v10.34.1
Breaking Changes📦 pnpmView on GitHub →
⚠ 1 breaking🔧 2 symbols
Summary
This patch introduces a critical security fix by enforcing the presence of the `integrity` field in remote tarball resolutions within `pnpm-lock.yaml`, failing builds if it is missing to prevent package tampering.
⚠️ Breaking Changes
- pnpm now rejects `pnpm-lock.yaml` entries where remote tarball resolutions are missing the `integrity` field, failing with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Previously, hash verification was skipped, allowing potential tampering if the lockfile was altered and the remote content was compromised. To fix, ensure all remote tarball entries in `pnpm-lock.yaml` include the `integrity` field, unless they are git-hosted or `file:` tarballs.
Migration Steps
- Ensure all remote tarball entries in `pnpm-lock.yaml` include the `integrity` field to prevent lockfile tampering vulnerabilities, unless the tarball is git-hosted or uses a `file:` protocol.