Unclaimed project
Are you a maintainer of pnpm? Claim this project to take control of your public changelog and roadmap.
directories.bin — prevents malicious packages from exploiting bin directory traversalfile: and git: dependencies — symlinks pointing outside package root are now skipped, preventing exfiltration of sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) into node_modulesFixed installation of config dependencies from private registries.
Added support for object type in configDependencies when the tarball URL returned from package metadata differs from the computed URL #10431.
Fix path traversal vulnerability in binary fetcher ZIP extraction
pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
Replace workspace project specific .npmrc with packageConfigs in `pnpm-workspa...
beforePacking that can be used to customize the package.json contents at publish time #3816.pnpm install --filter ...) was slower than running pnpm install without any filter arguments. This performance regression is now fixed. Filtered installs sh...Adding trustPolicyIgnoreAfter allows you to ignore trust policy checks for packages published more than a specified time ago#10352.
Added project registry for global virtual store prune support.
Projects using the store are now registered via symlinks in {storeDir}/v10/projects/. This enables pnpm store prune...
Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #10307.
Fix installation of Git dependencies using annotated tags [#10335](https://githu...
pnpm add, when blockExoticSubdeps is set to true #10324.HEAD points to the commit after checkout #10310.pnpm config get (without --json) no longer print INI formatted text.
Instead, it would print JSON for both objects and arrays and raw string for
strings, numbers, booleans, and nulls.
pnpm config get --json would still print all types of values as JSON like before.
pnpm config list and pnpm config get (without argument) now hide auth-related...
Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.
Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs [#...
Allow loading certificates from cert, ca, and key for specific registry URLs. E.g., //registry.example.com/:ca=-----BEGIN CERTIFICATE-----.... Previously this was only working via certfile, cafile, and keyfile.
These properties are supported in .npmrc, but were ignored by pnpm, this will make pnpm read and use them as well.
Related PR: [#10230]...
Interactive roadmaps, guides and other educational content to help developers grow in their careers.
Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞
This is the repo for Vue 2. For Vue 3, go to https://github.com/vuejs/core