---
name: JavaScript Runtimes & Tooling
slug: js-toolchain
description: Runtimes, package managers, bundlers, and test runners powering JS and TS projects.
member_count: 5
canonical: https://releases.sh/collections/js-toolchain
---
# JavaScript Runtimes & Tooling
Runtimes, package managers, bundlers, and test runners powering JS and TS projects.
## Members (5)
- [Bun](https://releases.sh/bun) β bun.com
- [Deno](https://releases.sh/deno) β deno.com
- [pnpm](https://releases.sh/pnpm)
- [Vitest](https://releases.sh/vitest) β vitest.dev
- [Turborepo](https://releases.sh/vercel/turborepo) (product Β· Vercel)
## Fetching more
Append `.md` (markdown), `.json` (raw data), or `.atom` (feed) to any URL on this page.
- Aggregated release feed: `https://releases.sh/collections/js-toolchain.atom`
## Recent Releases
---
collection: js-toolchain
collection_name: JavaScript Runtimes & Tooling
release_count: 20
has_more: true
canonical: https://releases.sh/collections/js-toolchain
---
### 2.8.2 / 2026.06.03
- feat(compile): improve --bundle dependency resolution and add --minify
(#34536)
- feat(compile): scope --bundle npm embed to packages actually reached (#34532)
- feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC
(#34417)
- feat(ext/crypto): add ML-DSA (FIPS 204) post-quantum signatures (#34448)
- feat(ext/crypto): implement ML-KEM (FIPS 203) post-quantum KEM (#34447)
- feat(ext/node): env/global proxy support for node:http and node:https (#34257)
- feat(ext/node): support DENO_SERVE_ADDRESS override in node:http servers
(#34662)
- feat(jupyter): rewrite kernel in JS, drop zeromq/runtimelib deps (#34083)
- feat(lsp): autocomplete jsr:/npm:/node: in deno.json(c) imports (#34724)
- feat(publish): unfurl import specifiers in Wasm modules (#34549)
- feat(task): support --env-file flag (#34508)
- feat(task): support exclusion groups in task name wildcards (#34506)
- feat(unstable): add --bundle flag to `deno compile` (#34527)
- feat: bump deno_task_shell to 0.33.0 (#34642)
- fix(add): handle version tags like `@latest` in `deno add` for JSR packages
(#32859)
- fix(add): replace panic with error when deno.json discovery fails (#34517)
- fix(bundle): skip decorator pass when module has no decorators (#34489)
- fix(bundle): use node-style CJS interop for the Deno platform (#34533)
- fix(cache): skip WAL journal mode on WSL-1 (#34499)
- fix(cache_dir): EnsureCachedStrategy must surface cached redirects (#34563)
- fix(check): make node:stream/web types alias the globals (#34606)
- fix(check): resolve npm packages without types when type checking (#34551)
- fix(cli): suppress bug-report banner on broken pipe print panics (#34552)
- fix(cli/task): run recursive workspace tasks in parallel (#34512)
- fix(compile): allow process.chdir() into the VFS (#34610)
- fix(compile): bundle workers separately under --bundle (#34531)
- fix(compile): cover CJS-deep imports under --bundle (#34534)
- fix(compile): create code cache when importing JSON or Wasm modules (#34614)
- fix(compile): detect svelte-adapter-deno build output (#34535)
- fix(compile): don't surface graph errors for --include files (#34568)
- fix(compile): embed workspace package.json files in the VFS (#34530)
- fix(compile): enable ANSI colors on Windows in compiled binaries (#34701)
- fix(compile): handle CJS and native addons in --bundle (#34529)
- fix(compile): respect npm registry sub-paths when flattening node_modules
(#34575)
- fix(compile): support workers loaded from blob URLs (#34574)
- fix(compile): transpile TypeScript imported at runtime (#34616)
- fix(config): hook up verbatimModuleSyntax for the emit pipeline (#34495)
- fix(config): make config auto-discovery skip the same errors on every platform
(#34558)
- fix(config): surface invalid "exports" map in linked/workspace packages
(#34473)
- fix(config): warn instead of erroring when start dir is not a workspace member
(#34458)
- fix(config): warn instead of erroring when workspace member dir is missing
(#34511)
- fix(core): TLA hang on dyn import when async dep triggers lazy ESM load
(#34469)
- fix(core): preserve WebAssembly streaming callback across new contexts
(#34679)
- fix(crypto): correct X448 PKCS#8 handling (#34578)
- fix(doc): don't lint private-type-ref for cross-package types (#34339)
- fix(doc): handle non-ASCII doc lint diagnostics (#34626)
- fix(ext/console): degrade gracefully when getKeys throws (#24980) (#34464)
- fix(ext/fetch): implement missing Request properties (#34607)
- fix(ext/fetch): preserve static request body length (#34546)
- fix(ext/ffi): match V8 stack-arg layout in turbocall trampoline on Apple
silicon (#34561)
- fix(ext/fs): error when copyFile source and destination are the same file
(#34718)
- fix(ext/fs): retry without FILE_FLAG_BACKUP_SEMANTICS on Windows when driver
rejects it (#34686)
- fix(ext/fs): surface non-UTF-8 file names from read_dir (#34623)
- fix(ext/http): reject Response-like return from respondWith (#34589)
- fix(ext/http): reject Response-like return from serve handler (#34416)
- fix(ext/io): cancel pending FileResource reads on close (#34544)
- fix(ext/napi): clear error for Windows addons that link against node.exe
(#34696)
- fix(ext/napi): disallow JS execution during napi_new_instance (#34496)
- fix(ext/napi): polyfill libuv thread + semaphore primitives (#34571)
- fix(ext/napi): polyfill more libuv symbols from compat layer (#34488)
- fix(ext/net): re-enable 0-RTT support in QUIC (#34520)
- fix(ext/node): add module findPackageJSON export (#34597)
- fix(ext/node): add node:test/reporters builtin (#34595)
- fix(ext/node): add stripTypeScriptTypes export (#34594)
- fix(ext/node): capture IPC handle eagerly to fix cluster send deadlock
(#34661)
- fix(ext/node): cover node:module SourceMap export (#34591)
- fix(ext/node): disable repl preview when a custom eval is supplied (#34498)
- fix(ext/node): drop bogus Buffer.prototype._isBuffer marker (#34502)
- fix(ext/node): export syncBuiltinESMExports from node:module (#34593)
- fix(ext/node): expose gc from v8 setFlagsFromString (#34604)
- fix(ext/node): fix latin1Slice being too slow (#34503)
- fix(ext/node): honor windowsHide in child_process spawn (#34627)
- fix(ext/node): prevent buffer decode detach race (#34632)
- fix(ext/node): re-export inner spec for module.exports = require(X).Y (#34363)
- fix(ext/node): refuse sqlite close() while a user callback is running (#34515)
- fix(ext/node): report real error code for failed dns.lookup (#34697)
- fix(ext/node): resolve global cache packages when require referrer is outside
DENODIR (#34497)
- fix(ext/node): route node:fs.statfs through FileSystem trait (#34444)
- fix(ext/node): support cyclic imports in vm.Module.prototype.link() (#34472)
- fix(ext/node): support vm dynamic import callback (#34572)
- fix(ext/node): tolerate unreadable cwd in require._nodeModulePaths (#34542)
- fix(ext/node): vm dynamic import without callback throws
ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING (#34427)
- fix(ext/web): forward console.group label to inspector log (#34341)
- fix(ext/web): honor PerformanceObserver buffered flag (#34748)
- fix(ext/web): make MessageEvent.ports a frozen array (#34773)
- fix(fmt): update markup_fmt to fix quadratic inline CSS formatting (#34663)
- fix(install): allow "minimumDependencyAge" object without "age" (#34523)
- fix(install): handle pre-existing node_modules symlink on Windows (#34659)
- fix(install): rewrite relative imports/scopes in copied deno.json (#34562)
- fix(install): run workspace member dependency lifecycle scripts with member
INIT_CWD (#34700)
- fix(install): vendor type-only imports during `deno ci` (#34459)
- fix(jupyter): exit kernel process after sending shutdown reply (#34554)
- fix(jupyter): keep kernel alive across transient peer disconnects (#34550)
- fix(jupyter): make kernel ZMTP handshake compatible with libzmq (#34755)
- fix(jupyter): send transient: {} in execute_result so nbclient doesn't crash
(#34483)
- fix(jupyter): use stable PATH entry for kernel binary path (#34492)
- fix(lsp): avoid empty import specifier completions (#34647)
- fix(lsp): complete npm package exports (#34675)
- fix(lsp): complete string union literals containing dots (#34664)
- fix(lsp): discover all tests when names are duplicated (#34624)
- fix(lsp): handle empty jsx completion ranges (#34651)
- fix(lsp): handle parser panics while parsing documents (#34640)
- fix(lsp): honor `moduleResolution: "bundler"` for npm dir imports (#34643)
- fix(lsp): include configured deps in auto-imports (#34650)
- fix(lsp): limit node_modules auto-import aliasing (#34674)
- fix(lsp): merge duplicate completion imports (#34658)
- fix(lsp): preserve URL extensions in `typeof import(...)` hovers (#34565)
- fix(lsp): recover from TSC isolate OOM instead of crashing the language server
(#34693)
- fix(lsp): release idle memory back to the OS (#34727)
- fix(lsp): skip parent process check when PID isn't visible (#34744)
- fix(lsp): spurious diagnostics in Jupyter notebook cells (#34734)
- fix(lsp): support test steps from imported helpers (#34648)
- fix(lsp): surface CSS imports as .js to TypeScript (#34419)
- fix(lsp): surface module-level uncaught errors in test runs (#34641)
- fix(lsp): use cached registry config when offline (#34723)
- fix(lsp): use file uris for neovim virtual definitions (#34653)
- fix(lsp): walk to enabled nested workspaces (#34654)
- fix(napi): report a clear error for legacy V8/nan native addons (#34683)
- fix(napi): support ZeroMQ libuv addon symbols (#34657)
- fix(node): avoid spurious ERR_MULTIPLE_CALLBACK on process.stdout/stderr
(#34728)
- fix(node): classify required js files as commonjs by default (#34673)
- fix(node): full re-export fallback for unresolvable member re-exports (#34689)
- fix(node): resolve CJS requires with multi-level relative specifiers on
Windows (#34655)
- fix(node): support module-sync export condition (#34599)
- fix(node/repl): gate preview through V8 inspector throwOnSideEffect (#34566)
- fix(npm): apply scoped registry auth to same-origin tarballs (#34698)
- fix(npm): clean node_modules after deno remove (#34110)
- fix(npm): downgrade latest tag for release age (#34581)
- fix(npm): execute native binaries from npm package bin entries (#34375)
- fix(npm): hoist direct deps over higher transitive versions (#34470)
- fix(npm): share copy-package variants via symlink for class identity (#34691)
- fix(resolver): don't resolve linked packages via bare specifier (#34519)
- fix(rt): support host-FS CJS files in the standalone runtime (#34560)
- fix(runtime): better error message when Deno.consoleSize() has no tty (#34538)
- fix(runtime): suggest --allow-scripts for `bindings` native addon error
(#34666)
- fix(runtime): suggest N-API alternatives for legacy V8/nan addons (#34695)
- fix(runtime): suggest Worker/node:vm alternatives for npm:isolated-vm (#34702)
- fix(runtime/ops): unwatch shared RecommendedWatcher on FsWatcher close
(#34467)
- fix(task): preserve trailing backslashes in task arguments (#34505)
- fix(task): restore terminal mode after task exits on Windows (#34685)
- fix(test): abort with a message when a test exits with sanitizeExit disabled
(#34491)
- fix(test): don't kill the deno process on top-level Deno.exit() (#34564)
- fix(test): wait for inspector to disconnect before exiting (#34559)
- fix(tsc): resolve Web globals to Deno's versions in npm packages (#34634)
- fix(watch): register dynamic raw imports with file watcher (#34463)
- fix(watch): restore original cwd between watcher restarts (#34465)
- fix: absolute links should be processed using directory functions (#34218)
- fix: link to docs in JSON import error message (#34611)
- fix: load classic blob worker main script directly (#34592)
- fix: opt-in mitigation for React RCE/DoS CVEs (#34676)
- fix: reject empty package name in package.json dependencies (#34514)
- fix: remove node_shim exec dependency (#34739)
- fix: resolve local file when folder name matches import-mapped package
(#32854)
- fix: send BroadcastChannel messages before close (#34628)
- perf(cli): drop unused deno_ast bundler feature (#34424)
- perf(ext/fetch): cache lowercased header names per Headers instance (#33683)
- perf(ext/node): bulk-build header array and trim header OWS in place (#34443)
- perf(ext/node): cache member-export-props analysis (#34471)
- perf(ext/node): gate node:http async resource entry (#34608)
- perf(ext/node): optimize empty node:http response end (#34493)
- perf(ext/node): optimize node:http header matching (#34484)
- perf(ext/node): skip node:http perf timing without observers (#34409)
- perf(ext/web): convert hot stream queues to O(1) Queue, cache _state reads
(#34437)
- perf(http): remove legacy hyper 0.14 from deno_http (#34557)
- perf(node): lazy stdio + fix LazyEsmModuleLoader source consumption (#34440)
- perf(node): lazy-load node:stream/web cluster out of the snapshot (#34548)
- perf(node): skip require permission checks when read is fully granted (#34722)
- perf(runtime): update notify watcher dependency (#34567)
- perf(web): reduce Brotli CompressionStream binary size (#34432)
- perf: enable safe ICF (identical code folding) when linking (#34478)
- perf: replace ipnetwork with ipnet (#34580)
### π Bug Fixes
- Pin last supported vite-node version - by @sheremet-va [(16f12)](https://github.com/vitest-dev/vitest/commit/16f120d05)
##### [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v3.2.5...v3.2.6)
### π Features
- **api**: Add `allowWrite` and `allowExec` options to `api` [backport to v3] - by @hi-ogawa and **Codex** in https://github.com/vitest-dev/vitest/issues/10445 [(af88b)](https://github.com/vitest-dev/vitest/commit/af88b1f5d)
### π Bug Fixes
- **browser**: Disable client `cdp` API when `allowWrite/allowExec: false` [backport to v3] - by @hi-ogawa and **Codex** in https://github.com/vitest-dev/vitest/issues/10456 [(385a1)](https://github.com/vitest-dev/vitest/commit/385a1aefd)
##### [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v3.2.4...v3.2.5)
### π Bug Fixes
- **browser**:
- Disable client `cdp` API when `allowWrite/allowExec: false` [backport to v4] - by @hi-ogawa and **Codex** in https://github.com/vitest-dev/vitest/issues/10450 [(e4067)](https://github.com/vitest-dev/vitest/commit/e4067b3b1)
- Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in https://github.com/vitest-dev/vitest/issues/10474 [(675b4)](https://github.com/vitest-dev/vitest/commit/675b4343f)
##### [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8)
## pnpm 11.5
pnpm 11.5 adds a `hoistingLimits` setting for controlling how far dependencies hoist in `nodeLinker: hoisted` installs, replaces the interactive prompt library to fix scrolling in long choice lists, recognizes staged publishes in the trust scale, and ships several install and `dist-tag` fixes.
## Minor Changes[β](https://pnpm.io/blog/releases/11.5#minor-changes)
### New `hoistingLimits` setting[β](https://pnpm.io/blog/releases/11.5#new-hoistinglimits-setting)
A new [`hoistingLimits`](https://pnpm.io/settings#hoistinglimits) setting controls how far dependencies are hoisted when using `nodeLinker: hoisted`. It mirrors yarn's `nmHoistingLimits` and accepts:
- **none** - hoist as far as possible (the default).
- **workspaces** - hoist only as far as each workspace package.
- **dependencies** - hoist only up to each workspace package's direct dependencies.
Originally proposed in [#6468](https://github.com/pnpm/pnpm/pull/6468), closing [#6457](https://github.com/pnpm/pnpm/issues/6457).
### New interactive prompt library[β](https://pnpm.io/blog/releases/11.5#new-interactive-prompt-library)
pnpm replaced `enquirer` with `@inquirer/prompts` for all interactive prompts. This fixes the `update -i` scrolling overflow bug where long choice lists were clipped in the terminal ([#6643](https://github.com/pnpm/pnpm/issues/6643)). The new library uses visual-line-aware pagination, so scrolling now works correctly when many packages are available.
Affected commands include `pnpm update -i` (and `--latest`), `pnpm audit --fix -i`, `pnpm approve-builds`, `pnpm patch`, `pnpm patch-remove`, `pnpm publish`, `pnpm login`, and `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`).
Vim-style `j` / `k` keys still work for up/down navigation in all interactive prompts.
### Staged publishes recognized in the trust scale[β](https://pnpm.io/blog/releases/11.5#staged-publishes-recognized-in-the-trust-scale)
Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an `approver` field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level ([#11887](https://github.com/pnpm/pnpm/issues/11887)).
## Patch Changes[β](https://pnpm.io/blog/releases/11.5#patch-changes)
- Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`) ([#11999](https://github.com/pnpm/pnpm/issues/11999)).
- Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org failing without `--otp`. pnpm now surfaces the OTP challenge through the existing browser-based 2FA flow (the same one used by `pnpm publish`), so the browser opens, the user authenticates, and the dist-tag is set on retry. `--otp=` continues to work via the classic flow.
- Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths so excluded packages do not get pinned to stale versions.
- Fix the `integrity` field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. The missing integrity could otherwise make subsequent `--frozen-lockfile` installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` ([#12001](https://github.com/pnpm/pnpm/issues/12001)).
- Skip dependency re-resolution when `pnpm-lock.yaml` is missing but `node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest. `pnpm install` now reuses the materialized snapshot to regenerate `pnpm-lock.yaml` instead of walking the registry to rebuild it from scratch ([#11993](https://github.com/pnpm/pnpm/issues/11993)). `--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is absent.
"undefined"!=typeof \_bsa&&\_bsa&&\_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:\` 
##description##
##callToAction## \`})
## Turborepo v2.9.16
## What's Changed
### Changelog
* release(turborepo): 2.9.15 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12955
* fix: Avoid hanging PTY shutdown by @anthonyshew in https://github.com/vercel/turborepo/pull/12958
* fix: Retry npm tlog publish failures by @anthonyshew in https://github.com/vercel/turborepo/pull/12959
* release(turborepo): 2.9.16-canary.1 by @anthonyshew in https://github.com/vercel/turborepo/pull/12960
* fix: Preserve nested Bun dependency versions by @anthonyshew in https://github.com/vercel/turborepo/pull/12963
* Revert "fix: Preserve nested Bun dependency versions" by @anthonyshew in https://github.com/vercel/turborepo/pull/12964
* release(turborepo): 2.9.16-canary.2 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12961
* fix: Preserve nested Bun dependency versions by @anthonyshew in https://github.com/vercel/turborepo/pull/12965
* fix: Don't delete existing `.git` when using `--no-git` flag by @anthonyshew in https://github.com/vercel/turborepo/pull/12968
**Full Changelog**: https://github.com/vercel/turborepo/compare/v2.9.15...v2.9.16
### 2.8.1 / 2026.05.27
- Revert "fix(ext/node): polyfill module.enableCompileCache and companions"
(#34190) (#34348)
- feat(bundle): support `browser` field map in package.json (#34407)
- fix(bundle): read package.json sideEffects field (#34406)
- fix(cli): clearer error when importing .node addon via ESM (#34361)
- fix(config): don't panic when --config path can't be converted to URL (#34351)
- fix(core): allow host objects to round-trip through core.deserialize (#34380)
- fix(core): keep lazy_loaded_esm sources across concurrent loads (#34353)
- fix(ext/fetch,ext/websocket): check resolved IPs against net deny list
(#34236)
- fix(ext/node): TLSSocket.authorized=false when client presents no cert
(#34381)
- fix(ext/node): accept array forms of cert/key/pfx in createSecureContext
(#34379)
- fix(ext/node): add missing node:util APIs getSystemErrorMap,
transferableAbortSignal, transferableAbortController (#34372)
- fix(ext/node): allow omitting arguments in base64Slice (#34318)
- fix(ext/node): attach register as static on Module (#34305)
- fix(ext/node): do not throw NotFound for fs.exists (#34244)
- fix(ext/node): drop extra positional args in promisified fs.promises.*
(#34347)
- fix(ext/node): emit 'error' event for fs.watch open failures (#34398)
- fix(ext/node): enforce minimum Miller-Rabin rounds in checkPrime (#34391)
- fix(ext/node): extract cert/key from pfx in tls SecureContext (#34383)
- fix(ext/node): prevent panic on `node:sqlite` aggregate method (#34385)
- fix(ext/node): require env permission for process.loadEnvFile (#34350)
- fix(ext/node): reset req.reusedSocket on transparent retry (#34376)
- fix(ext/node): support PKCS#12 MACs other than SHA-1 (#34342)
- fix(ext/node): tolerate non-AsyncWrap handles in _getNewAsyncId (#34413)
- fix(http): wake runtime after direct serve dispatch (#34387)
- fix(inspector): emit NodeWorker.attachedToWorker for late workers (#34377)
- fix(node/util): don't invoke Proxy traps in util.inspect (#34373)
- fix(pack): remove automatic @deno/shim-deno injection (#34411)
- fix(runtime): lazy-loaded globals should shadow on inherited [[Set]] (#34405)
- fix(task): walk ancestor node_modules/.bin in BYONM mode (#34364)
- fix(transpile): preserve newlines after multi-line block comments (#34357)
- fix(types): restore brotli in CompressionFormat for dom/webworker libs
(#34349)
- fix(upgrade): zstd-compress bsdiff delta patches (#34354)
- fix: allow --inspect=localhost:0 to resolve hostnames (#34230)
- fix: panic in deno test --parallel (#34378)
- fix: support npm: specifiers in --preload and --import (#34346)
- perf(ext/node): reuse keep-alive timer in node:http server (#34302)
## pnpm 11.4
pnpm 11.4 closes a cluster of supply-chain holes around lockfile integrity, credential scoping, git resolutions, patch files, and dependency aliases, makes tarball-integrity mismatches a hard install failure by default (with a narrowly-scoped `--update-checksums` opt-in), and changes `pnpm runtime set` to write to `devEngines.runtime` instead of `engines.runtime` by default.
## Minor Changes[β](https://pnpm.io/blog/releases/11.4#minor-changes)
### Tarball-integrity mismatches are now a hard failure[β](https://pnpm.io/blog/releases/11.4#tarball-integrity-mismatches-are-now-a-hard-failure)
Previously, `pnpm install` (non-frozen) would log `ERR_PNPM_TARBALL_INTEGRITY` when a downloaded tarball's hash didn't match the lockfile, silently re-resolve from the registry, and overwrite the locked integrity. A compromised registry, proxy, or republished version could therefore substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.
`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint pointing at the new opt-in flag.
The only opt-in is **`pnpm install --update-checksums`** β narrowly scoped to refreshing the locked integrity values from what the registry currently serves. It mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.
`--force` and `pnpm update` deliberately do **not** bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. `--frozen-lockfile` behavior is unchanged. `--fix-lockfile` keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.
### `pnpm runtime set` writes to `devEngines.runtime` by default[β](https://pnpm.io/blog/releases/11.4#pnpm-runtime-set-writes-to-devenginesruntime-by-default)
[`pnpm runtime set `](https://pnpm.io/cli/runtime) now saves the runtime to `devEngines.runtime` by default instead of `engines.runtime`. Pass `--save-prod` (or `-P`) to save it to `engines.runtime` instead. See [#11948](https://github.com/pnpm/pnpm/issues/11948).
## Patch Changes[β](https://pnpm.io/blog/releases/11.4#patch-changes)
### Security: unscoped credentials no longer leak across registries[β](https://pnpm.io/blog/releases/11.4#security-unscoped-credentials-no-longer-leak-across-registries)
An unscoped `_authToken` (or `_auth`, or `username` + `_password`, or `tokenHelper`) defined in one source β `~/.npmrc`, `~/.config/pnpm/auth.ini`, a workspace `.npmrc`, CLI flags, etc. β would be sent as an `Authorization` header to whichever registry a different (potentially untrusted) source named. The same exposure extended to client TLS credentials (`cert`, `key`).
pnpm now rewrites each unscoped per-registry setting (`_authToken`, `_auth`, `username`, `_password`, `tokenHelper`, `cert`, `key`) to its URL-scoped form at load time, using the `registry=` value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding `registry=` therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. `ca` / `cafile` are intentionally not rescoped β they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.
Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since `npm@9`, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped:
.npmrc
```
//registry.example.com/:_authToken=...
//registry.example.com/:cert=...
```
### Security: lockfile entries without `integrity` are rejected[β](https://pnpm.io/blog/releases/11.4#security-lockfile-entries-without-integrity-are-rejected)
Previously, the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes. An attacker who could both alter the lockfile (e.g. via a pull request that strips `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error β including under `--frozen-lockfile`.
pnpm now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted tarballs (`gitHosted: true` or a URL on `codeload.github.com` / `bitbucket.org` / `gitlab.com`) and `file:` tarballs are exempt β the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.
### Security: git resolutions reject non-SHA `commit` fields[β](https://pnpm.io/blog/releases/11.4#security-git-resolutions-reject-non-sha-commit-fields)
Git resolutions whose `commit` field is not a 40-character hexadecimal SHA are rejected before `git` is invoked. A malicious lockfile could otherwise smuggle a value such as `--upload-pack=` through `git fetch` / `git checkout`, which on SSH or local-file transports executes the supplied command.
### Security: patch files writing outside the package directory are rejected[β](https://pnpm.io/blog/releases/11.4#security-patch-files-writing-outside-the-package-directory-are-rejected)
Patch files whose `diff --git` headers reference paths outside the patched package directory are now rejected. Previously a malicious `.patch` file added via a pull request could write, delete, or rename arbitrary files reachable by the user running `pnpm install`.
### Security: dependency aliases with path-traversal segments are rejected[β](https://pnpm.io/blog/releases/11.4#security-dependency-aliases-with-path-traversal-segments-are-rejected)
Dependency aliases that contain path-traversal segments (such as `@x/../../../../../.git/hooks`) are rejected when read from a package manifest or symlinked into `node_modules`. A malicious registry package could otherwise use a transitive dependency key to make `pnpm install` create symlinks at attacker-chosen paths outside the intended `node_modules` directory.
### Trusted-publisher metadata now requires provenance[β](https://pnpm.io/blog/releases/11.4#trusted-publisher-metadata-now-requires-provenance)
Trusted publisher metadata is only treated as the strongest trust evidence when provenance is also present.
### Other fixes[β](https://pnpm.io/blog/releases/11.4#other-fixes)
- Fix `pnpm deploy` crashing with `ENOENT: ... lstat '/node_modules'` when `configDependencies` declares pacquet (`pacquet` or `@pnpm/pacquet`). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.
- Limit concurrent project manifest reads while listing large workspaces to avoid `EMFILE` errors.
- Validate `devEngines.runtime` and `engines.runtime` version ranges for `node`, `deno`, and `bun` when `onFail` is set to `error` or `warn`. Previously these settings only had an effect with `onFail: 'download'` β the `error` and `warn` modes silently did nothing [#11818](https://github.com/pnpm/pnpm/issues/11818). Violations now throw `ERR_PNPM_BAD_RUNTIME_VERSION`.
- Improve the log message that pnpm prints after auto-adding entries to `minimumReleaseAgeExclude` when `minimumReleaseAge` is set without `minimumReleaseAgeStrict`. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set `minimumReleaseAgeStrict` to `true` if they want these updates gated behind a prompt instead [#11747](https://github.com/pnpm/pnpm/issues/11747).
"undefined"!=typeof \_bsa&&\_bsa&&\_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:\` ##description##
##callToAction## \`})
## Turborepo v2.9.15
## What's Changed
### Changelog
* release(turborepo): 2.9.14 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12805
* fix: Prune package.json workspaces by @anthonyshew in https://github.com/vercel/turborepo/pull/12808
* fix: Wait for process trees before task completion by @anthonyshew in https://github.com/vercel/turborepo/pull/12809
* release(turborepo): 2.9.15-canary.1 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12810
* ci: Sign macOS release binaries by @anthonyshew in https://github.com/vercel/turborepo/pull/12811
* release(turborepo): 2.9.15-canary.2 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12812
* fix: Prevent cache archive symlink reads by @anthonyshew in https://github.com/vercel/turborepo/pull/12813
* release(turborepo): 2.9.15-canary.3 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12814
* fix: Avoid path-racy chmod during directory restore by @anthonyshew in https://github.com/vercel/turborepo/pull/12815
* fix: Prevent cache restore symlink race writes by @anthonyshew in https://github.com/vercel/turborepo/pull/12817
* chore: Deny Rust panic extraction by default by @anthonyshew in https://github.com/vercel/turborepo/pull/12818
* fix: Make structured log symlink defense race-safe by @anthonyshew in https://github.com/vercel/turborepo/pull/12821
* fix: Preserve Bun alias child packages by @anthonyshew in https://github.com/vercel/turborepo/pull/12822
* fix: Avoid UTF-8 panics at boundaries by @anthonyshew in https://github.com/vercel/turborepo/pull/12823
* fix: Preserve non-UTF-8 Git path boundaries by @anthonyshew in https://github.com/vercel/turborepo/pull/12826
* fix: Create daemon dirs with private permissions by @anthonyshew in https://github.com/vercel/turborepo/pull/12827
* fix: Return Berry lockfile errors instead of panicking by @anthonyshew in https://github.com/vercel/turborepo/pull/12828
* fix: Isolate Corepack state in integration tests by @anthonyshew in https://github.com/vercel/turborepo/pull/12831
* ci: Use larger Windows runners for Rust tests by @anthonyshew in https://github.com/vercel/turborepo/pull/12832
* docs: Add `with-vite-module-federation` example by @gioboa in https://github.com/vercel/turborepo/pull/12794
* test: Run Rust tests without partitioning by @anthonyshew in https://github.com/vercel/turborepo/pull/12833
* chore: Remove `TaskHashTracker`-based `expect()` calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12836
* chore: Deduplicate hash canonicalization by @anthonyshew in https://github.com/vercel/turborepo/pull/12837
* fix: Prevent Windows process drain hangs by @anthonyshew in https://github.com/vercel/turborepo/pull/12838
* fix: Refactor execsync to execfilesync for Shell command built from environment values by @bjormgyg in https://github.com/vercel/turborepo/pull/12829
* test: Bound vt100 random quickcheck by @anthonyshew in https://github.com/vercel/turborepo/pull/12839
* fix: Validate daemon discovery responses by @anthonyshew in https://github.com/vercel/turborepo/pull/12840
* fix: Store `PackageGraph` root invariants by @anthonyshew in https://github.com/vercel/turborepo/pull/12841
* chore: Avoid engine graph node expects by @anthonyshew in https://github.com/vercel/turborepo/pull/12842
* test: Make Rust tests parallel-safe by @anthonyshew in https://github.com/vercel/turborepo/pull/12843
* fix: Avoid graph utility node lookup panics by @anthonyshew in https://github.com/vercel/turborepo/pull/12844
* fix: Avoid graph walker `expect()` calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12845
* fix: Remove fs panic extraction lints by @anthonyshew in https://github.com/vercel/turborepo/pull/12846
* fix: Remove fixed map panic extraction calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12847
* fix: Remove devtools WebSocket panics by @anthonyshew in https://github.com/vercel/turborepo/pull/12850
* fix: Remove json rewrite panic lint allow by @anthonyshew in https://github.com/vercel/turborepo/pull/12848
* fix: Remove turborepo-types panic lint allows by @anthonyshew in https://github.com/vercel/turborepo/pull/12849
* chore: Remove turborepo-hash build expect by @anthonyshew in https://github.com/vercel/turborepo/pull/12851
* fix: Remove napi panic lint allows by @anthonyshew in https://github.com/vercel/turborepo/pull/12852
* fix: Avoid globwatch expect calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12853
* fix: Remove LSP expect callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12854
* fix: Remove scope panic lint allows by @anthonyshew in https://github.com/vercel/turborepo/pull/12855
* fix: Remove task hash panic lints by @anthonyshew in https://github.com/vercel/turborepo/pull/12856
* fix: Remove frameworks panic lint allows by @anthonyshew in https://github.com/vercel/turborepo/pull/12857
* fix: Remove microfrontends proxy expect lint allow by @anthonyshew in https://github.com/vercel/turborepo/pull/12859
* fix: Avoid API client expect calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12858
* fix: Avoid task executor expect calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12860
* fix: Remove turbo-trace unwrap callsite by @anthonyshew in https://github.com/vercel/turborepo/pull/12863
* fix: Remove Vercel API mock expect usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12862
* fix: Remove vt100 expect lint allow by @anthonyshew in https://github.com/vercel/turborepo/pull/12861
* fix: Remove turborepo-shim expect callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12864
* test: Deflake daemon existing process test by @anthonyshew in https://github.com/vercel/turborepo/pull/12865
* fix: Avoid repository NAPI unwrap calls by @anthonyshew in https://github.com/vercel/turborepo/pull/12866
* fix: Remove pidlock panic callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12867
* fix: Remove telemetry panic callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12868
* chore: Remove Rust re-export shims by @anthonyshew in https://github.com/vercel/turborepo/pull/12870
* fix: Remove turbo-json panic lint allows by @anthonyshew in https://github.com/vercel/turborepo/pull/12869
* fix: Remove `globwalk`'s `expect()` callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12871
* fix: Remove `turbopath`'s `expect()` callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12872
* test: Deflake Corepack prepare lock on Windows by @anthonyshew in https://github.com/vercel/turborepo/pull/12873
* fix: Remove signals panic callsites by @anthonyshew in https://github.com/vercel/turborepo/pull/12874
* fix: Remove `turbo-trace`'s `expect()` allow by @anthonyshew in https://github.com/vercel/turborepo/pull/12876
* fix: Remove Vercel API mock unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12877
* fix: Remove task executor unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12878
* fix: Remove run summary expect usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12879
* fix: Remove microfrontends proxy unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12880
* fix: Remove api client unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12881
* fix: Remove globwalk unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12883
* fix: Remove UI `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12882
* fix: Remove microfrontends expect usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12885
* fix: Remove `boundaries`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12887
* fix: Remove `turborepo-process`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12888
* fix: Remove UI unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12889
* fix: Remove microfrontends unwrap allow by @anthonyshew in https://github.com/vercel/turborepo/pull/12890
* fix: Remove `turborepo-process`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12891
* fix: Remove scm expect usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12893
* fix: Remove auth unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12886
* fix: Remove `turbopath`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12884
* fix: Remove `auth`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12895
* fix: Remove wax unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12899
* fix: Remove scm unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12897
* fix: Remove `turborepo-boundaries`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12896
* fix: Remove daemon unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12898
* fix: Include lockfile-changed packages in affected tasks by @anthonyshew in https://github.com/vercel/turborepo/pull/12900
* fix: Remove `turborepo-wax`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12901
* fix: Remove `turborepo-filewatch`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12903
* fix: Remove `turborepo-cache`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12902
* fix: Remove `turborepo-daemon`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12904
* fix: Remove `turborepo-engine`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12906
* fix: Remove filewatch unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12907
* fix: Remove engine expect usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12908
* fix: Remove cache unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12909
* fix: Remove `turborepo-lockfiles` `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12910
* chore: Set pnpm minimum release age by @anthonyshew in https://github.com/vercel/turborepo/pull/12912
* fix: Remove `turborepo-lockfiles`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12911
* fix: Remove `turborepo-vt100`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12913
* release(turborepo): 2.9.15-canary.4 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12905
* fix: Remove `turborepo-lib`'s `unwrap()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12915
* fix: Remove `turborepo-lib`'s `expect()` usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12914
* fix: Remove shim test unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12917
* fix: Remove turbo json test unwrap allowance by @anthonyshew in https://github.com/vercel/turborepo/pull/12918
* fix: Remove run summary test unwrap usage by @anthonyshew in https://github.com/vercel/turborepo/pull/12916
* release(turborepo): 2.9.15-canary.5 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12919
* fix: Restore task completion semantics by @anthonyshew in https://github.com/vercel/turborepo/pull/12923
* fix: Preserve nested Bun workspace dependency versions by @anthonyshew in https://github.com/vercel/turborepo/pull/12924
* release(turborepo): 2.9.15-canary.6 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12925
* fix: Restore release PR auto-merge by @anthonyshew in https://github.com/vercel/turborepo/pull/12927
* perf: Index repo gitignore matchers by @anthonyshew in https://github.com/vercel/turborepo/pull/12928
* ci: Disable incremental Rust test builds by @anthonyshew in https://github.com/vercel/turborepo/pull/12929
* perf: Trim OpenTelemetry crate features by @anthonyshew in https://github.com/vercel/turborepo/pull/12930
* perf: Trim microfrontends proxy HTTP features by @anthonyshew in https://github.com/vercel/turborepo/pull/12931
* fix: Accept `experimentalCI` object config by @anthonyshew in https://github.com/vercel/turborepo/pull/12934
* release(turborepo): 2.9.15-canary.7 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12935
* fix: Restore a few internal invariant checks by @anthonyshew in https://github.com/vercel/turborepo/pull/12933
* fix: Improve profile tracing coverage by @anthonyshew in https://github.com/vercel/turborepo/pull/12936
* fix: Use build-scale OTel duration buckets by @anthonyshew in https://github.com/vercel/turborepo/pull/12939
* fix: Preserve pnpm injected peer package entries by @anthonyshew in https://github.com/vercel/turborepo/pull/12940
* feat: Add heap allocation profiling by @anthonyshew in https://github.com/vercel/turborepo/pull/12943
* release(turborepo): 2.9.15-canary.8 by @anthonyshew in https://github.com/vercel/turborepo/pull/12945
* docs: Correct attribute presence claims in turborepo-otel by @adityasingh2400 in https://github.com/vercel/turborepo/pull/12932
* chore(turbo-codemod): Remove duplicate "in" in transforms path comment by @mvanhorn in https://github.com/vercel/turborepo/pull/12948
* chore: Switch Geist font imports to npm geist package by @christopherkindl in https://github.com/vercel/turborepo/pull/12952
* fix: Respect root gitignore during prune by @anthonyshew in https://github.com/vercel/turborepo/pull/12953
* fix: Harden OTEL endpoint validation by @anthonyshew in https://github.com/vercel/turborepo/pull/12954
## New Contributors
* @gioboa made their first contribution in https://github.com/vercel/turborepo/pull/12794
* @bjormgyg made their first contribution in https://github.com/vercel/turborepo/pull/12829
* @adityasingh2400 made their first contribution in https://github.com/vercel/turborepo/pull/12932
* @mvanhorn made their first contribution in https://github.com/vercel/turborepo/pull/12948
* @christopherkindl made their first contribution in https://github.com/vercel/turborepo/pull/12952
**Full Changelog**: https://github.com/vercel/turborepo/compare/v2.9.14...v2.9.15
## pnpm 11.3
pnpm 11.3 adds support for npm's staged publishing (`pnpm stage`), the new [`trustLockfile`](https://pnpm.io/settings#trustlockfile) setting for skipping the supply-chain verification pass on already-trusted lockfiles, and native implementations of `pnpm pkg`, `pnpm repo`, and `pnpm set-script`. It also adds a `--skip-manifest-obfuscation` flag for `pack` / `publish` and cuts the memory footprint of `minimumReleaseAge` / `trustPolicy` verification on large workspaces.
## Minor Changes[β](https://pnpm.io/blog/releases/11.3#minor-changes)
### `pnpm stage`[β](https://pnpm.io/blog/releases/11.3#pnpm-stage)
A new [`pnpm stage`](https://pnpm.io/cli/stage) command brings npm's [staged publishing](https://docs.npmjs.com/about-staged-publishing) workflow to pnpm. Staged publishing lets you publish a version that's hidden from `npm install` until you explicitly approve it β useful for verifying release artifacts, smoke-testing CI, or coordinating multi-package releases.
The available subcommands are:
```
pnpm stage publish
pnpm stage list
pnpm stage view
pnpm stage approve
pnpm stage reject
pnpm stage download
```
### `trustLockfile`[β](https://pnpm.io/blog/releases/11.3#trustlockfile)
A new [`trustLockfile`](https://pnpm.io/settings#trustlockfile) setting controls whether `pnpm install` re-applies the [`minimumReleaseAge`](https://pnpm.io/settings#minimumreleaseage) / `trustPolicy: 'no-downgrade'` checks to every entry in the loaded lockfile. When `true`, the install treats the lockfile as already-trusted and skips the verification pass β useful for closed-source projects where every commit comes from a trusted author. The default is `false`, so verification stays on by default.
Set it in `pnpm-workspace.yaml`:
pnpm-workspace.yaml
```
trustLockfile: true
```
This release also cuts the **memory footprint** of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument β dependency graphs, scripts, README, and per-version manifests β for the entire install. On large workspaces (~4k lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2 GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`); the abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).
### Native `pnpm pkg`, `pnpm repo`, and `pnpm set-script`[β](https://pnpm.io/blog/releases/11.3#native-pnpm-pkg-pnpm-repo-and-pnpm-set-script)
Three more commands that previously delegated to (or were missing without) npm are now implemented natively, following the npm command conventions:
- [**`pnpm pkg`**](https://pnpm.io/cli/pkg) β get / set / delete fields in `package.json`.
- [**`pnpm repo`**](https://pnpm.io/cli/repo) β open the repository URL of a package in the browser.
- [**`pnpm set-script`**](https://pnpm.io/cli/set-script) (alias `ss`) β add or update an entry in the `scripts` field of the project manifest. Supports `package.json`, `package.json5`, and `package.yaml` formats.
### `--skip-manifest-obfuscation` for `pack` and `publish`[β](https://pnpm.io/blog/releases/11.3#--skip-manifest-obfuscation-for-pack-and-publish)
A new [`--skip-manifest-obfuscation`](https://pnpm.io/cli/publish#--skip-manifest-obfuscation) flag for [`pnpm pack`](https://pnpm.io/cli/pack) and [`pnpm publish`](https://pnpm.io/cli/publish) keeps the original `packageManager` field and publish lifecycle scripts in the packed/published manifest instead of stripping them. The pnpm-specific `pnpm` field continues to be omitted.
## Patch Changes[β](https://pnpm.io/blog/releases/11.3#patch-changes)
- Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when the installed package's CAS slot is missing its `package.json`. Observed in the wild for `pnpm dlx node@runtime:` when the GVS slot was populated without the synthesized manifest runtime archives need. `dlx` now falls back to the scopeless package name when the slot's manifest is unreadable β for single-bin packages (the dlx common case, including every `runtime:` spec) this matches what `manifest.bin` would have named.
- Fixed non-determinism in `pnpm dedupe` and `pnpm install` when a dependency graph contains packages with transitive peer dependencies on each other (e.g. `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`) and `auto-install-peers` is enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was that `resolveDependencies` pushed onto its `pkgAddresses` / `postponedResolutionsQueue` arrays from inside `Promise.all`\-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes [#8155](https://github.com/pnpm/pnpm/issues/8155).
- Fixed a regression where `pnpm add ` (and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs or `pnpm/test-git-fetch#sha`) was silently dropped from the manifest update and from `pendingBuilds`.
- Fixed `pnpm add --config` leaving orphan entries in `pnpm-lock.env.yaml` (the optional subdependencies of the previously resolved version of the updated config dependency).
"undefined"!=typeof \_bsa&&\_bsa&&\_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:\` ##description##
##callToAction## \`})
### 2.8.0 / 2026.05.22
Read more: http://deno.com/blog/v2.8
- feat: accept `deno audit fix` as alias for `deno audit --fix` (#34273)
- feat: add --watch flag to deno check (#34224)
- feat: add `deno bump-version` subcommand (#30562)
- feat: add `deno why` subcommand (#32908)
- feat: support workspaces in `deno bump-version` (#33689)
- feat(add/install): default to npm registry for unprefixed packages (#33246)
- feat(compile): add progress bar for deno compile (#33874)
- feat(compile): support module.registerHooks() in compiled binaries (#33853)
- feat(core): add `Deno.core.loadExtScript()` for lazy-loaded scripts (#33739)
- feat(core): add async module resolution support via ModuleResolveResponse
(#32432)
- feat(core): support lazy_loaded_esm modules via import statements (#33873)
- feat(core): synthetic_esm extension DSL + node:worker_threads canary (#34038)
- feat(ext/fetch): emit Network.* inspector events for fetch() (#34220)
- feat(ext/node): ESM import() support for module.registerHooks() (#33763)
- feat(ext/node): add createHistogram to node:perf_hooks (#34003)
- feat(ext/node): buffer Network.* bodies for inspector body-fetch commands
(#34201)
- feat(ext/node): convert node:url/util/zlib to synthetic_esm (#34041)
- feat(ext/node): emit Network.* inspector events for node:http (#34231)
- feat(ext/node): expose inspector.isEnabled() via process.binding('inspector')
(#34203)
- feat(ext/node): implement Network CDP domain for inspector (#32707)
- feat(ext/node): implement NodeRuntime.notifyWhenWaitingForDisconnect (#34204)
- feat(ext/node): implement module.registerHooks() API for CommonJS (#33733)
- feat(ext/node): implement node:module SourceMap API (#32890)
- feat(ext/node): implement node:wasi (#34089)
- feat(ext/node): implement postMessageToThread cross-thread messaging (#34015)
- feat(ext/node): implement vm.SourceTextModule with microtaskMode afterEvaluate
support (#33603)
- feat(ext/node): make Network.* CDP events fire under plain --inspect (#34270)
- feat(ext/node): restore module.registerHooks (#34081)
- feat(ext/node): support KeyObject structured clone over MessagePort (#34229)
- feat(ext/node): support NODE_EXTRA_CA_CERTS (#33148)
- feat(ext/node): support sending dgram.Socket handles over IPC (#33863)
- feat(ext/telemetry): add gRPC protocol support for OTLP exporter (#30365)
- feat(ext/web): support structured clone for Blob and File (#33827)
- feat(ext/websocket): emit Network.* inspector events for WebSocket (#34222)
- feat(install): add --os and --arch flags for cross-platform npm installs
(#32785)
- feat(install): added --prod to skip dev deps and @types (#33248)
- feat(install): default to npm for `deno install -g` unprefixed packages
(#34290)
- feat(npm): add `catalog:` protocol for centralized dependency versions in
workspaces (#32947)
- feat(npm): add hoisted node_modules linker mode (#32788)
- feat(npmrc): support min-release-age (#33983)
- feat(task): prefix output lines with task name when running in parallel
(#33805)
- feat(test): add timeout option to Deno.test() (#33815)
- feat(types): add Math.sumPrecise and Intl.Locale.prototype.variants (#34287)
- feat(unstable): Geometry Interfaces Module Level 1 (#27527)
- feat(unstable): support TC39 import defer proposal (#32360)
- feat(x): add --package/-p flag for specifying package separately from binary
(#32855)
- feat: OffscreenCanvas (#29357)
- feat: add --package-json flag to deno add/install/remove/uninstall (#33199)
- feat: add `deno ci` subcommand (#34235)
- feat: add `deno pack` command to create npm tarballs (#32139)
- feat: add `deno transpile` subcommand (#32691)
- feat: disable "no-process-global", "no-node-globals" lint rules by default
(#33247)
- feat: disable ops and resources sanitizers by default in deno test (#33250)
- feat: framework detection for deno compile (#33164)
- feat: implement `deno audit --fix` (#32909)
- feat: include node lib by default and use NodeJS.Timeout for timers (#33823)
- feat: stabilize text imports (#34238)
- feat: support Deno.upgradeWebSocket with node:http upgrade events (#33342)
- feat: update TypeScript to 6.0.3 (#32944)
- feat: use Node.js timers by default and remove global proxy (#33249)
- feat: v8 14.9 (#34226)
- fix(ci): disable test-child-process-send-returns-boolean.js on windows
(#33883)
- fix(cli): make deno why work with jsr deps (#34227)
- fix(console): don't trigger proxy get trap for nodejs.util.inspect.custom
(#33730)
- fix(core): disable include_icu_data feature (#34279)
- fix(core): evaluate pre-instantiated module in lazy_load_esm_module (#33973)
- fix(core): prevent TLA hang when has_tick_scheduled is set during async module
evaluation (#33278)
- fix(core): short-circuit async-resolve when it returns an already-registered
module (#34058)
- fix(doc): resolve npm entrypoints without types (#34147)
- fix(ext/crypto): add SHA3 support to crypto.subtle.digest (#32342)
- fix(ext/crypto): normalize P-521 SPKI exports (#34087)
- fix(ext/crypto): validate raw key length on X25519/X448/Ed25519 importKey
(#33944)
- fix(ext/fetch): close response_rid when abort races op_fetch_send completion
(#33928)
- fix(ext/fs): run open_async on the blocking pool so FIFO opens don't stall the
runtime (#33667)
- fix(ext/image): handle bitmaps in `createImageBitmap` correctly (#34285)
- fix(ext/napi): run weak-callback finalizers synchronously in second-pass
(#34023)
- fix(ext/node): DSA keygen with arbitrary modulusLength (#34206)
- fix(ext/node): MessagePort.on('message') should deduplicate listeners (#33991)
- fix(ext/node): Node-compatible TAP reporter for node:test (#34255)
- fix(ext/node): TLSSocket.setServername throws typed errors (#33744)
- fix(ext/node): Worker rejects --heap-prof and --cpu-prof execArgv flags with
wrong error (#34011)
- fix(ext/node): accept ArrayBufferView in tls.setDefaultCACertificates (#33700)
- fix(ext/node): accept CryptoKey input in createPublicKey/createPrivatβ¦
(#33750)
- fix(ext/node): add ERR_REQUIRE_ASYNC_MODULE and ERR_REQUIRE_CYCLE_MODULE error
codes (#33921)
- fix(ext/node): add `limits` property on `node:sqlite` DatabaseSync (#33106)
- fix(ext/node): add active process resources APIs (#34101)
- fix(ext/node): add emitExperimentalWarning/pendingDeprecate to internal/util,
support modifyPrototype option in util.deprecate (#33660)
- fix(ext/node): add http2.performServerHandshake to polyfill (#33668)
- fix(ext/node): add linkRequests/moduleRequests/instantiate to node:vm (#34131)
- fix(ext/node): add post-resolution deny check in TCPWrap connect (#33880)
- fix(ext/node): add process._debugEnd() / process._debugProcess() (#34194)
- fix(ext/node): add test.expectFailure to node:test (#34130)
- fix(ext/node): add tls.getCaCertificates() (#32032)
- fix(ext/node): add util.setTraceSigInt stub (#34013)
- fix(ext/node): add v8.GCProfiler (#34158)
- fix(ext/node): add v8.queryObjects() and util.queryObjects() (#34159)
- fix(ext/node): add v8.startupSnapshot API polyfill (#34189)
- fix(ext/node): align crypto KeyObject PKCS#8 encryption, JWK input and PSS
salt with Node (#33757)
- fix(ext/node): align inspector WebSocket URL with Node.js format
(ws://host:port/UUID) (#33592)
- fix(ext/node): align nextTick ordering in ESM (#34085)
- fix(ext/node): align node stream `destroy` named export (#33573)
- fix(ext/node): align scrypt behavior and performance with Node (#33773)
- fix(ext/node): allow explicit paramEncoding for EC key generation (#33807)
- fix(ext/node): allow tls.Server SecureContext without cert/key for SNICallback
(#33715)
- fix(ext/node): apply Deno's resolver inside loader-hook defaultResolve
(#33964)
- fix(ext/node): apply encoding to Dirent name/parentPath in fs.readdir (#33972)
- fix(ext/node): apply http1Options to HTTP/2 secure server fallback (#33678)
- fix(ext/node): attach addAbortListener to EventEmitter, fix errorMonitor
(#34262)
- fix(ext/node): avoid panic in vm.createContext loop at isolate teardown
(#34195)
- fix(ext/node): bind setImmediate callback this to the Immediate instance
(#33716)
- fix(ext/node): bind to IPv6 wildcard for default Server.listen() to enable
dual-stack (#33617)
- fix(ext/node): cancel pending TLS writes when the socket closes (#33690)
- fix(ext/node): close named-pipe handles after child_process.spawn on Windows
(#33941)
- fix(ext/node): complete TLS peer cert chains (#34098)
- fix(ext/node): decrypt encrypted private keys in publicEncrypt/privateDecrypt
and ignore passphrase (#33770)
- fix(ext/node): decrypt legacy Proc-Type/DEK-Info encrypted PEM private keys
(#33769)
- fix(ext/node): defer http2 stream window replenishment while paused (#33640)
- fix(ext/node): detect non-mtime stat changes in StatWatcher (#33950)
- fix(ext/node): dns resolveAny with real ANY query, retry/maxTimeout support
(#33577)
- fix(ext/node): don't emit ServerResponse 'finish' after client abort (#34026)
- fix(ext/node): drive TLSWrap cycle on JSStream writes to fix deadlock (#33914)
- fix(ext/node): emit DEP0111/DEP0119 from process.binding under
--pending-deprecation (#33594)
- fix(ext/node): emit DEP0192 deprecation warning when _tls_common is required
(#33819)
- fix(ext/node): emit ERR_HTTP2_MAX_PENDING_SETTINGS_ACK via session error
instead of throwing (#33679)
- fix(ext/node): emit ERR_HTTP2_TOO_MANY_INVALID_FRAMES for empty DATA frames
without END_STREAM (#33644)
- fix(ext/node): emit Protocol error when http2 client connects to non-h2 server
(#33740)
- fix(ext/node): emit deprecation warnings for legacy stream/_tls_wrap requires
and module.parent (#34086)
- fix(ext/node): emit destroy for cleared immediates (#34084)
- fix(ext/node): emit diagnostics_channel events for HTTP server (#33908)
- fix(ext/node): emit drained server close on next tick for Node parity (#33672)
- fix(ext/node): emit http PerformanceObserver entries for HttpClient and
HttpRequest (#33826)
- fix(ext/node): emit perf_hooks PerformanceEntry for http2 sessions and streams
(#33618)
- fix(ext/node): enable quic node compat tests by correcting .mjs file
extensions in config (#33824)
- fix(ext/node): enable test-crypto-keygen-async-explicit-elliptic-curve
(#33812)
- fix(ext/node): enable test-crypto-rsa-dsa node compat test with DSA encrypted
keys (#33811)
- fix(ext/node): enable test-crypto-sign-verify node compat test (#33810)
- fix(ext/node): enable test-crypto.js node compat test (#33822)
- fix(ext/node): enable test-http2-server-shutdown-redundant (#33793)
- fix(ext/node): enforce OpenSSL SECLEVEL key-strength check in
createSecureContext (#33686)
- fix(ext/node): expand diagnostics_channel coverage (#34243)
- fix(ext/node): export UV_EOF and fix Socket._final without connect (#34211)
- fix(ext/node): expose Http2Session and nghttp2ErrorString on http2
internalBinding (#33732)
- fix(ext/node): expose Http2Session and nghttp2ErrorString on http2
internalBinding (#33742)
- fix(ext/node): expose Http2Stream and nghttp2ErrorString on http2
internalBinding (#33729)
- fix(ext/node): expose TLS server name (SNI) on server-side TLSSocket via
getServername op (#33725)
- fix(ext/node): expose `E` and `SystemError` from `internal/errors` (#34080)
- fix(ext/node): expose http2 internalBinding and add missing HTTP2_HEADER_*
constants (#33726)
- fix(ext/node): expose http2 session setNextStreamID with capital-ID method
name (#33666)
- fix(ext/node): expose http2 test bindings and route pushStream through
pushPromise (#33741)
- fix(ext/node): expose internal webstreams modules (#34107)
- fix(ext/node): expose internal/async_hooks as requireable module (#34116)
- fix(ext/node): expose internal/fs/promises with FileHandle (#34118)
- fix(ext/node): expose internal/js_stream_socket and add default read path
(#34088)
- fix(ext/node): expose internal/net as requireable module (#34152)
- fix(ext/node): expose internal/options as requireable module (#34117)
- fix(ext/node): expose internal/tty as requireable module (#34105)
- fix(ext/node): expose internal/url so require('internal/url') works (#34012)
- fix(ext/node): expose internal/util/debuglog and add formatTime helper
(#33665)
- fix(ext/node): fire uncaughtExceptionMonitor with correct origin for sync
top-level throws (#34048)
- fix(ext/node): fix TLS crash with Happy Eyeballs address fallback (#33641)
- fix(ext/node): fix TLS peer certificate multi-value fields, issuer chain, and
EC curve names (#33782)
- fix(ext/node): fix child_process.send() backpressure return value (#33869)
- fix(ext/node): fix module resolution for nested package.json files (#33767)
- fix(ext/node): flesh out node:trace_events polyfill (#34216)
- fix(ext/node): forward http2 protocol errors from invalid frame callback to
session error event (#33630)
- fix(ext/node): handle HTTP/2 flow control (#33795)
- fix(ext/node): handle connectionsCheckingInterval option and send 408 for
request timeout (#33836)
- fix(ext/node): handle unhandled rejections in node:test without crashing
runner (#33749)
- fix(ext/node): implement AES Key Wrap and Key Wrap with Padding ciphers
(#33813)
- fix(ext/node): implement ALPNCallback and SNICallback for TLS server (#33360)
- fix(ext/node): implement ECDH validation and DH verifyError (#33751)
- fix(ext/node): implement Module._stat (#34157)
- fix(ext/node): implement SocketAddress class (#34020)
- fix(ext/node): implement TCP/TLS socket useUserBuffer (#34164)
- fix(ext/node): implement displayErrors for vm scripts (#33942)
- fix(ext/node): implement h2 END_STREAM packing and Http2Session
PerformanceObserver entries (#33796)
- fix(ext/node): implement missing node:test APIs (#33764)
- fix(ext/node): implement mock.getter, mock.setter, mockImplementation in
node:test (#33755)
- fix(ext/node): implement noDelay property on net.Server and apply TCP_NODELAY
to accepted (#33828)
- fix(ext/node): implement node:cluster on unix (#33752)
- fix(ext/node): implement node:wasi preview1 compat (#34245)
- fix(ext/node): implement vm.SyntheticModule constructor (#34014)
- fix(ext/node): import/export PKCS#8 and legacy encrypted PEM private keys
(#33762)
- fix(ext/node): improve http server parser compat (#34094)
- fix(ext/node): improve https agent compat (#34091)
- fix(ext/node): improve module hooks support (#33877)
- fix(ext/node): improve node:tls test compatibility (#34067)
- fix(ext/node): improve worker_threads MessagePort compatibility (#34250)
- fix(ext/node): isolate TLS client reject session resumption (#34097)
- fix(ext/node): make hideStackFrames actually hide frames, expose
internal/validators (#33673)
- fix(ext/node): map rustls record-decode errors to OpenSSL-style "wrong version
number" (#33711)
- fix(ext/node): module hook fixes for ESM nextLoad, createRequire URL, and
builtin redirects (#34219)
- fix(ext/node): node:repl improvements (#33930)
- fix(ext/node): node:test improvements (#33929)
- fix(ext/node): node:test with watch-mode events (#34254)
- fix(ext/node): normalize underscored V8 flags (#34129)
- fix(ext/node): omit glibc version fields on musl/non-Linux (#33987)
- fix(ext/node): pad DH shared secret and fix prime sign byte for stateless
diffieHellman (#33761)
- fix(ext/node): pass URL to kOnHeadersComplete when request has no headers
(#33831)
- fix(ext/node): per-request executionAsyncResource() for async_hooks (#34188)
- fix(ext/node): polyfill module.enableCompileCache and companions (#34190)
- fix(ext/node): port internal/priority_queue and expose it via require (#33696)
- fix(ext/node): preserve AsyncLocalStorage context across HTTP/2 client streams
(#33677)
- fix(ext/node): preserve raw socket connect when wrapping TLS (#34093)
- fix(ext/node): prevent panic when importing node builtins after
module.register() (#33920)
- fix(ext/node): prevent top-level `await test(...)` deadlock in node:test
(#33947)
- fix(ext/node): propagate highWaterMark option from http.createServer to req
and res (#33825)
- fix(ext/node): readFile of large file via fd returns scrambled content
(#34258)
- fix(ext/node): refresh async id for reused agent sockets (#34138)
- fix(ext/node): register sigwinch listeners for stdout/stderr (#33890)
- fix(ext/node): reject structuredClone for file-backed Blobs (#34075)
- fix(ext/node): report directory imports with node error code (#34076)
- fix(ext/node): restore llhttp parser.data after execute to handle re-entrant
calls (#33832)
- fix(ext/node): retry named-pipe connect on ERROR_PIPE_BUSY (Windows) (#33974)
- fix(ext/node): route ServerHttp2Stream.respond through binding proto (#33736)
- fix(ext/node): run load hook chain on every require() of a builtin (#34223)
- fix(ext/node): run register() hooks in worker thread, add
--experimental-loader flag (#33906)
- fix(ext/node): satisfy agent-base node:https stack-trace check (#34264)
- fix(ext/node): send http2 GOAWAY before stream RSTs so peer sees session
destroy code (#33637)
- fix(ext/node): set OSSL error codes and key-type checks in stateless
diffieHellman (#33772)
- fix(ext/node): share TLS session cache and ticketer for tls.TLSSocket session
resumption (#33693)
- fix(ext/node): skip ESM load hook bridge for CJS modules (#33861)
- fix(ext/node): support CA certificate introspection and off-thread loading
tests (#33708)
- fix(ext/node): support PKCS#8 encrypted private key PEM export via PBES2
(#33758)
- fix(ext/node): support TLS client resume compat tests (#34095)
- fix(ext/node): support `encoding` option in `fs.watch` (#33634)
- fix(ext/node): support `signal` option in `fs.watch`/`fs.promises.watch`
(#33650)
- fix(ext/node): support abstract Unix sockets in node:net pipe bind (#33872)
- fix(ext/node): support encrypted PKCS#8 DER private key export and import
(#33756)
- fix(ext/node): support node:fs APIs on VFS files in deno compile (#33803)
- fix(ext/node): support sending net.Socket and net.Server handles to child
processes on unix (#33605)
- fix(ext/node): support shouldUpgradeCallback in http server (#34092)
- fix(ext/node): support undici dispatcher for allowHTTP1 websocket upgrades
(#33731)
- fix(ext/node): surface ERR_REQUIRE_ASYNC_MODULE/CYCLE_MODULE codes and fix TLA
retry (#34060)
- fix(ext/node): tagged template literal support for SQL (#34018)
- fix(ext/node): throw ERR_CRYPTO_HASH_FINALIZED on subsequent Hash.digest()
calls (#33774)
- fix(ext/node): throw ERR_INVALID_ARG_VALUE for falsy dns.lookup hostname
(#34234)
- fix(ext/node): throw ERR_INVALID_ARG_VALUE for odd-length headers array in
http.ServerResp (#33820)
- fix(ext/node): throw OpenSSL-shaped error from tls.createSecureContext when
clientCertEngine is set (#33691)
- fix(ext/node): throw correct error for encrypted PEM key in privateDecrypt
(#33808)
- fix(ext/node): tls server error message, rejection capture, two compat tests
(#34183)
- fix(ext/node): unblock fs.open on FIFOs and read pipes correctly in http2
respondWithFile (#33792)
- fix(ext/node): use ASCII byte-truncation in http2 writeAsciiString polyfill
(#33645)
- fix(ext/node): use core.loadExtScript for deno_web/deno_io polyfill deps
(#33798)
- fix(ext/node): use primordials in internal_binding/symbols.ts (#33865)
- fix(ext/node): use proper error codes for tls.TLSSocket.setServername()
(#33745)
- fix(ext/node): use queueMicrotask in fs.close to avoid sanitizer
false-positive (#33714)
- fix(ext/node): validate data type in Cipheriv/Decipheriv update() (#33649)
- fix(ext/node): validate fs.watch options.ignore (#33574)
- fix(ext/node): wire HTTP/2 PING ack callbacks and emit payload buffer (#33794)
- fix(ext/node): wire http2 maxSettings option to
nghttp2_option_set_max_settings (#33790)
- fix(ext/node): wire up http2 per-session maxOutstandingPings flag (#33791)
- fix(ext/node): wrap process.chdir errors with path/dest/syscall (#33584)
- fix(ext/process): respect AbortSignal in Deno.Command.output() (#34069)
- fix(ext/process): tolerate unlinked cwd in spawn (#33587)
- fix(ext/tls): upgrade rustls to fix SSL cert validation regression (#33912)
- fix(ext/url): URLSearchParams Node-compat error messages on invalid this and
missing args (#34017)
- fix(ext/url): align URLSearchParams with Node for node:url compat (#34119)
- fix(ext/web): convert MessageEvent ports via WebIDL sequence iteration
(#33652)
- fix(ext/web): respect cancelable and passive flags in Event.returnValue setter
(#33651)
- fix(ext/websocket): don't panic on H2 stream reset in poll_write (#33982)
- fix(fmt): panic on tagged HTML template with multi-level indent (#34263)
- fix(init): replace add(2,3) template with Deno.serve HTTP server (#33042)
- fix(install): don't treat JS scripts with non-Node shebang as native binaries
(#33971)
- fix(install): regenerate lockfile with --force on global install (#33970)
- fix(lsp): don't panic on unresolved dts import hover (#34112)
- fix(node): fix registerHooks for custom file type loaders (#33899)
- fix(node): weakly track util.aborted resources (#34142)
- fix(node/fs): readSync with position argument returns EINVAL (#34021)
- fix(node/sqlite): implement DatabaseSync.serialize() and deserialize()
(#34010)
- fix(node/tls): handle detached ArrayBuffer in TLSWrap write methods (#33737)
- fix(node:http2): preserve timeout inspect links on proxied session sockets
(#33721)
- fix(npm): resolve catalog: overrides from workspaces object form (#33816)
- fix(npm): support `catalog:` protocol in overrides (#33799)
- fix(publish): don't panic on provenance generation in non-GitHub CI (#33802)
- fix(repl): drain microtasks after inspector polling to avoid 'Promise was
collected' (#33735)
- fix(resolver): handle tag version req in byonm resolver (#33962)
- fix(task): escape backticks in forwarded args (#34151)
- fix(task): support recursive task completions in workspaces (#32422)
- fix(test): include --watch= in watched paths (fixes #21704) (#32621)
- fix(update): `deno update --lockfile-only` should not update config (#33746)
- fix(watch): apply `--watch-exclude` filter to file change events (#33854)
- fix(workspace): clamp CLI include paths to member folder (#33949)
- fix: bump deno_graph to 0.108.2 for wasm multi-value return types (#34070)
- fix: disable V8 external memory check to prevent panic on large TypedArrays
(#33896)
- fix: fix CJS re-export analysis for npm packages (#33263)
- fix: handle native binary bin entries in global npm install (#33935)
- fix: include node lib by default and use NodeJS.Timeout for timers (#33823)
- fix: report eval scripts as `[eval]` URL for inspector (#34192)
- perf(core): SIMD ASCII fast path for op_decode (#33720)
- perf(core): cap V8 platform thread pool to 4 threads (#33697)
- perf(ext): convert ext/cache, ext/canvas, ext/crypto JS sources to lazy-loaded
scripts (#33778)
- perf(ext): convert ext/fetch JS sources to lazy-loaded scripts (#33784)
- perf(ext): convert ext/ffi JS source to lazy-loaded script (#33780)
- perf(ext): convert ext/io, ext/os, ext/net JS sources to lazy-loaded scripts
(#33779)
- perf(ext): convert ext/kv and ext/webgpu JS sources to lazy-loaded scripts
(#33818)
- perf(ext): convert ext/process and ext/http JS sources to lazy-loaded scripts
(#33817)
- perf(ext): convert ext/telemetry and ext/cron JS sources to lazy-loaded
scripts (#33801)
- perf(ext/fetch): fast-path string in BodyInit_DOMString converter (#33676)
- perf(ext/fetch): skip dict-converter walk on default init in
Request/fetch/Response.json (#33999)
- perf(ext/fs): convert ext/fs JS source to lazy-loaded script (#33800)
- perf(ext/geometry): avoid heap allocation for the argument that requires a
fixed length of sequence (#33688)
- perf(ext/net): reduce Quinn TLS provider size (#34294)
- perf(ext/node): convert 62 more polyfill files to lazy-loaded scripts (#33835)
- perf(ext/node): convert _stream_* polyfills to lazy-loaded JS (#33988)
- perf(ext/node): convert child_process, cluster, console to lazy-loaded JS
(#33925)
- perf(ext/node): convert child_process, fs, http, http2, https, inspector to
lazy-loaded JS (#33967)
- perf(ext/node): convert cluster, console, constants, crypto, dgram, dns to
lazy-loaded JS (#33951)
- perf(ext/node): convert errors.ts, util.mjs, and foundation layer to
lazy-loaded scripts (#33830)
- perf(ext/node): convert fs helpers, streams, dgram, dns/utils to lazy-loaded
ESM (#33936)
- perf(ext/node): convert fs internals, timers, tty, url, webstreams to
lazy-loaded ESM (#33939)
- perf(ext/node): convert http2, readline, stream_base_commons to lazy-loaded JS
(#33932)
- perf(ext/node): convert internal/crypto to lazy-loaded JS (#33919)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33871)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33882)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33897)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33900)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33902)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33909)
- perf(ext/node): convert more polyfills to lazy-loaded JS (#33913)
- perf(ext/node): convert net, _tls_common, _tls_wrap to lazy-loaded JS (#33997)
- perf(ext/node): convert node:events and stream internals to lazy-loaded JS
(#33881)
- perf(ext/node): convert node:path to lazy-loaded JS (#33917)
- perf(ext/node): convert node:util, node:assert to lazy-loaded (#33876)
- perf(ext/node): convert timers, tls, tty, url, v8, worker_threads, zlib to
lazy-loaded JS (#33960)
- perf(ext/node): convert validators.mjs and dependencies to lazy-loaded scripts
(#33821)
- perf(ext/node): optimize direct ServerResponse string end (#34253)
- perf(ext/node): replace node: imports with core.loadExtScript for buffer and
nextTick (#33862)
- perf(ext/node): true writev on tcp sockets for node:http (#33659)
- perf(ext/web): add hyper-fast path for TextDecoder.decode (#33674)
- perf(ext/web): convert all ext/web JS sources to lazy-loaded scripts (#33760)
- perf(ext/web): fast path for TextEncoder.encodeInto (#33675)
- perf(ext/web): lazy-init EventTarget listeners table (#33734)
- perf(ext/web): linear-time set/delete on FormData, URLSearchParams, Headers
(#33961)
- perf(ext/web): optimize TextEncoder encodeInto result (#34055)
- perf(ext/web): structuredClone primitive fast path (#33728)
- perf(ext/webidl): fast path for createDictionaryConverter undefined input
(#33692)
- perf(ext/webidl): hoist EMPTY_OPTS for converter opts default (#34007)
- perf(ext/websocket): lazy-load WebSocket and WebSocketStream JS (#33701)
- perf(http): avoid ReadableStream when full body already buffered (#33844)
- perf(http): directly dispatch into js request handler (#33845)
- perf(http): don't add Vary header if response is not compressed (#33892)
- perf(http): split clear-text HTTP autodetect connection task (#33887)
- perf(libs/core): drop libuv-style partial-read break to fix node:http p99
(#33860)
- perf(runtime): convert 8 runtime JS files to lazy-loaded scripts (#33864)
- perf(snapshot): dedupe JS sources between binary and v8 snapshot (#33992)
- perf: consolidate HTTP Brotli compressor setup (#34282)
- perf: lazy-load more modules in the snapshot (#34061)
- perf: monch 0.6 (#33643)
- perf: use panic=abort in release builds (#34280)
## Deno 2.8
\`import defer\`, six new subcommands (\`deno transpile\`, \`deno pack\`, \`deno bump-version\`, \`deno ci\`, \`deno why\`, \`deno audit fix\`), network debugging in Chrome DevTools, framework-aware \`deno compile\`, and 3.66x faster cold npm installs.
## Claw Patrol: an open-source security firewall for agents
Why we needed an agent firewall that speaks more than HTTP.
### π Bug Fixes
- **runner**: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/10384 [(4f0f2)](https://github.com/vitest-dev/vitest/commit/4f0f2a1ee)
##### [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7)
## pnpm 11.2
pnpm 11.2 ships an experimental opt-in into [pacquet](https://npmx.dev/package/@pnpm/pacquet) (the Rust port of pnpm) as the install backend, expands [config dependencies](https://pnpm.io/config-dependencies) to install one level of `optionalDependencies` (so the esbuild/swc platform-binary pattern works for config deps too), wires up the long-documented `pnpm login --scope` flag, and surfaces runtime entries (Node.js, Deno, Bun) in `pnpm outdated` and `pnpm update --interactive`.
## Minor Changes[β](https://pnpm.io/blog/releases/11.2#minor-changes)
### Experimental: pacquet as the install backend[β](https://pnpm.io/blog/releases/11.2#experimental-pacquet-as-the-install-backend)
Adding [`@pnpm/pacquet`](https://npmx.dev/package/@pnpm/pacquet) (the Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now delegates the materialization phase of `pnpm install` to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine β see [#11723](https://github.com/pnpm/pnpm/issues/11723).
To configure pacquet in a project, run:
```
pnpm add @pnpm/pacquet --config
```
You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know in the GitHub issue you create.
### `optionalDependencies` for config dependencies[β](https://pnpm.io/blog/releases/11.2#optionaldependencies-for-config-dependencies)
[Config dependencies](https://pnpm.io/config-dependencies) now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os` / `cpu` / `libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` β a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly.
The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version β ranges and tags are rejected to keep installs reproducible.
### `pnpm login --scope`[β](https://pnpm.io/blog/releases/11.2#pnpm-login---scope)
The long-documented `pnpm login --scope ` flag is now implemented. The scope is normalized (a leading `@` is added if missing; blank values are ignored) and an `@:registry=` mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of `@/*` packages then route to the chosen registry. Previously the documented flag errored with `Unknown option: 'scope'`. See [#11716](https://github.com/pnpm/pnpm/issues/11716).
### Runtimes in `outdated` and `update --interactive`[β](https://pnpm.io/blog/releases/11.2#runtimes-in-outdated-and-update---interactive)
[`pnpm outdated`](https://pnpm.io/cli/outdated) and [`pnpm update --interactive`](https://pnpm.io/cli/update) now report Node.js, Deno, and Bun runtimes installed as project dependencies (`runtime:` specifiers). Previously these were silently skipped.
## Patch Changes[β](https://pnpm.io/blog/releases/11.2#patch-changes)
- Fixed `cafile=` in `.npmrc` being read from the wrong directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir install` from a CI wrapper or monorepo script). The path is now resolved against the directory of the `.npmrc` that declared it, not `process.cwd()`. Before this fix, the install proceeded without the configured CA and the user only saw TLS errors against a private registry with no log line tying back to the wrongly resolved path [#11624](https://github.com/pnpm/pnpm/issues/11624).
- Fixed `config.registry` getting a trailing slash appended when `registry` is set in `.npmrc` and no `registries.default` is provided by `pnpm-workspace.yaml`.
- Fixed global add/update to handle `minimumReleaseAge` policy violations instead of surfacing an internal resolver guardrail error.
- Fixed two crashes with `injectWorkspacePackages: true` when the lockfile has been pruned (e.g. by `turbo prune --docker`): a `Cannot use 'in' operator to search for 'directory' in undefined` from peer-dependency-variant injected snapshots whose base `packages:` entry had been dropped, and an `ERR_PNPM_ENOENT` on `node_modules/.bin/` after `prepare` / `postinstall` re-imported each injected workspace package.
- Fixed `pnpm login` and `pnpm logout` ignoring `registries.default` from `pnpm-workspace.yaml` [#10099](https://github.com/pnpm/pnpm/issues/10099).
- Fixed the `minimumReleaseAge` (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose `modified` field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full metadata wasn't permitted).
- Honor `publishConfig.access` when publishing packages.
## 11.2.1[β](https://pnpm.io/blog/releases/11.2#1121)
- Mark optional subdependency snapshots of config dependencies with `optional: true` in the env lockfile, matching how optional dependencies are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's `optionalDependencies` were written as empty objects.
- Fixed `pickRegistryForPackage` returning the wrong registry for an unscoped `npm:` alias under a scoped local name. A manifest entry like `"@private/foo": "npm:lodash@^1"` was routing the `lodash` fetch through `registries["@private"]`, even though `lodash` is unscoped.
- Don't print `Installing config dependencies...` when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed.
## 11.2.2[β](https://pnpm.io/blog/releases/11.2#1122)
- When the install engine is delegated to pacquet via `configDependencies`, the user's CLI flags passed to `pnpm install` (e.g. `--no-runtime`, `--prod`, `--dev`, `--no-optional`, `--node-linker`, `--cpu` / `--os` / `--libc`, `--offline`, `--prefer-offline`) are now forwarded to pacquet's `install` subcommand verbatim. Previously pacquet was invoked with a fixed argument list, so flags like `--no-runtime` were silently dropped. Flag forwarding is gated on the command being `install` / `i`; `add`, `update`, and `dedupe` still don't forward (their flag surface doesn't line up with pacquet's `install`).
- Fixed `pnpm up` (and `pnpm add` / `pnpm remove`) failing with `pacquet_package_manager::outdated_lockfile` when pacquet is declared in `configDependencies`. pnpm now passes `--ignore-manifest-check` to pacquet so its `--frozen-lockfile` check doesn't fire against the (pre-mutation) `package.json` pnpm hasn't written yet [#11797](https://github.com/pnpm/pnpm/issues/11797).
"undefined"!=typeof \_bsa&&\_bsa&&\_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:\` ##description##
##callToAction## \`})
## Turborepo v2.9.14
> [!NOTE]
> This release contains important security fixes.
### High:
- [GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection](https://github.com/vercel/turborepo/security/advisories/GHSA-5xc8-49mv-x4mm)
### Low:
- [GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation](https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r)
- [GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection](https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726)
## What's Changed
### Changelog
* release(turborepo): 2.9.12 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12774
* fix: Restore docs mobile menu by @anthonyshew in https://github.com/vercel/turborepo/pull/12782
* ci: Use `pull_request` for PR title linting by @anthonyshew in https://github.com/vercel/turborepo/pull/12787
* ci: Scope GitHub Actions caches by branch by @anthonyshew in https://github.com/vercel/turborepo/pull/12788
* test: Validate lockfiles without dependency downloads by @anthonyshew in https://github.com/vercel/turborepo/pull/12789
* Removed unneeded import form hash creation script in docs by @dancrumb in https://github.com/vercel/turborepo/pull/12799
* fix: Validate auth callback state by @anthonyshew in https://github.com/vercel/turborepo/pull/12802
* fix: Harden VS Code extension command execution by @anthonyshew in https://github.com/vercel/turborepo/pull/12800
* fix: Avoid project-local Yarn during detection by @anthonyshew in https://github.com/vercel/turborepo/pull/12801
* chore: Release 2.9.13 by @anthonyshew in https://github.com/vercel/turborepo/pull/12803
## New Contributors
* @dancrumb made their first contribution in https://github.com/vercel/turborepo/pull/12799
**Full Changelog**: https://github.com/vercel/turborepo/compare/v2.9.12...v2.9.14
## Bun v1.3.14
To install Bun v1.3.14
```bash
curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun
```
Windows:
```bash
powershell -c "irm bun.sh/install.ps1|iex"
```
To upgrade to Bun v1.3.14:
```bash
bun upgrade
```
## [Read Bun v1.3.14's release notes on Bun's blog](https://bun.com/blog/bun-v1.3.14)
### Thanks to 11 contributors!
- [@190n](https://github.com/190n)
- [@alii](https://github.com/alii)
- [@carlsmedstad](https://github.com/carlsmedstad)
- [@cirospaciari](https://github.com/cirospaciari)
- [@coleleavitt](https://github.com/coleleavitt)
- [@djs5008](https://github.com/djs5008)
- [@dylan-conway](https://github.com/dylan-conway)
- [@ig-ant](https://github.com/ig-ant)
- [@Jarred-Sumner](https://github.com/Jarred-Sumner)
- [@robobun](https://github.com/robobun)
- [@sosukesuzuki](https://github.com/sosukesuzuki)
### π Bug Fixes
- **browser**: Provide project reference in `ToMatchScreenshotResolvePath` - by @macarie and @sheremet-va in https://github.com/vitest-dev/vitest/issues/10138 [(31882)](https://github.com/vitest-dev/vitest/commit/31882607c)
- Global `sequence.concurrent: true` with top-level `test(..., { concurrent: false })` + depreacte `sequential` test API and options - by @hi-ogawa, **Codex** and @sheremet-va in https://github.com/vitest-dev/vitest/issues/10196 [(2847d)](https://github.com/vitest-dev/vitest/commit/2847dfa2a)
- **browser**: Simplify orchestrator otel carrier - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/10285 [(18af9)](https://github.com/vitest-dev/vitest/commit/18af98cee)
### π Performance
- Stringify diff objects only once - by @sheremet-va in https://github.com/vitest-dev/vitest/issues/10276 [(9f7b1)](https://github.com/vitest-dev/vitest/commit/9f7b1528c)
##### [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6)
## pnpm 11.1
pnpm 11.1 adds a few new commands β [`pnpm audit signatures`](https://pnpm.io/cli/audit#signatures), [`pnpm bugs`](https://pnpm.io/cli/bugs), and [`pnpm owner`](https://pnpm.io/cli/owner) β alongside support for installing from arbitrary named registries (including a built-in alias for the GitHub Packages npm registry), the ability to skip runtime installation in CI, and several fixes.
## Minor Changes[β](https://pnpm.io/blog/releases/11.1#minor-changes)
### `pnpm audit signatures`[β](https://pnpm.io/blog/releases/11.1#pnpm-audit-signatures)
A new [`pnpm audit signatures`](https://pnpm.io/cli/audit#signatures) subcommand verifies ECDSA registry signatures for installed packages against keys published at `/-/npm/v1/keys` [#7909](https://github.com/pnpm/pnpm/issues/7909). Scoped registries are respected; registries that don't publish signing keys are skipped.
```
pnpm audit signatures
```
### Named registries (and a built-in `gh:` alias)[β](https://pnpm.io/blog/releases/11.1#named-registries-and-a-built-in-gh-alias)
You can now install packages from the [GitHub Packages npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) via a built-in `gh:` prefix, and β more broadly β from arbitrary named registries in the style of [vlt's named-registry aliases](https://docs.vlt.sh/cli/registries):
```
pnpm add gh:@acme/private
```
Authentication is picked up from existing per-URL `.npmrc` entries (e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth mechanism is required.
Additional aliases β or an override for the built-in `gh` alias, for GitHub Enterprise Server β can be configured under `namedRegistries` in `pnpm-workspace.yaml`:
pnpm-workspace.yaml
```
namedRegistries:
gh: https://npm.pkg.github.example.com/
work: https://npm.work.example.com/
```
With this, `work:@corp/lib@^2.0.0` resolves against `https://npm.work.example.com/`. See [#8941](https://github.com/pnpm/pnpm/issues/8941).
### `--sbom-spec-version`[β](https://pnpm.io/blog/releases/11.1#--sbom-spec-version)
[`pnpm sbom`](https://pnpm.io/cli/sbom) now accepts a `--sbom-spec-version` flag to choose the CycloneDX specification version (`1.5`, `1.6`, or `1.7` β default `1.7`). The flag is only valid with `--sbom-format cyclonedx`. See [#11389](https://github.com/pnpm/pnpm/pull/11389).
### `--no-runtime` for CI matrices[β](https://pnpm.io/blog/releases/11.1#--no-runtime-for-ci-matrices)
A new `--no-runtime` flag (config: `runtime=false`) skips installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and `.bin` linking are skipped. This is useful in CI matrices where the runtime is provisioned externally (e.g. via `pnpm runtime -g set node `) before `pnpm install` runs.
### `pnpm bugs`[β](https://pnpm.io/blog/releases/11.1#pnpm-bugs)
The new [`pnpm bugs`](https://pnpm.io/cli/bugs) command opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's `package.json`; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. It falls back to `/issues` when the `bugs` field is missing. See [#11279](https://github.com/pnpm/pnpm/pull/11279).
### `pnpm owner`[β](https://pnpm.io/blog/releases/11.1#pnpm-owner)
The new [`pnpm owner`](https://pnpm.io/cli/owner) command manages package owners on the registry:
```
pnpm owner ls package>
pnpm owner add package> user>
pnpm owner rm package> user>
```
## Patch Changes[β](https://pnpm.io/blog/releases/11.1#patch-changes)
-
`pnpm view` now prints "published X ago by Y" alongside the rest of its output, mirroring `npm view`. This is useful when comparing against `minimumReleaseAge`. For example, `pnpm view pnpm` now shows `published 17 hours ago by GitHub Actions`.
-
`pnpm publish` now honors the configured HTTP/HTTPS proxy (including the `https_proxy` / `http_proxy` / `no_proxy` environment variables) when polling the registry's `doneUrl` during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond `403` from a different source IP and the login to never complete [#11561](https://github.com/pnpm/pnpm/issues/11561).
-
`pnpm add -g` now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so they share dependencies and are removed together), pass them as a comma-separated list. For example:
`pnpm add -g foo bar` installs `foo` and `bar` as two independent globals β removing one does not affect the other.
- `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single isolated install while `qar` is installed on its own.
Related: [#11587](https://github.com/pnpm/pnpm/issues/11587).
-
`pnpm runtime set ` no longer fails in the root of a multi-package workspace with the `ADDING_TO_ROOT` error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.
-
Fixed `pnpm --version` hanging for the lifetime of the worker pool after the version was printed. The CLI entry now runs `finishWorkers()` from its own `finally`, so every exit path tears the pool down.
"undefined"!=typeof _bsa&&_bsa&&_bsa.init("custom","CWYI4K7E","placement:pnpmio",{target:"#bsa-custom-01",template:`
##description##
##callToAction##
`})
## Turborepo v2.9.12
## What's Changed
### Changelog
* release(turborepo): 2.9.11 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12771
* fix: Allow transit nodes in LSP diagnostics by @anthonyshew in https://github.com/vercel/turborepo/pull/12773
**Full Changelog**: https://github.com/vercel/turborepo/compare/v2.9.11...v2.9.12