
pnpm release notes, breaking changes, and upgrade notes.

pnpm (Fast, disk space efficient package manager). StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases: 20 · breaking: 7 · security: 10 · deprecated: 3 · migrations: 10


what stackpulse tracks

pnpm releases from GitHub

StackPulse watches pnpm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed · v11.5.3 · critical · breaking · deprecation · migration · feature · security · Jun 10, 2026

pnpm 11.5.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces several security enhancements, including verification of npm registry signatures and OpenPGP signatures for Node.js runtimes.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to configure them.

release_signals
- Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
! Fixed GHSA-3qhv-2rgh-x77r by preventing environment variable expansion in repository-controlled `.npmrc` files
! Added npm registry signature verification for package-manager binaries
! Added OpenPGP signature verification for Node.js runtime downloads
! Rejected reserved manifest `bin` names to prevent recursive deletion of global bin directories
! Rejected lockfiles with registry-style dependency paths backed by git or directory resolutions
! Using the `$` version reference syntax in `overrides` is deprecated in favor of catalogs
+ Verification of npm registry signatures for package-manager binaries
+ OpenPGP signature verification for Node.js runtime downloads
+ Deterministic peer-dependent deduplication
+ Rejection of invalid package names and versions in staged tarball manifests
+ Requirement of trusted package identity for lifecycle script approvals
migration_steps (2 steps)
  1. Move authentication tokens from repository-controlled `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set` to configure them
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` or `NPM_CONFIG_USERCONFIG=.npmrc` in CI environments to declare the project `.npmrc` trusted
view source on github ->
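The two migration steps above, turned into a check that can be run over a repository's `.npmrc` before upgrading. This is an added example, not StackPulse's or pnpm's code; the finding names, the `REMEDY` strings and the sample file are constructed here. It also flags unscoped `_authToken` lines, which the pnpm 11.4 notes below say are URL-scoped at load time with a deprecation warning.

```javascript
// Added example, not StackPulse's or pnpm's code: lint a .npmrc for the
// settings the pnpm 11.5.3 and 11.4 notes change. Finding kinds (names
// chosen here): env-expansion, credential-in-repo, unscoped-credential.
const CREDENTIAL_KEY = /(^|:)(_authToken|_auth|_password)$/;
const ENV_REF = /\$\{[A-Za-z_][A-Za-z0-9_]*\}/; // ${VAR} reference syntax

// Remediation text follows the migration steps in the release notes.
const REMEDY = {
  'env-expansion': 'pnpm 11.5.3 no longer expands ${VAR} in a repository .npmrc: move the token to ~/.npmrc or `pnpm config set`, or in CI set PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc',
  'credential-in-repo': 'keep credentials in user-level ~/.npmrc, not in the repository',
  'unscoped-credential': 'pnpm 11.4 URL-scopes this at load time; write //registry.example.com/:_authToken=... instead',
};

// Minimal ini-style parse: "key=value" lines; comments start with # or ;.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line[0] === '#' || line[0] === ';') return;
    const eq = line.indexOf('=');
    if (eq < 0) return; // bare keys carry neither credentials nor ${} references
    entries.push({ lineNo: i + 1, key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  });
  return entries;
}

// repoLevel: true for a .npmrc checked into the repository, false for ~/.npmrc.
function lintNpmrc(text, { repoLevel }) {
  const findings = [];
  const add = (lineNo, kind, key) => findings.push({ lineNo, kind, key, remedy: REMEDY[kind] });
  for (const { lineNo, key, value } of parseNpmrc(text)) {
    const credential = CREDENTIAL_KEY.test(key);
    if (repoLevel && ENV_REF.test(value)) add(lineNo, 'env-expansion', key);
    if (repoLevel && credential) add(lineNo, 'credential-in-repo', key);
    if (credential && !key.startsWith('//')) add(lineNo, 'unscoped-credential', key);
  }
  return findings;
}

// Constructed sample of a repository-controlled .npmrc showing all three cases.
const SAMPLE_REPO_NPMRC = [
  '# constructed sample, not a real configuration',
  'registry=https://registry.example.com/',
  '//registry.example.com/:_authToken=${NPM_TOKEN}',
  '_authToken=abc123',
  'strict-peer-dependencies=false',
].join('\n');

const sampleFindings = lintNpmrc(SAMPLE_REPO_NPMRC, { repoLevel: true });
```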
v10.34.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 10.34

This release introduces stricter integrity checks for tarballs and enhances security by addressing several vulnerabilities related to lockfile integrity, git resolutions, and patch files.

affected

Users relying on tarball integrity checks or using unscoped per-registry settings may be affected by the new stricter defaults.

action

Review and update your lockfile integrity checks and registry settings to comply with the new security measures.

release_signals
- `pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` if tarball integrity mismatches are detected, requiring the use of `--update-checksums` to bypass
! Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA
! Reject patch files whose `diff --git` headers reference paths outside the patched package directory
! Reject dependency aliases that contain path-traversal segments
! Deprecation warning emitted for unscoped per-registry settings
+ Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+ Pin unscoped per-registry settings to the registry declared in the same config source at load time
+ Upgrade cached abbreviated metadata to the full document when `minimumReleaseAge` is active
migration_steps (1 step)
  1. Use `pnpm install --update-checksums` to refresh locked integrity values from the registry
view source on github ->
v11.4.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 11.4

This release introduces stricter integrity checks for tarballs and fixes credential disclosure vulnerabilities. It also improves security by rejecting malicious lockfile entries and patch files.

affected

Users relying on unscoped credentials or encountering tarball-integrity mismatches are affected.

action

Update credentials to be URL-scoped and use `--update-checksums` for tarball-integrity mismatches.

release_signals
- `pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` on tarball-integrity mismatches, requiring `--update-checksums` to refresh integrity values
! Fix credential disclosure issue where unscoped `_authToken` could be sent to untrusted registries
! Reject git resolutions with invalid commit fields to prevent command execution
! Reject patch files referencing paths outside the patched package directory
! Reject dependency aliases containing path-traversal segments
! Reject `pnpm-lock.yaml` entries missing the `integrity` field
! Unscoped credentials are now URL-scoped at load time, with a deprecation warning
+ Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+ `pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default
migration_steps (2 steps)
  1. Use `--update-checksums` to refresh locked integrity values
  2. Write credentials URL-scoped (e.g., `//registry.example.com/:_authToken=...`)
view source on github ->