v11.3.0
📦 pnpm
✨ 7 features · 🐛 4 fixes
Summary
This release adds native `pnpm stage`, `pnpm pkg`, `pnpm repo`, and `pnpm set-script` commands, a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm publish`, and a `trustLockfile` setting that lets an install skip the supply-chain verification pass. It also fixes non-deterministic resolution in `pnpm dedupe` and `pnpm install`, a regression that silently dropped some `pnpm add` dependencies from the manifest, and smaller bugs in `pnpm dlx` and `pnpm add --config`.
Migration Steps
- `trustLockfile` (set in `pnpm-workspace.yaml`) defaults to `false`, so the supply-chain verification pass still runs on every install and no change is required to keep the previous behaviour. Only set `trustLockfile: true` where the lockfile's provenance is already established by some other control, because a `true` value skips the verification pass entirely for that install; treat any workspace that enables it as a configuration to review.
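An added example, not part of the release notes or of pnpm itself, of the kind of pre-install guard a CI pipeline can run so that `trustLockfile: true` never slips in unnoticed. It reads a constructed `pnpm-workspace.yaml` with a deliberately narrow regex rather than a YAML library (an assumption: the key is written on its own top-level line), and `lockfile_is_trusted` is a hypothetical input standing for whatever the calling job knows about where the lockfile came from.

```python
import re

# Constructed sample pnpm-workspace.yaml files (not taken from any real project).
WEAK_WORKSPACE_YAML = """\
packages:
  - 'packages/*'
# Skips the supply-chain verification pass on every install.
trustLockfile: true
"""

SAFE_WORKSPACE_YAML = """\
packages:
  - 'packages/*'
# Explicit default: keep the verification pass on.
trustLockfile: false
"""

# Matches only an unindented, uncommented top-level `trustLockfile:` line.
# Assumption: the key is written that way, as in the samples above; a real
# YAML loader would be used where one is available.
_TRUST_LOCKFILE_RE = re.compile(r"^trustLockfile\s*:\s*(\S+)\s*$", re.MULTILINE)


def trust_lockfile_enabled(workspace_yaml: str) -> bool:
    """Return True only if the file explicitly sets trustLockfile to true.

    A missing key means the default: false, verification on.
    """
    m = _TRUST_LOCKFILE_RE.search(workspace_yaml)
    if m is None:
        return False
    return m.group(1).strip("'\"").lower() == "true"


def install_policy(workspace_yaml: str, lockfile_is_trusted: bool) -> tuple[bool, str]:
    """Decide whether an install may proceed with this configuration.

    `lockfile_is_trusted` is a hypothetical flag the caller sets when the
    lockfile's provenance is established elsewhere (for example, produced by
    an earlier verified install in the same pipeline). Skipping verification
    is only accepted when that flag is set.
    """
    if not trust_lockfile_enabled(workspace_yaml):
        return True, "verification pass enabled"
    if lockfile_is_trusted:
        return True, "verification skipped: lockfile provenance established by caller"
    return False, "refusing: trustLockfile is true but lockfile provenance is unknown"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKSPACE_YAML), ("safe", SAFE_WORKSPACE_YAML)):
        ok, reason = install_policy(text, lockfile_is_trusted=False)
        print(f"{label}: proceed={ok} ({reason})")
```

Run it before `pnpm install` in CI and fail the job on a `False` verdict; the default-off behaviour of the setting means a repository that never mentions `trustLockfile` passes unchanged.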
✨ New Features
- Added `pnpm stage` command with `publish`, `list`, `view`, `approve`, `reject`, and `download` subcommands for npm staged publishing.
- Added new setting `trustLockfile` to skip supply-chain verification pass during `pnpm install` when set to `true`. Defaults to `false`. Set in `pnpm-workspace.yaml`.
- Cut the memory footprint of the supply-chain verification pass by abbreviating the metadata stored in the trust-meta cache.
- Implemented `pnpm pkg` command natively, following `npm pkg` standards.
- Implemented `pnpm repo` command natively, following `npm repo` standards.
- Implemented `pnpm set-script` (alias `ss`) natively to add or update entries in the project manifest's `scripts` field, supporting `package.json`, `package.json5`, and `package.yaml` formats.
- Added a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm publish` to keep the original `packageManager` field and publish lifecycle scripts in the packed/published manifest.
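An added illustration, not pnpm's code, of what the default manifest obfuscation removes and what `skip-manifest-obfuscation` keeps. The manifest below is constructed, and the exact set of "publish lifecycle scripts" (`PUBLISH_LIFECYCLE_SCRIPTS`) is an assumption based on npm's publish-time hooks, not a list taken from pnpm; `leaked_publisher_fields` is a hypothetical pre-publish check over the manifest that would land in the tarball.

```python
import copy
import json

# Assumption: the publisher-only lifecycle scripts that the default obfuscation
# drops. Illustrative model only; pnpm's own list is not reproduced here.
PUBLISH_LIFECYCLE_SCRIPTS = frozenset({
    "prepublish", "prepublishOnly", "prepack", "postpack", "publish", "postpublish",
})


def prepare_manifest_for_pack(manifest: dict, skip_manifest_obfuscation: bool = False) -> dict:
    """Return the manifest as it would appear inside the packed tarball.

    Default: drop `packageManager` and the publish lifecycle scripts, which only
    matter on the publishing machine. With skip_manifest_obfuscation=True the
    manifest is returned unchanged. The input is never mutated.
    """
    out = copy.deepcopy(manifest)
    if skip_manifest_obfuscation:
        return out
    out.pop("packageManager", None)
    scripts = out.get("scripts")
    if isinstance(scripts, dict):
        for name in list(scripts):
            if name in PUBLISH_LIFECYCLE_SCRIPTS:
                del scripts[name]
        if not scripts:
            del out["scripts"]
    return out


def leaked_publisher_fields(packed_manifest: dict) -> list[str]:
    """Names of publisher-only fields still present in a packed manifest."""
    leaks = []
    if "packageManager" in packed_manifest:
        leaks.append("packageManager")
    for name in sorted(packed_manifest.get("scripts", {})):
        if name in PUBLISH_LIFECYCLE_SCRIPTS:
            leaks.append(f"scripts.{name}")
    return leaks


# Constructed sample manifest (not a real package).
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-lib",
  "version": "1.2.3",
  "packageManager": "pnpm@11.3.0",
  "scripts": {
    "build": "tsc -p .",
    "prepublishOnly": "pnpm run build && node scripts/sign-release.js",
    "postinstall": "node scripts/setup.js"
  }
}""")


if __name__ == "__main__":
    packed = prepare_manifest_for_pack(SAMPLE_MANIFEST)
    kept = prepare_manifest_for_pack(SAMPLE_MANIFEST, skip_manifest_obfuscation=True)
    print("default  leaks:", leaked_publisher_fields(packed))
    print("skip flag leaks:", leaked_publisher_fields(kept))
```

Note what obfuscation does not touch: `postinstall` survives in both variants, because install-time scripts are the ones consumers actually execute; the option only changes whether publisher-side details like the pinned `packageManager` and the release hooks travel with the package.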
🐛 Bug Fixes
- Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when the installed package's slot in the content-addressable store (CAS) is missing its `package.json`. `dlx` now falls back to the scopeless package name if the slot's manifest is unreadable.
- Fixed non-determinism in `pnpm dedupe` and `pnpm install` when dependency graphs contain packages with transitive peer dependencies on each other (with `auto-install-peers` enabled) by correcting the order of resolution callbacks.
- Fixed a regression where `pnpm add <github-shorthand>` (and other dependencies whose alias couldn't be parsed immediately) was silently dropped from manifest updates and `pendingBuilds`. Restored index-based pairing between `directDependencies` and `wantedDependencies`.
- Fixed `pnpm add --config` leaving orphan entries in `pnpm-lock.env.yaml`.