Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json (#8897). For example:
{ "pnpm": { "onlyBuiltDependencies": ["fsevents"] } }
Read pnpm 10.0.0 Blocks Lifecycle Scripts by Default to learn about the motivation of the change.
If you want the old pre-v10 behaviour, where all dependencies are allowed to run postinstall scripts, add this to your package.json:
{ "pnpm": { "neverBuiltDependencies": [] } }
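The two configurations above can be compared with a small audit. This is an added example, not pnpm's own code: it models only the package.json fields named on this page, assumes onlyBuiltDependencies takes precedence when both fields are present, and uses constructed manifests (every package name except fsevents is hypothetical).

```javascript
// Added example: reports which installed packages would run lifecycle scripts.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Derive the effective policy from the root package.json.
// Assumption: onlyBuiltDependencies wins if both fields are set.
function buildPolicy(rootManifest) {
  const cfg = rootManifest.pnpm || {};
  if (Array.isArray(cfg.onlyBuiltDependencies)) {
    const allow = new Set(cfg.onlyBuiltDependencies);
    return { mode: 'allowlist', allows: (name) => allow.has(name) };
  }
  if (Array.isArray(cfg.neverBuiltDependencies)) {
    const deny = new Set(cfg.neverBuiltDependencies);
    return { mode: 'denylist', allows: (name) => !deny.has(name) };
  }
  return { mode: 'default-block', allows: () => false }; // v10 default
}

function auditBuildScripts(rootManifest, installedManifests) {
  const policy = buildPolicy(rootManifest);
  const report = { mode: policy.mode, willRun: [], blocked: [], staleAllowlist: [] };
  const withScripts = new Set();
  for (const m of installedManifests) {
    const hooks = LIFECYCLE.filter((h) => m.scripts && typeof m.scripts[h] === 'string');
    if (hooks.length === 0) continue;
    withScripts.add(m.name);
    (policy.allows(m.name) ? report.willRun : report.blocked).push({ name: m.name, hooks });
  }
  // Allowlist entries matching no script-bearing package are trust nobody needs.
  const allowed = (rootManifest.pnpm || {}).onlyBuiltDependencies || [];
  report.staleAllowlist = allowed.filter((n) => !withScripts.has(n));
  return report;
}

// Constructed sample manifests, as they would be read from node_modules.
const installed = [
  { name: 'fsevents', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-telemetry', scripts: { postinstall: 'node collect.js' } },
  { name: 'example-utils', scripts: { test: 'node test.js' } },
];
const strict = { pnpm: { onlyBuiltDependencies: ['fsevents', 'example-removed'] } };
const legacy = { pnpm: { neverBuiltDependencies: [] } };

console.log(JSON.stringify(auditBuildScripts(strict, installed), null, 2));
console.log(JSON.stringify(auditBuildScripts(legacy, installed), null, 2));
```

With the empty neverBuiltDependencies list, every package that declares an install hook lands in willRun, which is the exposure the v10 default removes.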
pnpm link behavior updated:
The pnpm link command now adds overrides to the root package.json.
pnpm link from the package’s directory. Previously, you needed to use pnpm link -g.
Secure hashing with SHA256:
Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:
node_modules/.pnpm are now hashed with SHA256.
packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
Configuration updates:
manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.
public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378
Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.
virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.
Reduced environment variables for scripts:
During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain.
Related Issue: #8552
All dependencies are now installed even if NODE_ENV=production. Related Issue: #8827
Changes to the global store:
Store version bumped to v10.
Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.
This approach ensures that we can:
More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files.
Related PR: #8636
A new index directory stores package content mappings. Previously, these files were in files.
Other breaking changes:
The # character is now escaped in directory names within node_modules/.pnpm.
pnpm add --global pnpm or pnpm add --global @pnpm/exe now fails with an error message, directing you to use pnpm self-update instead.
pnpm deploy command now only works in workspaces that have inject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile.
pnpm test now passes all parameters after the test keyword directly to the underlying script. This matches the behavior of pnpm run test. Previously you needed to use the -- prefix.
node-gyp updated to version 11.
pnpm deploy now tries creating a dedicated lockfile from a shared lockfile for deployment. It will fall back to deployment without a lockfile if there is no shared lockfile or force-legacy-deploy is set to true.
Added support for a new type of dependencies called "config dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").
Config dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using an exact version and the integrity checksum. Example:
{ "pnpm": { "configDependencies": { "my-configs": "1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==" } } }
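A check for the pinning rule above, as an added example that is not pnpm's own code: it parses the version+checksum form shown in the example, rejects ranges and missing checksums, and compares a SHA-512 digest against supplied bytes. It assumes the checksum covers the package tarball; the tarball bytes and the loose-range and no-checksum entries are constructed.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Parse "<exact version>+sha512-<base64>", the form used in the example above.
function parseConfigDepSpec(spec) {
  const plus = spec.indexOf('+'); // first '+' separates version from checksum
  if (plus === -1) throw new Error('missing integrity checksum');
  const version = spec.slice(0, plus);
  if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(version)) {
    throw new Error(`not an exact version: ${version}`);
  }
  const m = /^sha512-([A-Za-z0-9+/]+={0,2})$/.exec(spec.slice(plus + 1));
  if (!m) throw new Error('checksum is not sha512-<base64>');
  const digest = Buffer.from(m[1], 'base64');
  if (digest.length !== 64) throw new Error('sha512 digest must be 64 bytes');
  return { version, digest };
}

// Assumption: the checksum is the SHA-512 of the package tarball bytes.
function verifyConfigDep(spec, tarballBytes) {
  const { digest } = parseConfigDepSpec(spec);
  const actual = createHash('sha512').update(tarballBytes).digest();
  return timingSafeEqual(actual, digest);
}

// Return one finding per configDependencies entry that is not fully pinned.
function auditConfigDependencies(manifest) {
  const deps = (manifest.pnpm || {}).configDependencies || {};
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    try { parseConfigDepSpec(spec); } catch (err) {
      findings.push(`${name}: ${err.message}`);
    }
  }
  return findings;
}

// Constructed sample: stand-in tarball bytes and a manifest that pins them.
const tarball = Buffer.from('constructed tarball bytes for my-configs 1.0.0');
const pinned = `1.0.0+sha512-${createHash('sha512').update(tarball).digest('base64')}`;
const manifest = { pnpm: { configDependencies: {
  'my-configs': pinned,
  'loose-range': pinned.replace('1.0.0', '^1.0.0'), // hypothetical: version range
  'no-checksum': '2.3.4',                           // hypothetical: no integrity
} } };

console.log(verifyConfigDep(pinned, tarball));                 // matching bytes
console.log(verifyConfigDep(pinned, Buffer.from('tampered'))); // altered bytes
console.log(auditConfigDependencies(manifest));
```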
New settings:
New verify-deps-before-run setting. This setting controls how pnpm checks node_modules before running scripts:
install: Automatically run pnpm install if node_modules is outdated.
warn: Print a warning if node_modules is outdated.
prompt: Prompt the user to confirm running pnpm install if node_modules is outdated.
error: Throw an error if node_modules is outdated.
false: Disable dependency checks.
New inject-workspace-packages setting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved using dependenciesMeta[].injected, which remains supported.
Related PR: #8836
Faster repeat installs:
On repeated installs, pnpm performs a quick check to ensure node_modules is up to date.
Related PR: #8838
pnpm add integrates with default workspace catalog:
When adding a dependency, pnpm add checks the default workspace catalog. If the dependency and version requirement match the catalog, pnpm add uses the catalog: protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior.
Related Issue: #8640
pnpm dlx now resolves packages to their exact versions and uses these exact versions for cache keys. This ensures pnpm dlx always installs the latest requested packages.
Related PR: #8811
No node_modules validation on certain commands. Commands that should not modify node_modules (e.g., pnpm install --lockfile-only) no longer validate or purge node_modules.
Related PR: #8657