v11.1.3

📦 pnpm
7 features · 🐛 3 fixes · 🔧 6 symbols

Summary

This patch significantly enhances lockfile verification against age and trust policies during installation, introduces strict/loose modes for handling immature dependency versions, and corrects cache hashing to align with the actual script execution environment.

Migration Steps

  1. If you explicitly set 'minimumReleaseAge', consider setting 'minimumReleaseAgeStrict: false' if you wish to retain the previous 'loose mode' behavior of auto-adding immature picks to 'minimumReleaseAgeExclude' without prompting.
  2. Users of SEA-pnpm bundles or projects using 'devEngines.runtime' pinning might experience one-time GVS (global virtual store) slot churn upon upgrade as cache keys adjust to the script-runner Node version.

✨ New Features

  • pnpm install now re-validates pnpm-lock.yaml entries against minimumReleaseAge and trustPolicy: 'no-downgrade' policies before fetching tarballs, preventing silent installation of versions violating these policies.
  • Introduced strict mode for minimumReleaseAge: in interactive terminals, it prompts once with all immature direct AND transitive picks for approval; in CI/non-TTY, it aborts listing all offending entries.
  • pnpm self-update now respects minimumReleaseAge (and minimumReleaseAgeExclude) when resolving which pnpm version to install, selecting the newest mature version if 'latest' is too new.
  • dlx and outdated now surface invalid minimumReleaseAgeExclude patterns using ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE instead of internal error codes.
  • Global installs now correctly respect the global config build policy (like dangerouslyAllowAllBuilds) when GVS is enabled; the order of policy application was fixed.
  • The --silent flag is now honored when verifyDepsBeforeRun: install auto-installs dependencies before pnpm run/exec, so the install output is suppressed.
  • Side-effects-cache key and global-virtual-store hash are now anchored to the project's script-runner Node (engines.runtime pin or shell node) instead of pnpm's own runtime, resolving cache partitioning issues for SEA bundles and pinned runtimes.
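
The age check and the strict/loose outcomes described in the list above, sketched as an added example (not pnpm's own code). It assumes minimumReleaseAge is in minutes, simplifies exclude matching to exact names and trailing-* prefixes, uses constructed package names and timestamps, and does not model trustPolicy.

```javascript
// Added sketch, not pnpm's code. Assumes minimumReleaseAge is in minutes and
// that exclude patterns are exact names or a trailing-* prefix (simplified).
function isExcluded(name, patterns) {
  return patterns.some((p) =>
    p.endsWith('*') ? name.startsWith(p.slice(0, -1)) : p === name);
}

// entries: lockfile picks; publishedAt: "name@version" -> ISO publish time.
function findImmature(entries, publishedAt, policy, now) {
  const cutoff = now.getTime() - policy.minimumReleaseAge * 60000;
  return entries.filter((e) => {
    if (isExcluded(e.name, policy.minimumReleaseAgeExclude || [])) return false;
    const published = Date.parse(publishedAt[`${e.name}@${e.version}`]);
    // This sketch fails closed: an unknown publish time counts as immature.
    return Number.isNaN(published) || published > cutoff;
  });
}

// Map the result to the behaviours the release notes describe.
function decide(offending, { strict, isTTY }) {
  if (offending.length === 0) return 'install';
  if (!strict) return 'auto-exclude';      // loose mode
  return isTTY ? 'prompt-once' : 'abort';  // strict mode
}

// Constructed sample data (hypothetical package names and timestamps).
const SAMPLE_NOW = new Date('2025-01-10T00:00:00Z');
const SAMPLE_POLICY = { minimumReleaseAge: 1440, minimumReleaseAgeExclude: ['@acme/*'] };
const SAMPLE_ENTRIES = [
  { name: 'left-lib', version: '1.2.0', direct: true },
  { name: 'fresh-dep', version: '3.0.1', direct: false },
  { name: '@acme/tools', version: '2.0.0', direct: true },
  { name: 'no-meta', version: '0.1.0', direct: false },
];
const SAMPLE_PUBLISHED = {
  'left-lib@1.2.0': '2025-01-01T00:00:00Z',
  'fresh-dep@3.0.1': '2025-01-09T18:00:00Z',
  '@acme/tools@2.0.0': '2025-01-09T23:00:00Z',
};

const offending = findImmature(SAMPLE_ENTRIES, SAMPLE_PUBLISHED, SAMPLE_POLICY, SAMPLE_NOW);
for (const e of offending) {
  console.log(`${e.name}@${e.version} (${e.direct ? 'direct' : 'transitive'})`);
}
console.log(decide(offending, { strict: true, isTTY: false }));
```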

🐛 Bug Fixes

  • Allow redundant trailing base64 padding in .npmrc auth values and report invalid auth base64 with a pnpm error.
  • Fix lockfile parsing failures when pnpm-lock.yaml contains CRLF line endings and multiple YAML documents.
  • The GVS hash's engine portion is now resolved per-snapshot when a dependency declares its own engines.runtime, instead of using an install-wide value.

Affected Symbols