releases.shpreview

Post-quantum crypto lands in Deno, Vitest ships v5 beta

June 1–7, 2026

Deno 2.8.2 adds post-quantum cryptography and a `--minify` flag for compiled binaries, while Vitest released its v5 beta with breaking changes and backported security controls for the browser test runner.

Deno goes post-quantum

Deno 2.8.2 is the week's standout release, bringing ML-DSA (FIPS 204) digital signatures and ML-KEM (FIPS 203) key encapsulation to the Web Crypto API — both NIST-standardized post-quantum algorithms designed to withstand attacks from future quantum computers. The same release adds ChaCha20-Poly1305, SHAKE (including cSHAKE and TurboSHAKE), and SHA-3 HMAC support, rounding out what is now one of the most comprehensive crypto APIs available in any runtime.

On the tooling side, the deno compile subcommand gains a --minify flag and improved --bundle dependency resolution that scopes npm embeddings to only the packages actually reached by the bundle, reducing binary size. Dozens of bug fixes across Node.js compatibility, the LSP, and file I/O round out the release.

Vitest: stable patches and a v5 peek

Vitest shipped across four versions this week. v3.2.5 and v3.2.6 are maintenance patches — the former backports allowWrite and allowExec API options for the browser test runner, and the latter pins a needed vite-node version. v4.1.8 backports the same allowWrite/allowExec controls plus a fix for orphaned Playwright routes when a module is mocked through multiple IDs. Together these give teams tighter security boundaries: the browser runner's CDP API can now be locked down when write or exec permissions are denied, preventing accidental file system or process access during tests.

More notably, v5.0.0-beta.4 landed as a breaking change preview. It throws an error when hoistable methods appear outside the top-level scope (catching a class of subtle bugs) and makes toHaveTextContent strict — replacing the old behavior with a new toMatchTextContent matcher for substring matching. Teams evaluating the v5 migration should test their assertion suites against this beta.

Turborepo refines monorepo fidelity

Vercel's Turborepo posted three canary releases this week, each tightening dependency resolution. v2.9.17-canary.3 stopped Bun nested dependency versions from being dropped during lockfile processing. v2.9.17-canary.4 began ignoring peer dependencies in the package graph entirely — a behavioral change that can significantly reduce the number of edges Turborepo considers when determining task ordering. v2.9.17-canary.5 fixed pnpm override-resolved depenencies being lost during prune, kept PTY stdin open for tasks, and added P-521 ECDSA certificate chain support over rustls. Combined, these canaries move toward more accurate dependency tracking, especially in mixed-lockfile monorepos.

Releases covered