v11.0.0-beta.1
📦 pnpm
⚠ 20 breaking · ✨ 13 features · ⚡ 1 deprecation · 🔧 32 symbols
Summary
This major release introduces significant architectural changes to the content-addressable store using SQLite and optimizes metadata storage, while isolating global package installations for better stability. Configuration handling has been overhauled, moving project-specific settings out of `.npmrc` and standardizing CLI output formats.
⚠️ Breaking Changes
- The standalone exe version of pnpm requires at least glibc 2.27.
- Node.js v18, 19, 20, and 21 support has been discontinued. Upgrade your Node.js version.
- `pnpm config get` (without `--json`) no longer prints INI-formatted text; it now prints JSON for objects/arrays and raw strings for primitives. If you relied on INI output, use `pnpm config get --json`.
- `pnpm config list` now prints a JSON object instead of INI-formatted text. Anything that parsed the INI output must be updated to read JSON.
- `pnpm config list` and `pnpm config get` (without argument) now hide auth-related settings.
- `pnpm config list` and `pnpm config get` (without argument) now show top-level keys as camelCase, except for keys starting with `@` or `//`.
- `pnpm config get` and `pnpm config list` no longer load non-camelCase options from the workspace manifest (`pnpm-workspace.yaml`).
- pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in `pnpm-workspace.yaml`.
- Project-specific `.npmrc` files in a workspace are replaced by `packageConfigs` in `pnpm-workspace.yaml`. You must migrate configuration settings from `.npmrc` files in project directories to the `packageConfigs` field in `pnpm-workspace.yaml`.
- The lockfile format for `patchedDependencies` changed from `Record<string, { path: string, hash: string }>` to `Record<string, string>`. Existing lockfiles are migrated automatically.
- The deprecated build dependency settings (`onlyBuiltDependencies`, `onlyBuiltDependenciesFile`, `neverBuiltDependencies`, and `ignoredBuiltDependencies`) have been removed. Use the `allowBuilds` setting in configuration instead.
- The deprecated `allowNonAppliedPatches` is completely removed in favor of `allowUnusedPatches`.
- The `ignorePatchFailures` setting is removed; all patch application failures will now throw an error.
- The `pnpm server` command has been removed.
- Support for `useNodeVersion` and `executionEnv.nodeVersion` fields has been removed. Use `devEngines.runtime` and `engines.runtime` instead.
- Support for `hooks.fetchers` has been removed. Use the new API via the `fetchers` field of `pnpmfile`.
- The default value of the `type` field in the `package.json` file initialized by `pnpm init` is now `module`.
- Lowercase options for `pnpm add` are now aliases: `-p` is now `--save-prod` (was `--parseable`), and `-d` is now `--save-dev` (was `--loglevel=info`).
- The One-time Password feature for `pnpm publish` now reads from `PNPM_CONFIG_OTP` instead of `NPM_CONFIG_OTP`.
- pnpm no longer reads settings from the `pnpm` field of `package.json`. Settings must be defined in `pnpm-workspace.yaml`.
Migration Steps
- If you relied on INI output from `pnpm config get` (without `--json`), switch to using `pnpm config get --json`.
- Migrate configuration settings defined in project-specific `.npmrc` files into the `packageConfigs` field within your root `pnpm-workspace.yaml`.
- Replace usage of deprecated build dependency settings (`onlyBuiltDependencies`, etc.) with the `allowBuilds` setting in your configuration, mapping package patterns to `true` (allowed to build) or `false` (denied build).
- If you used `allowNonAppliedPatches`, rename this configuration to `allowUnusedPatches`.
- Remove any usage of the `ignorePatchFailures` setting.
- If you used `useNodeVersion` or `executionEnv.nodeVersion` fields, replace them with `devEngines.runtime` or `engines.runtime`.
- If you used `hooks.fetchers` in `pnpmfile`, migrate to the new API using the `fetchers` field in `pnpmfile`.
- If you relied on settings in the `pnpm` field of `package.json`, move them to `pnpm-workspace.yaml`.
- If you relied on the old behavior of `pnpm add -p` (as `--parseable`) or `pnpm add -d` (as `--loglevel=info`), update scripts to use the new aliases (`--save-prod` and `--save-dev` respectively) or the full flags.
- For publishing requiring OTP, use the `PNPM_CONFIG_OTP` environment variable or the `--otp` flag instead of `NPM_CONFIG_OTP`.
- If you were using global installs and relied on them being in project-local `.pnpm` directories, note that they now use the global virtual store at `{storeDir}/links` (unless `enableGlobalVirtualStore: false` is set).
- If you used `pnpm install -g` without arguments, change this to `pnpm add -g <pkg>`.
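The build-settings migration step above decides which dependencies may run install scripts, so it is worth converting mechanically. The following is an added example, not code from pnpm or from these release notes. It assumes old allowlist entries map to `true`, old deny/ignore entries map to `false`, and a package named in both is denied; `toAllowBuilds`, `renderYaml` and the sample data are hypothetical names.

```javascript
// Added example: fold the removed build-script settings into one allowBuilds map.
// Assumption: allowlist entries become true, deny/ignore entries become false,
// and a package that appears in both lists ends up denied and is reported.
function toAllowBuilds(oldSettings) {
  const allowBuilds = Object.create(null);
  const conflicts = [];
  const manual = [];

  for (const name of oldSettings.onlyBuiltDependencies ?? []) {
    allowBuilds[name] = true;
  }
  const denied = [
    ...(oldSettings.neverBuiltDependencies ?? []),
    ...(oldSettings.ignoredBuiltDependencies ?? []),
  ];
  for (const name of denied) {
    if (allowBuilds[name] === true) conflicts.push(name);
    allowBuilds[name] = false;
  }
  // An external allowlist file cannot be inlined without reading it: flag it.
  if (oldSettings.onlyBuiltDependenciesFile) {
    manual.push(`onlyBuiltDependenciesFile: ${oldSettings.onlyBuiltDependenciesFile}`);
  }
  return { allowBuilds, conflicts, manual };
}

// Render the map as a pnpm-workspace.yaml fragment. Keys are quoted so that
// scoped names such as @scope/pkg remain valid YAML.
function renderYaml(allowBuilds) {
  const lines = Object.keys(allowBuilds)
    .sort()
    .map((name) => `  ${JSON.stringify(name)}: ${allowBuilds[name]}`);
  return ['allowBuilds:', ...lines].join('\n');
}

// Constructed sample: settings as they might appear in an older configuration.
const samplePnpmField = {
  onlyBuiltDependencies: ['esbuild', '@swc/core', 'sharp'],
  ignoredBuiltDependencies: ['core-js', 'sharp'],
  onlyBuiltDependenciesFile: 'config/allowed-builds.json',
};

const migrated = toAllowBuilds(samplePnpmField);
console.log(renderYaml(migrated.allowBuilds));
console.log('conflicts (denied):', migrated.conflicts);
console.log('migrate by hand:', migrated.manual);
```

Review every entry in `conflicts` before committing the result: those packages were allowed to build under one old setting and blocked under another.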
✨ New Features
- Runtime dependencies are always linked from the global virtual store.
- Optimized index file format in the content-addressable store: stores hash algorithm once per file, and file entries store only hex digests, improving performance by eliminating base64-to-hex conversion.
- Store version bumped to v11.
- Bundled manifest (name, version, bin, engines, scripts, etc.) is now stored directly in the package index file, reducing I/O during resolution/installation.
- Store now uses SQLite for package index metadata storage (`$STORE/index.db`), improving efficiency and enabling concurrent access.
- Global installs (`pnpm add -g pkg`) and `pnpm dlx` now use the global virtual store by default, storing packages at `{storeDir}/links`.
- Global packages are now isolated: each globally installed package (or group) gets its own isolated installation directory with its own `package.json`, `node_modules/`, and lockfile to prevent interference.
- `optimisticRepeatInstall` default value changed to `true`.
- `verifyDepsBeforeRun` default value changed to `install`.
- pnpm publish now works without the `npm` CLI.
- The `pnpm publish` OTP feature now reads from the `PNPM_CONFIG_OTP` environment variable or prompts directly.
- If the registry requests web-based authentication for publish, pnpm prints a scannable QR code and URL.
- Lowercase options `-d`, `-p`, `-o`, `-e` are now supported for `pnpm add`.
Affected Symbols
- `pnpm config get`
- `pnpm config list`
- `pnpm add -g`
- `pnpm dlx`
- `pnpm remove -g`
- `pnpm update -g`
- `pnpm list -g`
- `pnpm install -g`
- `patchedDependencies` (lockfile format)
- `onlyBuiltDependencies`
- `onlyBuiltDependenciesFile`
- `neverBuiltDependencies`
- `ignoredBuiltDependencies`
- `allowBuilds`
- `allowNonAppliedPatches`
- `allowUnusedPatches`
- `ignorePatchFailures`
- `pnpm server`
- `useNodeVersion`
- `executionEnv.nodeVersion`
- `devEngines.runtime`
- `engines.runtime`
- `hooks.fetchers`
- `fetchers` (pnpmfile field)
- `pnpm init` (default type)
- `pnpm add -p`
- `pnpm add -d`
- `pnpm publish`
- `NPM_CONFIG_OTP`
- `PNPM_CONFIG_OTP`
- `pnpm` field (`package.json`)
- `pnpm-workspace.yaml` (`packageConfigs`)
⚡ Deprecations
- The `pnpm install -g` command (with no arguments) is no longer supported; use `pnpm add -g <pkg>` instead for global package management.
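Several changes listed on this page alter or remove command-line behaviour that CI and release scripts may depend on: `pnpm add -p`/`-d`, `NPM_CONFIG_OTP`, `pnpm install -g` without arguments, and `pnpm server`. The following added example, which is not part of pnpm or of the original notes, scans script text for those usages. The function names and the sample script are constructed, and matching is a whitespace-token heuristic rather than a shell parser.

```javascript
const SEPARATORS = new Set(['&&', '||', ';', '|']);

// Collect each `pnpm <subcommand> ...` invocation on a line, up to a shell separator.
function pnpmCalls(line) {
  const tokens = line.trim().split(/\s+/);
  const calls = [];
  for (let i = 0; i < tokens.length - 1; i++) {
    if (tokens[i] !== 'pnpm') continue;
    const args = [];
    for (let j = i + 2; j < tokens.length && !SEPARATORS.has(tokens[j]); j++) {
      args.push(tokens[j]);
    }
    calls.push({ sub: tokens[i + 1], args });
  }
  return calls;
}

// Findings for one line, covering only changes named in these release notes.
function auditLine(line) {
  const findings = [];
  // \b keeps PNPM_CONFIG_OTP from matching: "P" before "N" is not a word boundary.
  if (/\bNPM_CONFIG_OTP\b/.test(line)) {
    findings.push('pnpm publish reads PNPM_CONFIG_OTP (or --otp), not NPM_CONFIG_OTP');
  }
  for (const { sub, args } of pnpmCalls(line)) {
    if (sub === 'server') findings.push('pnpm server has been removed');
    if (sub === 'add' && args.includes('-p')) findings.push('-p now means --save-prod (was --parseable)');
    if (sub === 'add' && args.includes('-d')) findings.push('-d now means --save-dev (was --loglevel=info)');
    const isGlobal = args.includes('-g') || args.includes('--global');
    if (sub === 'install' && isGlobal && args.every((a) => a.startsWith('-'))) {
      findings.push('pnpm install -g without arguments is unsupported; use pnpm add -g <pkg>');
    }
  }
  return findings;
}

// Audit a whole script; line numbers are 1-based.
function auditScript(text) {
  return text.split('\n').flatMap((line, idx) =>
    auditLine(line).map((message) => ({ line: idx + 1, message })));
}

// Constructed sample script, written for this example.
const sampleScript = [
  'pnpm install --frozen-lockfile',
  'pnpm install -g',
  'pnpm add -d typescript && pnpm add -p -g serve',
  'NPM_CONFIG_OTP=$OTP pnpm publish',
  'PNPM_CONFIG_OTP=$OTP pnpm publish',
  'pnpm server start',
].join('\n');

for (const f of auditScript(sampleScript)) console.log(`line ${f.line}: ${f.message}`);
```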