v11.6.0
Breaking Changes📦 pnpmView on GitHub →
⚠ 1 breaking✨ 2 features🐛 3 fixes🔧 10 symbols
Summary
This release introduces a critical security fix preventing environment variable leakage from project `.npmrc` files, requiring users to move sensitive configuration to trusted sources. It also enhances installation speed when lockfiles are missing and adds new ways to configure registry settings via environment variables.
⚠️ Breaking Changes
- pnpm no longer expands `${ENV_VAR}` placeholders from repository-controlled project/workspace `.npmrc` files for sensitive configuration keys (like `registry`, authentication tokens, proxy URLs). This is a security fix to prevent environment secret leakage. If authentication breaks, move tokens out of the committed `.npmrc` and use `pnpm config set "<key>" "$NPM_TOKEN"` or place the configuration in your user-level `~/.npmrc`.
Migration Steps
- If authentication broke after upgrading, move tokens configured in your project/workspace `.npmrc` to your user-level `~/.npmrc` or use `pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"` (adjusting the key as necessary).
- If using GitHub Actions with `actions/setup-node` and `registry-url`, no action is required as it already writes to a user-level `.npmrc`.
- For other CI environments where editing pipelines is difficult, set the environment variable `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` (or `NPM_CONFIG_USERCONFIG=.npmrc`) to declare the project `.npmrc` as trusted.
✨ New Features
- Added support for configuring URL-scoped registry settings via environment variables using `npm_config_//...` and `pnpm_config_//...` prefixes (e.g., `npm_config_//registry.npmjs.org/:_authToken=<token>`).
- Improved network concurrency default: raised the floor from 16 to 64 for machines with few CPU cores (e.g., 4-vCPU CI runners) to better utilize I/O bandwidth.
🐛 Bug Fixes
- `pnpm install` now completes without re-resolving when `pnpm-lock.yaml` is deleted but `node_modules` is intact, by using the lockfile found in `node_modules/.pnpm/lock.yaml` to restore the main lockfile.
- Platform-specific optional dependencies are now correctly skipped even when their `os`/`cpu`/`libc` fields are missing from registry metadata or the lockfile, by inferring platform from the package name (e.g., for packages like `@nx/nx-win32-arm64-msvc`).
- Lockfile verification now prints a message indicating that cached policy verification was used, instead of being silent.
Affected Symbols
project/workspace `.npmrc``registry` key`@scope:registry` keyproxy URLsURL-scoped keys (`//host/…`)credential values (`_authToken`, `_auth`, `_password`, `username`, `tokenHelper`, `cert`, `key`)`pnpm-workspace.yaml` registry URLs`node_modules/.pnpm/lock.yaml``npm_config_//…` environment variables`pnpm_config_//…` environment variables