what stackpulse tracks
pnpm releases from GitHub
StackPulse watches pnpm release notes and keeps the original source link close to every summary.
#stacks/pnpm/tooling
pnpm release notes, breaking changes, and upgrade notes.
Fast, disk space efficient package manager StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
20
breaking
7
security
10
deprecated
3
migrations
10
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv11.9.0mediummigrationfeatureJun 23, 2026
pnpm 11.9
This release introduces improvements to integrity checksum handling for on-demand tarball generation, adds a new `--exclude-peers` flag for SBOM generation, and fixes several bugs related to audit, peer resolution, and Windows-specific issues.
affected
Users relying on peer dependencies, SBOM generation, or Windows-specific functionality may be affected by these changes.
action
Update to pnpm 11.9.0 to benefit from the latest fixes and improvements.
release_signals
+Added `--exclude-peers` to `pnpm sbom` to exclude peer dependencies from the SBOM.
+Improved integrity checksum handling for tarballs generated on-demand by registries.
+Fixed non-deterministic peer resolution to prevent lockfile churn.
+Optimized `pnpm audit` performance for lockfiles with dependency cycles.
+Added `@pnpm/resolving.tarball-url` for canonical npm tarball URL handling.
v10.34.4criticalsecurityJun 18, 2026
pnpm 10.34.4
Critical security patches addressing path traversal vulnerabilities in config dependencies and lockfile dependencies. Enhanced validation prevents symlink escapes and unauthorized file writes.
affected
All users running pnpm install with untrusted config dependencies or lockfiles are affected by these vulnerabilities.
action
Upgrade immediately to mitigate potential symlink escapes and file system traversal exploits.
release_signals
!Validates config dependency names and versions to prevent path traversal (GHSA-qrv3-253h-g69c)
!Rejects path-traversal and reserved alias dependencies from lockfiles (GHSA-fr4h-3cph-29xv)
!Prevents patch-remove from deleting files outside patches directory
!Hardens warning when .npmrc uses environment variables in registry/auth settings
v11.8.0highfeaturesecurityJun 18, 2026
pnpm 11.8
This release introduces a dry-run option for installs, improved SBOM generation, and Node.js package map support. It also includes security fixes and various bug fixes.
affected
Users employing configDependencies in lockfiles are affected by the security fix; others benefit from new features.
action
Update to version 11.8.0 to address security vulnerabilities and gain new features.
release_signals
!Fixed path traversal via configDependencies in lockfiles (GHSA-qrv3-253h-g69c)
+Added a --dry-run option to pnpm install that previews changes without writing to disk
+Added support for generating Node.js package maps at node_modules/.package-map.json
+pnpm sbom now marks devDependencies with CycloneDX scope: excluded
+Added per-package SBOM generation with --out and --split flags
+pnpm view now searches upward for project manifest when package name is omitted
v11.7.0highfeatureJun 15, 2026
pnpm 11.7
This release introduces support for read-only package stores, enhances pacquet integration for dependency resolution, and adds batch publishing capabilities. It also includes several bug fixes and performance improvements.
affected
Users working with read-only filesystems or needing batch publishing capabilities will benefit from this release.
action
Update to pnpm 11.7.0 to leverage new features and fixes.
release_signals
+Added `frozenStore` setting for read-only filesystem support.
+Enhanced pacquet integration to handle full dependency resolution.
+Introduced `--batch` flag for batch publishing in `pnpm publish --recursive`.
+Improved deterministic shared package child resolution.
+Fixed `pnpm patch-remove` to prevent removing files outside patches directory.
v11.6.0criticalbreakingmigrationfeaturesecurityJun 11, 2026
pnpm 11.6
This release introduces a critical security fix for environment variable expansion in project `.npmrc` files, preventing potential leaks of sensitive information. It also includes performance improvements for `pnpm install` and new configuration options for URL-scoped registry settings.
affected
Users relying on environment variables in project `.npmrc` files for authentication may need to migrate their configuration.
action
Migrate sensitive tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.
release_signals
-Environment variables in project `.npmrc` files are no longer expanded to prevent security risks
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking secrets
+Support for configuring URL-scoped registry settings through environment variables
+Increased default network concurrency for faster package downloads
+Improved handling of platform-specific optional dependencies
migration_steps2 steps
- 01Move authentication tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set`
- 02Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` in CI environments if editing pipelines is difficult
v10.34.3criticalbreakingmigrationsecurityJun 11, 2026
pnpm 10.34.3
This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data. It also fixes a bypass where malicious repositories could redirect trusted config file loading.
affected
Users relying on environment variables in repository-controlled `.npmrc` files for registry URLs, proxies, or credentials may experience authentication issues.
action
Migrate sensitive configurations (e.g., tokens) to user-level `~/.npmrc` or global config using `pnpm config set`.
release_signals
-Environment variables in repository-controlled `.npmrc` files (e.g., project/workspace `.npmrc`) are no longer expanded. This affects registry URLs, proxy settings, and credentials.
-Repository-controlled `.npmrc` files can no longer redirect trusted config file loading (e.g., `userconfig`, `globalconfig`, or `prefix`).
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data.
!Closed a bypass where repository-controlled `.npmrc` files could redirect trusted config file loading.
migration_steps2 steps
- 01Move authentication tokens out of committed `.npmrc` files and into user-level `~/.npmrc` or global config.
- 02For CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
v10.34.2criticalbreakingmigrationfeaturesecurityJun 10, 2026
pnpm 10.34.2
This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces stricter verification for package-manager binaries and Node.js releases.
affected
Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.
action
Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.
release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid secret leaks.
!Closed bypass where project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to load untrusted config.
!Stricter verification for package-manager binaries and Node.js releases.
+Package-manager bootstrap traffic now resolves through trusted registries and network config.
+pnpm verifies npm registry signatures for package-manager binaries before execution.
+Environment variable expansion is now trust-aware for registry/auth config and request destinations.
+Reserved manifest `bin` names are rejected to prevent accidental directory deletions.
+pnpm verifies OpenPGP signatures of Node.js release `SHASUMS256.txt` files.
migration_steps2 steps
- 01Move authentication tokens out of committed `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set`.
- 02In CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
v11.5.3criticalbreakingdeprecationmigrationfeaturesecurityJun 10, 2026
pnpm 11.5.3
This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces several security enhancements, including verification of npm registry signatures and OpenPGP signatures for Node.js runtimes.
affected
Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.
action
Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to configure them.
release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r by preventing environment variable expansion in repository-controlled `.npmrc` files
!Added npm registry signature verification for package-manager binaries
!Added OpenPGP signature verification for Node.js runtime downloads
!Rejected reserved manifest `bin` names to prevent recursive deletion of global bin directories
!Rejected lockfiles with registry-style dependency paths backed by git or directory resolutions
!Using the `$` version reference syntax in `overrides` is deprecated in favor of catalogs
+Verification of npm registry signatures for package-manager binaries
+OpenPGP signature verification for Node.js runtime downloads
+Deterministic peer-dependent deduplication
+Rejection of invalid package names and versions in staged tarball manifests
+Requirement of trusted package identity for lifecycle script approvals
migration_steps2 steps
- 01Move authentication tokens from repository-controlled `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set` to configure them
- 02Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` or `NPM_CONFIG_USERCONFIG=.npmrc` in CI environments to declare the project `.npmrc` trusted
v11.5.2mediumfeaturesecurityJun 5, 2026
pnpm 11.5.2
This release focuses on improving peer dependency resolution, enhancing lockfile security, fixing crashes, and addressing concurrency issues during package installation.
affected
Users relying on peer dependencies, lockfile integrity, or concurrent installations are affected.
action
Update to v11.5.2 to benefit from improved security and stability fixes.
release_signals
!Lockfile verifier now rejects mismatched tarball URLs to prevent fetching attacker-chosen bytes.
+Peer dependency resolution now reuses existing peer contexts from the lockfile when providers are still valid.
+Lockfile verifier now checks tarball URLs against registry metadata to prevent tampering.
+Fixed `pnpm update --recursive --lockfile-only` crashing with invalid version errors.
+Avoided Node.js crashes on Windows after network requests.
+Fixed concurrent `pnpm install` processes causing missing root-level files in the virtual store.
v11.5.1mediumfeatureJun 2, 2026
pnpm 11.5.1
This release focuses on performance improvements, bug fixes, and better handling of edge cases in dependency resolution and lifecycle scripts.
affected
Users relying on `pnpm audit`, remote tarball dependencies, or publishing to registries like Gitea/Codeberg may be affected.
action
Update to v11.5.1 to benefit from performance improvements and bug fixes.
release_signals
+Improved `pnpm audit` performance by pruning non-vulnerable lockfile subtrees
+Preserve the `integrity` field of remote tarball dependencies during lockfile rebuilds
+Normalize string `repository` fields into object form during `pnpm publish`
v11.5.0mediumbreakingfeatureMay 29, 2026
pnpm 11.5
This release introduces a new `hoistingLimits` setting for hoisted installs, replaces `enquirer` with `@inquirer/prompts` for improved interactive prompts, and enhances trust scale recognition for staged publishes. Several bug fixes address peer resolution, dist-tag handling, and lockfile integrity.
affected
Users relying on custom enquirer mocks or interactive prompts will need to update their configurations.
action
Update any custom enquirer mocks to match the new DI interfaces.
release_signals
-The `OtpEnquirer` and `LoginEnquirer` DI interfaces changed from `{ prompt }` to `{ input }` / `{ input, password }`. Plugins or custom builds injecting their own enquirer mock will need to update.
+Added `hoistingLimits` setting for `nodeLinker: hoisted` installs, mirroring yarn's `nmHoistingLimits`.
+Replaced `enquirer` with `@inquirer/prompts` for all interactive prompts, fixing scrolling overflow issues.
+Staged publishes are now recognized in the trust scale, preventing false-positive trust downgrade errors.
v10.34.1criticalsecurityMay 27, 2026
pnpm 10.34.1
This release introduces a security fix to reject `pnpm-lock.yaml` entries missing the `integrity` field in the `resolution:` block, preventing potential tampering of packages.
affected
Users relying on `pnpm-lock.yaml` entries without the `integrity` field will encounter errors and need to update their lockfile.
action
Ensure all `pnpm-lock.yaml` entries include the `integrity` field in the `resolution:` block.
release_signals
!Reject `pnpm-lock.yaml` entries with missing `integrity` field in the `resolution:` block to prevent tampering of packages.
v10.34.0criticalbreakingdeprecationmigrationfeaturesecurityMay 27, 2026
pnpm 10.34
This release introduces stricter integrity checks for tarballs and enhances security by addressing several vulnerabilities related to lockfile integrity, git resolutions, and patch files.
affected
Users relying on tarball integrity checks or using unscoped per-registry settings may be affected by the new stricter defaults.
action
Review and update your lockfile integrity checks and registry settings to comply with the new security measures.
release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` if tarball integrity mismatches are detected, requiring the use of `--update-checksums` to bypass
!Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA
!Reject patch files whose `diff --git` headers reference paths outside the patched package directory
!Reject dependency aliases that contain path-traversal segments
!Deprecation warning emitted for unscoped per-registry settings
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+Pin unscoped per-registry settings to the registry declared in the same config source at load time
+Upgrade cached abbreviated metadata to the full document when `minimumReleaseAge` is active
migration_steps1 steps
- 01Use `pnpm install --update-checksums` to refresh locked integrity values from the registry
v11.4.0criticalbreakingdeprecationmigrationfeaturesecurityMay 27, 2026
pnpm 11.4
This release introduces stricter integrity checks for tarballs and fixes credential disclosure vulnerabilities. It also improves security by rejecting malicious lockfile entries and patch files.
affected
Users relying on unscoped credentials or encountering tarball-integrity mismatches are affected.
action
Update credentials to be URL-scoped and use `--update-checksums` for tarball-integrity mismatches.
release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` on tarball-integrity mismatches, requiring `--update-checksums` to refresh integrity values
!Fix credential disclosure issue where unscoped `_authToken` could be sent to untrusted registries
!Reject git resolutions with invalid commit fields to prevent command execution
!Reject patch files referencing paths outside the patched package directory
!Reject dependency aliases containing path-traversal segments
!Reject `pnpm-lock.yaml` entries missing the `integrity` field
!Unscoped credentials are now URL-scoped at load time, with a deprecation warning
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+`pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default
migration_steps2 steps
- 01Use `--update-checksums` to refresh locked integrity values
- 02Write credentials URL-scoped (e.g., `//registry.example.com/:_authToken=...`)
v11.3.0mediumfeatureMay 24, 2026
pnpm 11.3
This release introduces new commands like `pnpm stage` for npm staged publishing and adds a `trustLockfile` setting to skip supply-chain verification. It also includes several bug fixes and improvements to existing commands.
affected
Users leveraging npm staged publishing or needing to optimize supply-chain verification will benefit from this release.
action
Update to v11.3.0 to take advantage of new features and bug fixes.
release_signals
+Added `pnpm stage` with subcommands for npm staged publishing.
+Added `trustLockfile` setting to skip supply-chain verification.
+Implemented `pnpm pkg`, `pnpm repo`, and `pnpm set-script` commands natively.
+Added `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm publish`.
v11.2.2mediummigrationfeatureMay 21, 2026
pnpm 11.2.2
This release introduces experimental support for the Rust-based pacquet binary in pnpm's installation process and fixes issues related to CLI flag forwarding and lockfile handling when pacquet is used.
affected
Users opting to use pacquet for installation will be affected by the changes in CLI flag forwarding and lockfile handling.
action
Consider testing pacquet in your project by following the configuration steps provided.
release_signals
+Experimental support for pacquet, a Rust port of pnpm, to handle the materialization phase of `pnpm install`.
migration_steps1 steps
- 01To configure pacquet, run `pnpm add @pnpm/pacquet --config` and commit changes to `pnpm-workspace.yaml` and `pnpm-lock.yaml`.
v11.2.1mediummigrationfeatureMay 20, 2026
pnpm 11.2.1
This release introduces an experimental Rust port of pnpm called `@pnpm/pacquet` for faster installation, along with several bug fixes and improvements to dependency handling.
affected
Developers opting into the experimental `@pnpm/pacquet` feature will be affected.
action
Consider trying `@pnpm/pacquet` for faster installations and report any issues.
release_signals
+Experimental support for `@pnpm/pacquet`, a Rust port of pnpm, which delegates the materialization phase of `pnpm install` to the pacquet binary.
migration_steps1 steps
- 01To configure pacquet in a project, run: `pnpm add @pnpm/pacquet --config` and commit changes to `pnpm-workspace.yaml` and `pnpm-lock.yaml`.
v11.2.0mediummigrationfeatureMay 20, 2026
pnpm 11.2
This release introduces experimental support for the Rust-based pacquet binary, improves handling of optional dependencies in config dependencies, and fixes several bugs related to registry configurations and lockfile handling.
affected
Users interested in experimenting with the Rust-based pacquet binary or those using platform-specific optional dependencies in config dependencies will be most affected.
action
Consider experimenting with the pacquet binary by adding it to your `pnpm-workspace.yaml`.
release_signals
+Experimental support for the Rust-based pacquet binary in `pnpm-workspace.yaml`
+Improved handling of optional dependencies in config dependencies with platform filtering
+Implemented `pnpm login --scope <scope>` flag for registry mapping
+`pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes
migration_steps1 steps
- 01To configure pacquet in a project, run `pnpm add @pnpm/pacquet --config`
v11.1.3mediumfeatureMay 18, 2026
pnpm 11.1.3
This release introduces stricter validation of `pnpm-lock.yaml` entries against `minimumReleaseAge` and `trustPolicy` settings, ensuring safer dependency installations. It also improves handling of `.npmrc` auth values and respects `minimumReleaseAge` during `pnpm self-update`.
affected
Users relying on `pnpm-lock.yaml` for dependency management and those using `pnpm self-update` are affected by the stricter validation and improved handling of release age policies.
action
Review and update your `pnpm-lock.yaml` and `.npmrc` configurations to ensure compatibility with the new validation rules.
release_signals
+Enhanced validation of `pnpm-lock.yaml` entries against `minimumReleaseAge` and `trustPolicy` settings
+Improved handling of redundant trailing base64 padding in `.npmrc` auth values
+`pnpm self-update` now respects `minimumReleaseAge` and `minimumReleaseAgeExclude`
+Global installs respect global config build policy when GVS is enabled
+Honor `--silent` flag during auto-installation of dependencies
v11.1.2mediumMay 14, 2026
pnpm 11.1.2
This release focuses on fixing critical issues related to HTTP headers, metadata handling, and package upgrades. It includes improvements to `minimumReleaseAge` handling, fixes for `pnpm upgrade` commands, and optimizations for lockfile resolution.
view source on github->