chore(deps): update pnpm to v10.34.4 #196
No reviewers
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol!196
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate-pnpm-10.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
10.18.3→10.34.410.18.3→10.34.4Release Notes
pnpm/pnpm (pnpm)
v10.34.4: pnpm 10.34.4Compare Source
Patch Changes
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. Apnpm-workspace.yamlwith a traversal-shapedconfigDependenciesname (such as../../PWNED) or version (such as../../../PWNED) could previously causepnpm installto create symlinks or write package files outsidenode_modules/.pnpm-configand the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.352ae48: Reject path-traversal and reserved dependency aliases (such as../../../escape,.bin,.pnpm, ornode_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoistednode_modulesdirectory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.The
nodeLinker: hoistedgraph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.352ae48: Preventpnpm patch-removefrom removing files outside the configured patches directory.217fbe0: Hardened the warning printed when a project.npmrcuses environment variables in registry/auth settings: the suggestedpnpm config setcommand is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled.npmrcand a shell expands$(...), backticks, and$VAReven inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.Platinum Sponsors
Gold Sponsors
v10.34.3: pnpm 10.34.3Compare Source
⚠️ Security fix — environment variables in a project
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
.npmrcuses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by runningpnpm config set "<key>" <value>to store it in the global config, or by keeping the${...}line in the user-level~/.npmrc— with a link to https://pnpm.io/npmrc..npmrccan no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could setuserconfig,globalconfig, orprefixto point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to settokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace.npmrcfiles are read. Fixed by upgrading@pnpm/npm-confto3.0.3.Platinum Sponsors
Gold Sponsors
v10.34.2: pnpm 10.34.2Compare Source
⚠️ Security fix — environment variables in a project
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
packageManagerfield, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global.npmrc— defaulting to the public npm registry, instead of the repository's project/workspace settings.packageManagerfield (orpnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exactname@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip..npmrcandpnpm-workspace.yaml) can no longer expand${...}placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.binnames ("",".","..", and scoped forms such as@scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.onlyBuiltDependencies(andallowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.SHASUMS256.txtagainst the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel>in.npmrc), and the integrity check previously trusted aSHASUMS256.txtfetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only thereleasechannel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.Platinum Sponsors
Gold Sponsors
v10.34.1: pnpm 10.34.1Compare Source
Patch Changes
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.Patch Changes
_authToken,_auth,username/_password,tokenHelper, inlinecert/key) to the registry declared in the same config source at load time, so a later layer overridingregistry=(workspace.npmrc,pnpm-workspace.yaml, CLI--registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.minimumReleaseAgehandling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-versiontimefield) by default, which made the maturity check throwERR_PNPM_MISSING_TIMEwhenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch whenminimumReleaseAgeis active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and letsERR_PNPM_MISSING_TIMEfrom the cache fast-path fall through to the network fetch even under strict mode.commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.--prefix=<dir>not being honored when locating the workspace root. The--prefix → dirrename was applied after workspace detection, so workspace settings declared in<dir>/pnpm-workspace.yamlwere not loaded when pnpm was invoked from outside<dir>#11535.@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Platinum Sponsors
Gold Sponsors
v10.33.4: pnpm 10.33.4Compare Source
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new
gitHosted: truefield is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.Fix a regression where
pnpm --recursive --filter '!<pkg>' run/exec/test/addwould include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative--filterarguments are provided, matching the documented behavior. To include the root, pass--include-workspace-root#11341.Platinum Sponsors
Gold Sponsors
v10.33.3: pnpm 10.33.3Compare Source
Patch Changes
@pnpm/exeto v11+ on Intel macOS (darwin-x64),pnpm self-updatenow transparently switches to the JS-onlypnpmpackage on npm instead of installing@pnpm/exe@v11+(which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no workingpnpmbinary. The new install requires Node.js to be available onPATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.pnpm self-update(with no version argument) no longer downgrades pnpm when the registry'slatestdist-tag points to an older release than the currently active version. Runpnpm self-update latestto force a downgrade #11418.Platinum Sponsors
Gold Sponsors
v10.33.2: pnpm 10.33.2Compare Source
Patch Changes
Globally-installed bins no longer fail with
ERR_PNPM_NO_IMPORTER_MANIFEST_FOUNDwhen pnpm was installed via the standalone@pnpm/exebinary (e.g.curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, whenwhich('node')failed duringpnpm add --global, pnpm fell back toprocess.execPath, which in@pnpm/exeis the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g.
npm install -g pnpm@A) and run inside a project whosepackage.jsonselected a different pnpm version via thepackageManagerfield (e.g.pnpm@B), while apnpm-workspace.yamlalso existed at the project root.The child's environment is now forced to
manage-package-manager-versions=false(v10) andpm-on-fail=ignore(v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.Fixes #11337.
Platinum Sponsors
Gold Sponsors
v10.33.1: pnpm 10.33.1Compare Source
Patch Changes
packageManagerfield selects pnpm v11 or newer, commands that v10 would have passed through to npm (version,login,logout,publish,unpublish,deprecate,dist-tag,docs,ping,search,star,stars,unstar,whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example,pnpm version --helpprint npm's help on a project withpackageManager: pnpm@11.0.0-rc.3#11328.Platinum Sponsors
Gold Sponsors
v10.33.0: pnpm 10.33Compare Source
Minor Changes
dedupePeerssetting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested suffixes like(foo@1.0.0(bar@2.0.0)). This dramatically reduces the number of package instances in projects with many recursive peer dependencies #11070.Patch Changes
Fail on incompatible lockfiles in CI when frozen lockfile mode is enabled, while preserving non-frozen CI fallback behavior.
When package metadata is malformed or can't be fetched, the error thrown will now show the originating error.
Fixed intermittent failures when multiple
pnpm dlxcalls run concurrently for the same package. When the global virtual store is enabled, the importer now verifies file content before skipping a rename, avoiding destructive swap-renames that break concurrent processes. Also tolerates EPERM during bin creation on Windows and properly propagatesenableGlobalVirtualStorethrough the install pipeline.Fixed handling of non-string version selectors in
hoistPeers, preventing invalid peer dependency specifiers.Improve the non-interactive modules purge error hint to include the
confirmModulesPurge=falseworkaround.When pnpm needs to recreate
node_modulesbut no TTY is available, the error now suggests either settingCI=trueor disabling the purge confirmation prompt viaconfirmModulesPurge=false.Adds a regression test for the non-TTY flow.
Fixed false "Command not found" errors on Windows when a command exists in PATH but exits with a non-zero code. Also fixed path resolution for
--filtercontexts where the command runs in a different package directory.When a pnpm-lock.yaml contains two documents, ignore the first one. pnpm v11 will write two lockfile documents into pnpm-lock.yaml in order to store pnpm version integrities and config dependency resolutions.
Fixed a bug preventing the
clearCachefunction returned bycreateNpmResolverfrom properly clearing metadata cache.Platinum Sponsors
Gold Sponsors
v10.32.1: pnpm 10.32.1Compare Source
Patch Changes
pnpm-workspace.yamlwithout apackagesfield caused all directories to be treated as workspace projects. This broke projects that usepnpm-workspace.yamlonly for settings (e.g.minimumReleaseAge) without defining workspace packages #10909.Platinum Sponsors
Gold Sponsors
v10.32.0: pnpm 10.32Compare Source
Minor Changes
--allflag topnpm approve-buildsthat approves all pending builds without interactive prompts #10136.Patch Changes
lockfile-include-tarball-url. Fixes #10915.Platinum Sponsors
Gold Sponsors
v10.31.0: pnpm 10.31Compare Source
Minor Changes
pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.Patch Changes
Added
-Fas a short alias for the--filteroption in the help output.Handle undefined pkgSnapshot in
pnpm why -r#10700.Fix headless install not being used when a project has an injected self-referencing
file:dependency that resolves tolink:in the lockfile.Fixed a race condition when multiple worker threads import the same package to the global virtual store concurrently. The rename operation now tolerates
ENOTEMPTY/EEXISTerrors if another thread already completed the import.When
lockfile-include-tarball-urlis set tofalse, tarball URLs are now always excluded from the lockfile. Previously, tarball URLs could still appear for packages hosted under non-standard URLs, making the behavior flaky and inconsistent #6667.Fixed
optimisticRepeatInstallskipping install whenoverrides,packageExtensions,ignoredOptionalDependencies,patchedDependencies, orpeersSuffixMaxLengthchanged.Fixed
pnpm patch-commitfailing with "unable to access '/.config/git/attributes': Permission denied" error in environments where HOME is unset or non-standard (Docker containers, CI systems).The issue occurred because pnpm was setting
HOMEand the Windows user profile env var to empty strings to suppress user git configuration when runninggit diff. This caused git to resolve the home directory (~) as root (/), leading to permission errors when attempting to access/.config/git/attributes.Now uses
GIT_CONFIG_GLOBAL: os.devNullinstead, which is git's proper mechanism for bypassing user-level configuration without corrupting the home directory path resolution.Fixes #6537
Fix
pnpm why -r --parseablemissing dependents when multiple workspace packages share the same dependency #8100.Fix
link-workspace-packages=trueincorrectly linking workspace packages when the requested version doesn't match the workspace package's version. Previously, on fresh installs the version constraint is overridden to*in the fallback resolution paths, causing any workspace package with a matching name to be linked regardless of version #10173.Fixed
pnpm update --interactivetable breaking with long version strings (e.g., prerelease versions like7.0.0-dev.20251209.1) by dynamically calculating column widths instead of using hardcoded values #10316.Explicitly tell
npmthe path to the globalrcconfig file.The parameter set by the
--allow-buildflag is written toallowBuilds.Fix a bug in which specifying
filteronpnpm-workspace.yamlwould cause pnpm to not detect any projects.Print help message on running pnpm dlx without arguments and exit.
Platinum Sponsors
Gold Sponsors
v10.30.3: pnpm 10.30.3Compare Source
Patch Changes
packageManagerfield failing when pnpm is installed as a standalone executable in environments without a system Node.js #10687.Platinum Sponsors
Gold Sponsors
v10.30.2: pnpm 10.30.2Compare Source
Patch Changes
Platinum Sponsors
Gold Sponsors
v10.30.1: pnpm 10.30.1Compare Source
Patch Changes
/-/npm/v1/security/audits/quickendpoint as the primary audit endpoint, falling back to/-/npm/v1/security/auditswhen it fails #10649.Platinum Sponsors
Gold Sponsors
v10.30.0: pnpm 10.30Compare Source
Minor Changes
pnpm whynow shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.Patch Changes
pnpm whydependency pruning to prefer correctness over memory consumption. Reverted PR: #7122.pnpm whyandpnpm listperformance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #10596.Platinum Sponsors
Gold Sponsors
v10.29.3: pnpm 10.29.3Compare Source
Patch Changes
pnpm list(andpnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output, shown as "deduped (N deps hidden)" #10586.allowBuildsnot working when set via.pnpmfile.cjs#10516.enableGlobalVirtualStoreoption is set, thepnpm deploycommand would incorrectly create symlinks to the global virtual store. To keep the deploy directory self-contained,pnpm deploynow ignores this setting and always creates a localized virtual store within the deploy directory.minimumReleaseAgeExcludenot being respected bypnpm dlx#10338.Platinum Sponsors
Gold Sponsors
v10.29.2: pnpm 10.29.2Compare Source
Patch Changes
Reverted fix: Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.
Platinum Sponsors
Gold Sponsors
v10.29.1: pnpm 10.29.1Compare Source
Minor Changes
pnpm dlx/pnpxcommand now supports thecatalog:protocol. Example:pnpm dlx shx@catalog:.auditLevelin thepnpm-workspace.yamlfile #10540.workspace:protocol without version specifier. It is now treated asworkspace:*and resolves to the concrete version during publish #10436.Patch Changes
Fixed
pnpm list --jsonreturning incorrect paths when using global virtual store #10187.Fix
pnpm store pathandpnpm store statususing workspace root for path resolution whenstoreDiris relative #10290.Fixed
pnpm run -rfailing with "No projects matched the filters" when an emptypnpm-workspace.yamlexists #10497.Fixed a bug where
catalogMode: strictwould write the literal string"catalog:"topnpm-workspace.yamlinstead of the resolved version specifier when re-adding an existing catalog dependency #10176.Fixed the documentation URL shown in
pnpm completion --helpto point to the correct page at https://pnpm.io/completion #10281.Skip local
file:protocol dependencies duringpnpm fetch. This fixes an issue wherepnpm fetchwould fail in Docker builds when local directory dependencies were not available #10460.Fixed
pnpm audit --jsonto respect the--audit-levelsetting for both exit code and output filtering #10540.update tar to version 7.5.7 to fix security issue
Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842
Fix
pnpm audit --fixreplacing reference overrides (e.g.$foo) with concrete versions #10325.Fix
shamefullyHoistset viaupdateConfigin.pnpmfile.cjsnot being converted topublicHoistPattern#10271.pnpm helpshould correctly report if the currently running pnpm CLI is bundled with Node.js #10561.Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for
node_modules/.bin, causing binaries to not be found when running commands likepnpm exec#10457.Platinum Sponsors
Gold Sponsors
v10.28.2: pnpm 10.28.2Compare Source
Patch Changes
Security fix: prevent path traversal in
directories.binfield.When pnpm installs a
file:orgit:dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked intonode_modules.This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g.,
/etc/passwd,~/.ssh/id_rsa) and have their contents copied when the package is installed.Note: This only affects
file:andgit:dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.Fixed optional dependencies to request full metadata from the registry to get the
libcfield, which is required for proper platform compatibility checks #9950.Platinum Sponsors
Gold Sponsors
v10.28.1: pnpm 10.28.1Compare Source
Patch Changes
Fixed installation of config dependencies from private registries.
Added support for object type in
configDependencieswhen the tarball URL returned from package metadata differs from the computed URL #10431.Fix path traversal vulnerability in binary fetcher ZIP extraction
ERR_PNPM_PATH_TRAVERSALerrorSupport plain
http://andhttps://URLs ending with.gitas git repository dependencies.Previously, URLs like
https://gitea.example.org/user/repo.git#commitwere not recognized as git repositories because they lacked thegit+prefix (e.g.,git+https://). This caused issues when installing dependencies from self-hosted git servers like Gitea or Forgejo that don't provide tarball downloads.Changes:
http://andhttps://URLs ending in.gitas git repositoriesisRepositorycheck from the tarball resolver since it's no longer needed with the new resolver orderFixes #10468
pnpm run -randpnpm run --filternow fail with a non-zero exit code when no packages have the specified script. Previously, this only failed when all packages were selected. Use--if-presentto suppress this error #6844.Fixed a path traversal vulnerability in tarball extraction on Windows. The path normalization was only checking for
./but not.\. Since backslashes are directory separators on Windows, malicious packages could use paths likefoo\..\..\.npmrcto write files outside the package directory.When running "pnpm exec" from a subdirectory of a project, don't change the current working directory to the root of the project #5759.
Fixed a path traversal vulnerability in pnpm's bin linking. Bin names starting with
@bypassed validation, and after scope normalization, path traversal sequences like../../remained intact.Revert Try to avoid making network calls with preferOffline #10334.
Fix
--save-peerto write valid semver ranges topeerDependenciesfor protocol-based installs (e.g.jsr:) by deriving from resolved versions when available and falling back to*if none is available #10417.Do not exclude the root workspace project, when it is explicitly selected via a filter #10465.
Platinum Sponsors
Gold Sponsors
v10.28.0: pnpm 10.28Compare Source
Minor Changes
beforePackingthat can be used to customize thepackage.jsoncontents at publish time #3816.pnpm install --filter ...) was slower than runningpnpm installwithout any filter arguments. This performance regression is now fixed. Filtered installs should be as fast or faster than a full install #10408.Patch Changes
requiredScriptssetting inpnpm-workspace.yaml#10261.Platinum Sponsors
Gold Sponsors
v10.27.0: pnpm 10.27Compare Source
Minor Changes
Adding
trustPolicyIgnoreAfterallows you to ignore trust policy checks for packages published more than a specified time ago#10352.Added project registry for global virtual store prune support.
Projects using the store are now registered via symlinks in
{storeDir}/v10/projects/. This enablespnpm store pruneto track which packages are still in use by active projects and safely remove unused packages from the global virtual store.Semi-breaking. Changed the location of unscoped packages in the virtual global store. They will now be stored under a directory named
@to maintain a uniform 4-level directory depth.Added mark-and-sweep garbage collection for global virtual store.
pnpm store prunenow removes unused packages from the global virtual store'slinks/directory. The algorithm:This includes support for workspace monorepos - all
node_modulesdirectories within a project (including those in workspace packages) are scanned.Patch Changes
tokenHelperor<url>:tokenHelpersetting contains an environment variable.dangerouslyAllowAllBuildssettings #10376.pnpm store pruneshould not fail if the dlx cache directory has files, not only directories #10384pnpm addwould incorrectly modify a catalog entry inpnpm-workspace.yamlto its exact version.Platinum Sponsors
Gold Sponsors
v10.26.2: pnpm 10.26.2Compare Source
Patch Changes
Improve error message when a package version exists but does not meet the
minimumReleaseAgeconstraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #10307.Fix installation of Git dependencies using annotated tags #10335.
Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused
ERR_PNPM_GIT_CHECKOUT_FAILEDerrors because the checked-out commit hash didn't match the stored tag object hash.Binaries of runtime engines (Node.js, Deno, Bun) are written to
node_modules/.binbefore lifecycle scripts (install, postinstall, prepare) are executed #10244.Try to avoid making network calls with preferOffline #10334.
Platinum Sponsors
Gold Sponsors
v10.26.1: pnpm 10.26.1Compare Source
Patch Changes
pnpm add, whenblockExoticSubdepsis set totrue#10324.HEADpoints to the commit after checkout #10310.Platinum Sponsors
Gold Sponsors
v10.26.0: pnpm 10.26Compare Source
Minor Changes
Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in
onlyBuiltDependencies#10288.Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.
Added a new setting
blockExoticSubdepsthat prevents the resolution of exotic protocols in transitive dependencies.When set to
true, direct dependencies (those listed in your rootpackage.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.
Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (
git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).Related PR: #10265.
Added support for
allowBuilds, which is a new field that can be used instead ofonlyBuiltDependenciesandignoredBuiltDependencies. The newallowBuildsfield in yourpnpm-workspace.yamluses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.Example Usage. To explicitly allow all versions of
esbuildto run scripts and preventcore-jsfrom running them:The example above achieves the same result as the previous configuration:
Related PR: #10311
Added support for
--dry-runto thepackcommand #10301.Patch Changes
injectWorkspacePackagessetting from the lockfile on thedeploycommand #10294.package.json#10197.Platinum Sponsors
Gold Sponsors
v10.25.0: pnpm 10.25Compare Source
Minor Changes
Allow loading certificates from
cert,ca, andkeyfor specific registry URLs. E.g.,//registry.example.com/:ca=-----BEGIN CERTIFICATE-----.... Previously this was only working viacertfile,cafile, andkeyfile.These properties are supported in
.npmrc, but were ignored by pnpm, this will make pnpm read and use them as well.Related PR: #10230.
Added a new flag called
--baretopnpm initfor creating a package.json with the bare minimum of required fields #10226.Patch Changes
pnpm installshould build any dependencies that were added toonlyBuiltDependenciesand were not built yet #10256.pnpm publish -r --forceshould allow to run publish over already existing versions in the registry #10272.ERR_PNPM_MISSING_TIMEerror if a package that is excluded from trust policy checks is missing the time field in the metadata.Platinum Sponsors
Gold Sponsors
v10.24.0: pnpm 10.24Compare Source
Minor Changes
Patch Changes
trustPolicyshould ignore the trust evidences of prerelease versions, when installing a non-prerelease version.fs.linkSync(), which can occur in containerized environments (OverlayFS) instead of EXDEV. The operation now gracefully falls back tofs.copyFileSync()in these cases #10217.pnpm self-updateshould download pnpm from the configured npm registry #10205.package.jsonfile (like Node.js) should not be reimported from the store on every install. Another file from the package should be checked in order to verify its presence innode_modules.Platinum Sponsors
Gold Sponsors
v10.23.0: pnpm 10.23Compare Source
Minor Changes
--lockfile-onlyoption topnpm list#10020.Patch Changes
pnpm self-updateshould download pnpm from the configured npm registry #10205.pnpm self-updateshould always install the non-executable pnpm package (pnpm in the registry) and never the@pnpm/exepackage, when installing v11 or newer. We currently cannot ship@pnpm/exeaspkgdoesn't work with ESM #10190.pnpm add, if there's aengines.runtimesetting declared inpackage.json#10209.pnpm listandpnpm whynow display npm: protocol for aliased packages (e.g.,foo npm:is-odd@3.0.1) #8660.pnpm store pruneshould not fail if the store contains Node.js packages #10131.Platinum Sponsors
Gold Sponsors
v10.22.0: pnpm 10.22Compare Source
Minor Changes
Added support for
trustPolicyExclude#10164.You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:
Allow to override the
enginesfield on publish by thepublishConfig.enginesfield.Patch Changes
Platinum Sponsors
Gold Sponsors
v10.21.0: pnpm 10.21Compare Source
Minor Changes
Node.js Runtime Installation for Dependencies. Added support for automatic Node.js runtime installation for dependencies. pnpm will now install the Node.js version required by a dependency if that dependency declares a Node.js runtime in the "engines" field. For example:
If the package with the Node.js runtime dependency is a CLI app, pnpm will bind the CLI app to the required Node.js version. This ensures that, regardless of the globally installed Node.js instance, the CLI will use the compatible version of Node.js.
If the package has a
postinstallscript, that script will be executed using the specified Node.js version.Related PR: #10141
Added a new setting:
trustPolicy.When set to
no-downgrade, pnpm will fail installation if a package’s trust level has decreased compared to previous releases — for example, if it was previously published by a trusted publisher but now only has provenance or no trust evidence.This helps prevent installing potentially compromised versions of a package.
Related issue: #8889.
Added support for
pnpm config get globalconfigto retrieve the global config file path #9977.Patch Changes
pnpm updateon a dependency that is not directly listed inpackage.json, none of the direct dependencies should be updated #10155.gitBranchLockfileand related settings viapnpm-workspace.yamlshould work #9651.Platinum Sponsors
Gold Sponsors
v10.20.0: pnpm 10.20Compare Source
Minor Changes
--alloption inpnpm --helpto list all commands #8628.Patch Changes
latestversion doesn't satisfy the maturity requirement configured byminimumReleaseAge, pick the highest version that is mature enough, even if it has a different major version #10100.createcommand should not verify patch info.managePackageManagerVersionstofalse, when switching to a different version of pnpm CLI, in order to avoid subsequent switches #10063.Platinum Sponsors
Gold Sponsors
v10.19.0: pnpm 10.19Compare Source
Minor Changes
You can now allow specific versions of dependencies to run postinstall scripts.
onlyBuiltDependenciesnow accepts package names with lists of trusted versions. For example:Related PR: #10104.
Added support for exact versions in
minimumReleaseAgeExclude#9985.You can now list one or more specific versions that pnpm should allow to install, even if those versions don’t satisfy the maturity requirement set by
minimumReleaseAge. For example:Platinum Sponsors
Gold Sponsors
Configuration
📅 Schedule: (in timezone UTC)
* 0-6 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate.
📊 Test coverage
Patch coverage: no testable lines changed.
Overall (
app/,lib/,db/, excluding UI per ADR-0019):Soft thresholds per ADR-0019. Coverage is informational and does not block merge.
d28a025bb3a9085f46cfchore(deps): update pnpm to v10.34.3to chore(deps): update pnpm to v10.34.4View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.