Change8

v11.5.0

📦 pnpmView on GitHub →
2 features🐛 6 fixes🔧 16 symbols

Summary

This release introduces configuration for hoisting limits in hoisted mode and replaces the interactive prompt library, fixing scrolling issues across several commands. Several critical bugs related to peer resolution deadlocks, 2FA handling for dist-tags, and lockfile integrity for remote dependencies have also been resolved.

Migration Steps

  1. Plugins or custom builds that inject their own enquirer mock must update their DI interfaces: `OtpEnquirer` and `LoginEnquirer` changed from expecting `{ prompt }` to expecting `{ input }` / `{ input, password }` respectively.

✨ New Features

  • Added a new `hoistingLimits` setting for `nodeLinker: hoisted` installs, accepting `none`, `workspaces`, or `dependencies` to control hoisting behavior.
  • Staged publishes are now recognized in the trust scale, treated as the strongest trust evidence due to requiring 2FA approvals.

🐛 Bug Fixes

  • Fixed scrolling overflow bug in interactive prompts (like `pnpm update -i`) by replacing `enquirer` with `@inquirer/prompts`, ensuring correct pagination for long choice lists.
  • Fixed pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths by short-circuiting cached path promises.
  • Fixed `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org failing without `--otp` when 2FA is enabled by correctly handling the OTP challenge via the browser flow.
  • Fixed `minimumReleaseAgeExclude` handling in npm resolution fast paths, ensuring excluded packages are not pinned to stale versions.
  • Fixed the `integrity` field being dropped from the lockfile entry of remote https-tarball dependencies when an unrelated package was installed afterwards, preventing `ERR_PNPM_MISSING_TARBALL_INTEGRITY` errors on subsequent `--frozen-lockfile` installs.
  • Skipped dependency re-resolution when `pnpm-lock.yaml` is missing but `node_modules/.pnpm/lock.yaml` exists and satisfies the manifest, allowing regeneration of `pnpm-lock.yaml` without registry lookups.

Affected Symbols