Change8

v11.9.0

📦 pnpmView on GitHub →
6 features🐛 14 fixes🔧 11 symbols

Summary

This release introduces improved integrity verification for on-demand registry tarballs and enhances `pnpm audit` performance, especially for graphs with cycles. Several bug fixes address lockfile churn, Windows path length issues in `dlx`, and configuration handling in workspace settings.

Migration Steps

  1. If you rely on lockfile entries missing integrity checksums for on-demand registries, subsequent installs will now fail if integrity cannot be computed or verified (install fails closed).
  2. If you use custom resolvers with pnpmfile, review the logic for rewriting tarball URLs if you were relying on internal logic now exposed via `@pnpm/resolving.tarball-url`.

✨ New Features

  • pnpm now computes integrity checksums for tarballs from registries that generate them on-demand and stores them in the lockfile, ensuring verifiability on subsequent installs.
  • Added `--exclude-peers` flag to `pnpm sbom` to drop peer dependencies (and their exclusive subtrees) from the generated SBOM.
  • pnpm audit --fix now writes a single combined `minimumReleaseAgeExclude` entry per package, matching documentation format, and merges existing per-version entries.
  • The in-memory package metadata cache is now populated on the exact-version disk fast path, significantly speeding up package addition in large monorepos.
  • The in-memory cache key now includes the registry, preventing cache collisions for packages with the same name served by different registries.
  • Added `@pnpm/resolving.tarball-url` which exposes `isCanonicalRegistryTarballUrl` to allow custom resolvers to rewrite resolved tarball URLs to the canonical form before lockfile persistence.

🐛 Bug Fixes

  • Fixed non-deterministic peer resolution that caused lockfile churning by making the resolution decision dependent on graph structure rather than resolution completion order.
  • Fixed a Windows flakiness in `pnpm dlx` where failed installs could surface a spurious `EBUSY: resource busy or locked` error; cleanup is now best-effort with retries.
  • Shortened the `pnpm dlx` cache path to prevent Windows `MAX_PATH` overflow issues that could cause lifecycle scripts to fail with `spawn cmd.exe ENOENT`.
  • Fixed `pnpm` hanging/crashing on non-retryable network errors (like `SELF_SIGNED_CERT_IN_CHAIN`) during registry fetching by rejecting the promise instead of throwing in a detached callback.
  • Fixed a `pnpm audit` performance regression on lockfiles with dependency cycles by using Tarjan's algorithm for reachability computation, achieving linear time complexity.
  • Fixed audit path walk recursion depth issues by making it non-recursive and tracking paths without per-node copying.
  • Fixed failed optional dependency updates from rewriting unrelated dependency specs.
  • Fixed stale hoisted symlinks under `node_modules/.pnpm/node_modules` when `enableGlobalVirtualStore` is toggled on for an existing project.
  • Fixed `pnpm install --ignore-workspace` overwriting the `allowBuilds` map in `pnpm-workspace.yaml` with placeholder values.
  • Fixed `minimumReleaseAgeExclude` and `trustPolicyExclude` not correctly handling multiple exact-version entries as a single disjunction.
  • Fixed `pnpm patch` dropping the package name when the patched dependency resolves to a single git-hosted version.
  • Fixed pnpr resolver endpoints (`/v1/resolve`, `/v1/verify-lockfile`) moving to the reserved `/-/pnpr` namespace.
  • Fixed removing a runtime dependency not removing the corresponding materialized `devEngines.runtime` or `engines.runtime` entry.
  • Fixed correctness issue in tarball URL canonicalization where scoped package unescape did not handle uppercase `%2F`.

Affected Symbols