Change8

v11.6.0

Breaking Changes
📦 pnpmView on GitHub →
1 breaking2 features🐛 3 fixes🔧 10 symbols

Summary

This release introduces a critical security fix preventing environment variable leakage from project `.npmrc` files, requiring users to move sensitive configuration to trusted sources. It also enhances installation speed when lockfiles are missing and adds new ways to configure registry settings via environment variables.

⚠️ Breaking Changes

  • pnpm no longer expands `${ENV_VAR}` placeholders from repository-controlled project/workspace `.npmrc` files for sensitive configuration keys (like `registry`, authentication tokens, proxy URLs). This is a security fix to prevent environment secret leakage. If authentication breaks, move tokens out of the committed `.npmrc` and use `pnpm config set "<key>" "$NPM_TOKEN"` or place the configuration in your user-level `~/.npmrc`.

Migration Steps

  1. If authentication broke after upgrading, move tokens configured in your project/workspace `.npmrc` to your user-level `~/.npmrc` or use `pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"` (adjusting the key as necessary).
  2. If using GitHub Actions with `actions/setup-node` and `registry-url`, no action is required as it already writes to a user-level `.npmrc`.
  3. For other CI environments where editing pipelines is difficult, set the environment variable `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` (or `NPM_CONFIG_USERCONFIG=.npmrc`) to declare the project `.npmrc` as trusted.

✨ New Features

  • Added support for configuring URL-scoped registry settings via environment variables using `npm_config_//...` and `pnpm_config_//...` prefixes (e.g., `npm_config_//registry.npmjs.org/:_authToken=<token>`).
  • Improved network concurrency default: raised the floor from 16 to 64 for machines with few CPU cores (e.g., 4-vCPU CI runners) to better utilize I/O bandwidth.

🐛 Bug Fixes

  • `pnpm install` now completes without re-resolving when `pnpm-lock.yaml` is deleted but `node_modules` is intact, by using the lockfile found in `node_modules/.pnpm/lock.yaml` to restore the main lockfile.
  • Platform-specific optional dependencies are now correctly skipped even when their `os`/`cpu`/`libc` fields are missing from registry metadata or the lockfile, by inferring platform from the package name (e.g., for packages like `@nx/nx-win32-arm64-msvc`).
  • Lockfile verification now prints a message indicating that cached policy verification was used, instead of being silent.

Affected Symbols