
pnpm release notes, breaking changes, and upgrade notes.

pnpm: fast, disk space efficient package manager.

StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

- releases: 20
- breaking: 7
- security: 10
- deprecated: 3
- migrations: 10


what stackpulse tracks

pnpm releases from GitHub

StackPulse watches pnpm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
v11.9.0 · medium · migration · feature · Jun 23, 2026

pnpm 11.9

This release introduces improvements to integrity checksum handling for on-demand tarball generation, adds a new `--exclude-peers` flag for SBOM generation, and fixes several bugs related to audit, peer resolution, and Windows-specific issues.

affected

Users relying on peer dependencies, SBOM generation, or Windows-specific functionality may be affected by these changes.

action

Update to pnpm 11.9.0 to benefit from the latest fixes and improvements.

release_signals
+Added `--exclude-peers` to `pnpm sbom` to exclude peer dependencies from the SBOM.
+Improved integrity checksum handling for tarballs generated on-demand by registries.
+Fixed non-deterministic peer resolution to prevent lockfile churn.
+Optimized `pnpm audit` performance for lockfiles with dependency cycles.
+Added `@pnpm/resolving.tarball-url` for canonical npm tarball URL handling.
view source on github
v11.6.0 · critical · breaking · migration · feature · security · Jun 11, 2026

pnpm 11.6

This release introduces a critical security fix for environment variable expansion in project `.npmrc` files, preventing potential leaks of sensitive information. It also includes performance improvements for `pnpm install` and new configuration options for URL-scoped registry settings.

affected

Users relying on environment variables in project `.npmrc` files for authentication may need to migrate their configuration.

action

Migrate sensitive tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in project `.npmrc` files are no longer expanded to prevent security risks
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking secrets
+Support for configuring URL-scoped registry settings through environment variables
+Increased default network concurrency for faster package downloads
+Improved handling of platform-specific optional dependencies
migration_steps (2 steps)
  1. Move authentication tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set`
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` in CI environments if editing pipelines is difficult
view source on github
v10.34.3 · critical · breaking · migration · security · Jun 11, 2026

pnpm 10.34.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data. It also fixes a bypass where malicious repositories could redirect trusted config file loading.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for registry URLs, proxies, or credentials may experience authentication issues.

action

Migrate sensitive configurations (e.g., tokens) to user-level `~/.npmrc` or global config using `pnpm config set`.

release_signals
-Environment variables in repository-controlled `.npmrc` files (e.g., project/workspace `.npmrc`) are no longer expanded. This affects registry URLs, proxy settings, and credentials.
-Repository-controlled `.npmrc` files can no longer redirect trusted config file loading (e.g., `userconfig`, `globalconfig`, or `prefix`).
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data.
!Closed a bypass where repository-controlled `.npmrc` files could redirect trusted config file loading.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files and into user-level `~/.npmrc` or global config.
  2. For CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on github
v10.34.2 · critical · breaking · migration · feature · security · Jun 10, 2026

pnpm 10.34.2

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces stricter verification for package-manager binaries and Node.js releases.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid secret leaks.
!Closed bypass where project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to load untrusted config.
!Stricter verification for package-manager binaries and Node.js releases.
+Package-manager bootstrap traffic now resolves through trusted registries and network config.
+pnpm verifies npm registry signatures for package-manager binaries before execution.
+Environment variable expansion is now trust-aware for registry/auth config and request destinations.
+Reserved manifest `bin` names are rejected to prevent accidental directory deletions.
+pnpm verifies OpenPGP signatures of Node.js release `SHASUMS256.txt` files.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set`.
  2. In CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on github
v11.5.3 · critical · breaking · deprecation · migration · feature · security · Jun 10, 2026

pnpm 11.5.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces several security enhancements, including verification of npm registry signatures and OpenPGP signatures for Node.js runtimes.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to configure them.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r by preventing environment variable expansion in repository-controlled `.npmrc` files
!Added npm registry signature verification for package-manager binaries
!Added OpenPGP signature verification for Node.js runtime downloads
!Rejected reserved manifest `bin` names to prevent recursive deletion of global bin directories
!Rejected lockfiles with registry-style dependency paths backed by git or directory resolutions
!Using the `$` version reference syntax in `overrides` is deprecated in favor of catalogs
+Verification of npm registry signatures for package-manager binaries
+OpenPGP signature verification for Node.js runtime downloads
+Deterministic peer-dependent deduplication
+Rejection of invalid package names and versions in staged tarball manifests
+Requirement of trusted package identity for lifecycle script approvals
migration_steps (2 steps)
  1. Move authentication tokens from repository-controlled `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set` to configure them
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` or `NPM_CONFIG_USERCONFIG=.npmrc` in CI environments to declare the project `.npmrc` trusted
view source on github
v10.34.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 10.34

This release introduces stricter integrity checks for tarballs and enhances security by addressing several vulnerabilities related to lockfile integrity, git resolutions, and patch files.

affected

Users relying on tarball integrity checks or using unscoped per-registry settings may be affected by the new stricter defaults.

action

Review and update your lockfile integrity checks and registry settings to comply with the new security measures.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` if a tarball integrity mismatch is detected; `--update-checksums` is required to refresh the locked integrity values from the registry
!Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA
!Reject patch files whose `diff --git` headers reference paths outside the patched package directory
!Reject dependency aliases that contain path-traversal segments
!Deprecation warning emitted for unscoped per-registry settings
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+Pin unscoped per-registry settings to the registry declared in the same config source at load time
+Upgrade cached abbreviated metadata to the full document when `minimumReleaseAge` is active
migration_steps (1 step)
  1. Use `pnpm install --update-checksums` to refresh locked integrity values from the registry
view source on github
v11.4.0 · critical · breaking · deprecation · migration · feature · security · May 27, 2026

pnpm 11.4

This release introduces stricter integrity checks for tarballs and fixes credential disclosure vulnerabilities. It also improves security by rejecting malicious lockfile entries and patch files.

affected

Users relying on unscoped credentials or encountering tarball-integrity mismatches are affected.

action

Update credentials to be URL-scoped and use `--update-checksums` for tarball-integrity mismatches.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` on tarball-integrity mismatches, requiring `--update-checksums` to refresh integrity values
!Fix credential disclosure issue where unscoped `_authToken` could be sent to untrusted registries
!Reject git resolutions with invalid commit fields to prevent command execution
!Reject patch files referencing paths outside the patched package directory
!Reject dependency aliases containing path-traversal segments
!Reject `pnpm-lock.yaml` entries missing the `integrity` field
!Unscoped credentials are now URL-scoped at load time, with a deprecation warning
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+`pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default
migration_steps (2 steps)
  1. Use `--update-checksums` to refresh locked integrity values
  2. Write credentials URL-scoped (e.g., `//registry.example.com/:_authToken=...`)
view source on github
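As an added pre-upgrade check (example code, not StackPulse's or pnpm's own), the script below scans a committed project `.npmrc` for the three things the 10.34.x / 11.4+ notes above change: `${VAR}` references that are no longer expanded, unscoped `_authToken` lines that 11.4 rewrites to URL-scoped form, and `userconfig`/`globalconfig`/`prefix` keys that can no longer redirect trusted config loading. The sample `.npmrc` and `registry.example.com` are constructed for illustration.

```python
import re

# npm-style environment reference, e.g. ${NPM_TOKEN}; pnpm no longer expands
# these in repository-controlled .npmrc files (GHSA-3qhv-2rgh-x77r fix).
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# Credential keys written without a //host/ prefix (deprecated in 11.4).
UNSCOPED_AUTH = re.compile(r"^(_authToken|_auth|username|_password)\s*=", re.I)
# Keys a project .npmrc can no longer use to redirect trusted config loading.
REDIRECT_KEYS = {"userconfig", "globalconfig", "prefix"}

# Constructed sample of a committed project .npmrc that would break on upgrade.
SAMPLE_NPMRC = """\
# constructed sample project .npmrc
registry=https://registry.example.com/
_authToken=${NPM_TOKEN}
//registry.example.com/:_authToken=${NPM_TOKEN}
userconfig=./ci/.npmrc
strict-peer-dependencies=false
"""


def audit_npmrc(text):
    """Return (line_no, finding, line) tuples for settings affected by the upgrade."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if ENV_REF.search(line):
            findings.append((n, "env-ref-not-expanded", line))
        if UNSCOPED_AUTH.match(line):
            findings.append((n, "unscoped-credential", line))
        key = line.split("=", 1)[0].strip().lower()
        if key in REDIRECT_KEYS:
            findings.append((n, "trusted-config-redirect", line))
    return findings


def scope_auth_token(registry_url, token):
    """Rewrite a token into the URL-scoped form, e.g. //registry.example.com/:_authToken=..."""
    host_path = re.sub(r"^https?:", "", registry_url.rstrip("/") + "/")
    return f"{host_path}:_authToken={token}"


if __name__ == "__main__":
    for n, kind, line in audit_npmrc(SAMPLE_NPMRC):
        print(f"line {n}: {kind}: {line}")
    print(scope_auth_token("https://registry.example.com", "<TOKEN>"))
```

Run it against a real repository's `.npmrc` by reading the file into `audit_npmrc`; any `unscoped-credential` hit is what migration step 2 above asks you to rewrite.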
v11.2.2 · medium · migration · feature · May 21, 2026

pnpm 11.2.2

This release introduces experimental support for the Rust-based pacquet binary in pnpm's installation process and fixes issues related to CLI flag forwarding and lockfile handling when pacquet is used.

affected

Users opting to use pacquet for installation will be affected by the changes in CLI flag forwarding and lockfile handling.

action

Consider testing pacquet in your project by following the configuration steps provided.

release_signals
+Experimental support for pacquet, a Rust port of pnpm, to handle the materialization phase of `pnpm install`.
migration_steps (1 step)
  1. To configure pacquet, run `pnpm add @pnpm/pacquet --config` and commit changes to `pnpm-workspace.yaml` and `pnpm-lock.yaml`.
view source on github
v11.2.1 · medium · migration · feature · May 20, 2026

pnpm 11.2.1

This release introduces an experimental Rust port of pnpm called `@pnpm/pacquet` for faster installation, along with several bug fixes and improvements to dependency handling.

affected

Developers opting into the experimental `@pnpm/pacquet` feature will be affected.

action

Consider trying `@pnpm/pacquet` for faster installations and report any issues.

release_signals
+Experimental support for `@pnpm/pacquet`, a Rust port of pnpm, which delegates the materialization phase of `pnpm install` to the pacquet binary.
migration_steps (1 step)
  1. To configure pacquet in a project, run `pnpm add @pnpm/pacquet --config` and commit changes to `pnpm-workspace.yaml` and `pnpm-lock.yaml`.
view source on github
v11.2.0 · medium · migration · feature · May 20, 2026

pnpm 11.2

This release introduces experimental support for the Rust-based pacquet binary, improves handling of optional dependencies in config dependencies, and fixes several bugs related to registry configurations and lockfile handling.

affected

Users interested in experimenting with the Rust-based pacquet binary or those using platform-specific optional dependencies in config dependencies will be most affected.

action

Consider experimenting with the pacquet binary by adding it to your `pnpm-workspace.yaml`.

release_signals
+Experimental support for the Rust-based pacquet binary in `pnpm-workspace.yaml`
+Improved handling of optional dependencies in config dependencies with platform filtering
+Implemented `pnpm login --scope <scope>` flag for registry mapping
+`pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes
migration_steps (1 step)
  1. To configure pacquet in a project, run `pnpm add @pnpm/pacquet --config`
view source on github