Change8

v11.5.1

📦 pnpmView on GitHub →
🐛 7 fixes🔧 3 symbols

Summary

This patch release improves performance for pnpm audit, fixes several critical bugs related to lockfile integrity preservation and peer dependency resolution, and ensures correct behavior during package publishing.

Migration Steps

  1. If publishing packages, ensure the repository field in package.json is an object { type, url } instead of a string, or pnpm will normalize it, which might affect compatibility with older registries.

🐛 Bug Fixes

  • Improved pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
  • Avoided crashing when the workspace state cache is partially written or malformed.
  • Set npm_config_user_agent for root lifecycle scripts during headless installs.
  • Preserved the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt, preventing ERR_PNPM_MISSING_TARBALL_INTEGRITY errors.
  • Normalized a string repository field into the { type, url } object form when creating the publish manifest to match npm behavior and prevent 500 errors on some registries (e.g., Gitea/Codeberg) during pnpm publish.
  • Preserved compatible optional peer versions already present in the lockfile when resolving dependencies.
  • Fixed inconsistent resolution of a peer dependency shared through a diamond structure (e.g., when A depends on B and C, and B and C both peer-depend on D with different versions), ensuring the correct version of the shared peer is reused.

Affected Symbols