Skip to main content

pnpm 10.29

· 3 min read
Zoltan Kochan
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.29 为 pnpm dlx 添加了 catalog: 协议支持,允许在 pnpm-workspace.yaml 中配置 auditLevel,支持一个裸露的 workspace: 指定符,并包含若干错误修复。

🌐 pnpm 10.29 adds catalog: protocol support to pnpm dlx, allows configuring auditLevel in pnpm-workspace.yaml, supports a bare workspace: specifier, and includes several bug fixes.

小幅更改

🌐 Minor Changes

pnpm dlx中的catalog:协议

🌐 catalog: Protocol in pnpm dlx

pnpm dlx / pnpx 命令现在支持 catalog: 协议,使你能够引用在工作区目录中定义的版本:

🌐 The pnpm dlx / pnpx command now supports the catalog: protocol, allowing you to reference versions defined in your workspace catalogs:

pnpm dlx shx@catalog:

auditLevel 设置

🌐 auditLevel Setting

auditLevel 现在可以在 pnpm-workspace.yaml 文件中配置,因此你不需要在每次 pnpm audit 调用时都传递 --audit-level #10540

pnpm-workspace.yaml
auditLevel: high

workspace:协议

🌐 Bare workspace: Protocol

现在支持没有版本范围的裸 workspace: 指定符。它被视为 workspace:*,并在发布期间解析为具体版本 #10436

🌐 A bare workspace: specifier without a version range is now supported. It is treated as workspace:* and resolves to the concrete version during publish #10436:

{
  "dependencies": {
    "foo": "workspace:"
  }
}

补丁更改

🌐 Patch Changes

  • Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output #10586.

  • Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.

  • When enableGlobalVirtualStore is set, pnpm deploy now ignores it and always creates a localized virtual store within the deploy directory to keep it self-contained.

  • Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.

  • Fixed pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.

  • Fixed catalogMode: strict writing the literal string catalog: to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.

  • Skip local file: protocol dependencies during pnpm fetch, fixing Docker builds when local directory dependencies are not available #10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.

  • Updated tar to version 7.5.7 to fix a security vulnerability (CVE-2026-24842).

  • Fixed pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.

  • Fixed shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.

  • pnpm help now correctly reports if the currently running pnpm CLI is bundled with Node.js #10561.

  • Added a warning when the current directory contains the PATH delimiter character, which can break node_modules/.bin path injection #10457.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page #10281.