v11.8.0
📦 pnpmView on GitHub →
✨ 4 features🐛 11 fixes🔧 17 symbols
Summary
This release introduces a `--dry-run` option for `pnpm install`, enhances SBOM generation capabilities, and fixes several security and stability issues, including improved handling of lockfile integrity and macOS binary quarantine attributes.
Migration Steps
- If you rely on `pnpm run --no-bail` always exiting with code 0 when scripts fail in non-recursive runs, be aware that it will now exit with a non-zero code upon failure.
- If you use `pnpm view` without arguments in a workspace, ensure your project manifest (`package.json`, etc.) contains a `name` field, as an error will be thrown otherwise.
✨ New Features
- Added a `--dry-run` option to `pnpm install` which performs dependency resolution and reports changes without writing to disk or affecting the exit code.
- Added support for generating Node.js package maps at `node_modules/.package-map.json` during isolated and hoisted installs, configurable via `node-experimental-package-map` and `node-package-map-type` settings.
- Added per-package SBOM generation support using `--out` and `--split` flags for `pnpm sbom`.
- When running `pnpm view` without a package name, it now searches upward for the nearest project manifest (`package.json`, `package.yaml`, or `package.json5`) and uses its `name` field.
🐛 Bug Fixes
- Fixed `pnpm run --no-bail` to exit with a non-zero code when scripts fail during non-recursive runs, aligning behavior with recursive runs.
- Fixed `pnpm update` overriding the version range policy of named catalogs whose names parse as versions (e.g., `catalog:express4-21`), preserving the catalog's prefix policy.
- Fixed security vulnerability where traversal-shaped names/versions in `configDependencies` from the env lockfile could lead to path traversal outside `node_modules/.pnpm-config` by validating these inputs.
- Fixed `link:` workspace protocol switching to `file:` after `pnpm rm` when running inside a workspace package whose dependency has its own dependencies and `injectWorkspacePackages: true` is set.
- Fixed redundant warning about using both `packageManager` and `devEngines.packageManager` when they specify the exact same package manager version including integrity hash.
- Fixed the progress line in the terminal reporter to correctly clear previous output fragments left by external processes.
- Fixed `pnpm approve-builds` correctly identifying packages awaiting approval after approval was revoked (e.g., via `git stash`) by correctly recording revoked packages in `.modules.yaml`.
- Fixed skipping redundant warning on Windows about `node.exe` when the existing executable matches the target.
- Fixed macOS Gatekeeper blocking native binaries (`.node`, `.dylib`, `.so`) by stripping the `com.apple.quarantine` extended attribute after importing them from the store.
- Fixed `pnpm install` with `optimisticRepeatInstall` incorrectly reporting `Already up to date` when `pnpm-lock.yaml` changed but manifests did not.
- Fixed `checkDepsStatus` to use the correct lockfile path (e.g., `pnpm-lock.<branch>.yaml`) when `useGitBranchLockfile` is enabled.
Affected Symbols
`pnpm install` (CLI option)`pnpm run --no-bail` (CLI behavior)`pnpm sbom` (CLI flags: `--out`, `--split`)`pnpm view` (CLI behavior)`pnpm update` (Catalog handling)`pnpm approve-builds``node-experimental-package-map` (setting)`node-package-map-type` (setting)`pnpm-lock.yaml` (configDependencies validation)`link:` protocol resolution`packageManager` field`devEngines.packageManager` fieldInteractive reporter (terminal output)Native binary import process (macOS)`optimisticRepeatInstall` logic`checkDepsStatus` logic`useGitBranchLockfile` logic