Major Changes
- pnpm audit now calls npm's /-/npm/v1/security/advisories/bulk endpoint. The legacy /-/npm/v1/security/audits{,/quick} endpoints have been retired by the registry, so the legacy request/response contract is no longer supported.

  The bulk endpoint does not return CVE identifiers. CVE-based filtering has been replaced with GitHub advisory ID (GHSA) filtering:

  - auditConfig.ignoreCves → auditConfig.ignoreGhsas (the previous key is no longer recognized)
  - pnpm audit --ignore <id> / pnpm audit --ignore-unfixable now read and write GHSAs instead of CVEs
  - GHSAs are derived from each advisory's url (https://github.com/advisories/GHSA-xxxx-xxxx-xxxx)

  To migrate: replace each CVE-YYYY-NNNNN entry in your auditConfig.ignoreCves with the corresponding GHSA-xxxx-xxxx-xxxx value (visible in the More info column of pnpm audit output) and move it under auditConfig.ignoreGhsas.
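The GHSA derivation and ignore filtering described above, as an added JavaScript example that is not pnpm's own code. The function names, the shape of the sample bulk response (package name mapped to advisories with url and severity) and all ids are constructed assumptions.

```javascript
// Added example, not pnpm source. Sample data below is constructed.
const GHSA_ID = /^GHSA(-[0-9a-z]{4}){3}$/i;

// Derive the GHSA from an advisory url such as
// https://github.com/advisories/GHSA-xxxx-xxxx-xxxx; null if it has none.
function ghsaFromUrl(url) {
  const last = String(url || '').split('/').pop();
  return GHSA_ID.test(last) ? last : null;
}

// Report auditConfig entries that can no longer suppress anything:
// everything under the retired ignoreCves key, and non-GHSA ids
// (for example CVE ids copied over unchanged) under ignoreGhsas.
function lintAuditConfig(auditConfig) {
  const problems = [];
  for (const id of auditConfig.ignoreCves || []) {
    problems.push(`ignoreCves is no longer recognized: ${id}`);
  }
  for (const id of auditConfig.ignoreGhsas || []) {
    if (!GHSA_ID.test(id)) problems.push(`not a GHSA id: ${id}`);
  }
  return problems;
}

// Drop advisories whose derived GHSA is listed in ignoreGhsas.
// Advisories without a derivable GHSA are always kept (fail closed).
function applyIgnores(bulk, ignoreGhsas) {
  const ignored = new Set(ignoreGhsas);
  const kept = [];
  for (const [name, advisories] of Object.entries(bulk)) {
    for (const adv of advisories) {
      const ghsa = ghsaFromUrl(adv.url);
      if (ghsa === null || !ignored.has(ghsa)) {
        kept.push({ name, ghsa, severity: adv.severity });
      }
    }
  }
  return kept;
}

// Constructed sample data (placeholder ids, not real advisories).
const sampleBulk = {
  'example-pkg': [
    { url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc', severity: 'high' },
    { url: 'https://github.com/advisories/GHSA-dddd-eeee-ffff', severity: 'low' },
  ],
  'other-pkg': [{ url: 'https://example.invalid/advisory/42', severity: 'moderate' }],
};
const sampleConfig = {
  ignoreCves: ['CVE-0000-00000'],
  ignoreGhsas: ['GHSA-aaaa-bbbb-cccc', 'CVE-0000-00001'],
};

console.log(lintAuditConfig(sampleConfig));
console.log(applyIgnores(sampleBulk, sampleConfig.ignoreGhsas));
```

Running a lint like this in CI after upgrading surfaces ignore entries that silently stopped matching.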
Minor Changes
- Added the pnpm docs command and its alias pnpm home. This command opens the package documentation or homepage in the browser. When the package has no valid homepage, it falls back to https://npmx.dev/package/<name>.
- Added native pnpm ping command to test registry connectivity. Provides a simple way to verify connectivity to the configured registry without requiring external tools.
- Implemented native search command and its aliases (s, se, find).
Patch Changes
- Fixed pnpm store prune removing packages used by the globally installed pnpm, breaking it.