Release Notes
Minor Changes
Optional peer dependencies declared only via
peerDependenciesMeta(for exampledebug'ssupports-colorpeer) are now resolved from a satisfying version already present in the dependency graph, the same way explicitly declared optional peer dependencies are. Previously such peers were only resolved this way when the package's metadata was read back from the lockfile, so an unrelated dependency change could rewrite peer resolutions across the whole lockfile.Added
pnpm licensescommand to the Rust pacquet port to list package licenses in a tabular or JSON format.
Patch Changes
pnpm version -rno longer writes a versioning-ledger entry with no consumed intents as a bareintents:key, which the next run failed to read withERR_PNPM_INVALID_VERSIONING_LEDGER. Empty intent lists are now written asintents: [], and the ledger reader accepts the bare form left by earlier releases.Fixed
pnpm install --frozen-lockfileincorrectly failing withERR_PNPM_OUTDATED_LOCKFILEwhen a workspace project declarespeerDependenciesthatauto-install-peersresolves. Withauto-install-peersenabled (the default), pnpm records those missing peers in the lockfile importer'sdependencies; the frozen-lockfile freshness check now foldspeerDependenciesinto the comparison instead of reporting the materialized peers as removed.Fixed Pacquet workspace commands to honor project filters, preserve complete lockfile state, and materialize only the selected dependency closure, including pnpr-backed installs.
Fixed a lockfile corruption during non-frozen re-installs: when one workspace project reused a package's resolution from the lockfile and another project's edge to the same package was denied reuse (for example because it also depends on a direct dependency whose specifier changed), the denied edge could read the reused, dependency-less resolution from the shared wanted-dependency cache and record the package as a leaf. Its lockfile snapshot became empty (
{}), its peer suffix was dropped, and none of its dependencies were linked, which later broke installs and builds consuming that lockfile #13070.