
pnpm 10.26

· 1 min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.

Minor Changes

Stricter Git Dependency Security

Semi-breaking. Git-hosted dependencies are now blocked from running prepare scripts during installation unless they are explicitly allowed in onlyBuiltDependencies (or allowBuilds) #10288. This change prevents malicious code execution from untrusted git repositories.

allowBuilds

Added a new setting allowBuilds which provides a flexible way to manage build scripts. It accepts a map of package matchers to explicitly allow (true) or disallow (false) script execution. This replaces onlyBuiltDependencies and ignoredBuiltDependencies as the preferred configuration method #10311.

Example:

```yaml
allowBuilds:
  esbuild: true
  core-js: false
  nx@21.6.4 || 21.6.5: true
```

blockExoticSubdeps

Added a new setting blockExoticSubdeps to improve supply chain security. When set to true, it prevents the resolution of exotic protocols (like git+ssh: or direct https: tarballs) in transitive dependencies. Only direct dependencies are allowed to use exotic sources #10265.

Integrity Hash for HTTP Tarballs

Semi-breaking. pnpm now computes the integrity hash for HTTP tarball dependencies when fetching them and stores it in the lockfile. This ensures that servers cannot serve altered content on subsequent installs without detection #10287.

pnpm pack --dry-run

Added support for --dry-run to the pack command. This allows you to verify which files would be included in the tarball without actually creating it #10301.

Patch Changes

  • Show the deprecation notice in table/list formats when the latest version is deprecated #8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
  • Normalize the tarball URLs before saving them to the lockfile #10273.
  • Fix URL normalization for redirected immutable dependencies #10197.