blog/releases/10.26.md
pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.
Semi-breaking. Git-hosted dependencies are now blocked from running `prepare` scripts during installation unless they are explicitly allowed in `onlyBuiltDependencies` (or `allowBuilds`) #10288. This change prevents malicious code execution from untrusted git repositories.
### allowBuilds

Added a new setting `allowBuilds` which provides a flexible way to manage build scripts. It accepts a map of package matchers to explicitly allow (`true`) or disallow (`false`) script execution. This replaces `onlyBuiltDependencies` and `ignoredBuiltDependencies` as the preferred configuration method #10311.

Example:

```yaml
allowBuilds:
  esbuild: true
  core-js: false
  [email protected] || 21.6.5: true
```
### blockExoticSubdeps

Added a new setting `blockExoticSubdeps` to improve supply chain security. When set to `true`, it prevents the resolution of exotic protocols (like `git+ssh:` or direct `https:` tarballs) in transitive dependencies. Only direct dependencies are allowed to use exotic sources #10265.
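As an added illustration (not pnpm's own code), the following script audits a lockfile-like object the way `blockExoticSubdeps: true` would: it classifies each package's resolution and reports exotic (git or tarball) sources that appear only as transitive dependencies, while direct dependencies keep the right to use them. The resolution shapes follow pnpm's lockfile format; the lockfile object itself is constructed and simplified.

```javascript
// Added example, not pnpm's own code: a lockfile audit mirroring what
// blockExoticSubdeps: true enforces. Resolution shapes follow pnpm's lockfile
// (registry: integrity; git: type/repo/commit; tarball: tarball URL); the
// lockfile object below is constructed and simplified for this illustration.

function resolutionKind(resolution = {}) {
  if (resolution.type === 'git' || (resolution.repo && resolution.commit)) return 'git';
  if (typeof resolution.tarball === 'string') return 'tarball';
  if (typeof resolution.integrity === 'string') return 'registry';
  return 'unknown';
}

// Package name from a 'name@version' key; scoped names keep their leading '@'.
function packageName(key) {
  const at = key.lastIndexOf('@');
  return at <= 0 ? key : key.slice(0, at);
}

// Exotic (non-registry) packages that are NOT direct dependencies. Only these
// are rejected: direct dependencies may still use git or tarball sources.
function findExoticSubdeps(lockfile) {
  const direct = new Set(lockfile.directDependencies);
  return Object.entries(lockfile.packages)
    .map(([key, pkg]) => ({ key, kind: resolutionKind(pkg.resolution) }))
    .filter(({ key, kind }) => kind !== 'registry' && !direct.has(packageName(key)))
    .sort((a, b) => a.key.localeCompare(b.key));
}

// Constructed sample: two direct deps (one from git, which stays allowed) and
// two exotic transitive deps that the setting would block.
const SAMPLE_LOCKFILE = {
  directDependencies: ['left-pad', 'my-fork'],
  packages: {
    'left-pad@1.3.0': { resolution: { integrity: 'sha512-CONSTRUCTED' } },
    'my-fork@1.0.0': { resolution: { type: 'git', repo: 'git+ssh://git@example.invalid/org/my-fork.git', commit: '0000000' } },
    'is-odd@3.0.1': { resolution: { tarball: 'https://example.invalid/is-odd-3.0.1.tgz' } },
    '@scope/util@2.0.0': { resolution: { integrity: 'sha512-CONSTRUCTED' } },
    'tiny-helper@0.1.0': { resolution: { type: 'git', repo: 'https://example.invalid/x/tiny-helper.git', commit: '1111111' } },
  },
};

for (const { key, kind } of findExoticSubdeps(SAMPLE_LOCKFILE)) {
  console.log(`blocked: ${key} resolves via ${kind} source`);
}
```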
Semi-breaking. pnpm now computes the integrity hash for HTTP tarball dependencies when fetching them and stores it in the lockfile. This ensures that servers cannot serve altered content on subsequent installs without detection #10287.
### pnpm pack --dry-run

Added support for `--dry-run` to the `pack` command. This allows you to verify which files would be included in the tarball without actually creating it #10301.
injectWorkspacePackages setting from the lockfile on the deploy command #10294.