In pnpm v10, the lifecycle scripts of dependencies no longer execute automatically during installation. Lifecycle scripts such as preinstall, install and postinstall, which earlier versions ran by default, now run only for packages that are listed explicitly in the onlyBuiltDependencies setting. For example:

{
  "pnpm": {
    "onlyBuiltDependencies": ["fsevents"]
  }
}

This change reduces the risk of an installed dependency running arbitrary code during installation, but it also means developers must maintain the allowlist themselves.

pnpm link Improvements

The pnpm link command has been updated: it now links packages globally by default, whereas previously pnpm link -g was required. In a workspace with multiple packages, the overrides option can be set in the root package.json. This lets you pin a single version of a package when several dependencies require different versions of it. For instance:

{
  "dependencies": {
    "A": "^1.0.0",
    "B": "^2.0.0"
  },
  "pnpm": {
    "overrides": {
      "lodash": "^4.17.21"
    }
  }
}

Overrides can also replace a problematic dependency with a fork:

{
  "dependencies": {
    "problem-package": "^1.0.0"
  },
  "pnpm": {
    "overrides": {
      "problem-package": "my-forked-package@^1.0.1"
    }
  }
}

Security Hash Upgrade

All hash algorithms in pnpm v10 have been updated to SHA256. This includes hashing the long paths in node_modules/.pnpm, the long peer dependency hashes in the lock file, the hashes stored in the packageExtensionsChecksum field of pnpm-lock.yaml, the side effect cache keys, and the pnpmfile checksums in the lock file.

Configuration Updates

  • manage-package-manager-versions is now enabled by default, allowing pnpm to manage its own version based on the packageManager field in package.json.
  • public-hoist-pattern no longer hoists certain packages (like those with eslint or prettier in their names) to the root of node_modules by default.
  • @yarnpkg/extensions has been upgraded to v2.0.3, which may change the pnpm-lock file.
  • On Windows, the default value of virtual-store-dir-max-length has been reduced to 60 characters, and fewer npm_package_* environment variables are set during script execution. Only name, version, bin, engines, and config are retained.
  • Even when NODE_ENV=production, all dependencies (including development dependencies) are now installed. To install only production dependencies, use pnpm add --prod.

Global Store Changes

The global store has been upgraded to v10. Index files are now stored by content hash together with the package identifier, so the same content can be indexed under different package names or versions. Because of this, verifying that the integrity recorded in the lock file matches the correct package becomes more important. A new index directory holds the mapping to package content, and the index file tracks side effects more efficiently by listing only the files that differ.

Other Notable Changes

  • The # character in directory names within node_modules/.pnpm is now escaped.
  • Running pnpm add --global pnpm or pnpm add --global @pnpm/exe now fails and prompts for self-update.
  • Dependencies added via URL now record the final resolved URL in the lock file.
  • The pnpm deploy command now only works with workspaces having inject-workspace-packages=true and creates or falls back to a deployment lock file as needed.
  • The conversion from lockfile v6 to v9 has been removed. Use pnpm CLI v9 for this conversion if required.
  • pnpm test now passes all parameters after the test keyword directly to the underlying script, consistent with pnpm run test.

Minor Changes

  • Support for a new dependency type, configurational dependencies, has been added. These are installed before other types and require an exact version and integrity checksum. For example:
    {
      "pnpm": {
        "configDependencies": {
          "my-configs": "1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="
        }
      }
    }
  • A new setting verify-deps-before-run controls how pnpm checks node_modules before running a script.
  • The inject-workspace-packages setting allows hard-linking of local workspace dependencies instead of symbolic linking.
  • Repeated installations are faster thanks to a quick check of whether node_modules is already up to date.
  • pnpm add integrates with the default workspace directory.
  • pnpm dlx resolves packages to their exact versions for caching.
  • Some commands no longer validate or clear node_modules if they shouldn't modify it.