Change8

v11.7.0

📦 pnpmView on GitHub →
3 features🐛 10 fixes🔧 9 symbols

Summary

This release introduces significant features for read-only store installations via `--frozen-store` and optional end-to-end dependency resolution delegation to `pacquet`. Numerous bug fixes address security issues related to lockfile aliases, publishing SSL, and deterministic resolution ordering.

Migration Steps

  1. If using `--frozen-store` with a global virtual store, ensure package build outputs are seeded into the store if lifecycle scripts are approved or patches exist, to avoid `ERR_PNPM_FROZEN_STORE_NEEDS_BUILD`.
  2. If using `--frozen-store`, ensure Node.js version is >=22.15.0, >=23.11.0, or >=24.0.0, otherwise the command will fail with `ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE`.

✨ New Features

  • Added a new setting `frozenStore` (`--frozen-store`) that allows `pnpm install` to run against a package store on a read-only filesystem (e.g., Nix store, read-only bind mount, OCI layer).
  • When `pacquet` is declared in `configDependencies`, pnpm now delegates dependency resolution (not just materialization) to it, provided `pacquet` version is >= 0.11.7.
  • Added a new opt-in `--batch` flag to `pnpm publish --recursive` to send all selected packages in a single registry request if the target registry supports the batch publish endpoint.

🐛 Bug Fixes

  • Rejected path-traversal and reserved dependency aliases (like `../../../escape`, `.bin`, `.pnpm`, or `node_modules`) originating from a lockfile rather than a fresh manifest resolution.
  • Made shared package child resolution deterministic by choosing the shallowest occurrence, then importer order, then parent path.
  • Fixed garbled summary line after submitting `pnpm update -i` and `pnpm audit --fix -i` by listing only selected package names in the summary.
  • Prevented `pnpm patch-remove` from removing files outside the configured patches directory.
  • Fixed `pnpm publish` ignoring `strictSsl: false` when publishing to registries with self-signed certificates.
  • Fixed a regression on Windows when running `pnpm add <pkg>` outside a workspace where project selection failed due to incorrect path keying (`opts.dir` instead of `project.rootDir`).
  • Git dependencies pointing to a subdirectory (`repo#commit&path:/sub/dir`) now correctly retain the `path` field in the lockfile.
  • Fixed nondeterministic lockfile output causing intermittent failures for `pnpm dedupe --check` by preventing pinned peer providers from leaking into shared parent scopes.
  • Sped up `pnpm install` with a frozen lockfile by running lockfile verification concurrently with fetching and linking.
  • User-defined `npm_config_*` environment variables are now preserved during lifecycle script execution.

Affected Symbols