stack.pulse

pnpm release notes, breaking changes, and upgrade notes.

pnpm is a fast, disk-space-efficient package manager. StackPulse turns its upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

releases 20 | breaking 7 | security 10 | deprecated 3 | migrations 10


what stackpulse tracks

pnpm releases from GitHub

StackPulse watches pnpm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
v10.34.4 (critical, security) Jun 18, 2026

pnpm 10.34.4

Critical security patches addressing path traversal vulnerabilities in config dependencies and lockfile dependencies. Enhanced validation prevents symlink escapes and unauthorized file writes.

affected

Anyone running `pnpm install` against a config dependency or lockfile they do not control (for example one arriving in a pull request) is affected.

action

Upgrade immediately to mitigate potential symlink escapes and file system traversal exploits.

release_signals
!Validates config dependency names and versions to prevent path traversal (GHSA-qrv3-253h-g69c)
!Rejects path-traversal and reserved alias dependencies from lockfiles (GHSA-fr4h-3cph-29xv)
!`pnpm patch-remove` can no longer delete files outside the patches directory
!Hardens warning when .npmrc uses environment variables in registry/auth settings
view source on GitHub
v11.8.0 (high, feature, security) Jun 18, 2026

pnpm 11.8

This release introduces a dry-run option for installs, improved SBOM generation, and Node.js package map support. It also includes security fixes and various bug fixes.

affected

Users employing configDependencies in lockfiles are affected by the security fix; others benefit from new features.

action

Update to version 11.8.0 to address security vulnerabilities and gain new features.

release_signals
!Fixed path traversal via configDependencies in lockfiles (GHSA-qrv3-253h-g69c)
+Added a --dry-run option to pnpm install that previews changes without writing to disk
+Added support for generating Node.js package maps at node_modules/.package-map.json
+pnpm sbom now marks devDependencies with CycloneDX scope: excluded
+Added per-package SBOM generation with --out and --split flags
+pnpm view now searches upward for project manifest when package name is omitted
view source on GitHub
v11.6.0 (critical, breaking, migration, feature, security) Jun 11, 2026

pnpm 11.6

This release introduces a critical security fix for environment variable expansion in project `.npmrc` files, preventing potential leaks of sensitive information. It also includes performance improvements for `pnpm install` and new configuration options for URL-scoped registry settings.

affected

Users relying on environment variables in project `.npmrc` files for authentication may need to migrate their configuration.

action

Migrate sensitive tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in project `.npmrc` files are no longer expanded to prevent security risks
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking secrets
+Support for configuring URL-scoped registry settings through environment variables
+Increased default network concurrency for faster package downloads
+Improved handling of platform-specific optional dependencies
migration_steps (2 steps)
  1. Move authentication tokens from project `.npmrc` to user-level `~/.npmrc` or use `pnpm config set`
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` in CI environments if editing pipelines is difficult
view source on GitHub
v10.34.3 (critical, breaking, migration, security) Jun 11, 2026

pnpm 10.34.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data. It also fixes a bypass where malicious repositories could redirect trusted config file loading.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for registry URLs, proxies, or credentials may experience authentication issues.

action

Migrate sensitive configurations (e.g., tokens) to user-level `~/.npmrc` or global config using `pnpm config set`.

release_signals
-Environment variables in repository-controlled `.npmrc` files (e.g., project/workspace `.npmrc`) are no longer expanded. This affects registry URLs, proxy settings, and credentials.
-Repository-controlled `.npmrc` files can no longer redirect trusted config file loading (e.g., `userconfig`, `globalconfig`, or `prefix`).
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid leaking sensitive data.
!Closed a bypass where repository-controlled `.npmrc` files could redirect trusted config file loading.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files and into user-level `~/.npmrc` or global config.
  2. For CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on GitHub
v10.34.2 (critical, breaking, migration, feature, security) Jun 10, 2026

pnpm 10.34.2

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces stricter verification for package-manager binaries and Node.js releases.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to avoid authentication issues.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r: Prevented environment variable expansion in repository-controlled `.npmrc` files to avoid secret leaks.
!Closed bypass where project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to load untrusted config.
!Stricter verification for package-manager binaries and Node.js releases.
+Package-manager bootstrap traffic now resolves through trusted registries and network config.
+pnpm verifies npm registry signatures for package-manager binaries before execution.
+Environment variable expansion is now trust-aware for registry/auth config and request destinations.
+Reserved manifest `bin` names are rejected to prevent accidental directory deletions.
+pnpm verifies OpenPGP signatures of Node.js release `SHASUMS256.txt` files.
migration_steps (2 steps)
  1. Move authentication tokens out of committed `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set`.
  2. In CI environments, set `NPM_CONFIG_USERCONFIG=.npmrc` to declare the project `.npmrc` as trusted.
view source on GitHub
v11.5.3 (critical, breaking, deprecation, migration, feature, security) Jun 10, 2026

pnpm 11.5.3

This release addresses a critical security vulnerability (GHSA-3qhv-2rgh-x77r) by preventing environment variable expansion in repository-controlled `.npmrc` files to avoid potential secret leaks. It also introduces several security enhancements, including verification of npm registry signatures and OpenPGP signatures for Node.js runtimes.

affected

Users relying on environment variables in repository-controlled `.npmrc` files for authentication may be affected.

action

Move authentication tokens to user-level `~/.npmrc` or use `pnpm config set` to configure them.

release_signals
-Environment variables in repository-controlled `.npmrc` files are no longer expanded, which may break authentication if tokens are stored in these files.
!Fixed GHSA-3qhv-2rgh-x77r by preventing environment variable expansion in repository-controlled `.npmrc` files
!Added npm registry signature verification for package-manager binaries
!Added OpenPGP signature verification for Node.js runtime downloads
!Rejected reserved manifest `bin` names to prevent recursive deletion of global bin directories
!Rejected lockfiles with registry-style dependency paths backed by git or directory resolutions
!Using the `$` version reference syntax in `overrides` is deprecated in favor of catalogs
+Deterministic peer-dependent deduplication
+Rejection of invalid package names and versions in staged tarball manifests
+Requirement of trusted package identity for lifecycle script approvals
migration_steps (2 steps)
  1. Move authentication tokens from repository-controlled `.npmrc` files to user-level `~/.npmrc` or use `pnpm config set` to configure them
  2. Set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` or `NPM_CONFIG_USERCONFIG=.npmrc` in CI environments to declare the project `.npmrc` trusted
view source on GitHub
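The four `.npmrc` releases above (11.6, 10.34.3, 10.34.2 and 11.5.3) all rest on one change: a committed, repository-controlled `.npmrc` is no longer trusted to expand `${VAR}` in registry or auth settings, nor to point pnpm at other config files via `userconfig`, `globalconfig` or `prefix`. The script below is an added example written for this page, not pnpm's own code: it audits a project `.npmrc` for exactly those patterns and then splits it into the lines that can stay committed and the credentials that belong, URL-scoped, in `~/.npmrc`. The key lists (`TRUST_REDIRECT_KEYS`, `AUTH_KEYS`, `NETWORK_KEYS`), the severities and the sample `.npmrc` are all assumptions made here.

```javascript
// Added example, not pnpm's own code: audits a repository-controlled .npmrc for the
// settings the releases above stop honouring, then splits it into what can stay committed
// and the credentials that belong in ~/.npmrc, written URL-scoped.
'use strict';

// Keys that redirect which config files are trusted.
const TRUST_REDIRECT_KEYS = new Set(['userconfig', 'globalconfig', 'prefix']);
// Keys whose value is a credential, bare or behind a `//host/path/:` scope (assumed list).
const AUTH_KEYS = new Set(['_authToken', '_auth', '_password', 'username', 'certfile', 'keyfile']);
// Keys that decide where requests go (assumed list).
const NETWORK_KEYS = new Set(['registry', 'proxy', 'https-proxy', 'noproxy', 'cafile']);

function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// `//npm.example.com/api/npm/:_authToken` -> scope + bare name; `@acme:registry` likewise.
function splitScope(key) {
  const i = key.lastIndexOf(':');
  if (i < 0 || !(key.startsWith('//') || key.startsWith('@'))) return { scope: null, name: key };
  return { scope: key.slice(0, i), name: key.slice(i + 1) };
}

const expandsEnv = (value) => /\$\{[A-Za-z_][A-Za-z0-9_]*\}/.test(value);

function auditNpmrc(text) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    const { scope, name } = splitScope(key);
    if (TRUST_REDIRECT_KEYS.has(name)) {
      findings.push({ key, severity: 'critical', reason: 'redirects trusted config loading' });
    }
    if (AUTH_KEYS.has(name) && scope === null) {
      findings.push({ key, severity: 'high', reason: 'unscoped credential can be sent to any registry' });
    }
    if ((AUTH_KEYS.has(name) || NETWORK_KEYS.has(name)) && expandsEnv(value)) {
      findings.push({ key, severity: 'high', reason: '${VAR} is no longer expanded from a project .npmrc' });
    }
  }
  return findings;
}

// `https://h/p/` -> `//h/p/`, the prefix npm uses for URL-scoped keys.
function registryPrefix(registryUrl) {
  const u = new URL(registryUrl);
  return `//${u.host}${u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`}`;
}

// keep: safe to commit; move: credentials rewritten URL-scoped for ~/.npmrc;
// drop: trust redirections that a patched pnpm ignores anyway.
function splitNpmrc(text) {
  const entries = parseNpmrc(text);
  const reg = entries.find((e) => e.key === 'registry');
  const prefix = registryPrefix(reg ? reg.value : 'https://registry.npmjs.org/');
  const out = { keep: [], move: [], drop: [] };
  for (const { key, value } of entries) {
    const { scope, name } = splitScope(key);
    if (TRUST_REDIRECT_KEYS.has(name)) out.drop.push(`${key}=${value}`);
    else if (AUTH_KEYS.has(name)) out.move.push(`${scope === null ? prefix : scope}:${name}=${value}`);
    else out.keep.push(`${key}=${value}`);
  }
  return out;
}

// Constructed sample of a committed project .npmrc (hosts and token name are made up).
const SAMPLE_NPMRC = [
  'registry=https://npm.example.com/api/npm/',
  '_authToken=${NPM_TOKEN}',
  'userconfig=./ci/.npmrc',
  '@acme:registry=https://npm.example.com/api/acme/',
  'strict-ssl=true',
  'save-exact=true',
].join('\n');

console.log(JSON.stringify({ findings: auditNpmrc(SAMPLE_NPMRC), plan: splitNpmrc(SAMPLE_NPMRC) }, null, 2));
```

On the sample, the audit reports the bare `_authToken` twice (unscoped, and dependent on `${NPM_TOKEN}` expansion) and the `userconfig` redirection once; the split plan keeps the registry and scope settings, drops `userconfig`, and emits `//npm.example.com/api/npm/:_authToken=${NPM_TOKEN}` for `~/.npmrc`, where the user-level file is still trusted to expand the variable. In CI, the alternative the migration steps give is to declare the project file trusted through `NPM_CONFIG_USERCONFIG` rather than moving the line.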
v11.5.2 (medium, feature, security) Jun 5, 2026

pnpm 11.5.2

This release focuses on improving peer dependency resolution, enhancing lockfile security, fixing crashes, and addressing concurrency issues during package installation.

affected

Every project is affected by the stricter lockfile verifier; the remaining fixes matter to projects with peer dependencies, `pnpm update --lockfile-only` workflows, or concurrent installs.

action

Update to v11.5.2 to benefit from improved security and stability fixes.

release_signals
!Lockfile verifier now rejects mismatched tarball URLs to prevent fetching attacker-chosen bytes.
+Peer dependency resolution now reuses existing peer contexts from the lockfile when providers are still valid.
+Lockfile verifier now checks tarball URLs against registry metadata to prevent tampering.
+Fixed `pnpm update --recursive --lockfile-only` crashing with invalid version errors.
+Avoided Node.js crashes on Windows after network requests.
+Fixed concurrent `pnpm install` processes causing missing root-level files in the virtual store.
view source on GitHub
v10.34.1 (critical, security) May 27, 2026

pnpm 10.34.1

This release adds a security fix that rejects `pnpm-lock.yaml` entries whose `resolution:` block has no `integrity` field, so a package can no longer be fetched without a checksum to verify it against.

affected

Users relying on `pnpm-lock.yaml` entries without the `integrity` field will encounter errors and need to update their lockfile.

action

Ensure every `pnpm-lock.yaml` entry carries an `integrity` field in its `resolution:` block; regenerate missing values from the registry (see `--update-checksums` in the 10.34.0 notes) rather than typing them in by hand.

release_signals
!Reject `pnpm-lock.yaml` entries with missing `integrity` field in the `resolution:` block to prevent tampering of packages.
view source on GitHub
v10.34.0 (critical, breaking, deprecation, migration, feature, security) May 27, 2026

pnpm 10.34

This release introduces stricter integrity checks for tarballs and enhances security by addressing several vulnerabilities related to lockfile integrity, git resolutions, and patch files.

affected

Users relying on tarball integrity checks or using unscoped per-registry settings may be affected by the new stricter defaults.

action

Expect `pnpm install` to fail with `ERR_PNPM_TARBALL_INTEGRITY` on a mismatch and confirm the cause before refreshing checksums with `--update-checksums`; scope per-registry settings to their registry URL to clear the new deprecation warning.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` if tarball integrity mismatches are detected, requiring the use of `--update-checksums` to bypass
!Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA
!Reject patch files whose `diff --git` headers reference paths outside the patched package directory
!Reject dependency aliases that contain path-traversal segments
!Deprecation warning emitted for unscoped per-registry settings
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+Pin unscoped per-registry settings to the registry declared in the same config source at load time
+Upgrade cached abbreviated metadata to the full document when `minimumReleaseAge` is active
migration_steps (1 step)
  1. Use `pnpm install --update-checksums` to refresh locked integrity values from the registry, but only after confirming the mismatch is expected, since a tampered tarball produces exactly the same error
view source on GitHub
v11.4.0 (critical, breaking, deprecation, migration, feature, security) May 27, 2026

pnpm 11.4

This release introduces stricter integrity checks for tarballs and fixes credential disclosure vulnerabilities. It also improves security by rejecting malicious lockfile entries and patch files.

affected

Users relying on unscoped credentials or encountering tarball-integrity mismatches are affected.

action

Write credentials URL-scoped and, once a tarball-integrity mismatch has been confirmed as expected, refresh the locked values with `--update-checksums`.

release_signals
-`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` on tarball-integrity mismatches, requiring `--update-checksums` to refresh integrity values
!Fix credential disclosure issue where unscoped `_authToken` could be sent to untrusted registries
!Reject git resolutions with invalid commit fields to prevent command execution
!Reject patch files referencing paths outside the patched package directory
!Reject dependency aliases containing path-traversal segments
!Reject `pnpm-lock.yaml` entries missing the `integrity` field
!Unscoped credentials are now URL-scoped at load time, with a deprecation warning
+Treat tarball-integrity mismatches against the lockfile as a hard failure by default
+`pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default
migration_steps (2 steps)
  1. Use `--update-checksums` to refresh locked integrity values
  2. Write credentials URL-scoped (e.g., `//registry.example.com/:_authToken=...`)
view source on GitHub
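Several entries on this page add lockfile and patch checks of the same shape: names and aliases with path-traversal segments or reserved names (10.34.4, 10.34.0, 11.4), `resolution:` blocks without `integrity` (10.34.1, 11.4), git resolutions whose `commit` is not a 40-character hex SHA (10.34.0, 11.4), registry-style dependency paths backed by git or directory resolutions (11.5.3), tarball URLs that do not match the registry (11.5.2), and patch files whose `diff --git` headers escape the package directory (10.34.0, 11.4). The linter below is an added example written for this page, not pnpm's own verifier: it reads a `pnpm-lock.yaml` with a deliberately small line-based reader that only understands the v9 layout of the constructed sample, and applies those rules. `ALLOWED_TARBALL_HOSTS` is an assumed allow-list standing in for the registry-metadata comparison the real verifier performs; the rule names, sample packages, integrity strings and commits are made up.

```javascript
// Added example, not pnpm's own code: a stand-alone linter that applies the lockfile rules
// from the releases above. The reader only understands the v9 layout used in the constructed
// sample (top-level sections, importer aliases, per-package `resolution:` flow maps).
'use strict';

// Assumption: hosts a locked tarball URL may point at. The real verifier compares the URL
// with registry metadata; offline, an allow-list is the nearest equivalent.
const ALLOWED_TARBALL_HOSTS = new Set(['registry.npmjs.org']);

// Name/alias validation shared by lockfile entries and patch headers.
function nameProblem(name) {
  if (name === '' || name === '.' || name === '..') return 'reserved-name';
  if (/^([\\/]|[A-Za-z]:[\\/])/.test(name)) return 'absolute-path';
  const segs = name.split(/[\\/]/);
  if (segs.some((s) => s === '.' || s === '..')) return 'path-traversal';
  if (segs.some((s) => s.toLowerCase() === 'node_modules')) return 'reserved-name';
  if (segs.length > 2 || (segs.length === 2 && !segs[0].startsWith('@'))) return 'bad-segment-count';
  return null;
}

const unquote = (s) => s.replace(/^'(.*)'$/, '$1');

// `{integrity: sha512-..., tarball: https://x}` -> plain object.
function parseFlowMap(text) {
  const map = {};
  for (const part of text.replace(/^\{|\}$/g, '').split(',')) {
    const i = part.indexOf(':');
    if (i >= 0) map[part.slice(0, i).trim()] = unquote(part.slice(i + 1).trim());
  }
  return map;
}

function parseLockfile(text) {
  const aliases = [], packages = [];
  let section = '', current = null;
  for (const raw of text.split(/\r?\n/)) {
    const body = raw.trim();
    if (!body) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && body.endsWith(':')) { section = body.slice(0, -1); continue; }
    if (section === 'packages' && indent === 2 && body.endsWith(':')) {
      current = { key: unquote(body.slice(0, -1)), resolution: {} };
      packages.push(current);
    } else if (section === 'packages' && indent === 4 && current && body.startsWith('resolution:')) {
      current.resolution = parseFlowMap(body.slice('resolution:'.length).trim());
    } else if (section === 'importers' && indent === 6 && body.endsWith(':')) {
      aliases.push(unquote(body.slice(0, -1))); // alias under dependencies:/devDependencies:
    }
  }
  return { aliases, packages };
}

function auditLockfile(text) {
  const findings = [];
  const { aliases, packages } = parseLockfile(text);
  for (const alias of aliases) {
    const p = nameProblem(alias);
    if (p) findings.push({ rule: p, where: `importers/${alias}` });
  }
  for (const { key, resolution: r } of packages) {
    // `@scope/name@1.2.3` or `name@https://...` -> name and spec.
    const at = key.indexOf('@', 1);
    const name = at < 0 ? key : key.slice(0, at);
    const spec = at < 0 ? '' : key.slice(at + 1);
    const p = nameProblem(name);
    if (p) findings.push({ rule: p, where: key });
    const nonRegistry = r.type === 'git' || r.type === 'directory';
    if (nonRegistry && /^\d+\.\d+\.\d+/.test(spec)) findings.push({ rule: 'registry-path-non-registry-resolution', where: key });
    if (!nonRegistry && !r.integrity) findings.push({ rule: 'missing-integrity', where: key });
    if (r.type === 'git' && !/^[0-9a-f]{40}$/.test(r.commit || '')) findings.push({ rule: 'bad-git-commit', where: key });
    if (r.tarball) {
      let host = null;
      try { host = new URL(r.tarball).host; } catch { host = null; }
      if (!ALLOWED_TARBALL_HOSTS.has(host)) findings.push({ rule: 'untrusted-tarball-host', where: key });
    }
  }
  return findings;
}

// `diff --git a/<p> b/<p>` headers that point outside the patched package directory.
function patchHeaderProblems(patchText) {
  const bad = [];
  for (const m of patchText.matchAll(/^diff --git a\/(\S+) b\/(\S+)$/gm)) {
    for (const p of [m[1], m[2]]) if (['path-traversal', 'absolute-path'].includes(nameProblem(p))) bad.push(p);
  }
  return bad;
}

// Constructed sample in v9 layout; integrity values, hosts and commits are fake.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '../../escape':
        specifier: npm:left-pad@1.3.0
        version: left-pad@1.3.0
packages:
  left-pad@1.3.0:
    resolution: {integrity: sha512-FAKE0=, tarball: https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz}
  ms@2.1.3:
    resolution: {tarball: https://mirror.example.net/ms-2.1.3.tgz}
  debug@https://codeload.github.com/debug-js/debug/tar.gz/deadbeef:
    resolution: {commit: 'deadbeef; touch pwned', repo: https://github.com/debug-js/debug.git, type: git}
  lodash@4.17.21:
    resolution: {commit: 0123456789abcdef0123456789abcdef01234567, repo: https://github.com/lodash/lodash.git, type: git}
`;

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

On the sample the linter reports five findings: the `../../escape` alias, `ms@2.1.3` twice (no `integrity`, tarball on a host outside the allow-list), the `debug` git entry whose `commit` is a shell fragment rather than a SHA, and `lodash@4.17.21`, a registry-style path backed by a git resolution. `left-pad@1.3.0` passes. Run it against a real lockfile only after checking that the file uses the inline `resolution: {...}` form the reader expects; anything else should be parsed with a proper YAML library.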