stack.pulse
#stacks/pnpm/tooling

pnpm release notes, breaking changes, and upgrade notes.

pnpm: fast, disk space efficient package manager. StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases 20 · breaking 7 · security 10 · deprecated 3 · migrations 10


what stackpulse tracks

pnpm releases from GitHub

StackPulse watches pnpm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
v11.6.0 · critical · breaking · migration · feature · security · Jun 11, 2026

pnpm 11.6

This release introduces a critical security fix for environment variable expansion in project `.npmrc` files, preventing potential leaks of sensitive information. It also includes performance improvements for `pnpm install` and new configuration options for URL-scoped registry settings.

affected

Users relying on environment variables in project `.npmrc` files for authentication may need to migrate their configuration.

action

Migrate sensitive tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in project `.npmrc` files are no longer expanded to prevent security risks
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking secrets
+Support for configuring URL-scoped registry settings through environment variables
+Increased default network concurrency for faster package downloads
+Improved handling of platform-specific optional dependencies
migration_steps (2 steps)
  1. Move authentication tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set`
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` in CI environments if editing pipelines is difficult
view source on github->
v10.34.3 · critical · breaking · migration · security · Jun 11, 2026

pnpm 10.34.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data. It also fixes a bypass where malicious repositories could redirect trusted config file loading.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for registry URLs, proxies, or credentials may experience authentication issues.

action

Migrate sensitive configurations (e.g., tokens) to user-level `~/.npmrc` or global config using `pnpm config set`.

release_signals
-Environment variables in repository-controlled `.npmrc` files (e.g., project/workspace `.npmrc`) are no longer expanded. This affects registry URLs, proxy settings, and credentials.
-Repository-controlled `.npmrc` files can no longer redirect trusted config file loading (e.g., `userconfig`, `globalconfig`, or `prefix`).
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data.
!Closed a bypass where repository-controlled `.npmrc` files could redirect trusted config file loading.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files and into user-level `~/.npmrc` or global config.
  2. For CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on github->
v10.34.2 · critical · breaking · migration · feature · security · Jun 10, 2026

pnpm 10.34.2

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces stricter verification for package-manager binaries and Node.js releases.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid secret leaks.
!Closed bypass where project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to load untrusted config.
!Stricter verification for package-manager binaries and Node.js releases.
+Package-manager bootstrap traffic now resolves through trusted registries and network config.
+pnpm verifies npm registry signatures for package-manager binaries before execution.
+Environment variable expansion is now trust-aware for registry/auth config and request destinations.
+Reserved manifest `bin` names are rejected to prevent accidental directory deletions.
+pnpm verifies OpenPGP signatures of Node.js release `SHASUMS256.txt` files.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set`.
  2. In CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on github->
v11.5.3 · critical · breaking · deprecation · migration · feature · security · Jun 10, 2026

pnpm 11.5.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces several security enhancements, including verification of npm registry signatures and OpenPGP signatures for Node.js runtimes.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to configure them.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r by preventing environment variable expansion in repository-controlled `.npmrc` files
!Added npm registry signature verification for package-manager binaries
!Added OpenPGP signature verification for Node.js runtime downloads
!Rejected reserved manifest `bin` names to prevent recursive deletion of global bin directories
!Rejected lockfiles with registry-style dependency paths backed by git or directory resolutions
!Using the `$` version reference syntax in `overrides` is deprecated in favor of catalogs
+Verification of npm registry signatures for package-manager binaries
+OpenPGP signature verification for Node.js runtime downloads
+Deterministic peer-dependent deduplication
+Rejection of invalid package names and versions in staged tarball manifests
+Requirement of trusted package identity for lifecycle script approvals
migration_steps (2 steps)
  1. Move authentication tokens from repository-controlled `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set` to configure them
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` or `NPM_CONFIG_USERCONFIG=.npmrc` in CI environments to declare the project `.npmrc` trusted
view source on github->
v11.5.0 · medium · breaking · feature · May 29, 2026

pnpm 11.5

This release introduces a new `hoistingLimits` setting for hoisted installs, replaces `enquirer` with `@inquirer/prompts` for improved interactive prompts, and enhances trust scale recognition for staged publishes. Several bug fixes address peer resolution, dist-tag handling, and lockfile integrity.

affected

Users relying on custom enquirer mocks or interactive prompts will need to update their configurations.

action

Update any custom enquirer mocks to match the new DI interfaces.

release_signals
-The `OtpEnquirer` and `LoginEnquirer` DI interfaces changed from `{ prompt }` to `{ input }` / `{ input, password }`. Plugins or custom builds injecting their own enquirer mock will need to update.
+Added `hoistingLimits` setting for `nodeLinker: hoisted` installs, mirroring yarn's `nmHoistingLimits`.
+Replaced `enquirer` with `@inquirer/prompts` for all interactive prompts, fixing scrolling overflow issues.
+Staged publishes are now recognized in the trust scale, preventing false-positive trust downgrade errors.
view source on github->
v10.34.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 10.34

This release introduces stricter integrity checks for tarballs and enhances security by addressing several vulnerabilities related to lockfile integrity, git resolutions, and patch files.

affected

Users relying on tarball integrity checks or using unscoped per-registry settings may be affected by the new stricter defaults.

action

Review and update your lockfile integrity checks and registry settings to comply with the new security measures.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` if tarball integrity mismatches are detected, requiring the use of `--update-checksums` to bypass
!Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA
!Reject patch files whose `diff --git` headers reference paths outside the patched package directory
!Reject dependency aliases that contain path-traversal segments
!Deprecation warning emitted for unscoped per-registry settings
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+Pin unscoped per-registry settings to the registry declared in the same config source at load time
+Upgrade cached abbreviated metadata to the full document when `minimumReleaseAge` is active
migration_steps (1 step)
  1. Use `pnpm install --update-checksums` to refresh locked integrity values from the registry
view source on github->
v11.4.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 11.4

This release introduces stricter integrity checks for tarballs and fixes credential disclosure vulnerabilities. It also improves security by rejecting malicious lockfile entries and patch files.

affected

Users relying on unscoped credentials or encountering tarball-integrity mismatches are affected.

action

Update credentials to be URL-scoped and use `--update-checksums` for tarball-integrity mismatches.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` on tarball-integrity mismatches, requiring `--update-checksums` to refresh integrity values
!Fix credential disclosure issue where unscoped `_authToken` could be sent to untrusted registries
!Reject git resolutions with invalid commit fields to prevent command execution
!Reject patch files referencing paths outside the patched package directory
!Reject dependency aliases containing path-traversal segments
!Reject `pnpm-lock.yaml` entries missing the `integrity` field
!Unscoped credentials are now URL-scoped at load time, with a deprecation warning
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+`pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default
migration_steps (2 steps)
  1. Use `--update-checksums` to refresh locked integrity values
  2. Write credentials URL-scoped (e.g., `//registry.example.com/:_authToken=...`)
view source on github->