP/HTTPS git URLs. It also adjusts the exit code behavior for filtered script execution.

This release introduces significant configuration restructuring, replacing project-specific .npmrc files with packageConfigs in pnpm-workspace.yaml and restricting configuration loading from rc files. It also updates default behaviors, removes deprecated build dependency settings, and shifts the runtime environment to a bundled Node.js version.

This release adds trust‑policy ignore options, project registry and mark‑and‑sweep pruning for the global virtual store, and includes several bug fixes, with a semi‑breaking change to unscoped package storage layout.

This patch release improves error messages, fixes Git annotated‑tag handling, writes runtime binaries earlier in the install lifecycle, and reduces network calls when `preferOffline` is used.

Patch release fixing pnpm add behavior with blockExoticSubdeps and improving git reference resolution to full commits.

pnpm 9.x introduces pure ESM packaging, a bundled Node runtime, JSON‑based config output, camelCase keys, and V8‑binary store, while dropping Node 18/19 support and changing several CLI behaviours.

This release adds supply‑chain security features like `blockExoticSubdeps` and integrity hashing, introduces the unified `allowBuilds` config, and brings several usability improvements such as `--dry‑run` for `pack` and better deprecation displays.

This release adds certificate loading via `cert`, `ca`, and `key` fields and a `--bare` flag for `pnpm init`, plus several bug fixes around script reporting, build handling, forced publishing, and trust‑policy time errors.

This release adds automatic network concurrency scaling for high‑core systems and includes several bug fixes around trust policies, file linking, self‑update behavior, package detection, and auth token handling.

This release adds a new `--lockfile-only` flag to `pnpm list`, improves self‑update handling, displays npm protocols for aliased packages, and includes several bug fixes and stricter trust‑policy enforcement.

pnpm 9 introduces pure ESM, JSON‑based config output, V8‑serialized store files, and drops Node.js v18/v19 support, requiring migration of config files, imports, and runtime versions.

This release introduces `trustPolicyExclude` and `publishConfig.engines` support, and fixes a hardlinking crash.

This release adds automatic Node.js runtime installation for dependencies, introduces a new \"trustPolicy\" setting, and adds a command to retrieve the global config path, while fixing several bugs around update behavior, hardlinking, and workspace configuration.

This release adds the `--all` option to `pnpm --help` and includes several bug fixes related to version selection, the `create` command, and package manager version handling.

This release introduces version‑specific controls for postinstall scripts and release‑age exclusions, enhancing security and flexibility in dependency management.

This patch release fixes several bugs related to configuration handling, publishing, bin linking, and workspace behavior, improving the stability of pnpm commands.

This patch release fixes several command issues, reduces the CLI bundle size by swapping ndjson for split2, and improves metadata handling for pnpm dlx.

This patch release silences an unnecessary warning for `--lockfile-only`, adds a Windows shim for `pnpm setup` to support self‑updates, and corrects catalog warning behavior.

This release adds network performance monitoring with configurable thresholds and includes several bug fixes such as retrying EAGAIN filesystem errors and respecting `minimumReleaseAge` in various commands.

This patch release fixes error messaging, workspace state file creation, and improves handling of `minimumReleaseAge` for selecting the latest version.

This release adds pattern support to the `minimumReleaseAgeExclude` configuration and fixes two bugs related to minimumReleaseAge handling and prerelease downgrades.

This patch release resolves a metadata cache bug and ensures patch diffs are generated without ANSI color codes.

This release adds a `minimumReleaseAge` safety setting and custom finder support, while fixing several bugs such as Node.js 24 deprecation warnings and improving error handling for `nodeVersion`.

This patch release fixes a crash in `.pnp.cjs` and improves peer dependency resolution in workspaces.

This release adds several new configuration capabilities, improves config handling, restores glibc 2.26 support, and includes a semi‑breaking change to peer‑dependency resolution.

This release adds JavaScript runtime installation support and new CLI flags for architecture selection, plus several bug fixes and integrity improvements.

This release adds new CLI flags for architecture selection, introduces devEngines‑based Node.js runtime resolution, improves dlx flag parsing, and fixes several bugs around package downloading and production installs.

This patch updates pnpm to run user‑defined pnpmfiles after plugin pnpmfiles.

This release adds support for multiple pnpmfiles and automatic loading of pnpmfile.cjs from config dependencies, while fixing several configuration conflicts, sorting behavior, rebuild handling, and command quoting.

This patch release resolves several bugs: the `pnpm licenses` command for local dependencies, incorrect JSON output for non‑existent filters, a peer‑dependency deadlock, and restores proper hoisting after `pnpm fetch`.

This patch restores the hoisting of optional peer dependencies when using an outdated lockfile, fixing a regression introduced in v10.12.2.

This patch release fixes several CLI bugs, including hoisting with `enableGlobalVirtualStore`, help flag handling for `pnpm create`, incorrect license list paths, and a deployment failure caused by outdated lockfiles.

This release introduces experimental global virtual stores, catalog enhancements, new CLI options, and a new CI flag, while changing side‑effects cache keys (requiring cache cleanup) and fixing several regressions.

This patch release resolves multiple regressions and bugs affecting pnpm deploy, URL‑based dependencies, strict peer dependency handling, environment variable naming, lockfile generation, overrides handling, URL parsing, and silent run output.

This release adds several new features such as module‑type init, Nushell support, audit ignore flags, recursive packing, and improves workspace behavior, while also fixing bugs related to peer dependencies, configuration loading, Node.js 24 warnings, and script execution.

This release adds support for loading preResolution, importPackage, and fetchers hooks from a local pnpmfile and includes several bug fixes such as the cd command with shellEmulator, workspace yaml key sorting, and npm_package_json propagation.

This release adds JSR package installation support and a new `dangerouslyAllowAllBuilds` setting, fixes a verifyDepsBeforeRun false negative, and drops verifyDepsBeforeRun support for nodeLinker "pnp".

This patch release removes bright white highlighting, adds automatic writing of `onlyBuiltDependencies` to `pnpm-workspace.yaml` when no config exists, and ensures patch file paths are stored as relative paths.

This release adds an experimental configuration hook and a new --config flag for pnpm add, and includes several bug fixes around workspace globs, audit overrides, and link behavior.

Patch release that corrects config type conversion, auth config retrieval, and expands `~/` in .npmrc paths.