从 v10 迁移到 v11
pnpm v11 引入了若干对配置读取方式和可用设置的重大更改。大多数配置更改是机械性的,可以通过 codemod 应用;其余的则需要人工处理。当从 v10 安装中运行 pnpm self-update 11 时,pnpm 会打印指向此页面的指针。
🌐 pnpm v11 introduces several breaking changes to how configuration is read and which settings are available. Most config changes are mechanical and can be applied by a codemod; the remainder require human attention. pnpm prints a pointer to this page when pnpm self-update 11 is run from a v10 install.
运行代码修改器
🌐 Run the codemod
cd /path/to/your/project
pnpx codemod run pnpm-v10-to-v11
# or
pnpm add --global codemod
codemod run pnpm-v10-to-v11
codemod 自动应用以下内容:
🌐 The codemod applies the following automatically:
-
Moves settings out of
package.json#pnpmintopnpm-workspace.yaml. In v11, pnpm no longer reads configuration from thepnpmfield inpackage.json. -
Splits
.npmrcinto auth/registry vs. everything else. v11 only reads auth and registry settings from.npmrc. Every other setting (hoist-pattern,node-linker,save-exact, …) is moved intopnpm-workspace.yamlwith a camelCase key. Per-subproject.npmrcfiles land underpackageConfigs["<project-name>"]. -
Consolidates build-dependency settings into
allowBuilds.onlyBuiltDependencies,neverBuiltDependencies,ignoredBuiltDependencies, andonlyBuiltDependenciesFileare merged into a singleallowBuildsmap ({ name: true | false }). -
Replaces the package-manager strictness settings with
pmOnFail.managePackageManagerVersions,packageManagerStrict, andpackageManagerStrictVersionare collapsed into onepmOnFail: download | ignore | warn | errorsetting. -
Renames
allowNonAppliedPatches→allowUnusedPatches, andauditConfig.ignoreCves→auditConfig.ignoreGhsas(the key is renamed; CVE IDs still need to be converted to GHSA IDs manually — see below). -
Converts
useNodeVersioninto adevEngines.runtimeentry on the rootpackage.json. -
Bumps
packageManagerinpackage.jsonto the target pnpm v11 version.
手动跟进
🌐 Manual follow-ups
以下更改无法自动化处理,需要人工关注:
🌐 The following changes are not automatable and need human attention:
-
CVE → GHSA.
auditConfig.ignoreCveswas renamed toauditConfig.ignoreGhsas. Replace eachCVE-YYYY-NNNNNentry with the matchingGHSA-xxxx-xxxx-xxxxID (visible in the "More info" column ofpnpm auditoutput). -
ignorePatchFailureshas been removed. Failed patches now always throw; fix the patch or remove the dependency. -
executionEnv.nodeVersionin a workspace subpackage'spackage.json#pnpmis removed. Declare the runtime in that subpackage'sdevEngines.runtimeinstead. -
npm_config_*environment variables are no longer read. Rename them topnpm_config_*wherever they are set (CI configs, shell profiles, Docker images). -
pnpm link <pkg-name>no longer resolves packages from the global store. Use a relative or absolute path (pnpm link ./foo). -
pnpm install -g(with no arguments) is no longer supported. Usepnpm add -g <pkg>instead. -
pnpm serverhas been removed with no replacement. -
Script names shadow built-in commands. If your
package.jsondefines a script namedclean,setup,deploy, orrebuild,pnpm <name>now runs the script instead of the built-in command. Usepnpm pm <name>to force the built-in.
有关全部重大更改的列表,请参见 v11 更新日志。
🌐 For the full list of breaking changes, see the v11 changelog.