
pnpm 11.5

· 3 min read
Zoltan Kochan
Lead developer of pnpm

pnpm 11.5 adds a hoistingLimits setting for controlling how far dependencies hoist in nodeLinker: hoisted installs, replaces the interactive prompt library to fix scrolling in long choice lists, recognizes staged publishes in the trust scale, and ships several install and dist-tag fixes.

Minor Changes

New hoistingLimits setting

A new hoistingLimits setting controls how far dependencies are hoisted when nodeLinker is set to hoisted. It mirrors Yarn's nmHoistingLimits setting and accepts one of three values:

  • none - hoist as far as possible (the default).
  • workspaces - hoist only as far as each workspace package.
  • dependencies - hoist only up to each workspace package's direct dependencies.

Originally proposed in #6468, closing #6457.

New interactive prompt library

pnpm replaced enquirer with @inquirer/prompts for all interactive prompts. This fixes the scrolling overflow bug in pnpm update -i, where long choice lists were clipped in the terminal (#6643). The new library paginates by visual lines, so scrolling now works correctly when many packages are listed.

Affected commands include pnpm update -i (and --latest), pnpm audit --fix -i, pnpm approve-builds, pnpm patch, pnpm patch-remove, pnpm publish, pnpm login, and pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt).

Vim-style j / k keys still work for up/down navigation in all interactive prompts.

Staged publishes recognized in the trust scale

Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, pnpm treats it as the strongest trust evidence, ranked above trusted publishers and provenance attestations, because a staged publish requires a 2FA publish approval. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level (#11887).

Patch Changes

  • Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x) (#11999).
  • Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp. pnpm now surfaces the OTP challenge through the existing browser-based 2FA flow (the same one used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.
  • Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions.
  • Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. The missing integrity could otherwise make subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY (#12001).
  • Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch (#11993). --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent.
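The lockfile integrity fix above is easy to check for in an existing project: a remote tarball dependency whose lockfile entry lost its integrity hash is exactly what --frozen-lockfile later rejects. The script below is an added example, not pnpm's own code, that scans the packages section of a pnpm-lock.yaml and reports entries that have a tarball URL but no integrity hash (and any entry with no integrity at all, except git and directory resolutions, which carry a type field instead). The lockfile text embedded in it is constructed for this example; the parser is a narrow line scanner for the one-line resolution flow mapping pnpm writes, not a general YAML parser, so run it against a real lockfile by passing the path as the first argument and treat any parse gap as an assumption of this example.

```javascript
'use strict';

// Constructed sample lockfile for this example (not taken from a real project).
// The third entry shows the failure mode: a tarball resolution with no integrity hash.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      left-pad:
        specifier: 1.3.0
        version: 1.3.0

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-aaaa/bbbb+cccc==}

  '@example/git-dep@https://github.com/example/git-dep/abc123':
    resolution: {commit: abc123, repo: https://github.com/example/git-dep.git, type: git}

  my-tarball-dep@https://example.com/my-tarball-dep-1.0.0.tgz:
    resolution: {tarball: https://example.com/my-tarball-dep-1.0.0.tgz}
    version: 1.0.0

  other-tarball@https://example.com/other-tarball-2.0.0.tgz:
    resolution: {integrity: sha512-dddd/eeee+ffff==, tarball: https://example.com/other-tarball-2.0.0.tgz}
    version: 2.0.0

snapshots:

  left-pad@1.3.0: {}
`;

// Parse a one-line YAML flow mapping such as `{integrity: sha512-..., tarball: https://...}`.
// Only the flat `key: value` shape pnpm writes for `resolution` is supported (assumption).
function parseFlowMapping(text) {
  const body = text.trim().replace(/^\{/, '').replace(/\}$/, '');
  const map = {};
  for (const pair of body.split(/,\s*/)) {
    const idx = pair.indexOf(': ');
    if (idx === -1) continue;
    const key = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 2).trim().replace(/^'(.*)'$/, '$1');
    map[key] = value;
  }
  return map;
}

// Walk the `packages:` section and return [{ name, resolution }] for each entry.
// An entry key is a two-space-indented `name@spec:` line, optionally single-quoted.
function extractPackages(lockfileText) {
  const packages = [];
  let inPackages = false;
  let current = null;
  for (const line of lockfileText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (!inPackages) continue;
    if (/^\S/.test(line)) break; // next top-level key (e.g. snapshots:) ends the section
    const entry = line.match(/^  ('?)(\S.*?)\1:\s*$/);
    if (entry) {
      current = { name: entry[2], resolution: {} };
      packages.push(current);
      continue;
    }
    const res = line.match(/^    resolution:\s*(\{.*\})\s*$/);
    if (res && current) current.resolution = parseFlowMapping(res[1]);
  }
  return packages;
}

// Report entries whose content is not pinned by an integrity hash.
// git and directory resolutions legitimately carry `type:` instead of `integrity:`.
function auditLockfileIntegrity(lockfileText) {
  const findings = [];
  for (const pkg of extractPackages(lockfileText)) {
    const r = pkg.resolution;
    if (r.integrity || r.type) continue;
    findings.push({
      name: pkg.name,
      reason: r.tarball ? 'tarball-without-integrity' : 'no-integrity',
    });
  }
  return findings;
}

// Usage: node audit-lockfile.js [path/to/pnpm-lock.yaml]; without a path the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const text = process.argv[2]
    ? require('node:fs').readFileSync(process.argv[2], 'utf8')
    : SAMPLE_LOCKFILE;
  for (const f of auditLockfileIntegrity(text)) console.log(`${f.reason}: ${f.name}`);
}
```

On the sample, only the my-tarball-dep entry is reported; a clean lockfile prints nothing. Running this in CI before a --frozen-lockfile install turns ERR_PNPM_MISSING_TARBALL_INTEGRITY from a surprise at install time into a review-time finding on the lockfile diff.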