pnpm v11.0.0-rc.3 (1 breaking change, 5 features, 7 fixes)
Summary
This release introduces the `pnpm pack-app` command for building standalone executables and extends `pnpm version` to behave more like npm's CLI. It also tightens `pnpm audit --fix`, improves license and dependency resolution for git-sourced packages, and renames the platform-specific binary packages and release assets.
⚠️ Breaking Changes
- Overrides emitted by `pnpm audit --fix` now use a caret range (`^X.Y.Z`) instead of an open-ended `>=X.Y.Z`. A caret range stays within the fixed version's major line, so applying a fix no longer silently promotes a dependency across a major version boundary.
Migration Steps
- If you relied on `pnpm audit --fix` ignoring `auditLevel` (that is, fixing every advisory regardless of severity), note that it now honours the setting, so advisories below the configured level are no longer fixed. To fix everything, lower the level explicitly, e.g. `pnpm audit --fix --severity=info` (or whichever level you need).
- If you download pnpm releases directly or pin the platform-specific packages, note that the optional dependency package names and release asset filenames now follow the `@pnpm/exe.<platform>-<arch>[-<libc>]` scheme (e.g., `@pnpm/linux-x64` is now `@pnpm/exe.linux-x64`).
- If you were relying on `pnpm licenses` preferring the deprecated `licenses` array over the `license` field in package.json, note that both `pnpm sbom` and `pnpm licenses` now prefer the modern `license` field.
✨ New Features
- Added the `pnpm pack-app` command, which packs a CommonJS entry file into a standalone executable for the specified targets using the Node.js Single Executable Applications API (uses a Node.js v25.5+ on the host, or downloads a suitable Node.js automatically).
- `pnpm audit --fix` now respects the `auditLevel` setting and supports an interactive mode via `--interactive`/`-i`.
- Added the `minimumReleaseAgeIgnoreMissingTime` setting (default `true`): when a package's registry metadata has no `time` field, the `minimumReleaseAge` check is skipped for it. Set it to `false` if you want the release-age gate enforced even when publish timestamps are missing, for example against a mirror that strips them.
- Expanded `pnpm version` to accept an explicit semver version, recognize npm flags like `--no-commit-hooks`, `--no-git-tag-version`, `--sign-git-tag`, and `--message`, and correctly handle `--no-git-checks`.
- Git commits and annotated tags are now created for version bumps when running inside a git repository (unless `--no-git-tag-version` is used).
🐛 Bug Fixes
- Fixed an issue where `pnpm audit --fix` ignored `auditLevel` setting.
- Fixed directory dependency resolution from absolute paths on different drives on Windows by using `path.resolve` instead of `path.join`.
- Fixed `pnpm sbom` and `pnpm licenses` failing to resolve license information for git-sourced dependencies.
- Fixed `ERR_PNPM_OUTDATED_LOCKFILE` during global install approval flow when sibling directories from `pnpm self-update` were incorrectly picked up as workspace projects.
- Restored the peer suffix encoding used by pnpm 10 for linked dependency paths, resolving lockfile churn caused by `filenamify` upgrade.
- Fixed different platform variants of the same runtime (e.g., glibc vs. musl Node versions) sharing a single global-virtual-store entry; virtual store path now incorporates variant integrity.
- Fixed `pnpm sbom` and `pnpm licenses` reporting NOASSERTION for licenses declared via the deprecated `licenses` array in `package.json` by falling back to scanning on-disk `LICENSE` files.