v0.18.3

Patch Changes

• 14e61d5: Update @​types/node, use @​typescript/native-preview for local build/check
• 25031aa: - Fix "Cannot read properties of undefined (reading 'filename')" caused by fflate 0.8.3 (#​258)
  • Bump fflate to ^0.8.3

v5.101.0

Compare Source

v5.100.14

Compare Source

v5.100.13

Compare Source

Patch Changes

• fix(query-core): drop the custom NoInfer<T> re-export and rely on TypeScript's built-in NoInfer (TS ≥ 5.4) so NoInfer<X[K]> stays assignable to X[K] in generic contexts (fixes #​9937) (#​10593)

v5.100.12

Compare Source

v5.100.11

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

v6.0.7

Features

• use carets for @rolldown/pluginutils version (#​776) (941b651)

Bug Fixes

• deps: update all non-major dependencies (#​762) (9e825b8)
• deps: update all non-major dependencies (#​774) (77dc8bc)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v1.9.0

Compare Source

Minor Changes

• #​636 b072bcc Thanks @​bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs

• #​625 8795eee Thanks @​bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.

Patch Changes

• #​535 34f64f6 Thanks @​Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.

• #​632 1d54b9e Thanks @​bluwy! - Simplify internal implementation to get changelog entries for a package version

• #​629 e0c90aa Thanks @​bluwy! - Fix custom version and publish command argument parsing

• #​645 f9585d9 Thanks @​Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

v10.5.0

Compare Source

v10.4.1

Compare Source

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#​20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#​20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#​20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#​20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#​20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#​20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@​0.8.2 (#​20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#​20873) (Copilot)

v10.4.0

Compare Source

v22.7.5

Compare Source

22.7.5 (2026-05-27)

🩹 Fixes

• core: update tmp to 0.2.6 due to CVE-2026-44705 (#​35813)

❤️ Thank You

• Jack Hsu @​jaysoo

v22.7.4

Compare Source

22.7.4 (2026-05-25)

🩹 Fixes

• core: update brace-expansion and yaml (#​35790)

❤️ Thank You

• Jack Hsu @​jaysoo

v22.7.3

Compare Source

22.7.3 (2026-05-22)

🚀 Features

• js: support pnpm 11.2.2 (#​35772)

🩹 Fixes

• angular: only add @​oxc-project/runtime on the vitest-analog path (#​35734)
• angular-rspack: exclude eslint config from tailwind v4 source scan (#​35663)
• core: warn before installing unknown npm packages as preset (#​35644)
• core: preserve input order in createNodes plugin results (#​35595)
• core: resolve local plugin subpath imports from source (#​35631)
• core: treat undefined task parallelism as parallel when scheduling (#​35736)
• core: handle object form of bin field in getPrettierPath (#​35680)
• core: detect vscode copilot ai agent (#​35757)
• core: allow local plugin subpath imports without custom conditions (#​35751, #​35631)
• dotnet: include Directory.. files in inputs (#​35738)
• gradle: add transitive:true to all tasks (#​35677)
• gradle: pin generated e2e project toolchain to installed JDK (#​35703)
• js: fall back to npm publish when bun publish fails with auth error (#​35756)
• linter: improve convert-to-flat-config output fidelity (#​35330)
• linter: only rewrite workspace-package peer deps to workspace:* (#​35423, #​35318, #​33417)
• misc: stop inferring projects: 'self' in dependsOn entries (#​35686)
• misc: skip $ escaping in file paths on windows (#​35692)
• repo: run dotnet restore before publish (#​35771)
• repo: run dotnet restore before macos e2e job (#​35774)
• rsbuild: infer build outputs from distPath.root directly (#​35707)
• rsbuild: lazy-require @​rsbuild/core in plugin so spec mocks work after jest.resetModules (#​35707)
• testing: correct yargs-parser import in getJestProjectsAsync (#​35672, #​35654)

❤️ Thank You

• AgentEnder @​AgentEnder
• Artur @​arturovt
• Benjamin Staneck @​Stanzilla
• Copilot @​Copilot
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• leosvelperez @​leosvelperez
• Louie Weng @​lourw

v22.7.2

Compare Source

22.7.2 (2026-05-14)

🚀 Features

• gradle: stream batch task results to nx as they finish (#​35487)
• nx-dev: track docs analytics for code copy, LLM prompt, YouTube (#​35526)
• testing: add migration for Jest 30 snapshot guide link (#​35629)

🩹 Fixes

• angular: disable vitest watch by default (#​35493)
• angular-rspack: keep root-scoped assets out of per-locale i18n emit (#​35621)
• bundling: include tsconfig solution input for rollup (#​35476)
• bundling: include tsconfig solution input for webpack (#​35477, #​35476)
• core: bump axios to 1.16.0 for all packages (#​35568)
• core: add provenance check in nx console status path (#​35485)
• core: remove access control header from graph app (#​35494)
• core: ensure verbose logs go to stderr and daemon logs are properly decorated (#​34358)
• core: show flaky-task count in run summary (#​35491)
• core: unique telemetry user_id; expose workspace_id dimension (#​35553)
• core: update minimatch to 10.2.5 (#​35569, #​34660)
• core: restore use-legacy-versioning shim for @​nx/js@​21 ensurePackage path (#​35574)
• core: isolate NX_PARALLEL env var in parallel-related specs (#​35579)
• core: skip handleimport miss path when nx key packages are absent (#​35596)
• core: use gethostuuid(3) instead of ioreg on macOS (#​35599)
• core: isolate cache env vars in splitArgs spec (#​35584)
• core: enable node's native v8 compile cache support (#​35415, #​20454)
• core: support skipped batch tasks end-to-end and fix TUI double logs (#​35617)
• core: keep TUI task selection on the in-progress section (#​35640)
• core: allow nx mcp to run outside of an Nx workspace (#​35655)
• core: cast perf entries to PerformanceMeasure for detail access (43c0c821ba)
• devkit: exclude dist from jest module path scan (#​35615)
• devkit: expand @​nx/devkit/internal re-exports for cherry-picked v23 deep-import migration (#​35541)
• dotnet: correct output paths for Web SDK and centralized dist setups (#​35398)
• gradle: exclude batch-runner from jest haste-map crawl (#​35501)
• gradle: exclude project-graph from jest module path scan (#​35609)
• gradle: support Windows file paths (#​35184, #​34987)
• js: strip glob from inferred outputs before resolving as path (#​35463, #​35452)
• js: reference vitest.config in eslint dep-checks for vitest libs (#​35460, #​33670, #​35450)
• js: include transitive workspace deps in pruned pnpm lockfile (#​35532, #​35347, #​34655)
• linter: prevent ENOENT crash in getRelativeImportPath for unresolvable paths (#​35007, #​13872, #​34066, #​30491, #​16716, #​35006, #​21889, #​32190)
• maven: skip attached artifacts that fail to materialize in batch record (#​35473)
• maven: serialize Maven 4 build state recording (#​35555)
• maven: widen runCLI timeout for --no-batch maven.test.ts cases (#​35589)
• nx-dev: document nested CLI subcommands beyond two levels (#​35519)
• nx-dev: short-circuit bot probes in framer rewrite edge function (#​35527)
• react: withSvgr migration preserves other properties (#​35484)
• repo: clear NX_INVOCATION_ROOT_PID in run-native-target to avoid recursion false-positive (443dee0b22)
• repo: revert deep-import rewrites that targeted v23-only @​nx/devkit/internal entry (ac8187963d)
• repo: unblock 22.7.x cargo tests and nx-build e2e (#​34285)
• repo: expand "..." spread token in graph typecheck inputs (#​34285, #​35458)
• testing: pin jest to ~30.3.0 to avoid jest-runtime 30.4 RN incompat (#​35618)
• testing: handle absolute cypress screenshotsFolder/videosFolder paths (#​35624)
• testing: exclude dist and out-tsc from default jest module path scan (#​35619)
• testing: update remaining snapshot guide links missed by migration (cd350c1140)

❤️ Thank You

• Adam Keenan @​adamk33n3r
• AgentEnder @​AgentEnder
• beeman
• Claude
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Max Kless
• MaxKless @​MaxKless
• Optischa @​Optischa
• Sharon Lougheed

v11.8.0

Compare Source

Minor Changes

• c112b61: Added a --dry-run option to pnpm install. It runs a full dependency resolution and reports what an install would change, but writes nothing to disk (no lockfile, no node_modules) and always exits with code 0. This mirrors the preview semantics of npm install --dry-run #​7340.

• 179ebc4: pnpm run --no-bail now exits with a non-zero exit code when any of the executed scripts fail, while still running every matched script to completion. This makes the exit-code behavior of --no-bail consistent between recursive and non-recursive runs (recursive runs already failed at the end). Previously, a non-recursive pnpm run --no-bail always exited with code 0, even when a script failed #​8013.

• 0474a9c: Added support for generating Node.js package maps at node_modules/.package-map.json during isolated and hoisted installs. Added the node-experimental-package-map setting to inject the generated map into pnpm-managed Node.js script environments, and the node-package-map-type setting to choose between standard and loose package maps.

• dcededc: pnpm sbom now marks components reachable only through devDependencies with CycloneDX scope: "excluded" and the cdx:npm:package:development property. The excluded scope documents "component usage for test and other non-runtime purposes", which matches the semantics of a devDependency; the property is the CycloneDX npm-taxonomy marker emitted by @cyclonedx/cyclonedx-npm, so both modern (scope) and existing (property) consumers are covered. Components reachable at runtime (including installed optionalDependencies) omit scope and default to required.

• 1495cb0: Added per-package SBOM generation with --out and --split flags. Use --out out/%s.cdx.json to write one SBOM per workspace package to individual files, or --split for NDJSON output to stdout. When --filter selects a single package, the SBOM root component now uses that package's metadata. Workspace inter-dependencies (workspace: protocol) and their transitive dependencies are included. Author, repository, and license fall back to the root manifest when the package doesn't define them.

• 293921a: feat(view): support searching project manifest upward when package name is omitted

  When running pnpm view without a package name, the command now searches
  upward for the nearest project manifest (package.json, package.yaml, or package.json5) and uses its name field.
  If the manifest exists but lacks a name field, an error is thrown.

  This change also replaces the find-up dependency with empathic for
  improved performance and consistency across workspace tools.

Patch Changes

• 29ab905: Fixed pnpm update overriding the version range policy of a named catalog whose name parses as a version (e.g. catalog:express4-21). The catalog: reference carries no pinning of its own, so the prefix from the catalog entry (such as ~) is now preserved instead of being widened to ^ #​10321.

• bee4bf4: Security: validate config dependency names and versions from the env lockfile (pnpm-lock.yaml) before using them to build filesystem paths. A committed lockfile with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions; the same validation is applied to optional subdependencies of config dependencies, and to the legacy workspace-manifest format before any lockfile is written. See GHSA-qrv3-253h-g69c.

• 96bdd57: Fix link: workspace protocol switching to file: after pnpm rm is run from inside a workspace package whose target workspace dependency has its own dependencies, when injectWorkspacePackages: true is set. Follow-up to #​10575, which fixed the same symptom for workspace packages without dependencies.

• 302a2f7: No longer warn about using both packageManager and devEngines.packageManager when the two fields pin the same package manager at the same version with the same integrity hash (e.g. both pnpm@11.5.1+sha512.…). Previously the hash was stripped from the legacy packageManager field but not from devEngines.packageManager, so even identical specifications looked like a mismatch #​12028.

  The warning still fires on any genuine divergence, and several cases now state the specific reason instead of a single generic message: a different package manager, a different version, or contradictory integrity hashes for the same version.

• 3f0fb21: Fixed the progress line showing leftover characters from external processes that write to the terminal between progress updates (e.g. an SSH passphrase prompt would leave a fragment like added 0sa':). The interactive reporter now redraws each frame in place, erasing to the end of the display before reprinting, so any such remnants are cleared #​12350.

• 564619f: Fixed pnpm approve-builds reporting "no packages awaiting approval" when a build-script dependency whose approval was revoked (e.g. after git stash drops the allowBuilds from pnpm-workspace.yaml) is re-added. The revoked packages are now correctly recorded in .modules.yaml so approve-builds can find them. #​12221

• 3d1fd20: Skip the redundant "target bin directory already contains an exe called node" warning on Windows when the existing node.exe already matches the target (same hard link or identical content) pnpm/pnpm#12203.

• 1b02b47: Fix macOS Gatekeeper blocking native binaries (.node, .dylib, .so) by removing the com.apple.quarantine extended attribute after importing them from the store.

  When pnpm imports files from its content-addressable store into node_modules, macOS preserves extended attributes, including com.apple.quarantine. If this xattr is present on a store blob (e.g. it was first written under a Gatekeeper-enabled app such as a Git client), it propagates to node_modules, and Gatekeeper blocks the native binary from loading even though pnpm already verified the file's integrity against the lockfile.

  After importing a package, pnpm now strips com.apple.quarantine from its native binaries, matching Homebrew's behaviour of dropping quarantine from verified downloads. The cleanup is macOS-only, runs in a single batched xattr call per package, is restricted to native binaries (other files are untouched), and is non-fatal (it logs a warning on unexpected errors).

  Fixes #​11056

• 61969fb: Fix pnpm install with optimisticRepeatInstall incorrectly reporting Already up to date when pnpm-lock.yaml changed but project manifests did not. This affected workflows such as checking out or restoring only the lockfile #​12100.

  Also fixes checkDepsStatus to use the correct lockfile path when useGitBranchLockfile is enabled, so the optimistic fast-path and lockfile modification detection work with pnpm-lock.<branch>.yaml files instead of always stat'ing pnpm-lock.yaml. Merge-conflict detection now reads the resolved lockfile name as well, and with mergeGitBranchLockfiles enabled every pnpm-lock.*.yaml is scanned for modifications and conflicts. The git branch is now resolved by reading .git/HEAD directly (no process spawn) and uses the workspace directory rather than process.cwd().

• 5c12968: Fix recursive updates of transitive dependencies when the update command mixes transitive dependency patterns with direct dependency selectors. For example, pnpm up -r "@​babel/core" uuid now updates matching transitive @babel/core dependencies even when uuid is a direct dependency selector #​12103.

• 9d79ba1: Register the pnpm update --no-save flag in the CLI help and option parser.

• 0474a9c: Fixed pnpm import for Yarn v2 lockfiles when js-yaml v4 is installed.

• 9e0c375: Fixed pnpm install repeatedly prompting to remove and reinstall node_modules in a workspace package when enableGlobalVirtualStore is enabled. The post-install build step recorded a per-project node_modules/.pnpm virtual store directory in node_modules/.modules.yaml, overwriting the global <storeDir>/links value the install step had written. The next install then detected a virtual-store mismatch (ERR_PNPM_UNEXPECTED_VIRTUAL_STORE). The build step now derives the same global virtual store directory as the install step #​12307.

• 223d060: Document the --cpu, --os and --libc flags in the output of pnpm install --help. These flags were already supported but were only documented on the website #​12359.

• e85aea2: Avoid reading README.md from disk when publishing if the publish manifest already provides a readme field. The README is now only read lazily, inside createExportableManifest, when it is actually needed.

• 3188ae7: Fixed pnpm peers check to accept loose peer dependency ranges such as >=3.16.0 || >=4.0.0- when the installed peer version satisfies the range #​12149.

• 531f2a3: Fixed pnpm update rewriting a workspace: dependency that points at a local path (e.g. workspace:../packages/foo/dist) into a normalized link: or version-range specifier. Such specifiers are now preserved verbatim when the workspace protocol is preserved #​3902.

• fe66535: Fixed a lockfile non-convergence bug where an incremental install kept a duplicate transitive dependency that a fresh install would not produce. When a package is reused from the lockfile, its child edges are taken verbatim and bypass the preferred-versions walk, so a transitive dependency could stay pinned to an older version even after a direct dependency resolved to a higher version that satisfies the same range. The resolver now refreshes such a stale pin to the higher direct-dependency version during resolution — so the older version is never resolved or fetched, and the incremental result converges to the fresh one.

• 6d35338: pnpm install detects changes inside local file dependencies again. The optimistic repeat-install fast path only tracks manifest and lockfile modification times, so edits inside a local dependency's directory (or a repacked local tarball) were reported as "Already up to date". Projects with local file dependencies (file: and bare local path or tarball specifiers, declared directly or through pnpm.overrides) now always run a full install, which refetches those dependencies, matching pnpm v10 behavior #​11795.

• 4ca9247: Preserve the existing Node.js runtime version prefix when resolving node@runtime:<range> to a concrete version.

• 30c7590: Create shorter CAFS temporary package directories to leave room for lifecycle scripts that create IPC socket paths under TMPDIR.

• 13815ad: Reporter output (warnings, progress) for pnpm store and pnpm config subcommands now goes to stderr instead of stdout. This fixes scripts that capture their stdout (e.g. PNPM_STORE=$(pnpm store path), pnpm config list --json | jq) from getting warnings mixed into the result.

• 1c05876: Avoid relinking unchanged child dependencies and remove stale child links during warm installs.

• 817f99d: Fixed lockfile churn where a package's transitivePeerDependencies could be dropped (and shift between packages) when the package participates in a dependency cycle. A cycle re-entry resolves against truncated children, so it must not be cached as "pure"; otherwise sibling occurrences of the same package short-circuit and lose transitive peers depending on traversal order #​5108.

• eba03e0: Fix pnpm install reporting "Already up to date" after a catalog entry in pnpm-workspace.yaml was reverted to a previous version. After an update modified a catalog, the workspace state cache stored the pre-update catalog versions, so reverting the entry back to its original version was not detected as an outdated state #​12418.

• 3b54d79: pnpm update now keeps lockfile overrides that resolve through a catalog in sync with the catalog. Previously, when an override referenced a catalog (e.g. overrides: { foo: 'catalog:' }) and pnpm update bumped that catalog entry, the lockfile's catalogs advanced while the resolved overrides kept the old version. The resulting lockfile was internally inconsistent, so a later pnpm install --frozen-lockfile failed with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH.

• 9d0a300: Fixed pnpm version --recursive so it honors the workspace selection. In recursive mode the version bump now applies to the packages resolved from the workspace filter (selectedProjectsGraph), matching the behavior of pnpm publish --recursive, instead of always bumping every workspace package #​11348.

v11.7.0

Compare Source

Minor Changes

• Added a new setting frozenStore (--frozen-store) that lets pnpm install run against a package store on a read-only filesystem (e.g. a Nix store, a read-only bind mount, an OCI layer). When enabled, pnpm opens the store's SQLite index.db through the immutable=1 URI — bypassing the WAL/-shm sidecar creation that otherwise fails on a read-only directory — and suppresses every store-write path (the index.db writer and the project-registry write). Pair it with --offline --frozen-lockfile against a fully-populated store. Under the global virtual store, package directories live inside the store, so if the store is missing the build output of a package whose lifecycle scripts are approved (or that has a patch), pnpm fails up front with ERR_PNPM_FROZEN_STORE_NEEDS_BUILD rather than crashing mid-build on a read-only write — seed the store with those builds first. Incompatible with --force and with a configured pnpr server, since both write into the store; the side-effects cache is likewise not written under frozenStore. If the store is missing its content directory, the install fails fast with ERR_PNPM_FROZEN_STORE_INCOMPLETE rather than attempting to initialize it. The read-only immutable=1 open requires Node.js >=22.15.0, >=23.11.0, or >=24.0.0; on older runtimes --frozen-store fails with a clear ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE error. Bin-linking also tolerates a read-only store: under the global virtual store a package's bin source lives inside the store, so the chmod that makes it executable would be refused — with EPERM/EACCES, or with EROFS o

✂ Note

PR body was truncated to here.