##description##
##callToAction## //registry.example.com/:cert=...
\n```\n\n### Security: lockfile entries without `integrity` are rejected[β](https://pnpm.io/blog/releases/11.4#security-lockfile-entries-without-integrity-are-rejected)\n\nPreviously, the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes. An attacker who could both alter the lockfile (e.g. via a pull request that strips `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error β including under `--frozen-lockfile`.\n\npnpm now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted tarballs (`gitHosted: true` or a URL on `codeload.github.com` / `bitbucket.org` / `gitlab.com`) and `file:` tarballs are exempt β the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.\n\n### Security: git resolutions reject non-SHA `commit` fields[β](https://pnpm.io/blog/releases/11.4#security-git-resolutions-reject-non-sha-commit-fields)\n\nGit resolutions whose `commit` field is not a 40-character hexadecimal SHA are rejected before `git` is invoked. A malicious lockfile could otherwise smuggle a value such as `--upload-pack=
##description##
##callToAction## pnpm stage list # list staged versions
pnpm stage view # view a staged version
pnpm stage approve # promote a staged version to the registry
pnpm stage reject # discard a staged version
pnpm stage download # download a staged tarball
\n```\n\n### `trustLockfile`[β](https://pnpm.io/blog/releases/11.3#trustlockfile)\n\nA new [`trustLockfile`](https://pnpm.io/settings#trustlockfile) setting controls whether `pnpm install` re-applies the [`minimumReleaseAge`](https://pnpm.io/settings#minimumreleaseage) / `trustPolicy: 'no-downgrade'` checks to every entry in the loaded lockfile. When `true`, the install treats the lockfile as already-trusted and skips the verification pass β useful for closed-source projects where every commit comes from a trusted author. The default is `false`, so verification stays on by default.\n\nSet it in `pnpm-workspace.yaml`:\n\npnpm-workspace.yaml\n\n```\ntrustLockfile: true
\n```\n\nThis release also cuts the **memory footprint** of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument β dependency graphs, scripts, README, and per-version manifests β for the entire install. On large workspaces (~4k lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2 GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`); the abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).\n\n### Native `pnpm pkg`, `pnpm repo`, and `pnpm set-script`[β](https://pnpm.io/blog/releases/11.3#native-pnpm-pkg-pnpm-repo-and-pnpm-set-script)\n\nThree more commands that previously delegated to (or were missing without) npm are now implemented natively, following the npm command conventions:\n\n- [**`pnpm pkg`**](https://pnpm.io/cli/pkg) β get / set / delete fields in `package.json`.\n- [**`pnpm repo`**](https://pnpm.io/cli/repo) β open the repository URL of a package in the browser.\n- [**`pnpm set-script`**](https://pnpm.io/cli/set-script) (alias `ss`) β add or update an entry in the `scripts` field of the project manifest. Supports `package.json`, `package.json5`, and `package.yaml` formats.\n\n### `--skip-manifest-obfuscation` for `pack` and `publish`[β](https://pnpm.io/blog/releases/11.3#--skip-manifest-obfuscation-for-pack-and-publish)\n\nA new [`--skip-manifest-obfuscation`](https://pnpm.io/cli/publish#--skip-manifest-obfuscation) flag for [`pnpm pack`](https://pnpm.io/cli/pack) and [`pnpm publish`](https://pnpm.io/cli/publish) keeps the original `packageManager` field and publish lifecycle scripts in the packed/published manifest instead of stripping them. The pnpm-specific `pnpm` field continues to be omitted.\n\n## Patch Changes[β](https://pnpm.io/blog/releases/11.3#patch-changes)\n\n- Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when the installed package's CAS slot is missing its `package.json`. Observed in the wild for `pnpm dlx node@runtime:
##description##
##callToAction## \n```\n\nYou'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know in the GitHub issue you create.\n\n### `optionalDependencies` for config dependencies[β](https://pnpm.io/blog/releases/11.2#optionaldependencies-for-config-dependencies)\n\n[Config dependencies](https://pnpm.io/config-dependencies) now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os` / `cpu` / `libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` β a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly.\n\nThe env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version β ranges and tags are rejected to keep installs reproducible.\n\n### `pnpm login --scope`[β](https://pnpm.io/blog/releases/11.2#pnpm-login---scope)\n\nThe long-documented `pnpm login --scope
##description##
##callToAction##