pnpm v10.26.0

Summary

This release adds supply-chain security features such as the `blockExoticSubdeps` setting, integrity hashes for HTTP tarball dependencies, and a default block on prepare scripts of git-hosted dependencies; introduces the unified `allowBuilds` config; and brings several usability improvements such as `--dry-run` for `pack` and better deprecation displays.

⚠️ Breaking Changes

  • Git-hosted dependencies are now blocked from running prepare scripts unless they are explicitly allowed via `onlyBuiltDependencies`. Fix by adding the needed packages to `onlyBuiltDependencies` or by migrating to the new `allowBuilds` field.
  • Integrity hashes are now computed for HTTP tarball dependencies and stored in the lockfile. This may cause mismatches with existing lockfiles; regenerate the lockfile (`pnpm install`) to include the new hashes.

Migration Steps

  1. Replace usage of `onlyBuiltDependencies` and `ignoredBuiltDependencies` with the new `allowBuilds` map in `pnpm-workspace.yaml`.
  2. If you rely on git-hosted dependencies running prepare scripts, add them to `onlyBuiltDependencies` (or `allowBuilds`) to keep the behavior.
  3. Regenerate the lockfile (`pnpm install`) to capture new integrity hashes and normalized URLs.
  4. Review any custom resolvers; ensure they are listed as trusted sources when `blockExoticSubdeps` is enabled.
  5. No action needed for `--dry-run` support; you can now use `pnpm pack --dry-run`.
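Steps 1 and 2 as an added example, not pnpm's own code: a Python helper that rewrites the parsed contents of `pnpm-workspace.yaml`, turning the two legacy lists (plus any git-hosted dependencies that still need their prepare scripts) into one `allowBuilds` map and refusing a package that appears on both sides. The map's value format (package name to boolean) is assumed here, as is the sample config; check it against the pnpm docs before committing the result.

```python
# Assumed (not stated in the release notes): allowBuilds maps a package name
# to a boolean, true = build/prepare scripts may run, false = skipped.
from typing import Dict, List, Optional

LEGACY_KEYS = ("onlyBuiltDependencies", "ignoredBuiltDependencies")


def migrate_build_config(config: dict,
                         git_prepare_allowed: Optional[List[str]] = None) -> dict:
    """Return a copy of the parsed pnpm-workspace.yaml with the two legacy
    lists replaced by one allowBuilds map. git_prepare_allowed names the
    git-hosted dependencies whose prepare scripts must keep running."""
    only = list(config.get("onlyBuiltDependencies") or [])
    ignored = list(config.get("ignoredBuiltDependencies") or [])
    clash = sorted(set(only) & set(ignored))
    if clash:
        # A package in both lists is ambiguous; refuse rather than guess.
        raise ValueError(f"listed as both allowed and ignored: {clash}")

    allow: Dict[str, bool] = {}
    for name in only + list(git_prepare_allowed or []):
        allow[name] = True   # explicitly trusted to run its scripts
    for name in ignored:
        allow[name] = False  # scripts deliberately skipped, no warning
    # An allowBuilds entry already present in the file wins over the lists.
    allow.update(config.get("allowBuilds") or {})

    migrated = {k: v for k, v in config.items() if k not in LEGACY_KEYS}
    migrated["allowBuilds"] = dict(sorted(allow.items()))
    return migrated


def render_allow_builds(allow: Dict[str, bool]) -> str:
    """Emit the allowBuilds block as YAML text without needing PyYAML."""
    lines = ["allowBuilds:"]
    for name, ok in allow.items():
        # '@' cannot start a plain YAML scalar, so scoped names are quoted.
        key = f'"{name}"' if name.startswith("@") else name
        lines.append(f"  {key}: {'true' if ok else 'false'}")
    return "\n".join(lines) + "\n"


# Constructed sample: the pre-10.26 shape of a pnpm-workspace.yaml, parsed.
SAMPLE_CONFIG = {
    "packages": ["packages/*"],
    "onlyBuiltDependencies": ["esbuild", "@scope/native-addon"],
    "ignoredBuiltDependencies": ["core-js"],
}
```

`render_allow_builds(migrate_build_config(SAMPLE_CONFIG)["allowBuilds"])` prints the block to paste into `pnpm-workspace.yaml` in place of the two removed lists.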

✨ New Features

  • Added `blockExoticSubdeps` setting to prevent resolution of exotic protocols in transitive dependencies.
  • Added `allowBuilds` field as a unified replacement for `onlyBuiltDependencies` and `ignoredBuiltDependencies`.
  • Implemented `--dry-run` flag for the `pack` command.
  • Deprecation warnings are now shown in table and list formats when the latest version is deprecated.
  • Removed `injectWorkspacePackages` setting from the lockfile during `deploy`.
  • Normalized tarball URLs before saving them to the lockfile, stripping default ports.
  • When a direct URL dependency redirects to an immutable URL, the original URL is normalized and saved to `package.json`.

🐛 Bug Fixes

  • Removed stale `injectWorkspacePackages` entry from lockfiles on `deploy`.
  • Fixed URL normalization to exclude default ports (:80, :443).
  • Handled immutable redirect URLs correctly by normalizing and persisting the original URL.

🔧 Affected Symbols

  • `onlyBuiltDependencies`
  • `ignoredBuiltDependencies`
  • `allowBuilds`
  • `blockExoticSubdeps`
  • `injectWorkspacePackages`
  • `pack`
  • prepare scripts
  • `pnpm-workspace.yaml`