Update pnpm to v10 [SECURITY]

This MR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	9.1.3 -> 10.0.0

---

pnpm no-script global cache poisoning via overrides / ignore-scripts evasion

CVE-2024-53866 / GHSA-vm32-9rqf-rh3r

More information

Details

Summary

pnpm seems to mishandle overrides and global cache:

1. Overrides from one workspace leak into npm metadata saved in global cache
2. npm metadata from global cache affects other workspaces
3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken

Details

See PoC.

In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache

PoC

Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log

1. Remove store and cache On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store This step is not required in general, but we'll be using a popular package for PoC that's likely cached
2. Create A/package.json:

   {
     "name": "A",
     "pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } },
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
3. Create B/package.json:

   {
     "name": "B",
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i

Result:

Packages: +3
+++
Progress: resolved 3, reused 3, downloaded 0, added 3, done
node_modules/.pnpm/ponyhooves@1.0.1/node_modules/ponyhooves: Running postinstall script, done in 51ms

dependencies:
+ rimraf 6.0.1

Done in 1.4s

Also, that code got leaked into another project and it's lockfile now!

Impact

Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs

As a work-around, use separate cache and store dirs in each workspace

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/MR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
• https://nvd.nist.gov/vuln/detail/CVE-2024-53866
• https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
• https://github.com/pnpm/pnpm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting

CVE-2024-47829 / GHSA-8cc4-rfj6-fhg4

More information

Details

The path shortening function is used in pnpm：

export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string {
  let filename = depPathToFilenameUnescaped(depPath).replace(/[\\/:*?"<>|]/g, '+')
  if (filename.includes('(')) {
    filename = filename
      .replace(/\)$/, '')
      .replace(/(\)\()|\(|\)/g, '_')
  }
  if (filename.length > maxLengthWithoutHash || filename !== filename.toLowerCase() && !filename.startsWith('file+')) {
    return `${filename.substring(0, maxLengthWithoutHash - 27)}_${createBase32Hash(filename)}`
  }
  return filename
}

However, it uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. In the diagram, we assume that two packages are called packageA and packageB, and that the first 90 digits of their package names must be the same, and that the hash value of the package names with versions must be the same. Then C is the package that they both reference, but with a different version number. (npm allows package names up to 214 bytes, so constructing such a collision package name is obvious.)

Then hash(packageA@1.2.3)=hash(packageB@3.4.5). This results in the same path for the installation, and thus under the same directory. Although the package names under node_modoules are the full paths again, they are shared with C. What is the exact version number of C? In our local tests, it depends on which one is installed later. If packageB is installed later, the C version number will change to 2.0.0. At this time, although package A requires the C@1.0.0 version, package. json will only work during installation, and will not affect the actual operation. We did not receive any installation error issues from pnpm during our local testing, nor did we use force, which is clearly a case that can be triggered.

For a package with a package name + version number longer than 120, another package can be constructed to introduce an indirect reference to a lower version, such as one with some known vulnerability. Alternatively, it is possible to construct two packages with more than 120 package names + version numbers. This is clearly an advantage for those intent on carrying out supply chain attacks.

The solution: The repair cost is also very low, just need to upgrade the md5 function to sha256.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/MR:N/UI:N/S:C/C:L/I:L/A:L

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
• https://nvd.nist.gov/vuln/detail/CVE-2024-47829
• https://github.com/pnpm/pnpm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pnpm/pnpm (pnpm)

v10.0.0

Compare Source

Major Changes

• Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #​8897. For example:

  {
    "pnpm": {
      "onlyBuiltDependencies": ["fsevents"]
    }
  }

• pnpm link behavior updated:

  The pnpm link command now adds overrides to the root package.json.

  • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
  • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related MR: #​8653

• Secure hashing with SHA256:

  Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

  • Long paths inside node_modules/.pnpm are now hashed with SHA256.
  • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
  • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
  • The side effects cache keys now use SHA256.
  • The pnpmfile checksum in the lockfile now uses SHA256 (#​8530).

• Configuration updates:

  • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

  • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #​8378

  • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

  • virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

  • Reduced environment variables for scripts: During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain. Related Issue: #​8552

  • All dependencies are now installed even if NODE_ENV=production. Related Issue: #​8827

• Changes to the global store:

  • Store version bumped to v10.

  • Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.

    This approach ensures that we can:

    1. Validate that the integrity in the lockfile corresponds to the correct package, which might not be the case after a poorly resolved Git conflict.
    2. Allow the same content to be referenced by different packages or different versions of the same package. Related MR: #​8510 Related Issue: #​8204

  • More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files. Related MR: #​8636

  • A new index directory stores package content mappings. Previously, these files were in files.

• Other breaking changes:

  • The # character is now escaped in directory names within node_modules/.pnpm. Related MR: #​8557
  • Running pnpm add --global pnpm or pnpm add --global @​pnpm/exe now fails with an error message, directing you to use pnpm self-update instead. Related MR: #​8728
  • Dependencies added via a URL now record the final resolved URL in the lockfile, ensuring that any redirects are fully captured. Related Issue: #​8833
  • The pnpm deploy command now only works in workspaces that have inject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile.
  • Removed conversion from lockfile v6 to v9. If you need v6-to-v9 conversion, use pnpm CLI v9.
  • pnpm test now passes all parameters after the test keyword directly to the underlying script. This matches the behavior of pnpm run test. Previously you needed to use the -- prefix. Related MR: #​8619

• node-gyp updated to version 11.

• pnpm deploy now tries creating a dedicated lockfile from a shared lockfile for deployment. It will fallback to deployment without a lockfile if there is no shared lockfile or force-legacy-deploy is set to true.

Minor Changes

• Added support for a new type of dependencies called "configurational dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").

  Configurational dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using exact version and the integrity checksum. Example:

  {
    "pnpm": {
      "configDependencies": {
        "my-configs": "1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="
      }
    }
  }

  Related RFC: #​8. Related MR: #​8915.

• New settings:

  • New verify-deps-before-run setting. This setting controls how pnpm checks node_modules before running scripts:

    • install: Automatically run pnpm install if node_modules is outdated.
    • warn: Print a warning if node_modules is outdated.
    • prompt: Prompt the user to confirm running pnpm install if node_modules is outdated.
    • error: Throw an error if node_modules is outdated.
    • false: Disable dependency checks. Related Issue: #​8585

  • New inject-workspace-packages setting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved using dependenciesMeta[].injected, which remains supported. Related MR: #​8836

• Faster repeat installs:

  On repeated installs, pnpm performs a quick check to ensure node_modules is up to date. Related MR: #​8838

• pnpm add integrates with default workspace catalog:

  When adding a dependency, pnpm add checks the default workspace catalog. If the dependency and version requirement match the catalog, pnpm add uses the catalog: protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior. Related Issue: #​8640

• pnpm dlx now resolves packages to their exact versions and uses these exact versions for cache keys. This ensures pnpm dlx always installs the latest requested packages. Related MR: #​8811

• No node_modules validation on certain commands. Commands that should not modify node_modules (e.g., pnpm install --lockfile-only) no longer validate or purge node_modules. Related MR: #​8657

v9.15.9: pnpm 9.15.9

Compare Source

Patch Changes

• Fix running pnpm CLI from pnpm CLI on Windows when the CLI is bundled to an executable #​8971.

Platinum Sponsors

Gold Sponsors

v9.15.8: pnpm 9.15.8

Compare Source

Patch Changes

• pnpm self-update should always update the version in the packageManager field of package.json.
• The pnpm CLI process should not stay hanging, when --silent reporting is used.
• When --loglevel is set to error, don't show installation summary, execution time, and big tarball download progress.
• Don't show info output when --loglevel=error is used.

Platinum Sponsors

Gold Sponsors

v9.15.7: pnpm 9.15.7

Compare Source

Patch Changes

• pnpm self-update should not leave a directory with a broken pnpm installation if the installation fails.
• Allow scope registry CLI option without --config. prefix such as --@​scope:registry=https://scope.example.com/npm #​9089.
• pnpm self-update should not read the pnpm settings from the package.json file in the current working directory.
• pnpm update -i should list only packages that have newer versions #​9206.
• Fix a bug causing entries in the catalogs section of the pnpm-lock.yaml file to be removed when dedupe-peer-dependents=false on a filtered install. #​9112

Platinum Sponsors

Gold Sponsors

v9.15.6: pnpm 9.15.6

Compare Source

Patch Changes

• Fix instruction for updating pnpm with corepack #​9101.
• Print pnpm's version after the execution time at the end of the console output.
• The pnpm version specified by packageManager cannot start with v.
• Fix a bug causing catalog snapshots to be removed from the pnpm-lock.yaml file when using --fix-lockfile and --filter. #​8639
• Fix a bug causing catalog protocol dependencies to not re-resolve on a filtered install #​8638.

v9.15.5: pnpm 9.15.5

Compare Source

Patch Changes

• Verify that the package name is valid when executing the publish command.
• When running pnpm install, the preprepare and postprepare scripts of the project should be executed #​8989.
• Quote args for scripts with shell-quote to support new lines (on POSIX only) #​8980.
• Proxy settings should be respected, when resolving Git-hosted dependencies #​6530.
• Replace strip-ansi with the built-in util.stripVTControlCharacters #​9009.

Platinum Sponsors

Gold Sponsors

v9.15.4: pnpm 9.15.4

Compare Source

Patch Changes

• Ensure that recursive pnpm update --latest <pkg> updates only the specified package, with dedupe-peer-dependents=true.

Platinum Sponsors

Gold Sponsors

v9.15.3: pnpm 9.15.3

Compare Source

Patch Changes

• Fixed the Regex used to find the package manifest during packing #​8938.
• pnpm update --filter <pattern> --latest <pkg> should only change the specified package for the specified workspace, when dedupe-peer-dependents is set to true #​8877.
• Exclude .DS_Store file at patch-commit #​8922.
• Fix a bug in which pnpm patch is unable to bring back old patch without specifying @version suffix #​8919.

Platinum Sponsors

Gold Sponsors

v9.15.2: pnpm 9.15.2

Compare Source

Patch Changes

• Fixed publish/pack error with workspace dependencies with relative paths #​8904. It was broken in v9.4.0 (398472c).
• Use double quotes in the command suggestion by pnpm patch on Windows #​7546.
• Do not fall back to SSH, when resolving a git-hosted package if git ls-remote works via HTTPS #​8906.
• Improve how packages with blocked lifecycle scripts are reported during installation. Always print the list of ignored scripts at the end of the output. Include a hint about how to allow the execution of those packages.

Platinum Sponsors

Gold Sponsors

v9.15.1: pnpm 9.15.1

Compare Source

Patch Changes

• pnpm remove should not link dependencies from the workspace, when link-workspace-packages is set to false #​7674.
• Installation with hoisted node_modules should not fail, when a dependency has itself in its own peer dependencies #​8854.

Platinum Sponsors

Gold Sponsors

v9.15.0: pnpm 9.15

Compare Source

Minor Changes

• Metadata directory version bumped to force fresh cache after we shipped a fix to the metadata write function. This change is backward compatible as install doesn't require a metadata cache.

Patch Changes

• pnpm update --global should not crash if there are no any global packages installed #​7898.
• Fix an exception when running pnpm update --interactive if catalogs are used.

Platinum Sponsors

Gold Sponsors

v9.14.4: pnpm 9.14.4

Compare Source

Patch Changes

• Don't ever save mutated metadata to the metadata cache.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.14.3: pnpm 9.14.3

Compare Source

Patch Changes

• Some commands should ignore the packageManager field check of package.json #​7959.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.14.2

Compare Source

Patch Changes

• pnpm publish --json should work #​8788.

Platinum Sponsors

Gold Sponsors

v9.14.1

Compare Source

Minor Changes

• Added support for pnpm pack --json to print packed tarball and contents in JSON format #​8765.

Patch Changes

• pnpm exec should print a meaningful error message when no command is provided #​8752.
• pnpm setup should remove the CLI from the target location before moving the new binary #​8173.
• Fix ERR_PNPM_TARBALL_EXTRACT error while installing a dependency from GitHub having a slash in branch name #​7697.
• Don't crash if the use-node-version setting is used and the system has no Node.js installed #​8769.
• Convert settings in local .npmrc files to their correct types. For instance, child-concurrency should be a number, not a string #​5075.
• pnpm should fail if a project requires a different package manager even if manage-package-manager-versions is set to true.
• pnpm init should respect the --dir option #​8768.

Platinum Sponsors

Gold Sponsors

v9.14.0

Compare Source

v9.13.2: pnpm 9.13.2

Compare Source

Patch Changes

• Detection of circular peer dependencies should not crash with aliased dependencies #​8759. Fixes a regression introduced in the previous version.
• Fix race condition of symlink creations caused by multiple parallel dlx processes.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.1: pnpm 9.13.1

Compare Source

Patch Changes

• Fixed some edge cases where resolving circular peer dependencies caused a dead lock #​8720.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.0: pnpm 9.13

Compare Source

Minor Changes

• The self-update now accepts a version specifier to install a specific version of pnpm. E.g.:

  pnpm self-update 9.5.0

  or

  pnpm self-update next-10

Patch Changes

• Fix Cannot read properties of undefined (reading 'name') that is printed while trying to render the missing peer dependencies warning message #​8538.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.12.3

Compare Source

Patch Changes

• Don't purge node_modules, when typing "n" in the prompt that asks whether to remove node_modules before installation #​8655.
• Fix a bug causing pnpm to infinitely spawn itself when manage-package-manager-versions=true is set and the .tools directory is corrupt.
• Use crypto.hash, when available, for improved performance #​8629.
• Fixed a race condition in temporary file creation in the store by including worker thread ID in filename. Previously, multiple worker threads could attempt to use the same temporary file. Temporary files now include both process ID and thread ID for uniqueness #​8703.
• All commands should read settings from the package.json at the root of the workspace #​8667.
• When manage-package-manager-versions is set to true, errors spawning a self-managed version of pnpm will now be shown (instead of being silent).
• Pass the find command to npm, it is an alias for npm search
• Fixed an issue in which pnpm deploy --prod fails due to missing devDependencies #​8778.

v9.12.2

Compare Source

Patch Changes

• When checking whether a file in the store has executable permissions, the new approach checks if at least one of the executable bits (owner, group, and others) is set to 1. Previously, a file was incorrectly considered executable only when all the executable bits were set to 1. This fix ensures that files with any executable permission, regardless of the user class, are now correctly identified as executable #​8546.

v9.12.1

Compare Source

Patch Changes

• pnpm update --latest should not update the automatically installed peer dependencies #​6657.
• pnpm publish should be able to publish from a local tarball #​7950.
• The pnpx command should work correctly on Windows, when pnpm is installed via the standalone installation script #​8608.
• Prevent EBUSY errors caused by creating symlinks in parallel dlx processes #​8604.
• Fix maximum call stack size exceeded error related to circular workspace dependencies #​8599.

v9.12.0

Compare Source

Minor Changes

• Fix peer dependency resolution dead lock #​8570. This change might change some of the keys in the snapshots field inside pnpm-lock.yaml but it should happen very rarely.

• pnpm outdated command supports now a --sort-by=name option for sorting outdated dependencies by package name #​8523.

• Added the ability for overrides to remove dependencies by specifying "-" as the field value #​8572. For example, to remove lodash from the dependencies, use this configuration in package.json:

  {
    "pnpm": {
      "overrides": {
        "lodash": "-"
      }
    }
  }

Patch Changes

• Fixed an issue where pnpm list --json pkg showed "private": false for a private package #​8519.
• Packages with libc that differ from pnpm.supportedArchitectures.libc are not downloaded #​7362.
• Prevent ENOENT errors caused by running store prune in parallel #​8586.
• Add issues alias to pnpm bugs #​8596.

v9.11.0

Compare Source

Minor Changes

• Experimental: added pnpm cache commands for inspecting the metadata cache #​8512.

Patch Changes

• Fix a regression in which pnpm deploy with node-linker=hoisted produces an empty node_modules directory #​6682.
• Don't print a warning when linking packages globally #​4761.
• pnpm deploy should work in workspace with shared-workspace-lockfile=false #​8475.

v9.10.0

Compare Source

Minor Changes

• Support for a new CLI flag, --exclude-peers, added to the list and why commands. When --exclude-peers is used, peer dependencies are not printed in the results, but dependencies of peer dependencies are still scanned #​8506.

• Added a new setting to package.json at pnpm.auditConfig.ignoreGhsas for ignoring vulnerabilities by their GHSA code #​6838.

  For instance:

  {
    "pnpm": {
      "auditConfig": {
        "ignoreGhsas": [
          "GHSA-42xw-2xvc-qx8m",
          "GHSA-4w2v-q235-vp99",
          "GHSA-cph5-m8f7-6c5x",
          "GHSA-vh95-rmgr-6w4m"
        ]
      }
    }
  }

Patch Changes

• Throw an exception if pnpm switches to the same version of itself.
• Reduce memory usage during peer dependencies resolution.

v9.9.0

Compare Source

Minor Changes

• Minor breaking change. This change might result in resolving your peer dependencies slightly differently but we don't expect it to introduce issues.

  We had to optimize how we resolve peer dependencies in order to fix some infinite loops and out-of-memory errors during peer dependencies resolution.

  When a peer dependency is a prod dependency somewhere in the dependency graph (with the same version), pnpm will resolve the peers of that peer dependency in the same way across the subgraph.

  For example, we have react-dom in the peer deps of the form and button packages. card has react-dom and react as regular dependencies and card is a dependency of form.

  These are the direct dependencies of our example project:

  form
  react@16
  react-dom@16

  These are the dependencies of card:

  button
  react@17
  react-dom@16

  When resolving peers, pnpm will not re-resolve react-dom for card, even though card shadows react@16 from the root with react@17. So, all 3 packages (form, card, and button) will use react-dom@16, which in turn uses react@16. form will use react@16, while card and button will use react@17.

  Before this optimization react-dom@16 was duplicated for the card, so that card and button would use a react-dom@16 instance that uses react@17.

  Before the change:

  form
  -> react-dom@16(react@16)
  -> react@16
  card
  -> react-dom@16(react@17)
  -> react@17
  button
  -> react-dom@16(react@17)
  -> react@17

  After the change

  form
  -> react-dom@16(react@16)
  -> react@16
  card
  -> react-dom@16(react@16)
  -> react@17
  button
  -> react-dom@16(react@16)
  -> react@17

Patch Changes

• pnpm deploy should write the node_modules/.modules.yaml to the node_modules directory within the deploy directory #​7731.
• Don't override a symlink in node_modules if it already points to the right location pnpm/symlink-dir#54.

v9.8.0

Compare Source

Minor Changes

• Added a new command for upgrading pnpm itself when it isn't managed by Corepack: pnpm self-update. This command will work, when pnpm was installed via the standalone script from the pnpm installation page #​8424.

  When executed in a project that has a packageManager field in its package.json file, pnpm will update its version in the packageManager field.

Patch Changes

• CLI tools installed in the root of the workspace should be added to the PATH, when running scripts and use-node-version is set.

• pnpm setup should never switch to another version of pnpm.

  This fixes installation with the standalone script from a directory that has a package.json with the packageManager field. pnpm was installing the version of pnpm specified in the packageManager field due to this issue.

• Ignore non-string value in the os, cpu, libc fields, which checking optional dependencies #​8431.

• Remember the state of edit dir, allow running pnpm patch-commit the second time without having to re-run pnpm patch.

v9.7.1

Compare Source

Patch Changes

• Fixed passing public-hoist-pattern and hoist-pattern via env variables #​8339.
• pnpm setup no longer creates Batch/Powershell scripts on Linux and macOS #​8418.
• When dlx uses cache, use the real directory path not the symlink to the cache #​8421.
• pnpm exec now supports executionEnv #​8356.
• Remove warnings for non-root pnpm field, add warnings for non-root pnpm subfields that aren't executionEnv #​8143.
• Replace semver in "peerDependency" with workspace protocol #​8355.
• Fix a bug in patch-commit in which relative path is rejected #​8405.
• Update Node.js in @pnpm/exe to v20.

v9.7.0

Compare Source

Minor Changes

• Added pnpm version management to pnpm. If the manage-package-manager-versions setting is set to true, pnpm will switch to the version specified in the packageManager field of package.json #​8363. This is the same field used by Corepack. Example:

  {
    "packageManager": "pnpm@9.3.0"
  }

• Added the ability to apply patch to all versions: If the key of pnpm.patchedDependencies is a package name without a version (e.g. pkg), pnpm will attempt to apply the patch to all versions of the package. Failures will be skipped. If it is a package name and an exact version (e.g. pkg@x.y.z), pnpm will attempt to apply the patch to that exact version only. Failures will cause pnpm to fail.

  If there's only one version of pkg installed, pnpm patch pkg and subsequent pnpm patch-commit $edit_dir will create an entry named pkg in pnpm.patchedDependencies. And pnpm will attempt to apply this patch to other versions of pkg in the future.

  If there are multiple versions of pkg installed, pnpm patch pkg will ask which version to edit and whether to attempt to apply the patch to all. If the user chooses to apply the patch to all, pnpm patch-commit $edit_dir would create a pkg entry in pnpm.patchedDependencies. If the user chooses not to apply the patch to all, pnpm patch-commit $edit_dir would create a pkg@x.y.z entry in pnpm.patchedDependencies with x.y.z being the version the user chose to edit.

  If the user runs pnpm patch pkg@x.y.z with x.y.z being the exact version of pkg that has been installed, pnpm patch-commit $edit_dir will always create a pkg@x.y.z entry in pnpm.patchedDependencies.

• Change the default edit dir location when running pnpm patch from a temporary directory to node_modules/.pnpm_patches/pkg[@​version] to allow the code editor to open the edit dir in the same file tree as the main project.

• Substitute environment variables in config keys #​6679.

Patch Changes

• pnpm install should run node-gyp rebuild if the project has a binding.gyp file even if the project doesn't have an install script #​8293.
• Print warnings to stderr #​8342.
• Peer dependencies of optional peer dependencies should be automatically installed #​8323.

v9.6.0

Compare Source

Minor Changes

• Support specifying node version (via pnpm.executionEnv.nodeVersion in package.json) for running lifecycle scripts per each package in a workspace #​6720.
• Overrides now support the catalogs: protocol #​8303.

Patch Changes

• The pnpm deploy command now supports the catalog: protocol #​8298.
• The pnpm outdated command now supports the catalog: protocol #​8304.
• Correct the error message when trying to run pnpm patch without node_modules/.modules.yaml #​8257.
• Silent reporting fixed with the pnpm exec command #​7608.
• Add registries information to the calculation of dlx cache hash #​8299.

v9.5.0

Compare Source

Minor Changes

• Added support for catalogs 8122.

  Catalogs may be declared in the pnpm-workspace.yaml file. For example:

v9.4.0

Compare Source

Minor Changes

• Some registries allow the exact same content to be published under different package names and/or versions. This breaks the validity checks of packages in the store. To avoid errors when verifying the names and versions of such packages in the store, you may now set the strict-store-pkg-content-check setting to false #​4724.

Patch Changes

• Fix package-manager-strict-version missing in config #​8195.
• If install is performed on a subset of workspace projects, always create an up-to-date lockfile first. So, a partial install can be performed only on a fully resolved (non-partial) lockfile #​8165.
• Handle workspace protocol with any semver range specifier, when used in peer dependencies #​7578.

v9.3.0

Compare Source

Minor Changes

• Semi-breaking. Dependency key names in the lockfile are shortened if they are longer than 1000 characters. We don't expect this change to affect many users. Affected users most probably can't run install successfully at the moment. This change is required to fix some edge cases in which installation fails with an out-of-memory error or "Invalid string length (RangeError: Invalid string length)" error. The max allowed length of the dependency key can be controlled with the peers-suffix-max-length setting #​8177.

Patch Changes

• Set reporter-hide-prefix to true by default for pnpm exec. In order to show prefix, the user now has to explicitly set reporter-hide-prefix=false #​8174.

v9.2.0

Compare Source

Minor Changes

• If package-manager-strict-version is set to true, pnpm will fail if its version doesn't exactly match the version in the "packageManager" field of package.json.

Patch Changes

• Update @yarnpkg/pnp to the latest version, fixing issue with node: imports #​8161.
• Deduplicate bin names to prevent race condition and corrupted bin scripts #​7833.
• pnpm doesn't fail if its version doesn't match the one specified in the "packageManager" field of package.json #​8087.
• exec now also streams prefixed output when --recursive or --parallel is specified just as run does #​8065.

v9.1.4

Compare Source

Patch Changes

• Improved the performance of the resolution stage by changing how missing peer dependencies are detected #​8144.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.