releases.shpreview

pnpm locks down credential exposure as Turborepo chases Windows PTY parity

June 8–14, 2026

pnpm shipped a security fix stopping repository-controlled `.npmrc` files from expanding environment variables, alongside new releases adding frozen store support and file-free registry auth. Turborepo pushed seven canary releases and two stable patches focused on Windows PTY handling and JIT task input hashing.

Security hardening across the package managers

The week's most consequential release came from pnpm, which stopped expanding environment variables in repository-controlled .npmrc and pnpm-workspace.yaml files. Previously, a cloned repo could use ${ENV_VAR} placeholders in its config to exfiltrate secrets from your shell environment. The fix shipped silently in v10.34.2 and v11.5.3 — check your version if you haven't updated this month.

pnpm 11.6 and 11.7: auth without files, installs without writes

pnpm 11.6 introduced a file-free path to registry authentication: you can now supply credentials entirely through npm_config_//… and pnpm_config_//… environment variables, avoiding the need to touch .npmrc at all. It also raised the default network concurrency and skips full lockfile re-resolution when only the file itself is missing — a small but welcome speed-up for fresh clones.

pnpm 11.7 followed with the frozenStore setting, letting you point installs at a read-only package store (useful in CI or container builds), and a --batch flag that publishes an entire workspace in a single registry request. Scope-specific auth tokens and a move toward full resolving installs delegated to pacquet round out the release.

Turborepo's Windows marathon

Turborepo saw a remarkable cadence: six canary releases plus two stable patches in one week, almost entirely focused on Windows PTY (pseudo-terminal) behavior. The story starts with v2.9.17, which fixed stdin handling for persistent tasks on Windows and introduced JIT task input hashing — a feature that defers cache-key computation until a task is about to run, reducing overhead in large graphs. v2.9.17-canary.1 then started sending Ctrl-C properly to Windows PTY tasks, and canary.2 stopped the shim process from killing the local turbo process on Ctrl+C. By canary.3, Ctrl-C delivery to ConPTY children during graceful shutdown was solid. canary.4 flipped the switch to use PTY for all interactive tasks on Windows, and canary.5 filtered pruned pnpm workspace patches so patch files aren't needlessly included in pruned output. Two other canaries (canary.6 and canary.7) iterated on the JIT hashing machinery — deferring hashes for task dependents and fixing npm shim bypass on Windows.

A stable v2.9.18 landed mid-week with cache archive symlink restore hardening and a git argument injection fix, while the web UI mode was removed across several releases.

Elsewhere

Deno 2.8.3 added watch mode to deno compile, glob support in deno.json links, and ML-DSA JWK import/export in ext/crypto. The Vitest VS Code extension v1.50.6 patched compatibility with Deno 2.8 and marked certain failures as test-run errors rather than generic crashes.

Releases covered