Patch Changes
- #14112 3a746ac Thanks @penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new `pnpm check:pinned-deps` lint enforces this for all published packages (and for the shared pnpm catalog) going forward.
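As an added illustration (not the repository's own `check:pinned-deps` script), a check in the spirit of that lint: it flags semver ranges in the dependency fields that reach consumers and applies the same rule to a pnpm catalog map. It assumes `workspace:` and `catalog:` specifiers are resolved by pnpm elsewhere, and that `devDependencies` never reach consumers; the sample manifest and catalog are constructed.

```javascript
// Added example, not the project's own lint. Flags dependency specifiers
// that are semver ranges rather than exact versions.

// Exact version: X.Y.Z with optional prerelease and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Only fields that land in consumers' dependency trees are checked;
// devDependencies stay inside the monorepo (assumption for this example).
const CONSUMER_FIELDS = ["dependencies", "optionalDependencies"];

function isPinned(spec) {
  // workspace: and catalog: are resolved by pnpm; the catalog itself is
  // checked separately with the same rule (assumption for this example).
  if (spec.startsWith("workspace:") || spec.startsWith("catalog:")) return true;
  return EXACT_VERSION.test(spec);
}

// Returns [{ field, name, spec }] for every unpinned external dependency.
function findUnpinnedDeps(pkg) {
  const problems = [];
  for (const field of CONSUMER_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!isPinned(spec)) problems.push({ field, name, spec });
    }
  }
  return problems;
}

// Same rule applied to a catalog map of name -> specifier.
function findUnpinnedCatalogEntries(catalog) {
  return Object.entries(catalog)
    .filter(([, spec]) => !isPinned(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample package.json and catalog.
const samplePkg = {
  name: "example-package",
  dependencies: { "some-lib": "^1.2.3", "pinned-lib": "2.0.0", "internal-pkg": "workspace:*", "shared-lib": "catalog:" },
  optionalDependencies: { "opt-lib": "~0.5.0" },
  devDependencies: { typescript: "^5.0.0" }, // not installed by consumers
};
const sampleCatalog = { "shared-lib": "1.4.0", "another-lib": ">=3.0.0" };

for (const p of findUnpinnedDeps(samplePkg)) console.log(`unpinned ${p.field}: ${p.name}@${p.spec}`);
for (const p of findUnpinnedCatalogEntries(sampleCatalog)) console.log(`unpinned catalog entry: ${p.name}@${p.spec}`);
```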