v11.0.0-rc.1
Summary
This release updates `pnpm audit` to use the modern registry bulk endpoint, replacing CVE filtering with GHSA filtering, and introduces several new native CLI commands like `pnpm docs`, `pnpm ping`, and `pnpm search`.
⚠️ Breaking Changes
- The registry retired legacy audit endpoints, causing `pnpm audit` to switch to the bulk endpoint (`/-/npm/v1/security/advisories/bulk`).
- CVE-based filtering for audits is no longer supported; it has been replaced by GitHub advisory ID (GHSA) filtering.
- The configuration key `auditConfig.ignoreCves` is no longer recognized and must be replaced with `auditConfig.ignoreGhsas`.
Migration Steps
- Replace all `CVE-YYYY-NNNNN` entries in your `auditConfig.ignoreCves` with the corresponding `GHSA-xxxx-xxxx-xxxx` value found in the 'More info' column of `pnpm audit` output.
- Move the new GHSA entries under the `auditConfig.ignoreGhsas` key in your configuration.
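The two migration steps above as an added example (not pnpm's own code): it rewrites an already-loaded `auditConfig` object and reports any CVE entry that has no GHSA mapping instead of dropping it silently. It assumes the value copied from the 'More info' column is a bare GHSA ID or a URL containing one; the function names and all sample IDs are constructed.

```javascript
// GHSA IDs use a restricted alphabet (GitHub's documented format).
const GHSA_RE = /GHSA(-[23456789cfghjmpqrvwx]{4}){3}/;
const CVE_RE = /^CVE-\d{4}-\d{4,}$/;

// Pull the GHSA ID out of whatever was copied from the 'More info' column.
function extractGhsa(moreInfo) {
  const m = GHSA_RE.exec(String(moreInfo));
  return m ? m[0] : null;
}

// config: object holding `auditConfig`; cveToMoreInfo: hand-collected map of
// CVE ID -> 'More info' value. Returns a new config and the CVE entries that
// could not be migrated. The input object is not mutated.
function migrateAuditConfig(config, cveToMoreInfo) {
  const audit = { ...(config.auditConfig || {}) };
  const ghsas = new Set(audit.ignoreGhsas || []);
  const unmapped = [];
  for (const entry of audit.ignoreCves || []) {
    const cve = String(entry).toUpperCase();
    const known = CVE_RE.test(cve) && Object.hasOwn(cveToMoreInfo, cve);
    const ghsa = known ? extractGhsa(cveToMoreInfo[cve]) : null;
    if (ghsa) ghsas.add(ghsa);
    else unmapped.push(entry); // will be reported by `pnpm audit` again
  }
  delete audit.ignoreCves; // key is no longer recognized
  if (ghsas.size > 0) audit.ignoreGhsas = [...ghsas].sort();
  return { config: { ...config, auditConfig: audit }, unmapped };
}

// Constructed sample input; none of these IDs refer to real advisories.
const sampleConfig = {
  auditConfig: {
    ignoreCves: ['CVE-0000-00001', 'CVE-0000-00002', 'CVE-0000-00003'],
    ignoreGhsas: ['GHSA-cccc-cccc-cccc'],
  },
};
const sampleMoreInfo = {
  'CVE-0000-00001': 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx',
  'CVE-0000-00002': 'GHSA-cccc-cccc-cccc', // already ignored: deduplicated
};

const result = migrateAuditConfig(sampleConfig, sampleMoreInfo);
console.log(JSON.stringify(result, null, 2));
```

Entries returned in `unmapped` are no longer suppressed after the upgrade, so review each one against the audit output before deciding whether to add its GHSA ID.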
✨ New Features
- Added the native `pnpm docs` command (and alias `pnpm home`) to open package documentation or homepage in the browser.
- Added native `pnpm ping` command to test registry connectivity.
- Implemented native `search` command and its aliases (`s`, `se`, `find`).
🐛 Bug Fixes
- Fixed `pnpm store prune` removing packages that are used by the globally installed pnpm.