Change8

v10.34.1

Breaking Changes
📦 pnpmView on GitHub →
1 breaking🔧 2 symbols

Summary

This patch introduces a critical security fix by enforcing the presence of the `integrity` field in remote tarball resolutions within `pnpm-lock.yaml`, failing builds if it is missing to prevent package tampering.

⚠️ Breaking Changes

  • pnpm now rejects `pnpm-lock.yaml` entries where remote tarball resolutions are missing the `integrity` field, failing with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Previously, hash verification was skipped, allowing potential tampering if the lockfile was altered and the remote content was compromised. To fix, ensure all remote tarball entries in `pnpm-lock.yaml` include the `integrity` field, unless they are git-hosted or `file:` tarballs.

Migration Steps

  1. Ensure all remote tarball entries in `pnpm-lock.yaml` include the `integrity` field to prevent lockfile tampering vulnerabilities, unless the tarball is git-hosted or uses a `file:` protocol.

Affected Symbols