Compare Versions - pm2
7.0.1
Bug Fixes
- Fix Python (and other non-Node) interpreter regression on Ubuntu: bun runtime detection used a naive `includes('bun')` substring check that matched any path containing the letters "bun" — most notably `/home/ubuntu/...`. Affected paths were routed through `ProcessContainerForkBun.js` and crashed with `SyntaxError: unterminated string literal` when Python tried to parse the JS container. Anchored the match to the end of the interpreter path (`=== 'bun'` or `/bun$/`) in both `lib/God/ForkMode.js` and `lib/Common.js` #5990
- Display `max_memory_restart` in `pm2 describe` output when set #5925
- Add missing `port` option to `StartOptions` TypeScript declaration #6045
- Fix incorrect file permissions on `openrc.tpl` template (0755 → 0644) #5957
- Fix Windows cmd.exe regression: revert `bin/pm2*` launchers to `#!/usr/bin/env node` shebang (was polyglot `#!/bin/sh`). Polyglot worked on Linux/macOS but broke npm's `pm2.cmd` shim on Windows — `cmd.exe` can't interpret `/bin/sh` shebang and failed with `'"/bin/sh"' is not recognized as an internal or external command`. PowerShell's auto-generated `pm2.ps1` shim happened to call `node` directly so it kept working, masking the regression. Bun-only Linux/macOS users (no Node installed) need to symlink `node` to `bun` (`sudo ln -s $(which bun) /usr/local/bin/node`) — same workaround used in the project's bun test Dockerfile. Documented in README #6108
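
The interpreter-detection regression in the first 7.0.1 fix, as an added example (not pm2 source): the substring check and the anchored check from the changelog entry are run side by side over constructed interpreter paths. The function names are hypothetical, and `isBunBasename` is a stricter variant that goes beyond what the changelog describes.

```javascript
// Added example; helper names are hypothetical, not pm2 functions.

// Pre-fix behaviour as the changelog describes it: substring match.
function isBunNaive(interpreter) {
  return interpreter.includes('bun');
}

// Fixed behaviour as the changelog describes it: anchored to the end.
function isBunAnchored(interpreter) {
  return interpreter === 'bun' || /bun$/.test(interpreter);
}

// Stricter variant (goes beyond the changelog): exact basename match.
function isBunBasename(interpreter) {
  const base = interpreter.split(/[\\/]/).pop().toLowerCase();
  return base === 'bun' || base === 'bun.exe';
}

// Constructed sample interpreter paths.
const SAMPLES = [
  '/home/ubuntu/venv/bin/python3', // the regression case: "ubuntu" contains "bun"
  '/opt/bundler/bin/ruby',
  'python3',
  'bun',
  '/home/ubuntu/.bun/bin/bun',
  '/usr/local/bin/rebun',          // ends in "bun" but is not the bun binary
];

function classify(paths) {
  return paths.map((p) => ({
    path: p,
    naive: isBunNaive(p),
    anchored: isBunAnchored(p),
    basename: isBunBasename(p),
  }));
}

// Paths the naive check would wrongly hand to the Bun fork container.
function misrouted(paths) {
  return paths.filter((p) => isBunNaive(p) && !isBunBasename(p));
}

console.table(classify(SAMPLES));
```

The end-anchored regex still accepts any binary whose name merely ends in "bun", which is why the basename comparison is shown alongside it.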
7.0.0
Breaking Changes
- Require Node.js >= 18.0.0 (dropped Node.js 16 support)
Core Refactor
- Internalize pm2-axon, pm2-axon-rpc, pm2-io-bpm, pm2-io-agent, fclone as local modules (reduced supply chain surface)
- Internalize pm2-multimeter and charm into lib/tools/multimeter (zero external deps)
- Add Bun runtime support (ProcessContainerBun.js, ProcessContainerForkBun.js)
- Replace `needle` with native `fetch` (CliAuth, TAR publish)
- Replace `enquirer` with lightweight built-in prompt (boilerplate selector)
- Replace `promptly` with built-in lib/tools/prompt
- Replace `mkdirp` with native `fs.mkdirSync({ recursive: true })`
- Replace `source-map-support` with native `process.setSourceMapsEnabled()`
- Replace `sprintf-js` with template literals (Dashboard)
- Replace `url.parse()` with native `URL` constructor (Serve, Utility, CliAuth)
- Remove `fclone` npm dep, use internalized module
- Drop auto source map file detection in Common.prepareAppConf
Security
- CVE-2025-5891 Fix ReDoS in Config.js string-to-array split regex #6075
- CVE-2026-27699 Update proxy-agent to 6.5.0, basic-ftp to 5.3.1 #6088
- Fix command injection in WebAuth.js open() — replace exec() with execFile() #6089
- Fix command injection in PM2IO.js open() — replace exec() with execFile(), validate SUDO_USER
- Fix command injection in lib/tools/open.js — replace exec() with execFile(), validate SUDO_USER
- Fix prototype pollution in Configuration.set/unset via `__proto__` key traversal #6089
- Fix HttpInterface env stripping never executing (WEB_STRIP_ENV_VARS) #6089
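
The class of bug behind the Configuration.set/unset entry above, as an added example (not pm2's code): a dotted-key setter and unsetter that refuse prototype-chain segments and only descend into own properties. `setPath`, `unsetPath` and the key format are assumptions made for illustration.

```javascript
// Added example; setPath/unsetPath are hypothetical helpers, not pm2's Configuration API.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split a dotted key and reject segments that reach the prototype chain.
function splitKey(key) {
  const parts = String(key).split('.');
  for (const part of parts) {
    if (part === '' || FORBIDDEN.has(part)) {
      throw new Error('refusing configuration key segment: ' + JSON.stringify(part));
    }
  }
  return parts;
}

function setPath(store, key, value) {
  const parts = splitKey(key);
  const last = parts.pop();
  let node = store;
  for (const part of parts) {
    // Descend only into own, object-valued properties; replace anything else.
    if (!hasOwn(node, part) || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = {};
    }
    node = node[part];
  }
  node[last] = value;
  return store;
}

function unsetPath(store, key) {
  const parts = splitKey(key);
  const last = parts.pop();
  let node = store;
  for (const part of parts) {
    if (!hasOwn(node, part) || typeof node[part] !== 'object' || node[part] === null) {
      return false; // nothing to remove, and no walk into inherited objects
    }
    node = node[part];
  }
  return hasOwn(node, last) ? delete node[last] : false;
}

// Constructed inputs: one ordinary key and two traversal attempts.
const store = setPath({}, 'module.port', 8080);
for (const key of ['__proto__.polluted', 'module.constructor.prototype.polluted']) {
  try { setPath(store, key, true); } catch (err) { console.log(err.message); }
}
console.log(store, 'polluted' in {});
```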
Bug Fixes
- Rewrite TreeKill: single ps snapshot + in-memory tree build, eliminates race conditions. SIGKILL escalation now targets surviving child processes directly instead of re-walking a dead tree #6084
- Fix [object Object] env vars leaked to fork mode subprocesses #6073
- Fix Windows home path: use os.homedir() instead of HOMEPATH/HOMEDRIVE env vars #6106
- Fix Windows TreeKill callback consistency
- Fix missing BPM monitoring injection in Bun cluster mode (ProcessContainerBun.js)
- Fix ReferenceError crash in Bun cluster console overrides when disable_logs is true
- Fix CliAuth wrong credentials error displaying "undefined" instead of error message
Features
- Add `--ftp` option to `pm2 serve` for directory listing (python http.server style)
Dependencies
- Add OpenTelemetry tracing as direct dependencies (@opentelemetry/api, sdk-node, auto-instrumentations-node)
- Upgrade OpenTelemetry packages to latest
- Update pidusage from 3.0.2 to 4.0.1
- Upgrade ws to ^8.18.0, eventemitter2 to ^6.4.9
- Remove needle, enquirer, promptly, mkdirp, source-map-support, sprintf-js, fclone from npm dependencies
Testing
- Add Docker parallel test runner with Node.js and Bun support
- Add Windows test suite (test/windows.sh)
- Add OpenTelemetry tracing tests
- Add TreeKill unit tests
- Add test scripts for internalized modules (bpm, axon, axon-rpc, io-agent)
- Fix test compatibility for Node.js 22+ and Bun
- CI matrix: Node.js 18, 20 + latest
6.0.14
- Fixed version of @pm2/pm2-version-check #6055
- CVE-2025-64718 Update js-yaml
- replace fs.R_OK with fs.constants.T_OK #6012 #6019
- fix blessed dep
- #6037 Drop npm-shrinkwrap in favor of fixed dependencies versions
- #5577 fix pm2 monit crash
- #6034 replace package-lock.json by npm-shrinkwrap.json
- #5915 fix allowing to update namespaced pm2 NPM module (@org/module-name)
- revert #5971 #6031
6.0.9
- updates all typescript definitions
- upgrade github ci workflows
- upgrade mocha dep and adapt tests
- bump packages
- fix: Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #5971
- fix: package-lock update
- fix: ansis-node10 https://github.com/Unitech/pm2/commit/99d9224e940d119a1ad5b241b4fc4e0db7c830ed @webdiscus
- refactor: replace chalk with ansis by @webdiscus fix #5976 #5247
6.0.5
- Bun support - Fixes #5893 #5774 #5682 #5675 #5777
- Disable git parsing by default #5909 #2182 #5801 #5051 #5696
- Add WEBP content type for pm2 serve #5900 @tbo47
- Enable PM2 module update from tarball #5906 @AYOKINYA
- Fix treekill on FreeBSD #5896 @skeyby
- fix allowing to update namespaced pm2 NPM module (@org/module-name) #5915 @endelendel
Update websocket dependency in pm2/agent submodule
- drop old uuid sub dependency
- #5782 add autostart true||false feature by @ultimate-tester
- update modules
- Fix terminal width when condensed https://github.com/Unitech/pm2/commit/cac839329afaa768ea9901e3e2551987d509ae05
- Auto run tsx/ts files with bun binary instead of ts-node https://github.com/Unitech/pm2/commit/f122aabe3270aade8fa770fd5b67b877a26efd52
- #5686 Switch from Travis CI to Github Actions
- #5680 Fixed reserved keyword for ES6 Strict Mode when Bundling @juaneth
- #5683 update badges
- #5684 auto switch light and dark mode logos
- #5678 Bugfix/deploy ecosystem filename extension / esm module default ecosystem config name @TeleMediaCC
- #5660 Fix matching logic for logs from namespace when lines = 0 @bawjensen
- fix "vulnerabilities" in axios module
2.1.4
- #2333 #2478 #1732 #1346 #1311 #1101 Fix GracefulShutdown SIGINT output + Better Stop process flow
- Faster CLI load time, reduce load time by 1/4 (downgrade cli-table2 -> cli-table)
- #2353 --wait-ready will wait for the application to send the 'ready' event via process.send('ready')
- #2486 add --web option to pm2-docker command to expose web process api
- #2425 allow to specify node.js version to be used or installed via interpreter 'node@VERSION'
- #2471 Make app environment immutable on application restart/reload by default for CLI actions
- #2451 Config file can be javascript files
- #2484 fix pm2 kill on windows
- #2101 pm2 ecosystem now generates a javascript configuration file
- #2422 allow to pass none to exec_interpreter
- Do not use disconnect() anymore on cluster processes
- Better Stop process flow: Upgrade TreeKill system + Wait for check
- Fix deploy issue with Windows
- Expose -i to pm2-docker
- Drop npm-shrinkwrap
- Upgrade chokidar (fix symlink), cron, fclone, shelljs
- #2400 Create log/pid default folder even if the root folder is already created
- #2395 CRON feature now call PM2 for app to be killed (allow to use SIGINT)
- #2413 #2405 #2406 do not exit on unhandledRejection auto catch
- pidusage upgrade to 1.0.8 to avoid util exception on windows when wmic fail
- Do not display error when pidusage tries to monitor an unknown PID (modules)
- New module system backward compatible and compatible with NPM 3.x
- Possibility to install module from tgz (#1713)
- ecosystem file generated via pm2 generate updated (no json5 prefix anymore, and updated comments)
- always prefix logs #1695
- blessed dependency removed
- drop locking system
- add callback to deploy (#1673)
- typo fixes