Change8

v11.8.0

📦 pnpmView on GitHub →
4 features🐛 11 fixes🔧 17 symbols

Summary

This release introduces a `--dry-run` option for `pnpm install`, enhances SBOM generation capabilities, and fixes several security and stability issues, including improved handling of lockfile integrity and macOS binary quarantine attributes.

Migration Steps

  1. If you rely on `pnpm run --no-bail` always exiting with code 0 when scripts fail in non-recursive runs, be aware that it will now exit with a non-zero code upon failure.
  2. If you use `pnpm view` without arguments in a workspace, ensure your project manifest (`package.json`, etc.) contains a `name` field, as an error will be thrown otherwise.

✨ New Features

  • Added a `--dry-run` option to `pnpm install` which performs dependency resolution and reports changes without writing to disk or affecting the exit code.
  • Added support for generating Node.js package maps at `node_modules/.package-map.json` during isolated and hoisted installs, configurable via `node-experimental-package-map` and `node-package-map-type` settings.
  • Added per-package SBOM generation support using `--out` and `--split` flags for `pnpm sbom`.
  • When running `pnpm view` without a package name, it now searches upward for the nearest project manifest (`package.json`, `package.yaml`, or `package.json5`) and uses its `name` field.

🐛 Bug Fixes

  • Fixed `pnpm run --no-bail` to exit with a non-zero code when scripts fail during non-recursive runs, aligning behavior with recursive runs.
  • Fixed `pnpm update` overriding the version range policy of named catalogs whose names parse as versions (e.g., `catalog:express4-21`), preserving the catalog's prefix policy.
  • Fixed security vulnerability where traversal-shaped names/versions in `configDependencies` from the env lockfile could lead to path traversal outside `node_modules/.pnpm-config` by validating these inputs.
  • Fixed `link:` workspace protocol switching to `file:` after `pnpm rm` when running inside a workspace package whose dependency has its own dependencies and `injectWorkspacePackages: true` is set.
  • Fixed redundant warning about using both `packageManager` and `devEngines.packageManager` when they specify the exact same package manager version including integrity hash.
  • Fixed the progress line in the terminal reporter to correctly clear previous output fragments left by external processes.
  • Fixed `pnpm approve-builds` correctly identifying packages awaiting approval after approval was revoked (e.g., via `git stash`) by correctly recording revoked packages in `.modules.yaml`.
  • Fixed skipping redundant warning on Windows about `node.exe` when the existing executable matches the target.
  • Fixed macOS Gatekeeper blocking native binaries (`.node`, `.dylib`, `.so`) by stripping the `com.apple.quarantine` extended attribute after importing them from the store.
  • Fixed `pnpm install` with `optimisticRepeatInstall` incorrectly reporting `Already up to date` when `pnpm-lock.yaml` changed but manifests did not.
  • Fixed `checkDepsStatus` to use the correct lockfile path (e.g., `pnpm-lock.<branch>.yaml`) when `useGitBranchLockfile` is enabled.

Affected Symbols