pnpm

Major Changes

• Node.js v16 support dropped. Use at least Node.js v18.12.
• Support for lockfile v5 is dropped. Use pnpm v8 to convert lockfile v5 to lockfile v6 #7470.
• The dedupe-injected-deps setting is true by default.
• The default value of the link-workspace-packages setting changed from true to false. This means that by default, dependencies will be linked from workspace packages only when they are specified using the workspace protocol.
• Use the same directories on macOS as on Linux. Don't use directories inside ~/Library on macOS #7321.
• The default value of the hoist-workspace-packages is true.

Our Gold Sponsors

Our Silver Sponsors

Major Changes

• The root package is excluded by default, when running pnpm -r exec|run|add #2769.

• Filtering by path is done by globs.

  In pnpm v6, in order to pick packages under a certain directory, the following filter was used: --filter=./apps

  In pnpm v7, a glob should be used: --filter=./apps/**

• The NODE_PATH env variable is not set in the command shims (the files in node_modules/.bin). This env variable was really long and frequently caused errors on Windows.

  Also, the extend-node-path setting is removed.

  Related PR: #4253

• The embed-readme setting is false by default.

• When using pnpm run <script>, all command line arguments after the script name are now passed to the script's argv, even --. For example, pnpm run echo --hello -- world will now pass --hello -- world to the echo script's argv. Previously flagged arguments (e.g. --silent) were intepreted as pnpm arguments unless -- came before it.

• Side effects cache is turned on by default. To turn it off, use side-effects-cache=false.

• The npm_config_argv env variable is not set for scripts #4153.

• pnpx is now just an alias of pnpm dlx.

  If you want to just execute the command of a dependency, run pnpm <cmd>. For instance, pnpm eslint.

  If you want to install and execute, use pnpm dlx <pkg name>.

• pnpm install -g pkg will add the global command only to a predefined location. pnpm will not try to add a bin to the global Node.js or npm folder. To set the global bin directory, either set the PNPM_HOME env variable or the global-bin-dir setting.

• pnpm pack should only pack a file as an executable if it's a bin or listed in the publishConfig.executableFiles array.

• -W is not an alias of --ignore-workspace-root-check anymore. Just use -w or --workspace-root instead, which will also allow to install dependencies in the root of the workspace.

What's Changed

• feat!: breaking config changes for v7 by @zkochan in https://github.com/pnpm/pnpm/pull/4253
• feat(pack)!: limit what files are packed as executables by @zkochan in https://github.com/pnpm/pnpm/pull/4266
• feat!: pnpx is an alias of pnpm dlx by @zkochan in https://github.com/pnpm/pnpm/pull/4267
• feat: run scripts without -- by @gluxon in https://github.com/pnpm/pnpm/pull/4290
• fix: revert backwards compatible handling of -- for run by @gluxon in https://github.com/pnpm/pnpm/pull/4291
• feat!: global bins should be created only in predefined locations by @zkochan in https://github.com/pnpm/pnpm/pull/4280
• ci: use pnpm v7 by @zkochan in https://github.com/pnpm/pnpm/pull/4307
• feat!: remove -W option by @zkochan in https://github.com/pnpm/pnpm/pull/4308
• test(audit): fix for 2022-02-15 by @gluxon in https://github.com/pnpm/pnpm/pull/4340

Full Changelog: https://github.com/pnpm/pnpm/compare/v6.31.0...v7.0.0-alpha.1

Patch Changes

• A security vulnerabity fixed. When commands are executed on Windows, they should not be searched for in the current working directory.

Patch Changes

• Updating dependencies to fix security vulnerability CVE-2021-32803.

Minor Changes

• New command added: pnpm audit --fix. This command adds overrides to package.json that force versions of packages that do not have the vulnerabilities #3598.

• Own implementation of pnpm pack is added. It is not passed through to npm pack anymore #3608.

• When pnpm add pkg is executed in a workspace and pkg is already in the dependencies of one of the workspace projects, pnpm uses that already present version range to add the new dependency #3614.

• New package.json setting added: publishConfig.executableFiles. By default, for portability reasons, no files except those listed in the bin field will be marked as executable in the resulting package archive. The executableFiles field lets you declare additional fields that must have the executable flag (+x) set even if they aren't directly accessible through the bin field.

  {
    "publishConfig": {
      "executableFiles": [
        "./dist/shim.js",
      ]
    }
  }
  

Patch Changes

• Don't collapse warnings when --reporter append-only is used.
• Print a warning when a lifecycle script is skipped #3619.

Minor Changes

• New command added: pnpm audit --fix. This command adds overrides to package.json that force versions of packages that do not have the vulnerabilities #3598.
• Own implementation of pnpm pack is added. It is not passed through to npm pack anymore #3608.
• When pnpm add pkg is executed in a workspace and pkg is already in the dependencies of one of the workspace projects, pnpm uses that already present version range to add the new dependency #3614.

Patch Changes

• Don't collapse warnings when --reporter append-only is used.
• Print a warning when a lifecycle script is skipped #3619.

Minor Changes

• New command added: pnpm audit --fix. This command adds overrides to package.json that force versions of packages that do not have the vulnerabilities #3598.
• Own implementation of pnpm pack is added. It is not passed through to npm pack anymore #3608.
• When pnpm add pkg is executed in a workspace and pkg is already in the dependencies of one of the workspace projects, pnpm uses that already present version range to add the new dependency #3614.

Patch Changes

• Don't collapse warnings when --reporter append-only is used.
• Print a warning when a lifecycle script is skipped #3619.

Minor Changes

• New command added: pnpm audit --fix. This command adds overrides to package.json that force versions of packages that do not have the vulnerabilities #3598.
• Own implementation of pnpm pack is added. It is not passed through to npm pack anymore #3608.
• When pnpm add pkg is executed in a workspace and pkg is already in the dependencies of one of the workspace projects, pnpm uses that already present version range to add the new dependency #3614.

Patch Changes

• Don't collapse warnings when --reporter append-only is used.

Minor Changes

• New command added: pnpm audit --fix. This command adds overrides to package.json that force versions of packages that do not have the vulnerabilities #3598.
• Own implementation of pnpm pack is added. It is not passed through to npm pack anymore #3608.
• When pnpm add pkg is executed in a workspace and pkg is already in the dependencies of one of the workspace projects, pnpm uses that already present version range to add the new dependency #3614.

Patch Changes

• Don't collapse warnings when --reporter append-only is used.

Patch Changes

• pnpm exec should work outside of Node.js projects #3597.
• Overriding should work when the range selector contains >.

Minor Changes

• New command added: pnpm store path #3571.
• New setting added: cache-dir. cache-dir is the location of the package metadata cache. Previously this cache was stored in the store directory. By default, the cache directory is created in the XDG_CACHE_HOME directory #3578.
• New setting added: state-dir. state-dir is the directory where pnpm creates the pnpm-state.json file that is currently used only by the update checker. By default, the state directory is created in the XDG_STATE_HOME directory #3580.
• workspace-concurrency is based on CPU cores amount, when set to 0 or a negative number. The concurrency limit is set as max((amount of cores) - abs(workspace-concurrency), 1) #3574.

Patch Changes

• Never do full resolution when package manifest is ignored #3576.
• An error is thrown if pnpm link is executed. pnpm link needs at least one argument or option #3590.

Minor Changes

• A new optional field added to the pnpm section of package.json: packageExtensions. The packageExtensions fields offer a way to extend the existing package definitions with additional information. For example, if react-redux should have react-dom in its peerDependencies but it has not, it is possible to patch react-redux using packageExtensions:

  {
    "pnpm": {
      "packageExtensions": {
        "react-redux": {
          "peerDependencies": {
            "react-dom": "*"
          }
        }
      }
    }
  }
  

  The keys in packageExtensions are package names or package names and semver ranges, to it is possible to patch only some versions of a package:

  {
    "pnpm": {
      "packageExtensions": {
        "react-redux@1": {
          "peerDependencies": {
            "react-dom": "*"
          }
        }
      }
    }
  }
  

  The following fields may be extended using packageExtensions: dependencies, optionalDependencies, peerDependencies, and peerDependenciesMeta.

  A bigger example:

  {
    "pnpm": {
      "packageExtensions": {
        "express@1": {
          "optionalDependencies": {
            "typescript": "2"
          }
        },
        "fork-ts-checker-webpack-plugin": {
          "dependencies": {
            "@babel/core": "1"
          },
          "peerDependencies": {
            "eslint": ">= 6"
          },
          "peerDependenciesMeta": {
            "eslint": {
              "optional": true
            }
          }
        }
      }
    }
  }
  

Minor Changes

• When use-beta-cli is true, filtering by directories supports globs #3521.

Patch Changes

• The pnpm remove and pnpm update commands do not fail when the dev, production, or optional settings are set.
• Use the real package names of the peer dependencies when creating the paths in the virtual store #3545.
• The lockfile should not break on peer dependencies that have underscores in their name #3546.
• Resolve peer dependencies from the dependencies of the root project of the workspace #3549.

Bug Fixes

• Generate a correct command shim on Windows if pnpm is installed to a directory with spaces in its name #3519.

Bug Fixes

• Generate a correct command shim on Windows if pnpm is installed to a directory with spaces in its name #3519.

Patch Changes

• pnpm exec should run the command in the right directory, when executed inside a workspace #3514.

Patch Changes

• When publishing in a workspace, pass the .npmrc file from the root of the workspace to npm #3511.

Bug Fixes

• It should be possible to install a Git-hosted package that uses a default branch other than "master" #3506.
• It should be possible to install a Git-hosted package by using only part of the Git commit hash #3507.

Features

• Support the publishConfig.directory field in package.json #3490.
• There is no need to escape the command shell with --, when using the exec command. So just pnpm exec rm -rf dir instead of pnpm exec -- rm -rf dir #3492.
• pnpm audit supports a new option: --ignore-registry-errors. pnpm audit --ignore-registry-errors exits with exit code 0, when the registry responds with a non-200 status code #3472.

Bug Fixes

• Mention pnpm exec in the generic help.
• pnpm outdated should read the value of the strict-ssl setting #3493.
• New lines in engine field should not break the lockfile #3491.