pnpm 10.26.0

Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

  • Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

  • Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #10265.

  • Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example usage: to explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

    allowBuilds:
      esbuild: true
      core-js: false

    The example above achieves the same result as the previous configuration:

    onlyBuiltDependencies:
      - esbuild
    ignoredBuiltDependencies:
      - core-js

    Related PR: #10311

  • Added support for --dry-run to the pack command #10301.
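The following Python script is an added example, not pnpm's own code, that models the policy blockExoticSubdeps describes: dependencies of the root package may use any source, while every edge below the root must resolve from a trusted source. The specifier shapes it recognises (semver ranges and dist-tags for the registry, file:/link:/workspace:/npm: prefixes, git+..., git@..., http(s) tarball URLs, GitHub shorthand) and the reading of "trusted GitHub repositories (node, bun, deno)" as trusted GitHub owners are assumptions made for the example; the dependency graph is constructed, not taken from a real lockfile.

```python
import re

# Assumption: the trusted GitHub repositories named in the release notes
# (node, bun, deno) are modelled as GitHub owners whose repositories are trusted.
TRUSTED_GITHUB_OWNERS = {"node", "bun", "deno"}
TRUSTED_PREFIXES = ("file:", "link:", "workspace:", "npm:")
GITHUB_SHORTHAND = re.compile(r"^(?:github:)?([\w.-]+)/([\w.-]+)(?:#.*)?$")


def classify_spec(spec: str) -> str:
    """Return 'trusted' or 'exotic' for a package.json dependency specifier."""
    s = spec.strip()
    if s.startswith(TRUSTED_PREFIXES):
        return "trusted"  # local path, workspace link, or registry alias
    if s.startswith(("git+", "git://", "git@")):
        return "exotic"  # git+ssh://..., git+https://..., git://..., git@host:...
    if re.match(r"^https?://", s):
        return "exotic"  # direct link to a tarball
    m = GITHUB_SHORTHAND.match(s)
    if m:
        return "trusted" if m.group(1) in TRUSTED_GITHUB_OWNERS else "exotic"
    return "trusted"  # semver range, dist-tag or '*': resolved via the configured registry


def find_blocked_subdeps(graph: dict, root: str, block_exotic_subdeps: bool = True) -> list:
    """Walk the dependency graph from `root` and report every exotic specifier
    that appears on a transitive edge (any edge whose parent is not the root).

    graph: {package: {dependency: specifier}}, a constructed model of a resolved tree.
    Returns a sorted list of (parent, dependency, specifier) violations.
    """
    if not block_exotic_subdeps:
        return []
    violations = []
    seen = {root}
    queue = [root]
    while queue:
        name = queue.pop()
        for dep, spec in graph.get(name, {}).items():
            # Direct dependencies of the root are allowed to be exotic.
            if name != root and classify_spec(spec) == "exotic":
                violations.append((name, dep, spec))
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(violations)


# Constructed sample graph: two exotic direct dependencies (allowed) and two
# exotic transitive dependencies (blocked when the setting is on).
SAMPLE_GRAPH = {
    "my-app": {
        "left-pad": "^1.3.0",
        "my-fork": "git+ssh://git@github.com/example/my-fork.git",
        "node-src": "github:node/node",
    },
    "left-pad": {"helper": "https://cdn.example.invalid/helper-1.0.0.tgz"},
    "my-fork": {"lodash": "^4.17.21"},
    "node-src": {},
    "helper": {"another": "git+https://github.com/example/another.git"},
    "lodash": {},
    "another": {},
}

if __name__ == "__main__":
    for parent, dep, spec in find_blocked_subdeps(SAMPLE_GRAPH, "my-app"):
        print(f"blocked: {parent} -> {dep} ({spec})")
```

Run as a script it lists the two transitive edges that would be refused; with `block_exotic_subdeps=False` the same graph yields no violations, which is the pre-10.26 behaviour the setting changes.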

Patch Changes

  • Show deprecation in table/list formats when the latest version is deprecated #8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
  • Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.
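The block below is an added Python example, not pnpm's implementation, that ties together two of the lockfile changes in this release: the URL normalization from the patch notes (default ports such as :80 and :443 dropped before the URL is saved) and the integrity hash recorded for HTTP tarball dependencies on first fetch (from the minor changes), so that a later install detects a server returning different bytes for the same URL. The lockfile is modelled as a plain dict keyed by the normalized URL, the integrity string uses the Subresource Integrity form (`sha512-<base64>`), and the tarball bytes are constructed; the function names and the exact normalization rules beyond default-port removal are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def normalize_tarball_url(url: str) -> str:
    """Canonical form used as the lockfile key: lower-case scheme and host,
    the scheme's default port removed, path/query/fragment kept as-is."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if scheme not in DEFAULT_PORTS or host is None:
        raise ValueError(f"not an http(s) tarball URL: {url!r}")
    port = parts.port  # None when absent; raises ValueError if malformed
    if port == DEFAULT_PORTS[scheme]:
        port = None
    netloc = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    if port is not None:
        netloc = f"{netloc}:{port}"
    if parts.username is not None:  # keep any userinfo untouched
        userinfo = parts.username
        if parts.password is not None:
            userinfo = f"{userinfo}:{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def compute_sri(data: bytes, algorithm: str = "sha512") -> str:
    """Subresource-Integrity style string '<algorithm>-<base64 digest>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, expected: str) -> bool:
    """Recompute the digest with the algorithm named in `expected` and compare
    in constant time; unknown or malformed integrity strings never verify."""
    algorithm, sep, _ = expected.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(compute_sri(data, algorithm), expected)


def install_from_url(lockfile: dict, url: str, fetched: bytes) -> str:
    """Constructed model of the lockfile behaviour: the first fetch of a URL
    records its integrity; every later fetch must reproduce it.
    Returns 'recorded', 'verified' or 'mismatch'."""
    key = normalize_tarball_url(url)
    recorded = lockfile.get(key)
    if recorded is None:
        lockfile[key] = compute_sri(fetched)
        return "recorded"
    if verify_sri(fetched, recorded):
        return "verified"
    return "mismatch"  # lockfile left untouched; the install should abort here


if __name__ == "__main__":
    lock = {}
    tarball = b"constructed tarball bytes"  # stands in for a real .tgz
    print(install_from_url(lock, "https://cdn.example.invalid:443/pkg-1.0.0.tgz", tarball))
    print(install_from_url(lock, "https://cdn.example.invalid/pkg-1.0.0.tgz", tarball))
    print(install_from_url(lock, "https://cdn.example.invalid/pkg-1.0.0.tgz", tarball + b"!"))
    print(lock)
```

Because the key is the normalized URL, `https://cdn.example.invalid:443/pkg-1.0.0.tgz` and `https://cdn.example.invalid/pkg-1.0.0.tgz` share one lockfile entry, and the altered bytes on the third fetch are reported as a mismatch against the integrity recorded on the first.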

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite
