v11.1.0
📦 pnpmView on GitHub →
✨ 6 features🐛 5 fixes🔧 13 symbols
Summary
This major release introduces significant features like registry signature verification, enhanced named registry support (including GitHub Packages), and new commands like `pnpm bugs` and `pnpm owner`. It also fixes several bugs related to global installs, proxy usage during publishing, and CLI version reporting.
Migration Steps
- If you rely on global package installations, note that `pnpm add -g pkg1 pkg2` now installs them separately. To install them together in one isolated directory, use `pnpm add -g pkg1,pkg2`.
✨ New Features
- Added `pnpm audit signatures` command to verify ECDSA registry signatures for installed packages against keys from `/-/npm/v1/keys`. Scoped registries are respected, and registries without signing keys are skipped.
- Added support for installing packages from GitHub Packages registry via a built-in `gh:` prefix (e.g. `pnpm add gh:@acme/private`) and support for arbitrary named registries configured in `namedRegistries` in `pnpm-workspace.yaml`.
- Allow setting sbom spec version using `--sbom-spec-version` flag.
- Added `--no-runtime` flag (config: `runtime=false`) to skip installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile.
- Added the `pnpm bugs` command that opens a package's bug tracker URL in the browser, falling back to `<repository>/issues` if the `bugs` field is missing.
- Added `pnpm owner` command to manage package owners on the registry.
🐛 Bug Fixes
- The `pnpm view` command output now includes "published X ago by Y" information.
- `pnpm publish` now correctly honors configured HTTP/HTTPS proxies (including environment variables) during the web-based authentication flow's `doneUrl` polling.
- `pnpm add -g` now installs each space-separated package into its own isolated directory by default; use a comma-separated list to bundle packages into a single isolated install.
- `pnpm runtime set <name> <version>` no longer fails with `ADDING_TO_ROOT` error in the root of a multi-package workspace.
- Fixed an issue where `pnpm --version` would hang after printing the version by ensuring `finishWorkers()` is called on all exit paths.