Codestin Search App

Patch Changes

Fixed version switching via packageManager field failing when pnpm is installed as a standalone executable in environments without a system Node.js #10687.

Platinum Sponsors

Gold Sponsors

Major Changes

Store

Runtime dependencies are always linked from the global virtual store #10233.
Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.
Store version bumped to v11.
Switched internal store and cache files from JSON to MessagePack format for improved performance.

This change migrates all internal index files and metadata cache files to use MessagePack serialization instead of JSON. MessagePack provides faster serialization/deserialization and more compact file sizes, resulting in improved installation performance.

Related PR: #10500
Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.

Configuration

pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
pnpm config get <array> now prints a JSON array.
pnpm config list now prints a JSON object instead of INI formatted text.
pnpm config list and pnpm config get (without argument) now hide auth-related settings.
pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase.
Exception: Keys that start with @ or // would be preserved (their cases don't change).
pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).
pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.

Replace workspace project specific .npmrc with packageConfigs in pnpm-workspace.yaml.

A workspace manifest with packageConfigs would look something like this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  "project-1":
    saveExact: true
  "project-2":
    savePrefix: "~"

Or this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  - match: ["project-1", "project-2"]
    modulesDir: "node_modules"
    saveExact: true

Other

This package is now pure ESM.
Node.js v18, 19, 20, and 21 support discontinued.
The standalone exe version of pnpm requires at least glibc 2.27.
strictDepBuilds is true by default.
blockExoticSubdeps is true by default.
Remove deprecated build dependency settings: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, and ignoredBuiltDependencies.

Use the allowBuilds setting instead. It is a map where keys are package name patterns and values are booleans:
- true means the package is allowed to run build scripts
- false means the package is explicitly denied from running build scripts
Same as before, by default, none of the packages in the dependencies are allowed to run scripts. If a package has postinstall scripts and it isn't declared in allowBuilds, an error is printed.

Before:
```
onlyBuiltDependencies:
  - electron
onlyBuiltDependenciesFile: "allowed-builds.json"
neverBuiltDependencies:
  - core-js
ignoredBuiltDependencies:
  - esbuild
```
After:
```
allowBuilds:
  electron: true
  core-js: false
  esbuild: false
```
Removed the deprecated allowNonAppliedPatches completely in favor of allowUnusedPatches.
Remove ignorePatchFailures so all patch application failures should throw an error.
Removed the pnpm server command #10463.
Removed support for the useNodeVersion and executionEnv.nodeVersion fields. devEngines.runtime and engines.runtime should be used instead #10373.
Removed support for hooks.fetchers. We now have a new API for custom fetchers and resolvers via the fetchers field of pnpmfile.
The default value of the type field in the package.json file of the project initialized by pnpm init command has been changed to module.
Support lowercase options in pnpm add: -d, -p, -o, -e #9197.

When using pnpm add command only:
- -p is now an alias for --save-prod instead of --parseable
- -d is now an alias for --save-dev instead of --loglevel=info
pnpm publish now works without the npm CLI.

The One-time Password feature now reads from PNPM_CONFIG_OTP instead of NPM_CONFIG_OTP:
```
export PNPM_CONFIG_OTP='<your OTP here>'
pnpm publish --no-git-checks
```
Since the new pnpm publish no longer calls npm publish, some undocumented features may have been unknowingly dropped. If you rely on a feature that is now gone, please open an issue at https://github.com/pnpm/pnpm/issues. In the meantime, you can use pnpm pack && npm publish *.tgz as a workaround.

Minor Changes

7fab2a2: Load environment variables whose names start with pnpm_config_ into config. These environment variables override settings from pnpm-workspace.yaml but not the CLI arguments.
cb367b9: Support reading allowBuilds from pnpm-workspace.yaml in the global package directory for global installs.
075aa99: Add support for a global YAML config file named config.yaml.

Now configurations are divided into 2 categories:
- Registry and auth settings which can be stored in INI files such as global rc and local .npmrc.
- pnpm-specific settings which can only be loaded from YAML files such as global config.yaml and local pnpm-workspace.yaml.
e146e98: Added support for pnpmfiles written in ESM. They should have the .mjs extension: .pnpmfile.mjs #9730.
7d5ada0: pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.
5bf7768: A new --yes flag can be passed to pnpm to automatically confirm prompts. This is useful when running pnpm in non-interactive script.
2b14c74: When pnpm updates the pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.

Patch Changes

Check if a package is installable for non npm-hosted packages (e.g., git or tarball dependencies) after the manifest has been fetched.
Explicitly tell npm the path to the global rc config file.
Fix YAML formatting preservation in pnpm-workspace.yaml when running commands like pnpm update. Previously, quotes and other formatting were lost even when catalog values didn't change.

Closes #10425
The parameter set by the --allow-build flag is written to allowBuilds.
Fix a bug in which specifying filter on pnpm-workspace.yaml would cause pnpm to not detect any projects.
Defer patch errors until all patches in a group are applied, so that one failed patch does not prevent other patches from being attempted.

Platinum Sponsors

Gold Sponsors

Major Changes

Store

Runtime dependencies are always linked from the global virtual store #10233.
Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.
Store version bumped to v11.
Switched internal store and cache files from JSON to MessagePack format for improved performance.

This change migrates all internal index files and metadata cache files to use MessagePack serialization instead of JSON. MessagePack provides faster serialization/deserialization and more compact file sizes, resulting in improved installation performance.

Related PR: #10500
Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.

Configuration

pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
pnpm config get <array> now prints a JSON array.
pnpm config list now prints a JSON object instead of INI formatted text.
pnpm config list and pnpm config get (without argument) now hide auth-related settings.
pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase.
Exception: Keys that start with @ or // would be preserved (their cases don't change).
pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).
pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.

Replace workspace project specific .npmrc with packageConfigs in pnpm-workspace.yaml.

A workspace manifest with packageConfigs would look something like this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  "project-1":
    saveExact: true
  "project-2":
    savePrefix: "~"

Or this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  - match: ["project-1", "project-2"]
    modulesDir: "node_modules"
    saveExact: true

Other

This package is now pure ESM.
Node.js v18, 19, 20, and 21 support discontinued.
The standalone exe version of pnpm requires at least glibc 2.27.
strictDepBuilds is true by default.
blockExoticSubdeps is true by default.
Remove deprecated build dependency settings: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, and ignoredBuiltDependencies.

Use the allowBuilds setting instead. It is a map where keys are package name patterns and values are booleans:
- true means the package is allowed to run build scripts
- false means the package is explicitly denied from running build scripts
Same as before, by default, none of the packages in the dependencies are allowed to run scripts. If a package has postinstall scripts and it isn't declared in allowBuilds, an error is printed.

Before:
```
onlyBuiltDependencies:
  - electron
onlyBuiltDependenciesFile: "allowed-builds.json"
neverBuiltDependencies:
  - core-js
ignoredBuiltDependencies:
  - esbuild
```
After:
```
allowBuilds:
  electron: true
  core-js: false
  esbuild: false
```
Removed the deprecated allowNonAppliedPatches completely in favor of allowUnusedPatches.
Remove ignorePatchFailures so all patch application failures should throw an error.
Removed the pnpm server command #10463.
Removed support for the useNodeVersion and executionEnv.nodeVersion fields. devEngines.runtime and engines.runtime should be used instead #10373.
Removed support for hooks.fetchers. We now have a new API for custom fetchers and resolvers via the fetchers field of pnpmfile.
The default value of the type field in the package.json file of the project initialized by pnpm init command has been changed to module.
Support lowercase options in pnpm add: -d, -p, -o, -e #9197.

When using pnpm add command only:
- -p is now an alias for --save-prod instead of --parseable
- -d is now an alias for --save-dev instead of --loglevel=info
pnpm publish now works without the npm CLI.

The One-time Password feature now reads from PNPM_CONFIG_OTP instead of NPM_CONFIG_OTP:
```
export PNPM_CONFIG_OTP='<your OTP here>'
pnpm publish --no-git-checks
```
Since the new pnpm publish no longer calls npm publish, some undocumented features may have been unknowingly dropped. If you rely on a feature that is now gone, please open an issue at https://github.com/pnpm/pnpm/issues. In the meantime, you can use pnpm pack && npm publish *.tgz as a workaround.

Minor Changes

7fab2a2: Load environment variables whose names start with pnpm_config_ into config. These environment variables override settings from pnpm-workspace.yaml but not the CLI arguments.
cb367b9: Support reading allowBuilds from pnpm-workspace.yaml in the global package directory for global installs.
075aa99: Add support for a global YAML config file named config.yaml.

Now configurations are divided into 2 categories:
- Registry and auth settings which can be stored in INI files such as global rc and local .npmrc.
- pnpm-specific settings which can only be loaded from YAML files such as global config.yaml and local pnpm-workspace.yaml.
e146e98: Added support for pnpmfiles written in ESM. They should have the .mjs extension: .pnpmfile.mjs #9730.
7d5ada0: pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.
5bf7768: A new --yes flag can be passed to pnpm to automatically confirm prompts. This is useful when running pnpm in non-interactive script.
2b14c74: When pnpm updates the pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.

Patch Changes

Check if a package is installable for non npm-hosted packages (e.g., git or tarball dependencies) after the manifest has been fetched.
Explicitly tell npm the path to the global rc config file.
Fix YAML formatting preservation in pnpm-workspace.yaml when running commands like pnpm update. Previously, quotes and other formatting were lost even when catalog values didn't change.

Closes #10425
The parameter set by the --allow-build flag is written to allowBuilds.
Fix a bug in which specifying filter on pnpm-workspace.yaml would cause pnpm to not detect any projects.
Defer patch errors until all patches in a group are applied, so that one failed patch does not prevent other patches from being attempted.

Platinum Sponsors

Gold Sponsors

Patch Changes

Fix auto-installed peer dependencies ignoring overrides when a stale version exists in the lockfile.
Fixed "input line too long" error on Windows when running lifecycle scripts with the global virtual store enabled #10673.
Update @zkochan/js-yaml to fix moderate vulnerability.

Platinum Sponsors

Gold Sponsors

Patch Changes

Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #10649.

Platinum Sponsors

Gold Sponsors

Major Changes

Store

Runtime dependencies are always linked from the global virtual store #10233.
Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.
Store version bumped to v11.
Switched internal store and cache files from JSON to MessagePack format for improved performance.

This change migrates all internal index files and metadata cache files to use MessagePack serialization instead of JSON. MessagePack provides faster serialization/deserialization and more compact file sizes, resulting in improved installation performance.

Related PR: #10500
Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.

Configuration

pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
pnpm config get <array> now prints a JSON array.
pnpm config list now prints a JSON object instead of INI formatted text.
pnpm config list and pnpm config get (without argument) now hide auth-related settings.
pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase.
Exception: Keys that start with @ or // would be preserved (their cases don't change).
pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).
pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.

Replace workspace project specific .npmrc with packageConfigs in pnpm-workspace.yaml.

A workspace manifest with packageConfigs would look something like this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  "project-1":
    saveExact: true
  "project-2":
    savePrefix: "~"

Or this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  - match: ["project-1", "project-2"]
    modulesDir: "node_modules"
    saveExact: true

Other

This package is now pure ESM.
Node.js v18, 19, 20, and 21 support discontinued.
The standalone exe version of pnpm requires at least glibc 2.27.
strictDepBuilds is true by default.
blockExoticSubdeps is true by default.
Remove deprecated build dependency settings: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, and ignoredBuiltDependencies.

Use the allowBuilds setting instead. It is a map where keys are package name patterns and values are booleans:
- true means the package is allowed to run build scripts
- false means the package is explicitly denied from running build scripts
Same as before, by default, none of the packages in the dependencies are allowed to run scripts. If a package has postinstall scripts and it isn't declared in allowBuilds, an error is printed.

Before:
```
onlyBuiltDependencies:
  - electron
onlyBuiltDependenciesFile: "allowed-builds.json"
neverBuiltDependencies:
  - core-js
ignoredBuiltDependencies:
  - esbuild
```
After:
```
allowBuilds:
  electron: true
  core-js: false
  esbuild: false
```
Removed the deprecated allowNonAppliedPatches completely in favor of allowUnusedPatches.
Remove ignorePatchFailures so all patch application failures should throw an error.
Removed the pnpm server command #10463.
Removed support for the useNodeVersion and executionEnv.nodeVersion fields. devEngines.runtime and engines.runtime should be used instead #10373.
Removed support for hooks.fetchers. We now have a new API for custom fetchers and resolvers via the fetchers field of pnpmfile.
The default value of the type field in the package.json file of the project initialized by pnpm init command has been changed to module.
Support lowercase options in pnpm add: -d, -p, -o, -e #9197.

When using pnpm add command only:
- -p is now an alias for --save-prod instead of --parseable
- -d is now an alias for --save-dev instead of --loglevel=info
pnpm publish now works without the npm CLI.

The One-time Password feature now reads from PNPM_CONFIG_OTP instead of NPM_CONFIG_OTP:
```
export PNPM_CONFIG_OTP='<your OTP here>'
pnpm publish --no-git-checks
```
Since the new pnpm publish no longer calls npm publish, some undocumented features may have been unknowingly dropped. If you rely on a feature that is now gone, please open an issue at https://github.com/pnpm/pnpm/issues. In the meantime, you can use pnpm pack && npm publish *.tgz as a workaround.

Minor Changes

Load environment variables whose names start with pnpm_config_ into config. These environment variables override settings from pnpm-workspace.yaml but not the CLI arguments.
Support reading allowBuilds from pnpm-workspace.yaml in the global package directory for global installs.
Add support for a global YAML config file named config.yaml.

Now configurations are divided into 2 categories:
- Registry and auth settings which can be stored in INI files such as global rc and local .npmrc.
- pnpm-specific settings which can only be loaded from YAML files such as global config.yaml and local pnpm-workspace.yaml.
Added support for pnpmfiles written in ESM. They should have the .mjs extension: .pnpmfile.mjs #9730.
pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.
A new --yes flag can be passed to pnpm to automatically confirm prompts. This is useful when running pnpm in non-interactive script.
When pnpm updates the pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.

Patch Changes

Check if a package is installable for non npm-hosted packages (e.g., git or tarball dependencies) after the manifest has been fetched.
Explicitly tell npm the path to the global rc config file.
Fix YAML formatting preservation in pnpm-workspace.yaml when running commands like pnpm update. Previously, quotes and other formatting were lost even when catalog values didn't change.

Closes #10425
The parameter set by the --allow-build flag is written to allowBuilds.
Fix a bug in which specifying filter on pnpm-workspace.yaml would cause pnpm to not detect any projects.
Defer patch errors until all patches in a group are applied, so that one failed patch does not prevent other patches from being attempted.

Platinum Sponsors

Gold Sponsors


...

Major Changes

Store

Runtime dependencies are always linked from the global virtual store #10233.
Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.
Store version bumped to v11.
Switched internal store and cache files from JSON to MessagePack format for improved performance.

This change migrates all internal index files and metadata cache files to use MessagePack serialization instead of JSON. MessagePack provides faster serialization/deserialization and more compact file sizes, resulting in improved installation performance.

Related PR: #10500
Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.

Configuration

pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
pnpm config get <array> now prints a JSON array.
pnpm config list now prints a JSON object instead of INI formatted text.
pnpm config list and pnpm config get (without argument) now hide auth-related settings.
pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase.
Exception: Keys that start with @ or // would be preserved (their cases don't change).
pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).
pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.

Replace workspace project specific .npmrc with packageConfigs in pnpm-workspace.yaml.

A workspace manifest with packageConfigs would look something like this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  "project-1":
    saveExact: true
  "project-2":
    savePrefix: "~"

Or this:

# File: pnpm-workspace.yaml
packages:
  - "packages/project-1"
  - "packages/project-2"
packageConfigs:
  - match: ["project-1", "project-2"]
    modulesDir: "node_modules"
    saveExact: true

Other

This package is now pure ESM.
Node.js v18, 19, 20, and 21 support discontinued.
The standalone exe version of pnpm requires at least glibc 2.27.
strictDepBuilds is true by default.
blockExoticSubdeps is true by default.
Remove deprecated build dependency settings: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, and ignoredBuiltDependencies.

Use the allowBuilds setting instead. It is a map where keys are package name patterns and values are booleans:
- true means the package is allowed to run build scripts
- false means the package is explicitly denied from running build scripts
Same as before, by default, none of the packages in the dependencies are allowed to run scripts. If a package has postinstall scripts and it isn't declared in allowBuilds, an error is printed.

Before:
```
onlyBuiltDependencies:
  - electron
onlyBuiltDependenciesFile: "allowed-builds.json"
neverBuiltDependencies:
  - core-js
ignoredBuiltDependencies:
  - esbuild
```
After:
```
allowBuilds:
  electron: true
  core-js: false
  esbuild: false
```
Removed the deprecated allowNonAppliedPatches completely in favor of allowUnusedPatches.
Remove ignorePatchFailures so all patch application failures should throw an error.
Removed the pnpm server command #10463.
Removed support for the useNodeVersion and executionEnv.nodeVersion fields. devEngines.runtime and engines.runtime should be used instead #10373.
Removed support for hooks.fetchers. We now have a new API for custom fetchers and resolvers via the fetchers field of pnpmfile.
The default value of the type field in the package.json file of the project initialized by pnpm init command has been changed to module.
Support lowercase options in pnpm add: -d, -p, -o, -e #9197.

When using pnpm add command only:
- -p is now an alias for --save-prod instead of --parseable
- -d is now an alias for --save-dev instead of --loglevel=info
pnpm publish now works without the npm CLI.

The One-time Password feature now reads from PNPM_CONFIG_OTP instead of NPM_CONFIG_OTP:
```
export PNPM_CONFIG_OTP='<your OTP here>'
pnpm publish --no-git-checks
```
Since the new pnpm publish no longer calls npm publish, some undocumented features may have been unknowingly dropped. If you rely on a feature that is now gone, please open an issue at https://github.com/pnpm/pnpm/issues. In the meantime, you can use pnpm pack && npm publish *.tgz as a workaround.

Minor Changes

Load environment variables whose names start with pnpm_config_ into config. These environment variables override settings from pnpm-workspace.yaml but not the CLI arguments.
Support reading allowBuilds from pnpm-workspace.yaml in the global package directory for global installs.
Add support for a global YAML config file named config.yaml.

Now configurations are divided into 2 categories:
- Registry and auth settings which can be stored in INI files such as global rc and local .npmrc.
- pnpm-specific settings which can only be loaded from YAML files such as global config.yaml and local pnpm-workspace.yaml.
Added support for pnpmfiles written in ESM. They should have the .mjs extension: .pnpmfile.mjs #9730.
pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.
A new --yes flag can be passed to pnpm to automatically confirm prompts. This is useful when running pnpm in non-interactive script.
When pnpm updates the pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.

Patch Changes

Check if a package is installable for non npm-hosted packages (e.g., git or tarball dependencies) after the manifest has been fetched.
Explicitly tell npm the path to the global rc config file.
Fix YAML formatting preservation in pnpm-workspace.yaml when running commands like pnpm update. Previously, quotes and other formatting were lost even when catalog values didn't change.

Closes #10425
The parameter set by the --allow-build flag is written to allowBuilds.
Fix a bug in which specifying filter on pnpm-workspace.yaml would cause pnpm to not detect any projects.
Defer patch errors until all patches in a group are applied, so that one failed patch does not prevent other patches from being attempted.

Platinum Sponsors

Gold Sponsors


...

Minor Changes

pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #7122.
Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #10596.

Platinum Sponsors

Gold Sponsors

Patch Changes

Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output, shown as "deduped (N deps hidden)" #10586.
Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.
When the enableGlobalVirtualStore option is set, the pnpm deploy command would incorrectly create symlinks to the global virtual store. To keep the deploy directory self-contained, pnpm deploy now ignores this setting and always creates a localized virtual store within the deploy directory.
Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.

Platinum Sponsors

Gold Sponsors

Patch Changes

Reverted a fix shipped in v10.29.1, which caused another issue #10571.
Reverted fix: Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.

Platinum Sponsors

Gold Sponsors

Uh oh!

Releases: pnpm/pnpm

pnpm 10.30.3

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 11 Alpha 11

Major Changes

Store

Configuration

Other

Minor Changes

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 11 Alpha 10

Major Changes

Store

Configuration

Other

Minor Changes

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 10.30.2

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 10.30.1

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 11 Alpha 5

Major Changes

Store

Configuration

Other

Minor Changes

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 11 Alpha.4

Major Changes

Store

Configuration

Other

Minor Changes

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 10.30

Minor Changes

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 10.29.3

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!

pnpm 10.29.2

Patch Changes

Platinum Sponsors

Gold Sponsors

Uh oh!