v10.29.0
📦 pnpmView on GitHub →
✨ 3 features🐛 10 fixes🔧 15 symbols
Summary
This release introduces support for the `catalog:` protocol in `pnpx` and allows configuring `auditLevel` in `pnpm-workspace.yaml`. Numerous bugs were fixed, including issues related to JSON output, store path resolution, audit command behavior, and dependency hoisting configuration.
Migration Steps
- If you rely on `shamefullyHoist` being set in `.pnpmfile.cjs`, update your configuration to use `publicHoistPattern` instead.
✨ New Features
- The `pnpm dlx` / `pnpx` command now supports the `catalog:` protocol (e.g., `pnpm dlx shx@catalog:`).
- Support configuring `auditLevel` in the `pnpm-workspace.yaml` file.
- Support bare `workspace:` protocol without version specifier; it is now treated as `workspace:*` and resolves to the concrete version during publish.
🐛 Bug Fixes
- Fixed `pnpm list --json` returning incorrect paths when using global virtual store.
- Fix `pnpm store path` and `pnpm store status` using workspace root for path resolution when `storeDir` is relative.
- Fixed `pnpm run -r` failing with "No projects matched the filters" when an empty `pnpm-workspace.yaml` exists.
- Fixed a bug where `catalogMode: strict` would write the literal string `"catalog:"` to `pnpm-workspace.yaml` instead of the resolved version specifier when re-adding an existing catalog dependency.
- Fixed the documentation URL shown in `pnpm completion --help` to point to the correct page at https://pnpm.io/completion.
- Skip local `file:` protocol dependencies during `pnpm fetch`. This fixes an issue where `pnpm fetch` would fail in Docker builds when local directory dependencies were not available.
- Fixed `pnpm audit --json` to respect the `--audit-level` setting for both exit code and output filtering.
- Fix `pnpm audit --fix` replacing reference overrides (e.g. `$foo`) with concrete versions.
- Fix `shamefullyHoist` set via `updateConfig` in `.pnpmfile.cjs` not being converted to `publicHoistPattern`.
- Add a warning when the current directory contains the PATH delimiter character, which breaks PATH injection for `node_modules/.bin` on POSIX systems.