
pnpm v11.0.0

Breaking Changes

9 breaking changes, 13 new features, 13 affected symbols

Summary

This major release upgrades pnpm to pure ESM, requires Node.js 22+, and introduces significant security enhancements like default supply-chain protection and a new SQLite-backed store index for performance gains. Configuration handling has also been streamlined, restricting `.npmrc` usage and replacing old build dependency settings.

⚠️ Breaking Changes

  • Support for Node.js v18, 19, 20, and 21 is dropped; pnpm is now pure ESM.
  • The standalone executable now requires glibc 2.27.
  • `.npmrc` is now restricted to authentication and registry settings; all other configuration must move to `pnpm-workspace.yaml` or the new global `config.yaml`.
  • Environment variables for configuration must now use the `pnpm_config_*` prefix.
  • Deprecated build dependency settings (`onlyBuiltDependencies`, `onlyBuiltDependenciesFile`, `neverBuiltDependencies`, `ignoredBuiltDependencies`, and `ignoreDepScripts`) have been removed and replaced by the `allowBuilds` setting.
  • Removed `allowNonAppliedPatches`; use `allowUnusedPatches` instead.
  • Patch application failures now throw an error; `ignorePatchFailures` has been removed.
  • npm passthrough commands (other than the newly implemented native flow commands) now throw "not implemented".
  • CVE-based filtering in `pnpm audit` is removed; migrate `auditConfig.ignoreCves` entries to use GHSA filtering via `auditConfig.ignoreGhsas`.

Migration Steps

  1. Review and update configuration: Move settings from `.npmrc` (excluding auth/registry) to `pnpm-workspace.yaml` or the new global `config.yaml`.
  2. Update environment variables from `pnpm_*` prefix to `pnpm_config_*` prefix.
  3. Replace deprecated build dependency settings (`onlyBuiltDependencies`, etc.) with the `allowBuilds` map in configuration.
  4. If using CVE filtering in audits, migrate `auditConfig.ignoreCves` entries to `auditConfig.ignoreGhsas`.
  5. If relying on patch failures not throwing errors, note that `ignorePatchFailures` is removed and failures now throw.
  6. If using older Node.js versions (18-21), upgrade to Node.js 22+.
  7. If using the standalone executable on Linux, ensure glibc version is 2.27 or higher.
  8. If you need to opt out of the 1-day minimum release age protection, set `minimumReleaseAge: 0` in `pnpm-workspace.yaml`.
  9. Review global package usage; global installs now use an isolated virtual store by default, which can be disabled via `enableGlobalVirtualStore: false`.
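The following is an added example, not pnpm's own code, that mechanises migration steps 1 through 4 as a small checker a practitioner can run over a pnpm 10 project before upgrading. It splits a legacy `.npmrc` into the authentication/registry lines that may stay and the settings that must move to `pnpm-workspace.yaml` (converting kebab-case keys to the camelCase the YAML file uses), rewrites the removed build-dependency lists into one `allowBuilds` map, renames `allowNonAppliedPatches`, drops `ignorePatchFailures`, flags `auditConfig.ignoreCves` for manual GHSA migration, and renames `pnpm_*` environment variables to the `pnpm_config_*` prefix. Two assumptions are labelled in the code: the heuristic for which `.npmrc` keys count as "auth/registry" is mine, and `allowBuilds` is assumed to be a package-name to boolean map. The sample `.npmrc` and workspace settings are constructed.

```javascript
// Added example (not pnpm's own code): migration helper for pnpm 11 config changes.
// ASSUMPTION: which .npmrc keys count as "auth/registry" is a heuristic of mine.
// ASSUMPTION: `allowBuilds` is treated as a package-name -> boolean map.

// Step 1: keys that may stay in .npmrc: `registry`, scoped `@scope:registry`,
// and URL-prefixed credential keys such as `//host/:_authToken`.
function isAuthOrRegistryKey(key) {
  if (key === 'registry' || key.endsWith(':registry')) return true;
  return /^\/\/.*:(_authToken|_auth|username|_password|email)$/.test(key);
}

// pnpm-workspace.yaml uses camelCase where .npmrc used kebab-case.
function toCamel(key) {
  return key.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
}

// Parse a scalar the way a YAML reader will: booleans and integers, else string.
function parseValue(raw) {
  const v = raw.trim();
  if (v === 'true') return true;
  if (v === 'false') return false;
  if (/^-?\d+$/.test(v)) return Number(v);
  return v;
}

// Split .npmrc text into lines to keep and settings to move to the YAML file.
function splitNpmrc(text) {
  const keep = [];
  const move = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    if (isAuthOrRegistryKey(key)) keep.push(line);
    else move[toCamel(key)] = parseValue(line.slice(eq + 1));
  }
  return { keep, move };
}

// Step 3 (plus the patch-setting renames): rewrite a parsed pnpm-workspace.yaml object.
function migrateBuildSettings(config) {
  const out = { ...config };
  const allowBuilds = { ...(config.allowBuilds || {}) };
  for (const name of config.onlyBuiltDependencies || []) allowBuilds[name] = true;
  for (const name of config.neverBuiltDependencies || []) allowBuilds[name] = false;
  for (const name of config.ignoredBuiltDependencies || []) allowBuilds[name] = false;
  for (const k of ['onlyBuiltDependencies', 'neverBuiltDependencies',
                   'ignoredBuiltDependencies', 'ignorePatchFailures']) delete out[k];
  if ('allowNonAppliedPatches' in out) {
    out.allowUnusedPatches = out.allowNonAppliedPatches;
    delete out.allowNonAppliedPatches;
  }
  if (Object.keys(allowBuilds).length) out.allowBuilds = allowBuilds;
  // Items that cannot be rewritten mechanically are reported for manual action.
  const manual = [];
  if (config.onlyBuiltDependenciesFile) manual.push('onlyBuiltDependenciesFile: merge its entries into allowBuilds');
  if (config.ignoreDepScripts !== undefined) manual.push('ignoreDepScripts: express the intent with allowBuilds');
  if (config.auditConfig && config.auditConfig.ignoreCves) {
    manual.push('auditConfig.ignoreCves: map each CVE to its GHSA id under auditConfig.ignoreGhsas');
  }
  return { config: out, manual };
}

// Step 2: rename pnpm_* environment variables to the pnpm_config_* prefix.
function renameEnv(env) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    const rename = name.startsWith('pnpm_') && !name.startsWith('pnpm_config_');
    out[rename ? 'pnpm_config_' + name.slice('pnpm_'.length) : name] = value;
  }
  return out;
}

// Render the migrated settings as YAML lines (scalars and one-level maps).
function toYaml(obj, indent = '') {
  const lines = [];
  for (const [k, v] of Object.entries(obj)) {
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      lines.push(`${indent}${k}:`, ...toYaml(v, indent + '  '));
    } else {
      lines.push(`${indent}${k}: ${typeof v === 'string' || Array.isArray(v) ? JSON.stringify(v) : v}`);
    }
  }
  return lines;
}

// Constructed sample .npmrc from a pnpm 10 project.
const SAMPLE_NPMRC = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.example.test/
//npm.example.test/:_authToken=\${NPM_TOKEN}
minimum-release-age=0
strict-peer-dependencies=true
node-linker=hoisted
`;

const { keep, move } = splitNpmrc(SAMPLE_NPMRC);
console.log('# keep in .npmrc\n' + keep.join('\n'));
console.log('# move to pnpm-workspace.yaml\n' + toYaml(move).join('\n'));
```

Run it with `node migrate-check.js`; the output lists the lines that stay in `.npmrc` and the YAML fragment to paste into `pnpm-workspace.yaml`, and `migrateBuildSettings` returns a `manual` list for the items (CVE filters, `onlyBuiltDependenciesFile`) that need a human decision.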

✨ New Features

  • Supply-chain protection is enabled by default: `minimumReleaseAge` defaults to 1 day (24 hours) and `blockExoticSubdeps` defaults to `true`.
  • Introduced `allowBuilds` setting to control which packages can run build scripts, replacing several deprecated settings.
  • Global installs now use an isolated global virtual store by default, giving each global installation its own `package.json`, `node_modules`, and lockfile.
  • New SQLite-backed store index (store v11) with bundled manifests and hex digests for faster installation and reduced filesystem syscalls.
  • Native implementation for several publishing commands: `pnpm publish`, `login`, `logout`, `view`, `deprecate`, `unpublish`, `dist-tag`, and `version` no longer delegate to the npm CLI.
  • `pnpm audit` now uses npm's bulk advisories endpoint and supports GHSA-based filtering.
  • Runtime installations via `node@runtime:<version>` are slimmer as bundled npm, npx, and corepack are no longer extracted.
  • New commands added: `pnpm ci`, `pnpm sbom`, `pnpm clean`, `pnpm peers check`, `pnpm runtime set`, `pnpm docs`/`home`, `pnpm ping`, `pnpm search`, `pnpm star`/`unstar`/`stars`, `pnpm whoami`, `pnpm with`, and `pnpm pack-app`, plus `pn`/`pnx` short aliases.
  • Support for ESM pnpmfiles via `.pnpmfile.mjs`, which takes precedence over `.pnpmfile.cjs`.
  • `pnpm audit --fix=update` fixes vulnerabilities by updating packages in the lockfile instead of using overrides.
  • `pnpm audit --fix --interactive` allows selection of advisories to fix.
  • `pnpm pack-app` can pack a CommonJS entry into a standalone executable using Node.js Single Executable Applications.
  • Performance improvements via undici with Happy Eyeballs, direct-to-CAS writes, skipped staging directory, pre-allocated tarball downloads, and an NDJSON metadata cache.

Affected Symbols