Overview
This issue tracks the upgrade of the package manager from pnpm 10 to pnpm 11.
pnpm 11 Release Notes
Key Changes in pnpm 11
- Node.js 22+ required — support for Node.js 18, 19, 20, and 21 is dropped. pnpm is now pure ESM.
- Supply-chain protection on by default —
minimumReleaseAge defaults to 1 day (1440 min) and blockExoticSubdeps defaults to true.
allowBuilds replaces legacy build-dependency settings — onlyBuiltDependencies, neverBuiltDependencies, ignoredBuiltDependencies, and ignoreDepScripts are removed.- Configuration split —
.npmrc is now auth/registry only; all other pnpm settings must live in pnpm-workspace.yaml or the new global ~/.config/pnpm/config.yaml.
- New SQLite-backed store index (store v11) — replaces JSON-per-package index for faster installs.
- Native publish flow —
pnpm publish, login, logout, etc. no longer delegate to npm CLI.
- Isolated global installs via the global virtual store.
- New commands —
pnpm ci, pnpm sbom, pnpm clean, pnpm peers check, pnpm runtime set, and short pn/pnx aliases.
- Environment variables use
pnpm_config_* prefix instead of npm_config_*.
Required Changes in This Repository
- Update
packageManager field in package.json to pnpm@11.x.x.
- Migrate
pnpm-workspace.yaml — replace allowBuilds: false entries with the new allowBuilds model; note that strictDepBuilds and related legacy fields are removed.
- Ensure CI environment uses Node.js 22+.
- Review any
.npmrc settings and move non-auth config to pnpm-workspace.yaml.
- Update the lockfile (
pnpm-lock.yaml) by running pnpm install after the upgrade.
- Update
scripts/check-pm.js if needed (the npm_config_user_agent env var logic may need updating since pnpm 11 uses pnpm_config_* prefix for its own settings).
Context
This issue was raised in the context of PR #145, which introduced pnpm 10 as the package manager.
Requested by: @infeo
Overview
This issue tracks the upgrade of the package manager from pnpm 10 to pnpm 11.
pnpm 11 Release Notes
Key Changes in pnpm 11
minimumReleaseAgedefaults to 1 day (1440 min) andblockExoticSubdepsdefaults totrue.allowBuildsreplaces legacy build-dependency settings —onlyBuiltDependencies,neverBuiltDependencies,ignoredBuiltDependencies, andignoreDepScriptsare removed..npmrcis now auth/registry only; all other pnpm settings must live inpnpm-workspace.yamlor the new global~/.config/pnpm/config.yaml.pnpm publish,login,logout, etc. no longer delegate to npm CLI.pnpm ci,pnpm sbom,pnpm clean,pnpm peers check,pnpm runtime set, and shortpn/pnxaliases.pnpm_config_*prefix instead ofnpm_config_*.Required Changes in This Repository
packageManagerfield inpackage.jsontopnpm@11.x.x.pnpm-workspace.yaml— replaceallowBuilds: falseentries with the newallowBuildsmodel; note thatstrictDepBuildsand related legacy fields are removed..npmrcsettings and move non-auth config topnpm-workspace.yaml.pnpm-lock.yaml) by runningpnpm installafter the upgrade.scripts/check-pm.jsif needed (thenpm_config_user_agentenv var logic may need updating since pnpm 11 usespnpm_config_*prefix for its own settings).Context
This issue was raised in the context of PR #145, which introduced pnpm 10 as the package manager.
Requested by: @infeo