v11.7.0
📦 pnpmView on GitHub →
✨ 3 features🐛 10 fixes🔧 9 symbols
Summary
This release introduces significant features for read-only store installations via `--frozen-store` and optional end-to-end dependency resolution delegation to `pacquet`. Numerous bug fixes address security issues related to lockfile aliases, publishing SSL, and deterministic resolution ordering.
Migration Steps
- If using `--frozen-store` with a global virtual store, ensure package build outputs are seeded into the store if lifecycle scripts are approved or patches exist, to avoid `ERR_PNPM_FROZEN_STORE_NEEDS_BUILD`.
- If using `--frozen-store`, ensure Node.js version is >=22.15.0, >=23.11.0, or >=24.0.0, otherwise the command will fail with `ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE`.
✨ New Features
- Added a new setting `frozenStore` (`--frozen-store`) that allows `pnpm install` to run against a package store on a read-only filesystem (e.g., Nix store, read-only bind mount, OCI layer).
- When `pacquet` is declared in `configDependencies`, pnpm now delegates dependency resolution (not just materialization) to it, provided `pacquet` version is >= 0.11.7.
- Added a new opt-in `--batch` flag to `pnpm publish --recursive` to send all selected packages in a single registry request if the target registry supports the batch publish endpoint.
🐛 Bug Fixes
- Rejected path-traversal and reserved dependency aliases (like `../../../escape`, `.bin`, `.pnpm`, or `node_modules`) originating from a lockfile rather than a fresh manifest resolution.
- Made shared package child resolution deterministic by choosing the shallowest occurrence, then importer order, then parent path.
- Fixed garbled summary line after submitting `pnpm update -i` and `pnpm audit --fix -i` by listing only selected package names in the summary.
- Prevented `pnpm patch-remove` from removing files outside the configured patches directory.
- Fixed `pnpm publish` ignoring `strictSsl: false` when publishing to registries with self-signed certificates.
- Fixed a regression on Windows when running `pnpm add <pkg>` outside a workspace where project selection failed due to incorrect path keying (`opts.dir` instead of `project.rootDir`).
- Git dependencies pointing to a subdirectory (`repo#commit&path:/sub/dir`) now correctly retain the `path` field in the lockfile.
- Fixed nondeterministic lockfile output causing intermittent failures for `pnpm dedupe --check` by preventing pinned peer providers from leaking into shared parent scopes.
- Sped up `pnpm install` with a frozen lockfile by running lockfile verification concurrently with fetching and linking.
- User-defined `npm_config_*` environment variables are now preserved during lifecycle script execution.