pnpm closes supply-chain holes while Turborepo fixes its stability floor
May 25–31, 2026
pnpm 11.4 and 11.5 shipped security hardening around lockfiles, credentials, and patch files, while Turborepo landed a series of fixes for process hangs, symlink races, and Bun compatibility across four canary and stable releases.
Supply-chain hardening with pnpm
Pnpm 11.4 closed a cluster of supply-chain attack surfaces that could let malicious registries or git references slip tampered code into a project without detection. Lockfile integrity checks are now enforced by default, tarball integrity mismatches block installs (with a scoped --update-checksums opt-in for legitimate retractions), and git resolutions are validated against their expected commit hashes. Credential scoping was tightened so tokens don't leak across registries, and patch files are checked before application. The change also hardened dependency alias validation and made pnpm runtime set write to devEngines.runtime by default instead of engines.runtime, keeping the latter reserved for explicit runtime requirements.
A week later, Pnpm 11.5 added a more granular quality-of-life feature: the new hoistingLimits setting gives developers fine control over how far dependencies hoist in nodeLinker: hoisted installs, useful for monorepos with deeply nested dependency trees. The release also replaced the interactive prompt library to fix scrolling in long choice lists, and recognized staged publishes in pnpm's trust scale.
Turborepo's stability sprint
Turborepo dominated the week's release volume with five updates between May 26 and May 30, and the theme was unmistakably stability. Turborepo v2.9.15 landed first, fixing symlink race conditions during cache restore and archive reads, preventing Windows process drain hangs, and removing widespread panic! callsites that could crash the tool on unexpected states. It also fixed prune's handling of package.json workspaces and Bun alias child package preservation.
The v2.9.16 stable release doubled down on the process hang issue from the previous release, fixing a PTY shutdown hang that could leave processes stuck indefinitely. It also preserved nested Bun dependency versions correctly and ensured --no-git no longer accidentally deletes an existing .git directory. Two canary releases followed: v2.9.16-canary.2 added heap allocation profiling and hardened OpenTelemetry endpoint validation, while v2.9.17-canary.2 added HTTP timeouts for authentication requests and fixed graceful shutdown on Windows.
The v2.9.17-canary.1 in between continued the Bun dependency version preservation work and fixed non-PTY stdin staying alive for persistent tasks. Taken together, this week's Turborepo output reads like a systematic audit of the tool's process lifecycle — symlinks, PTY shutdowns, Windows drains, and root task detection all got explicit attention.
Deno's Node.js compatibility patch
Deno v2.8.1 wasn't a headline feature release, but it fixed several sharp edges in Node.js compatibility that matter for production workloads. TLSSocket.authorized now correctly returns false when clients present no certificate (matching Node's behavior), PKCS#12 MAC support was added to TLS SecureContext for enterprise certificate handling, and fs.watch now emits error events on open failures instead of silently failing. Network permission checks now apply to resolved IPs in both fetch and WebSocket, closing a potential bypass vector. The release also fixed a panic in deno test --parallel and improved error messages when importing .node native addons via ESM.
Releases covered
- Turborepo v2.9.15 fixes cache symlink races and process handling
- Turborepo v2.9.16 fixes PTY shutdown hang and Bun dependency handling
- Turborepo v2.9.16-canary.2 adds heap allocation profiling and hardens OTEL validation
- Turborepo v2.9.17-canary.2 adds auth HTTP timeouts and fixes Windows shutdown
- Turborepo v2.9.17-canary.1 fixes Bun dependency versions and .git deletion