v11.0.7
📦 pnpm
✨ 3 features · 🐛 7 fixes · 🔧 10 symbols
Summary
This patch release fixes critical issues related to execute permissions on Windows binaries, restores expected JSON output for `pnpm publish`, and enhances configuration flexibility by allowing global user preferences. It also improves lockfile security by pinning git dependency integrity.
Migration Steps
- If you rely on the JSON output of `pnpm publish --json`, be aware that the structure has changed to mirror `npm publish --json` (single object for non-recursive, array for recursive).
- If you previously configured global settings in `pnpm-workspace.yaml` and want them to apply globally regardless of workspace context, move them to `~/.config/pnpm/config.yaml` or use `pnpm config set --location global`.
- If you were relying on the workspace root being included when using negative filters (e.g., `pnpm install --filter '!pkgA'`), you must now explicitly add `--include-workspace-root` to achieve the old behavior.
✨ New Features
- Allow user-level preferences in global config (`~/.config/pnpm/config.yaml`) for settings like `registry`, `stateDir`, and `trustPolicy`.
- Trusted publishing (OIDC) now takes precedence over a configured static `_authToken` in `pnpm publish`, mirroring npm CLI behavior.
- The `NPM_ID_TOKEN` environment variable is now honored as a CI-agnostic injection point for an OIDC ID token, enabling trusted publishing across more CI providers.
🐛 Bug Fixes
- Restored the execute bit on `node-gyp` shims packed inside `@pnpm/exe`, fixing `Permission denied` errors when running `node-gyp rebuild` on older Node.js versions via `pnpm/action-setup`.
- Fixed `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when installed via `@pnpm/exe`, preventing them from dropping users into an interactive command prompt.
- Fixed `pnpm install` recreating `node_modules` after `pnpm fetch` by flagging the modules manifest with `virtualStoreOnly: true` to skip hoist-pattern comparison.
- Git-hosted tarball integrity is now pinned in the lockfile to detect tampered or substituted tarballs on subsequent installs.
- Fixed a regression where `pnpm --recursive --filter '!<pkg>'` commands would incorrectly include the workspace root; the root is now correctly excluded by default when only negative filters are used.
- Restored npm-CLI-compatible `--json` stdout output for `pnpm publish`, fixing breakage for tooling that parses stdout.
- Fixed `pnpm config get @<scope>:registry` diverging from the registry URL used by `pnpm publish` and resolvers by ensuring it reads from the merged configuration map.
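The integrity pinning described in the git-hosted tarball fix above can be sketched as follows. This is an added example, not pnpm's own code: the `lock` object, the `resolveTarball` helper and the URL are hypothetical stand-ins for a lockfile entry, and the tarball bytes are constructed.

```javascript
const crypto = require('node:crypto');

// Build an SRI-style string "<algo>-<base64 digest>" for the fetched bytes.
function computeIntegrity(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Compare fetched bytes with a pinned integrity string; fail closed on a bad pin.
function verifyIntegrity(bytes, pinned) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(pinned || '');
  if (!m) return { ok: false, reason: 'missing-or-malformed-pin' };
  const expected = Buffer.from(m[2], 'base64');
  const actual = crypto.createHash(m[1]).update(bytes).digest();
  const same = expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
  return same ? { ok: true, reason: null } : { ok: false, reason: 'integrity-mismatch' };
}

// Hypothetical resolver: the first fetch records the pin (trust on first use),
// every later fetch of the same URL must match it.
function resolveTarball(lock, url, fetched) {
  const entry = lock[url];
  if (!entry || !entry.integrity) {
    lock[url] = { tarball: url, integrity: computeIntegrity(fetched) };
    return { ok: true, reason: null, pinned: true };
  }
  return { ...verifyIntegrity(fetched, entry.integrity), pinned: false };
}

// Constructed sample data: same URL, original bytes and substituted bytes.
const SAMPLE_URL = 'https://git.example.invalid/acme/lib/tarball/0123abc';
const original = Buffer.from('constructed tarball bytes v1');
const substituted = Buffer.from('constructed tarball bytes v1 + extra');

function demo() {
  const lock = {};
  const first = resolveTarball(lock, SAMPLE_URL, original);     // records the pin
  const second = resolveTarball(lock, SAMPLE_URL, original);    // matches the pin
  const third = resolveTarball(lock, SAMPLE_URL, substituted);  // rejected
  return { first, second, third, lock };
}

console.log(demo());
```

The pin only protects installs after the one that recorded it, so the lockfile entry should be reviewed when it first appears or changes in a commit.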