pnpm v11.0.0-beta.7
⚠ 8 breaking, ✨ 21 features, 🐛 1 fix, ⚡ 1 deprecation, 🔧 9 symbols
Summary
This release introduces major architectural changes focused on performance and security, including migrating the store index to SQLite, isolating global packages, and hardening configuration loading by deprecating reliance on `.npmrc` for non-auth settings. CLI output has also been cleaned up.
⚠️ Breaking Changes
- pnpm no longer populates `npm_config_*` environment variables from the pnpm config during lifecycle scripts. Only well-known `npm_*` env vars are set, matching Yarn's behavior. Users relying on `npm_config_*` variables set by pnpm must switch to using `pnpm_config_*` environment variables instead.
- pnpm no longer reads all settings from `.npmrc` files. Only auth and registry settings are read from `.npmrc`. Configuration settings like `hoistPattern`, `nodeLinker`, etc., must now be configured in `pnpm-workspace.yaml` or the global config file.
- pnpm no longer reads `npm_config_*` environment variables. Use `pnpm_config_*` environment variables instead (e.g., `pnpm_config_registry` instead of `npm_config_registry`).
- pnpm no longer reads the npm global config at `$PREFIX/etc/npmrc`.
- Workspace project specific `.npmrc` files are replaced by the `packageConfigs` setting in `pnpm-workspace.yaml`.
- Deprecated build dependency settings (`onlyBuiltDependencies`, `onlyBuiltDependenciesFile`, `neverBuiltDependencies`, and `ignoredBuiltDependencies`) are removed. Use the `allowBuilds` setting instead.
- The standalone exe version of pnpm requires at least glibc 2.27.
- Node.js v18, v19, v20, and v21 support is discontinued.
Migration Steps
- If you relied on `npm_config_*` environment variables being set by pnpm in lifecycle scripts, switch to using `pnpm_config_*` variables.
- Move configuration settings (like `hoistPattern`, `nodeLinker`, `shamefullyHoist`) previously set in `.npmrc` files (outside of auth/registry settings) to `pnpm-workspace.yaml` or the global config file.
- If you need to allow specific packages to run build scripts, use the `allowBuilds` map in your configuration, replacing deprecated build dependency settings.
- If you use global installs, note that they now use an isolated virtual store structure. If you need to disable this, set `enableGlobalVirtualStore: false`.
- If you were using `pnpm install -g`, change this command to `pnpm add -g <pkg>`.
- If you were using per-project `.npmrc` files for configuration, migrate those settings into the `packageConfigs` section of `pnpm-workspace.yaml`.
- If you rely on the output format of `pnpm config get` (without `--json`), be aware it now outputs JSON/raw values instead of INI format, and update parsing logic if necessary.
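As an aid for the `.npmrc` and environment-variable steps above, the following added example (not part of pnpm or of these release notes) lists which `.npmrc` keys would stay and which must move, and which `npm_config_*` variables need renaming. The allow-list of auth/registry keys, the kebab-case to camelCase key mapping, and the sample hosts are assumptions.

```javascript
// Assumption: the notes say only "auth and registry settings" stay in .npmrc
// without enumerating them; this allow-list is illustrative, adjust as needed.
const AUTH_REGISTRY_KEYS = new Set(['registry', '_auth', '_authToken', 'username', '_password']);

function isAuthOrRegistryKey(key) {
  if (key.startsWith('//')) return true; // per-host credentials, e.g. //host/:_authToken
  if (key.startsWith('@') && key.endsWith(':registry')) return true; // scoped registry
  return AUTH_REGISTRY_KEYS.has(key);
}

// Assumption: kebab-case .npmrc keys map to camelCase YAML keys (node-linker -> nodeLinker).
function toCamelCase(key) {
  return key.replace(/[-_]+([a-z0-9])/gi, (_, c) => c.toUpperCase());
}

function auditNpmrc(text) {
  const stays = [];
  const mustMove = new Map(); // .npmrc key -> suggested pnpm-workspace.yaml key
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    // A bare key has no "="; "key[]" is INI array syntax, so drop the suffix.
    const key = (eq === -1 ? line : line.slice(0, eq)).trim().replace(/\[\]$/, '');
    if (isAuthOrRegistryKey(key)) stays.push(key);
    else mustMove.set(key, toCamelCase(key));
  }
  return { stays, mustMove: Object.fromEntries(mustMove) };
}

// npm_config_* is no longer read; suggest the pnpm_config_* name instead.
function auditEnv(env) {
  return Object.keys(env)
    .filter((name) => name.startsWith('npm_config_'))
    .map((name) => ({ from: name, to: name.replace(/^npm_/, 'pnpm_') }));
}

// Constructed sample input (hosts and token variable are placeholders).
const SAMPLE_NPMRC = [
  '# constructed sample',
  'registry=https://registry.example.test/',
  '@acme:registry=https://npm.acme.example.test/',
  '//npm.acme.example.test/:_authToken=${ACME_TOKEN}',
  'node-linker=hoisted',
  'shamefully-hoist=true',
  'hoist-pattern[]=*eslint*',
].join('\n');
console.log(auditNpmrc(SAMPLE_NPMRC));
console.log(auditEnv({ npm_config_registry: 'https://registry.example.test/', PATH: '/usr/bin' }));
```

Run it in CI against each `.npmrc` in the repository before upgrading, so that settings which would stop being read are caught in review.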
✨ New Features
- CLI now uses cleaner output for script execution, printing `$ command` to stderr.
- During install, pnpm suggests running `pnpm peers check` instead of rendering the full peer dependency issues tree.
- Runtime dependencies are always linked from the global virtual store.
- Optimized index file format in the content-addressable store: file entries now store only the hex digest instead of the full integrity string, improving performance.
- Store version bumped to v11.
- Package manifest (package.json contents) is now stored directly in the package index file in the store, reducing I/O during resolution/installation.
- Package index in the content-addressable store now uses SQLite (`$STORE/index.db`) instead of individual JSON files, improving performance and space efficiency.
- Global installs (`pnpm add -g pkg`) and `pnpm dlx` now use the global virtual store by default, storing packages at `{storeDir}/links` (can be disabled via `enableGlobalVirtualStore: false`).
- Global packages are now isolated: each globally installed package (or group) gets its own installation directory with its own node_modules/ and lockfile to prevent interference.
- Default value for `optimisticRepeatInstall` changed to `true`.
- Default value for `verifyDepsBeforeRun` changed to `install`.
- Default value for `minimumReleaseAge` changed to `1440` (1 day) to protect against supply chain attacks.
- `pnpm config get` (without `--json`) now prints JSON for objects/arrays and raw values for strings/numbers/booleans/nulls.
- `pnpm config get <array>` now prints a JSON array.
- `pnpm config list` now prints a JSON object instead of INI format.
- `pnpm config list` and `pnpm config get` (without argument) now hide auth-related settings.
- `pnpm config list` and `pnpm config get` (without argument) now show top-level keys as camelCase (except keys starting with @ or //).
- Auth tokens written by `pnpm login` now go to `~/.config/pnpm/auth.ini`.
- Introduced `registries` setting in `pnpm-workspace.yaml` for defining named registries.
- Introduced `packageConfigs` in `pnpm-workspace.yaml` to configure settings per workspace project, replacing per-project `.npmrc` files.
- Lockfile format for `patchedDependencies` simplified from `{ path: string, hash: string }` to just a hash string.
🐛 Bug Fixes
- Packages missing from the new SQLite index are now re-fetched on demand.
Affected Symbols
⚡ Deprecations
- `pnpm install -g` (with no arguments) is no longer supported for global installs; use `pnpm add -g <pkg>` instead.