Change8

v11.0.0-alpha.16

Breaking Changes
📦 pnpmView on GitHub →
21 breaking11 features1 deprecations🔧 18 symbols

Summary

This release introduces major architectural changes to the pnpm store, moving to SQLite for metadata indexing and isolating global package installations for better stability. Configuration commands and build dependency handling have also been significantly overhauled, and support for older Node.js versions has been dropped.

⚠️ Breaking Changes

  • The `pnpm config get` command (without `--json`) now outputs JSON for objects/arrays and raw strings for primitives, instead of INI formatted text. Use `pnpm config get --json` if you require JSON output for all types.
  • The `pnpm config list` command now outputs a JSON object instead of INI formatted text.
  • Auth-related settings are hidden when running `pnpm config list` or `pnpm config get` (without arguments).
  • Top-level keys in `pnpm config list` and `pnpm config get` (without arguments) are now shown as camelCase, except for keys starting with `@` or `//`.
  • pnpm no longer loads non-auth and non-registry settings from rc files; these settings must now be defined in `pnpm-workspace.yaml`.
  • Workspace project specific `.npmrc` files are replaced by the `packageConfigs` field in `pnpm-workspace.yaml`.
  • The lockfile format for `patchedDependencies` is simplified from `Record<string, { path: string, hash: string }>` to `Record<string, string>`. Existing lockfiles are migrated.
  • This package is now pure ESM; ensure your environment supports ESM.
  • Node.js v18, v19, v20, and v21 support is discontinued. Upgrade to a supported Node.js version.
  • The standalone executable version of pnpm requires at least glibc 2.27.
  • Deprecated build dependency settings (`onlyBuiltDependencies`, `onlyBuiltDependenciesFile`, `neverBuiltDependencies`, and `ignoredBuiltDependencies`) are removed. Use the `allowBuilds` setting instead.
  • The deprecated `allowNonAppliedPatches` is completely removed in favor of `allowUnusedPatches`.
  • The `ignorePatchFailures` setting is removed; all patch application failures will now throw an error.
  • The `pnpm server` command is removed.
  • Support for `useNodeVersion` and `executionEnv.nodeVersion` fields is removed. Use `devEngines.runtime` and `engines.runtime` instead.
  • Support for `hooks.fetchers` is removed. Use the new API via the `fetchers` field of `pnpmfile`.
  • The default value for the `type` field in `package.json` initialized by `pnpm init` is changed to `module`.
  • Lowercase options for `pnpm add` have new meanings: `-p` is now an alias for `--save-prod` (was `--parseable`), and `-d` is now an alias for `--save-dev` (was `--loglevel=info`).
  • `pnpm link <pkg-name>` no longer resolves packages from the global store; only relative or absolute paths are accepted (e.g., use `pnpm link ./foo`).
  • `pnpm link --global` is removed. Use `pnpm add -g .` to register a local package's bins globally.
  • `pnpm link` (no arguments) is removed. Use `pnpm link <dir>` with an explicit directory.

Migration Steps

  1. If you relied on INI output from `pnpm config get` (without `--json`), switch to using `pnpm config get --json` or update scripts to handle JSON output.
  2. Update configuration logic that relied on `.npmrc` files in workspace projects to use the `packageConfigs` field in `pnpm-workspace.yaml`.
  3. Replace usage of deprecated build dependency settings (`onlyBuiltDependencies`, etc.) with the `allowBuilds` map in configuration.
  4. If you used `pnpm link <pkg-name>` where `<pkg-name>` referred to a globally installed package, change it to use a path, e.g., `pnpm link ./foo`.
  5. If you used `pnpm link --global`, switch to using `pnpm add -g .`.
  6. If you relied on `pnpm link` without arguments, use `pnpm link <dir>` explicitly.
  7. Update scripts that relied on `NPM_CONFIG_OTP` for publishing to use `PNPM_CONFIG_OTP`.
  8. Ensure your Node.js version is supported (not v18, v19, v20, or v21).
  9. If using the standalone executable, ensure glibc version is 2.27 or higher.

✨ New Features

  • Runtime dependencies are always linked from the global virtual store.
  • Optimized index file format in the content-addressable store: stores hash algorithm once per file, and file entries store only the hex digest, improving performance by eliminating base64-to-hex conversion.
  • Store version bumped to v11.
  • Bundled manifest (name, version, bin, engines, scripts, etc.) is stored directly in the package index file, reducing I/O during resolution/installation.
  • SQLite is used for storing package index metadata in the content-addressable store, improving efficiency and enabling concurrent access.
  • Global installs (`pnpm add -g pkg`) and `pnpm dlx` now use the global virtual store by default (can be disabled via `enableGlobalVirtualStore: false`).
  • Global packages are now isolated: each globally installed package/group gets its own installation directory (`{pnpmHomeDir}/global/v11/{hash}/`) to prevent interference.
  • `pnpm config get <array>` now prints a JSON array.
  • The `allowBuilds` setting replaces deprecated build dependency settings, allowing fine-grained control over which packages can run build scripts.
  • `pnpm publish` now works without the `npm` CLI.
  • The One-time Password feature for `pnpm publish` now reads from `PNPM_CONFIG_OTP` instead of `NPM_CONFIG_OTP`.

Affected Symbols

`pnpm config get``pnpm config list`Global package installation mechanism`patchedDependencies` lockfile format`pnpm link``pnpm publish` OTP handling`pnpm init` default type`onlyBuiltDependencies``onlyBuiltDependenciesFile``neverBuiltDependencies``ignoredBuiltDependencies``allowNonAppliedPatches``ignorePatchFailures``pnpm server``useNodeVersion``executionEnv.nodeVersion``hooks.fetchers``fetchers` field in `pnpmfile`

⚡ Deprecations

  • The `pnpm install -g` command (with no arguments) is no longer supported; use `pnpm add -g <pkg>` instead for global package installation.