Change8

v10.34.2

Breaking Changes
📦 pnpmView on GitHub →
2 breaking3 features🐛 2 fixes🔧 4 symbols

Summary

This patch significantly enhances security by enforcing trust boundaries for package manager bootstrapping and environment variable expansion in configuration. It also introduces cryptographic verification for downloaded pnpm binaries and Node.js release hashes.

⚠️ Breaking Changes

  • Repository-controlled configuration files (.npmrc, pnpm-workspace.yaml) can no longer expand environment variables (${...}) in registry/proxy request destinations, URL-scoped keys, or registry credential values. This prevents secret exfiltration. Trusted config sources (CLI options, env config, user/global .npmrc) retain full environment variable expansion.
  • When pnpm downloads a new pnpm version via `packageManager` field or `pnpm self-update`, the registry used for the download now comes exclusively from trusted config sources (CLI options, env config, user/global .npmrc), ignoring repository project/workspace settings. If verification fails, the version switch is refused.

Migration Steps

  1. If you rely on environment variable expansion within registry URLs or authentication credentials defined in project or workspace `.npmrc` or `pnpm-workspace.yaml`, move those definitions to global `.npmrc`, user `.npmrc`, CLI configuration, or environment variables.
  2. If you explicitly approved lifecycle scripts for git, tarball, or directory artifacts using `onlyBuiltDependencies` or `allowBuilds` with a registry-style dependency path, update the key to use the peer-suffix-free lockfile depPath instead.

✨ New Features

  • pnpm now verifies the npm registry signature of any downloaded package-manager binary (when updating pnpm itself) against embedded public signing keys.
  • pnpm now verifies the detached OpenPGP signature of the Node.js release's SHASUMS256.txt against embedded Node.js release team public keys before trusting Node.js hashes, enhancing security when downloading Node.js.
  • Package-manager bootstrap traffic now resolves exclusively through trusted registries and network configurations.

🐛 Bug Fixes

  • Reserved manifest `bin` names (like "", ".", "..", and scoped forms) are now rejected during resolution, preventing potential recursive deletion of global bin directories during global add/remove/update operations.
  • Lockfile entries backed by git, directory, or git-hosted tarball resolutions will now be rejected if they use a registry-style dependency path (name@semver), ensuring dependency path identity is reliable before lifecycle scripts run.

Affected Symbols