惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
T
Threat Research - Cisco Blogs
N
News and Events Feed by Topic
Hacker News: Ask HN
Hacker News: Ask HN
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 叶小钗
Security Latest
Security Latest
Spread Privacy
Spread Privacy
aimingoo的专栏
aimingoo的专栏
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
U
Unit 42
Cyberwarzone
Cyberwarzone
小众软件
小众软件
Scott Helme
Scott Helme
Engineering at Meta
Engineering at Meta
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
A
About on SuperTechFans
爱范儿
爱范儿
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Schneier on Security
Schneier on Security
Latest news
Latest news
GbyAI
GbyAI
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
The Register - Security
The Register - Security
WordPress大学
WordPress大学
博客园_首页
Blog — PlanetScale
Blog — PlanetScale
PCI Perspectives
PCI Perspectives
Jina AI
Jina AI
AI
AI
NISL@THU
NISL@THU
I
Intezer
G
GRAHAM CLULEY
B
Blog
S
Secure Thoughts
IT之家
IT之家
宝玉的分享
宝玉的分享
Recent Announcements
Recent Announcements
Y
Y Combinator Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
有赞技术团队
有赞技术团队
V2EX - 技术
V2EX - 技术
Recorded Future
Recorded Future
Hacker News - Newest:
Hacker News - Newest: "LLM"

pnpm Blog

pnpm 11.10 pnpm 11.9 pnpm 11.7 Why pnpm no longer expands environment variables in a repository's .npmrc pnpm 11.6 pnpm 11.5 pnpm 11.4 pnpm 11.3 pnpm 11.2 pnpm 11.1 pnpm 11.0 pnpm 10.32 pnpm 10.31 pnpm 10.30 pnpm 10.29 pnpm 10.28 pnpm 10.27 🚀 2025年的 pnpm pnpm 10.26 pnpm 10.25 我们如何保护新闻编辑部免受npm供应链攻击 pnpm 10.24 pnpm 10.23 pnpm 10.22 pnpm 10.21 pnpm 10.20
pnpm 11.8
Zoltan Kochan · 2026-06-18 · via pnpm Blog

pnpm 11.8 adds install dry-run previews, Node.js package map generation, richer SBOM output, pnpm view defaulting to the current package, and correct pnpm run --no-bail exit codes. It also includes a config-dependency lockfile traversal fix and many install/update determinism fixes.

次要更改

pnpm install --dry-run

pnpm install now supports --dry-run. It runs full dependency resolution and reports what a real install would change, but writes nothing to disk: no lockfile, no manifests, and no node_modules updates.

A completed dry run exits with code 0, matching the preview behavior of npm install --dry-run (#7340).

Node.js package maps

pnpm now generates node_modules/.package-map.json during isolated and hoisted installs. The map describes how packages should resolve through the installed node_modules layout.

The new nodeExperimentalPackageMap setting injects the generated map into pnpm-managed Node.js script environments by adding Node's --experimental-package-map option to NODE_OPTIONS. The nodePackageMapType setting chooses between standard maps, which expose declared dependencies only, and loose maps, which also map packages reachable through the installed layout.

SBOM improvements

pnpm sbom can now write SBOMs to files with --out, generate one SBOM per selected workspace package with --split, and use the selected package's metadata as the root component when --filter selects a single package.

CycloneDX output now marks components reachable only through devDependencies with scope: "excluded" and the cdx:npm:package:development property. Runtime components, including installed optional dependencies, keep the default required scope.

CLI behavior

pnpm run --no-bail now continues running every matched script, but exits with a non-zero code if any script failed. Recursive runs already behaved this way; non-recursive runs now match them (#8013).

pnpm view can now be run without a package name. In that case it searches upward for the nearest project manifest and uses its name field.

补丁更改

  • Security: Validate config dependency names and versions from the env lockfile before using them to build filesystem paths. A committed lockfile can no longer use traversal-shaped configDependencies names or versions to write outside node_modules/.pnpm-config or the store. Names must be valid npm package names, and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.
  • Fixed pnpm update overriding the version range policy of a named catalog whose name parses as a version, such as catalog:express4-21 (#10321).
  • Fixed link: workspace protocol dependencies switching to file: after pnpm rm when injectWorkspacePackages: true is set and the target workspace dependency has its own dependencies.
  • Stopped warning about matching packageManager and devEngines.packageManager values when both pin the same package manager, version, and integrity hash (#12028).
  • Fixed interactive progress output leaving characters behind when external processes write to the terminal, such as SSH passphrase prompts (#12350).
  • Fixed pnpm approve-builds missing packages whose build approval was revoked and then re-added (#12221).
  • Skipped the redundant Windows warning about an existing node.exe when it already matches the target (#12203).
  • Fixed macOS Gatekeeper blocking native binaries imported from the store by removing the com.apple.quarantine extended attribute from native binaries after import (#11056).
  • Fixed optimisticRepeatInstall incorrectly reporting "Already up to date" when only pnpm-lock.yaml changed, and fixed the same checks for git branch lockfiles (#12100).
  • Fixed recursive updates that mix transitive dependency patterns with direct dependency selectors, such as pnpm up -r "@babel/core" uuid (#12103).
  • Registered pnpm update --no-save in CLI help and option parsing.
  • Fixed pnpm import for Yarn v2 lockfiles when js-yaml v4 is installed.
  • Fixed repeated reinstall prompts when enableGlobalVirtualStore is enabled by keeping the virtual store directory recorded during post-install builds aligned with the install step (#12307).
  • Documented the --cpu, --os, and --libc flags in pnpm install --help (#12359).
  • Avoided reading README.md from disk during publish when the publish manifest already provides a readme field.
  • Fixed pnpm peers check rejecting loose peer dependency ranges that the installed peer satisfies (#12149).
  • Preserved workspace: dependencies that point at local paths during pnpm update (#3902).
  • Fixed a lockfile non-convergence case where incremental installs could keep a duplicate transitive dependency that a fresh install would remove.
  • pnpm install detects changes inside local file: dependencies and local tarballs again, bypassing the optimistic fast path for those projects (#11795).
  • Preserved the existing Node.js runtime version prefix when resolving node@runtime:<range> to a concrete version.
  • Shortened CAFS temporary package directories to leave room for lifecycle scripts that create IPC socket paths under TMPDIR.
  • Reporter output for pnpm store and pnpm config subcommands now goes to stderr, so scripts can safely capture stdout.
  • Avoided relinking unchanged child dependencies and removed stale child links during warm installs.
  • Fixed lockfile churn where transitivePeerDependencies could be dropped or shifted when a package participates in a dependency cycle (#5108).
  • Fixed pnpm install reporting "Already up to date" after a catalog entry in pnpm-workspace.yaml was reverted to a previous version (#12418).
  • Kept lockfile overrides that resolve through a catalog in sync when pnpm update bumps the catalog entry.
  • Fixed pnpm version --recursive so it honors workspace selection instead of always bumping every workspace package (#11348).