winget install --id pnpm.pnpmAbout pnpm
Fast, disk space efficient package manager.
What's new in 11.0.8
> See full v11.0.0 changelog: https://github.com/pnpm/pnpm/releases/tag/v11.0.0 > Migration guide: Migrating from v10 to v11 ## Patch Changes - Restored the heuristic that preserves tarball URLs in `pnpm-lock.yaml` when they cannot be derived from name+version+registry, even with the default `lockfileIncludeTarballUrl: false`. Without this, `pnpm install --frozen-lockfile` from an empty store fails with ERR_PNPM_FETCH_404 for packages on registries that serve tarballs from a non-standard path — most notably GitHub Packages (`https://npm.pkg.github.com/download/<scope>/<name>/<version>/<hash>`) and JSR. `lockfileIncludeTarballUrl: true` continues to force the URL into the lockfile for every package #11276. - Run `preversion`, `version`, and `postversion` lifecycle scripts for `pnpm version`. - Fixed `ERR_PNPM_BAD_TARBALL_SIZE` when a registry serves tarballs with an end-to-end `Content-Encoding` (e.g. `gzip`). Tarballs are already compressed, so the fetcher now requests them with `Accept-Encoding: identity` (matching pnpm v10's effective behavior) and, as defense in depth against misbehaving servers, no longer enforces the strict `Content-Length` check when the response declares a `Content-Encoding` — `Content-Length` in that case refers to the encoded payload, not the decoded bytes the fetch implementation yields #11506.
Version history
| Version | Updated | Notes |
|---|---|---|
| 11.0.8 | Unknown | > See full v11.0.0 changelog: https://github.com/pnpm/pnpm/releases/tag/v11.0.0 > Migration guide: Migrating from v10 to v11 ## Patch Changes - Restored the heuristic that preserves tarball URLs in `pnpm-lock.yaml` when... |
| 10.33.4 | Unknown | Patch Changes - Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Pre... |
| 10.33.3 | Unknown | Patch Changes - When self-updating from v10's @pnpm/exe to v11+ on Intel macOS (darwin-x64), pnpm self-update now transparently switches to the JS-only pnpm package on npm instead of installing @pnpm/exe@v11+ (which does... |
| 10.33.2 | Unknown | Patch Changes - Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a sys... |
| 10.33.1 | Unknown | Patch Changes - When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, st... |
| 10.33.0 | Unknown | Minor Changes - Added a new dedupePeers setting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested s... |
| 10.32.1 | Unknown | Patch Changes - Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. min... |
| 10.32.0 | Unknown | Minor Changes - Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #10136. Patch Changes - Reverted change related to setting explicitly the npm config file path, which c... |
| 10.31.0 | Unknown | Minor Changes - When pnpm updates the pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved. Patch Changes - Added -F as a short alias for the --filter option in the help output. - Handle und... |
| 10.30.3 | Unknown | Patch Changes - Fixed version switching via packageManager field failing when pnpm is installed as a standalone executable in environments without a system Node.js #10687. Platinum Sponsors ────────── Bit ────────── Gold... |
| 10.30.2 | Unknown | Patch Changes - Fix auto-installed peer dependencies ignoring overrides when a stale version exists in the lockfile. - Fixed "input line too long" error on Windows when running lifecycle scripts with the global virtual s... |
| 10.30.1 | Unknown | Patch Changes - Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #10649. Platinum Sponsors ────────── Bit ────────── Gold Sponsors ──... |
| 10.30.0 | Unknown | Minor Changes - pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output whic... |
| 10.29.3 | Unknown | Patch Changes - Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materi... |
| 10.29.2 | Unknown | Patch Changes - Reverted a fix shipped in v10.29.1, which caused another issue #10571. Reverted fix: Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497. Plati... |
| 10.29.1 | Unknown | Minor Changes - The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:. - Support configuring auditLevel in the pnpm-workspace.yaml file #10540. - Support bare workspace: protocol... |
| 10.28.2 | Unknown | Patch Changes - Security fix: prevent path traversal in directories.bin field. - When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside... |
| 10.28.1 | Unknown | Patch Changes - Fixed installation of config dependencies from private registries. Added support for object type in configDependencies when the tarball URL returned from package metadata differs from the computed URL #10... |
| 10.28.0 | Unknown | Minor Changes - Add support for a hook called beforePacking that can be used to customize the package.json contents at publish time #3816. - In some cases, a filtered install (i.e. pnpm install --filter ...) was slower t... |
| 10.27.0 | Unknown | Minor Changes - Adding trustPolicyIgnoreAfter allows you to ignore trust policy checks for packages published more than a specified time ago#10352. - Added project registry for global virtual store prune support. Project... |