





















pnpm 11.8 adds install dry-run previews, Node.js package map generation, richer SBOM output, pnpm view defaulting to the current package, and correct pnpm run --no-bail exit codes. It also includes a config-dependency lockfile traversal fix and many install/update determinism fixes.
pnpm install --dry-runpnpm install now supports --dry-run. It runs full dependency resolution and reports what a real install would change, but writes nothing to disk: no lockfile, no manifests, and no node_modules updates.
A completed dry run exits with code 0, matching the preview behavior of npm install --dry-run (#7340).
pnpm now generates node_modules/.package-map.json during isolated and hoisted installs. The map describes how packages should resolve through the installed node_modules layout.
The new nodeExperimentalPackageMap setting injects the generated map into pnpm-managed Node.js script environments by adding Node's --experimental-package-map option to NODE_OPTIONS. The nodePackageMapType setting chooses between standard maps, which expose declared dependencies only, and loose maps, which also map packages reachable through the installed layout.
pnpm sbom can now write SBOMs to files with --out, generate one SBOM per selected workspace package with --split, and use the selected package's metadata as the root component when --filter selects a single package.
CycloneDX output now marks components reachable only through devDependencies with scope: "excluded" and the cdx:npm:package:development property. Runtime components, including installed optional dependencies, keep the default required scope.
pnpm run --no-bail now continues running every matched script, but exits with a non-zero code if any script failed. Recursive runs already behaved this way; non-recursive runs now match them (#8013).
pnpm view can now be run without a package name. In that case it searches upward for the nearest project manifest and uses its name field.
configDependencies names or versions to write outside node_modules/.pnpm-config or the store. Names must be valid npm package names, and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.pnpm update overriding the version range policy of a named catalog whose name parses as a version, such as catalog:express4-21 (#10321).link: workspace protocol dependencies switching to file: after pnpm rm when injectWorkspacePackages: true is set and the target workspace dependency has its own dependencies.packageManager and devEngines.packageManager values when both pin the same package manager, version, and integrity hash (#12028).pnpm approve-builds missing packages whose build approval was revoked and then re-added (#12221).node.exe when it already matches the target (#12203).com.apple.quarantine extended attribute from native binaries after import (#11056).optimisticRepeatInstall incorrectly reporting "Already up to date" when only pnpm-lock.yaml changed, and fixed the same checks for git branch lockfiles (#12100).pnpm up -r "@babel/core" uuid (#12103).pnpm update --no-save in CLI help and option parsing.pnpm import for Yarn v2 lockfiles when js-yaml v4 is installed.enableGlobalVirtualStore is enabled by keeping the virtual store directory recorded during post-install builds aligned with the install step (#12307).--cpu, --os, and --libc flags in pnpm install --help (#12359).README.md from disk during publish when the publish manifest already provides a readme field.pnpm peers check rejecting loose peer dependency ranges that the installed peer satisfies (#12149).workspace: dependencies that point at local paths during pnpm update (#3902).pnpm install detects changes inside local file: dependencies and local tarballs again, bypassing the optimistic fast path for those projects (#11795).node@runtime:<range> to a concrete version.TMPDIR.pnpm store and pnpm config subcommands now goes to stderr, so scripts can safely capture stdout.transitivePeerDependencies could be dropped or shifted when a package participates in a dependency cycle (#5108).pnpm install reporting "Already up to date" after a catalog entry in pnpm-workspace.yaml was reverted to a previous version (#12418).overrides that resolve through a catalog in sync when pnpm update bumps the catalog entry.pnpm version --recursive so it honors workspace selection instead of always bumping every workspace package (#11348).此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。