v11.9.0
📦 pnpmView on GitHub →
✨ 6 features🐛 14 fixes🔧 11 symbols
Summary
This release introduces improved integrity verification for on-demand registry tarballs and enhances `pnpm audit` performance, especially for graphs with cycles. Several bug fixes address lockfile churn, Windows path length issues in `dlx`, and configuration handling in workspace settings.
Migration Steps
- If you rely on lockfile entries missing integrity checksums for on-demand registries, subsequent installs will now fail if integrity cannot be computed or verified (install fails closed).
- If you use custom resolvers with pnpmfile, review the logic for rewriting tarball URLs if you were relying on internal logic now exposed via `@pnpm/resolving.tarball-url`.
✨ New Features
- pnpm now computes integrity checksums for tarballs from registries that generate them on-demand and stores them in the lockfile, ensuring verifiability on subsequent installs.
- Added `--exclude-peers` flag to `pnpm sbom` to drop peer dependencies (and their exclusive subtrees) from the generated SBOM.
- pnpm audit --fix now writes a single combined `minimumReleaseAgeExclude` entry per package, matching documentation format, and merges existing per-version entries.
- The in-memory package metadata cache is now populated on the exact-version disk fast path, significantly speeding up package addition in large monorepos.
- The in-memory cache key now includes the registry, preventing cache collisions for packages with the same name served by different registries.
- Added `@pnpm/resolving.tarball-url` which exposes `isCanonicalRegistryTarballUrl` to allow custom resolvers to rewrite resolved tarball URLs to the canonical form before lockfile persistence.
🐛 Bug Fixes
- Fixed non-deterministic peer resolution that caused lockfile churning by making the resolution decision dependent on graph structure rather than resolution completion order.
- Fixed a Windows flakiness in `pnpm dlx` where failed installs could surface a spurious `EBUSY: resource busy or locked` error; cleanup is now best-effort with retries.
- Shortened the `pnpm dlx` cache path to prevent Windows `MAX_PATH` overflow issues that could cause lifecycle scripts to fail with `spawn cmd.exe ENOENT`.
- Fixed `pnpm` hanging/crashing on non-retryable network errors (like `SELF_SIGNED_CERT_IN_CHAIN`) during registry fetching by rejecting the promise instead of throwing in a detached callback.
- Fixed a `pnpm audit` performance regression on lockfiles with dependency cycles by using Tarjan's algorithm for reachability computation, achieving linear time complexity.
- Fixed audit path walk recursion depth issues by making it non-recursive and tracking paths without per-node copying.
- Fixed failed optional dependency updates from rewriting unrelated dependency specs.
- Fixed stale hoisted symlinks under `node_modules/.pnpm/node_modules` when `enableGlobalVirtualStore` is toggled on for an existing project.
- Fixed `pnpm install --ignore-workspace` overwriting the `allowBuilds` map in `pnpm-workspace.yaml` with placeholder values.
- Fixed `minimumReleaseAgeExclude` and `trustPolicyExclude` not correctly handling multiple exact-version entries as a single disjunction.
- Fixed `pnpm patch` dropping the package name when the patched dependency resolves to a single git-hosted version.
- Fixed pnpr resolver endpoints (`/v1/resolve`, `/v1/verify-lockfile`) moving to the reserved `/-/pnpr` namespace.
- Fixed removing a runtime dependency not removing the corresponding materialized `devEngines.runtime` or `engines.runtime` entry.
- Fixed correctness issue in tarball URL canonicalization where scoped package unescape did not handle uppercase `%2F`.
Affected Symbols
`pnpm sbom``pnpm audit --fix``pnpm audit` path walk`pnpm dlx` cache path`pnpm install` (lockfile integrity handling)`pnpm dedupe --check``pnpm install --ignore-workspace``pnpm patch``pnpm-workspace.yaml` (minimumReleaseAgeExclude/trustPolicyExclude handling)`@pnpm/resolving.tarball-url`pnpr resolver endpoints (`/v1/resolve`, `/v1/verify-lockfile`)