10.29

pnpm 10.29 adds catalog: protocol support to pnpm dlx, allows configuring auditLevel in pnpm-workspace.yaml, supports a bare workspace: specifier, and includes several bug fixes.

Minor Changes​

catalog: Protocol in pnpm dlx​

The pnpm dlx / pnpx command now supports the catalog: protocol, allowing you to reference versions defined in your workspace catalogs:

pnpm dlx shx@catalog:

auditLevel Setting​

auditLevel can now be configured in the pnpm-workspace.yaml file, so you don't need to pass --audit-level on every pnpm audit invocation #10540:

pnpm-workspace.yaml

auditLevel: high

Bare workspace: Protocol​

A bare workspace: specifier without a version range is now supported. It is treated as workspace:* and resolves to the concrete version during publish #10436:

{
  "dependencies": {
    "foo": "workspace:"
  }
}

Patch Changes​

• Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output #10586.

• Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.

• When enableGlobalVirtualStore is set, pnpm deploy now ignores it and always creates a localized virtual store within the deploy directory to keep it self-contained.

• Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.

• Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.

• Fixed pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.

• Fixed catalogMode: strict writing the literal string catalog: to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.

• Skip local file: protocol dependencies during pnpm fetch, fixing Docker builds when local directory dependencies are not available #10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.

• Updated tar to version 7.5.7 to fix a security vulnerability (CVE-2026-24842).

• Fixed pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.

• Fixed shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.

• pnpm help now correctly reports if the currently running pnpm CLI is bundled with Node.js #10561.

• Added a warning when the current directory contains the PATH delimiter character, which can break node_modules/.bin path injection #10457.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page #10281.

"undefined"!=typeof _bsa&&_bsa&&_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:`

##description##

##callToAction##

`})