Change8

v10.29.0

📦 pnpmView on GitHub →
3 features🐛 10 fixes🔧 15 symbols

Summary

This release introduces support for the `catalog:` protocol in `pnpx` and allows configuring `auditLevel` in `pnpm-workspace.yaml`. Numerous bugs were fixed, including issues related to JSON output, store path resolution, audit command behavior, and dependency hoisting configuration.

Migration Steps

  1. If you rely on `shamefullyHoist` being set in `.pnpmfile.cjs`, update your configuration to use `publicHoistPattern` instead.

✨ New Features

  • The `pnpm dlx` / `pnpx` command now supports the `catalog:` protocol (e.g., `pnpm dlx shx@catalog:`).
  • Support configuring `auditLevel` in the `pnpm-workspace.yaml` file.
  • Support bare `workspace:` protocol without version specifier; it is now treated as `workspace:*` and resolves to the concrete version during publish.

🐛 Bug Fixes

  • Fixed `pnpm list --json` returning incorrect paths when using global virtual store.
  • Fix `pnpm store path` and `pnpm store status` using workspace root for path resolution when `storeDir` is relative.
  • Fixed `pnpm run -r` failing with "No projects matched the filters" when an empty `pnpm-workspace.yaml` exists.
  • Fixed a bug where `catalogMode: strict` would write the literal string `"catalog:"` to `pnpm-workspace.yaml` instead of the resolved version specifier when re-adding an existing catalog dependency.
  • Fixed the documentation URL shown in `pnpm completion --help` to point to the correct page at https://pnpm.io/completion.
  • Skip local `file:` protocol dependencies during `pnpm fetch`. This fixes an issue where `pnpm fetch` would fail in Docker builds when local directory dependencies were not available.
  • Fixed `pnpm audit --json` to respect the `--audit-level` setting for both exit code and output filtering.
  • Fix `pnpm audit --fix` replacing reference overrides (e.g. `$foo`) with concrete versions.
  • Fix `shamefullyHoist` set via `updateConfig` in `.pnpmfile.cjs` not being converted to `publicHoistPattern`.
  • Add a warning when the current directory contains the PATH delimiter character, which breaks PATH injection for `node_modules/.bin` on POSIX systems.

Affected Symbols