pnpm 10.26
pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.
Semi-breaking. Git-hosted dependencies are now blocked from running prepare scripts during installation unless they are explicitly allowed in onlyBuiltDependencies (or allowBuilds) #10288. This change prevents malicious code execution from untrusted git repositories.
allowBuilds
Added a new setting allowBuilds which provides a flexible way to manage build scripts. It accepts a map of package matchers to explicitly allow (true) or disallow (false) script execution. This replaces onlyBuiltDependencies and ignoredBuiltDependencies as the preferred configuration method #10311.
Example:
allowBuilds:
  esbuild: true
  core-js: false
  nx@21.6.4 || 21.6.5: true
blockExoticSubdeps
Added a new setting blockExoticSubdeps to improve supply chain security. When set to true, it prevents the resolution of exotic protocols (like git+ssh: or direct https: tarballs) in transitive dependencies. Only direct dependencies are allowed to use exotic sources #10265.
Semi-breaking. pnpm now computes the integrity hash for HTTP tarball dependencies when fetching them and stores it in the lockfile. This ensures that servers cannot serve altered content on subsequent installs without detection #10287.
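The pin-on-first-fetch check that the stored hash makes possible, as an added example that is not pnpm's own code. It assumes an SRI-style `sha512-<base64>` integrity string; `fetchWithLock`, the in-memory `lock` map, the sample URL and the tarball bytes are hypothetical names and constructed data.

```javascript
// Added example, not pnpm source. Assumes SRI-style "sha512-<base64>" strings.
const { createHash, timingSafeEqual } = require('node:crypto');

const ALLOWED_ALGOS = new Set(['sha256', 'sha384', 'sha512']);

// Compute an SRI-style integrity string for the fetched tarball bytes.
function computeIntegrity(bytes, algo = 'sha512') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// Split "algo-base64"; reject malformed entries and weak algorithms.
function parseIntegrity(integrity) {
  const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})$/.exec(integrity || '');
  if (!m || !ALLOWED_ALGOS.has(m[1])) {
    throw new Error(`unsupported integrity: ${integrity}`);
  }
  return { algo: m[1], digest: Buffer.from(m[2], 'base64') };
}

// First fetch pins the hash in the lock (a hypothetical Map standing in for
// the lockfile); every later fetch must reproduce the pinned digest.
function fetchWithLock(lock, url, bytes) {
  const pinned = lock.get(url);
  if (pinned === undefined) {
    const integrity = computeIntegrity(bytes);
    lock.set(url, integrity);
    return { status: 'pinned', integrity };
  }
  const { algo, digest } = parseIntegrity(pinned);
  const actual = createHash(algo).update(bytes).digest();
  const ok = actual.length === digest.length && timingSafeEqual(actual, digest);
  return ok
    ? { status: 'verified', integrity: pinned }
    : { status: 'mismatch', expected: pinned, actual: computeIntegrity(bytes, algo) };
}

// Constructed sample data: placeholder URL and stand-in tarball bytes.
const sampleUrl = 'https://example.com/pkg-1.0.0.tgz';
const original = Buffer.from('constructed tarball contents v1');
const altered = Buffer.from('constructed tarball contents v1 + injected');

const lock = new Map();
const statuses = [
  fetchWithLock(lock, sampleUrl, original), // first install: hash is recorded
  fetchWithLock(lock, sampleUrl, original), // reinstall with identical bytes
  fetchWithLock(lock, sampleUrl, altered),  // server now serves other bytes
].map((r) => r.status);
console.log(statuses);
```

A `mismatch` result is the signal to fail the install rather than re-pin, since silently updating the stored hash would defeat the check.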
pnpm pack --dry-run
Added support for --dry-run to the pack command. This allows you to verify which files would be included in the tarball without actually creating it #10301.
Show deprecation in table/list formats when latest version is deprecated #8658.
Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
Normalize the tarball URLs before saving them to the lockfile #10273.
Fix URL normalization for redirected immutable dependencies #10197.
Fetched May 2, 2026