Change8

v10.34.3

Breaking Changes
📦 pnpmView on GitHub →
2 breaking🐛 2 fixes🔧 2 symbols

Summary

This release addresses a critical security vulnerability by preventing environment variables from being expanded in repository-controlled `.npmrc` files for sensitive configuration, requiring users to move tokens to trusted configuration sources. A bypass allowing repository config to override trusted file locations was also patched.

⚠️ Breaking Changes

  • pnpm no longer expands `${ENV_VAR}` placeholders from repository-controlled project/workspace `.npmrc` files for sensitive configuration keys (like `registry`, credentials, proxy URLs). If authentication breaks, move tokens out of the committed `.npmrc` and use `pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"` or place the token definition in your user-level `~/.npmrc`.
  • A repository-controlled project or workspace `.npmrc` can no longer set `userconfig`, `globalconfig`, or `prefix` to redirect pnpm to load configuration files from the repository as trusted sources. User/global config locations are now resolved only from trusted sources before project/workspace `.npmrc` files are read.

Migration Steps

  1. If authentication broke after upgrading, move any token definitions from the committed project `.npmrc` to your user-level `~/.npmrc` or use `pnpm config set "<key>" <value>` to store them in the global config.
  2. If you rely on environment variables in repository-controlled `.npmrc` files for registry configuration, move those definitions to your user-level `~/.npmrc` or use CLI options/environment config.
  3. In CI environments where editing pipelines is difficult, set `NPM_CONFIG_USERCONFIG=.npmrc` in the CI environment to declare the project `.npmrc` trusted (use this cautiously).

🐛 Bug Fixes

  • Improved the warning message when a project `.npmrc` uses an environment variable in a registry/proxy URL or credentials, explaining why it was ignored and providing migration steps.
  • Fixed a bypass where a project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to force pnpm to load repository-supplied configuration files as trusted, bypassing security protections against environment variable expansion in registry requests/credentials.

Affected Symbols