v10.34.3
Breaking Changes📦 pnpmView on GitHub →
⚠ 2 breaking🐛 2 fixes🔧 2 symbols
Summary
This release addresses a critical security vulnerability by preventing environment variables from being expanded in repository-controlled `.npmrc` files for sensitive configuration, requiring users to move tokens to trusted configuration sources. A bypass allowing repository config to override trusted file locations was also patched.
⚠️ Breaking Changes
- pnpm no longer expands `${ENV_VAR}` placeholders from repository-controlled project/workspace `.npmrc` files for sensitive configuration keys (like `registry`, credentials, proxy URLs). If authentication breaks, move tokens out of the committed `.npmrc` and use `pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"` or place the token definition in your user-level `~/.npmrc`.
- A repository-controlled project or workspace `.npmrc` can no longer set `userconfig`, `globalconfig`, or `prefix` to redirect pnpm to load configuration files from the repository as trusted sources. User/global config locations are now resolved only from trusted sources before project/workspace `.npmrc` files are read.
Migration Steps
- If authentication broke after upgrading, move any token definitions from the committed project `.npmrc` to your user-level `~/.npmrc` or use `pnpm config set "<key>" <value>` to store them in the global config.
- If you rely on environment variables in repository-controlled `.npmrc` files for registry configuration, move those definitions to your user-level `~/.npmrc` or use CLI options/environment config.
- In CI environments where editing pipelines is difficult, set `NPM_CONFIG_USERCONFIG=.npmrc` in the CI environment to declare the project `.npmrc` trusted (use this cautiously).
🐛 Bug Fixes
- Improved the warning message when a project `.npmrc` uses an environment variable in a registry/proxy URL or credentials, explaining why it was ignored and providing migration steps.
- Fixed a bypass where a project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to force pnpm to load repository-supplied configuration files as trusted, bypassing security protections against environment variable expansion in registry requests/credentials.