releases.shpreview

Deno 2.8 rewires the CLI, pnpm experiments with Rust

May 18–24, 2026

Deno shipped its biggest release of the year with workspace support, six new subcommands, and a new agent security firewall, while pnpm opened the door to a Rust-powered install backend and Turbo kept hardening.

Deno 2.8: a packed release reshapes the CLI

This week belonged to Deno 2.8, which landed with more surface-area changes than any Deno release in recent memory. The headline addition is workspace support in deno bump-version alongside a new catalog: protocol that lets monorepo teams centralize dependency versions the way pnpm's pnpm-workspace.yaml already does — finally giving large Deno workspaces a first-party versioning story. On the CLI front, Deno now ships six new subcommands: deno transpile, deno pack, deno bump-version, deno ci, deno why, and deno audit fix, each filling what had been a gap in the developer workflow. The cold npm install path got a 3.66x speedup, and deno compile gained framework-awareness so it can bundle framework configurations without manual flags.

Separately, Deno also released Claw Patrol, an open-source security firewall designed for AI agents that goes beyond HTTP-level protection — a sign that Deno is thinking hard about where JavaScript runtimes intersect with the agent ecosystem.

pnpm experiments with a Rust backend

pnpm 11.2 shipped an experimental opt-in to pacquet, a Rust reimplementation of pnpm's install logic. It's behind a flag today and only covers install, not publish or audit, but it marks the first time pnpm has offered an alternative to its JavaScript core. The same release expanded config dependencies to install one level of optionalDependencies — enough to make the esbuild/swc platform-binary pattern work inside config deps — and surfaced runtime binaries (Node, Deno, Bun) in pnpm outdated and pnpm update --interactive. A week later pnpm 11.3 added pnpm stage for npm's staged publishing, a trustLockfile setting to skip supply-chain verification on lockfiles you already trust, and native implementations of pnpm pkg, pnpm repo, and pnpm set-script.

Turborepo tightens up and Vitest preps for v5

Turborepo's canary train continued with three closely-spaced releases. v2.9.15-canary.4 focused on Rust codebase stability, removing expect() and unwrap() calls throughout and fixing race conditions in cache restore, symlink handling, and daemon directory creation. canary.6 restored task completion semantics and fixed nested Bun workspace dependency versions being lost, while canary.7 restored release PR auto-merge and added gitignore matcher indexing. Taken together, the theme is clear: Turbo is methodically eliminating panic paths and edge cases ahead of a stable cut.

On the testing front, Vitest v5.0.0-beta.3 now requires Node.js 22 and Vite 6.4, and makes expect.poll fail when the polled function never resolves in time. Meanwhile, v4.1.7 backported a concurrency fix that limits parallelism per task branch rather than per leaf callback, keeping the stable channel healthy while v5 takes shape.

Releases covered