v11.0.0-beta.3
Breaking Changes📦 pnpmView on GitHub →
⚠ 21 breaking✨ 11 features⚡ 1 deprecations🔧 32 symbols
Summary
This major release introduces significant architectural changes to the content-addressable store using SQLite and optimizes metadata storage, alongside isolating global package installations for better stability. Configuration handling has been overhauled, moving away from rc files and project-specific .npmrcs in favor of centralized workspace configuration.
⚠️ Breaking Changes
- The standalone exe version of pnpm requires at least glibc 2.27.
- Node.js v18, v19, v20, and v21 support has been discontinued. Users must upgrade Node.js.
- pnpm config get (without --json) no longer prints INI formatted text; it now prints JSON for objects/arrays and raw strings for primitives. If you relied on INI output, use --json.
- pnpm config get <array> now prints a JSON array instead of INI format.
- pnpm config list now prints a JSON object instead of INI formatted text.
- pnpm config list and pnpm config get (without argument) now hide auth-related settings.
- pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase (unless they start with @ or //).
- pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).
- pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.
- Workspace project specific .npmrc files are replaced by the packageConfigs field in pnpm-workspace.yaml. Migrate settings from .npmrc files into packageConfigs.
- The lockfile format for patchedDependencies is simplified from Record<string, { path: string, hash: string }> to Record<string, string> (selector to hash). Existing lockfiles are migrated automatically.
- The deprecated build dependency settings: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, and ignoredBuiltDependencies are removed. Use the allowBuilds setting instead.
- The deprecated allowNonAppliedPatches is completely removed in favor of allowUnusedPatches.
- ignorePatchFailures is removed; all patch application failures will now throw an error.
- The pnpm server command has been removed.
- Support for the useNodeVersion and executionEnv.nodeVersion fields has been removed. Use devEngines.runtime and engines.runtime instead.
- Support for hooks.fetchers has been removed. Use the fetchers field of pnpmfile for custom fetchers and resolvers.
- The default value of the type field in package.json initialized by pnpm init is now "module".
- pnpm add command aliases changed: -p is now an alias for --save-prod (was --parseable), and -d is now an alias for --save-dev (was --loglevel=info).
- pnpm publish now reads OTP from PNPM_CONFIG_OTP instead of NPM_CONFIG_OTP.
- pnpm no longer reads settings from the pnpm field of package.json. Settings must be defined in pnpm-workspace.yaml.
Migration Steps
- If you relied on INI output from `pnpm config get` without `--json`, update scripts to use `--json` or handle JSON output.
- Migrate configuration settings from the `pnpm` field in `package.json` to `pnpm-workspace.yaml`.
- Replace deprecated build dependency settings (`onlyBuiltDependencies`, etc.) with the `allowBuilds` map in configuration files.
- Replace usage of deprecated `allowNonAppliedPatches` with `allowUnusedPatches`.
- If you relied on undocumented features of `pnpm publish` that used `npm publish` internally, consider using the workaround: `pnpm pack && npm publish *.tgz`.
- Update scripts that relied on the old aliases for `pnpm add`: `-p` is now `--save-prod`, `-d` is now `--save-dev`.
- If using global packages, note that they are now isolated and stored in `{pnpmHomeDir}/global/v11/{hash}/`. If you need the old behavior, set `enableGlobalVirtualStore: false`.
- If you were using `.npmrc` files per workspace project, migrate those settings to the `packageConfigs` field in `pnpm-workspace.yaml`.
✨ New Features
- Runtime dependencies are always linked from the global virtual store.
- Optimized index file format in the content-addressable store: stores hash algorithm once per file, and file entries store only the hex digest, improving performance by eliminating base64-to-hex conversion.
- Store version bumped to v11.
- Bundled manifest (package.json contents) is stored directly in the package index file, reducing I/O during resolution/installation.
- SQLite is used for storing the package index in the content-addressable store ($STORE/index.db), improving performance and space efficiency.
- Global installs (pnpm add -g pkg) and pnpm dlx now use the global virtual store by default (packages stored at {storeDir}/links). This can be disabled via setting enableGlobalVirtualStore: false.
- Global packages are now isolated: each globally installed package (or group) gets its own isolated installation directory with its own node_modules/ and lockfile to prevent interference.
- Default value for optimisticRepeatInstall is changed to true.
- Default value for verifyDepsBeforeRun is changed to install.
- pnpm add command now supports lowercase aliases: -d, -p, -o, -e.
- pnpm publish now works without the npm CLI, handling OTP via PNPM_CONFIG_OTP or prompting, and displaying QR codes for web authentication.
Affected Symbols
pnpm config getpnpm config listpnpm add -gpnpm dlxpnpm remove -gpnpm update -gpnpm list -gpnpm install -gpatchedDependencies (lockfile format)onlyBuiltDependenciesonlyBuiltDependenciesFileneverBuiltDependenciesignoredBuiltDependenciesallowBuildsallowNonAppliedPatchesallowUnusedPatchesignorePatchFailurespnpm serveruseNodeVersionexecutionEnv.nodeVersiondevEngines.runtimeengines.runtimehooks.fetchersfetchers (pnpmfile field)pnpm init (default type)pnpm add -ppnpm add -dpnpm publishNPM_CONFIG_OTPPNPM_CONFIG_OTPpnpm field (package.json)pnpm-workspace.yaml
⚡ Deprecations
- pnpm install -g (with no arguments) is no longer supported; use pnpm add -g <pkg> instead.