Skip to content

chore: update lockfile, Node.js, pnpm, and pacquet versions#12421

Merged
zkochan merged 2 commits into
mainfrom
chore/update-lockfile
Jun 15, 2026
Merged

chore: update lockfile, Node.js, pnpm, and pacquet versions#12421
zkochan merged 2 commits into
mainfrom
chore/update-lockfile

Conversation

@zkochan

@zkochan zkochan commented Jun 15, 2026

Copy link
Copy Markdown
Member

This automated PR refreshes the project's pinned versions:

  • Updates the lockfile to the latest compatible versions of dependencies.
  • Bumps Node.js to the latest 26.x release, propagated into the CI, release, and benchmark workflows via the meta-updater.
  • Bumps pnpm to the latest release (packageManager and devEngines.packageManager).
  • Bumps the @pnpm/pacquet config dependency to its latest release.

Created by the update-lockfile workflow.

Summary by CodeRabbit

This release includes maintenance updates to development tooling and dependencies.

  • Chores
    • Updated the package manager version requirement to pnpm 11.7.0
    • Updated the workspace configuration dependency @pnpm/pacquet to 0.11.7

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 15, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0)

Grey Divider


Action required

1. Prerelease Node resolved ✓ Resolved 🐞 Bug ☼ Reliability
Description
The root scripts/devEngines now request node@runtime:^26.3.0, and pnpm’s Node runtime resolver
uses includePrerelease: true when picking the max satisfying version, so this range can resolve to
an rc/nightly build. Those prerelease channels are documented as unsigned, but signature
verification is still enabled on the release channel, causing runtime resolution failures (or
unexpected prerelease Node usage) in pretest/CI.
Code

package.json[21]

+    "compile-only": "tsgo --build workspace/workspace-manifest-reader workspace/projects-reader && pnx node@runtime:^26.3.0 __utils__/scripts/src/typecheck-only.ts && pn -F=pnpm compile",
Evidence
pretest invokes compile-only, which now runs pnx node@runtime:^26.3.0. The Node runtime
resolver parses runtime:, then selects a version via `semver.maxSatisfying(..., {
includePrerelease: true }) over the complete version list from the Node mirror index.json` (no
prerelease filtering), so a caret range can pick an rc/nightly version if present. The resolver
explicitly states prerelease channels are unsigned, but enables signature verification when
releaseChannel === 'release', making prerelease resolution prone to verification failures.

package.json[8-22]
package.json[72-76]
pnpm-lock.yaml[1164-1166]
engine/runtime/node-resolver/src/index.ts[39-71]
engine/runtime/node-resolver/src/index.ts[99-105]
engine/runtime/node-resolver/src/index.ts[190-206]
engine/runtime/node-resolver/src/index.ts[224-261]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`package.json` switched from an exact Node runtime version (`runtime:26.3.0`) to a range (`runtime:^26.3.0`). Because pnpm’s Node runtime resolver includes prereleases when selecting the “max satisfying” version, the range can resolve to an rc/nightly version, which is incompatible with the resolver’s signature-verification expectations for the `release` channel and can break `pn pretest`/CI.
## Issue Context
- `pretest` runs `compile-only`, so this impacts common CI/test entrypoints.
- The Node runtime resolver fetches all versions from `index.json` and does not filter out prereleases for `release` channel semver ranges.
## Fix Focus Areas
- package.json[8-22]
- package.json[72-76]
- pnpm-lock.yaml[1164-1166]
### Suggested change
- Revert to an exact Node runtime pin (e.g. `node@runtime:26.3.0` / `devEngines.runtime.version: "26.3.0"`).
- Update the lockfile importer `node` specifier accordingly (from `runtime:^26.3.0` back to `runtime:26.3.0`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Previous review results

Review updated until commit 7742b7f

Results up to commit N/A


🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0)


Action required
1. Prerelease Node resolved ✓ Resolved 🐞 Bug ☼ Reliability
Description
The root scripts/devEngines now request node@runtime:^26.3.0, and pnpm’s Node runtime resolver
uses includePrerelease: true when picking the max satisfying version, so this range can resolve to
an rc/nightly build. Those prerelease channels are documented as unsigned, but signature
verification is still enabled on the release channel, causing runtime resolution failures (or
unexpected prerelease Node usage) in pretest/CI.
Code

package.json[21]

+    "compile-only": "tsgo --build workspace/workspace-manifest-reader workspace/projects-reader && pnx node@runtime:^26.3.0 __utils__/scripts/src/typecheck-only.ts && pn -F=pnpm compile",
Evidence
pretest invokes compile-only, which now runs pnx node@runtime:^26.3.0. The Node runtime
resolver parses runtime:, then selects a version via `semver.maxSatisfying(..., {
includePrerelease: true }) over the complete version list from the Node mirror index.json` (no
prerelease filtering), so a caret range can pick an rc/nightly version if present. The resolver
explicitly states prerelease channels are unsigned, but enables signature verification when
releaseChannel === 'release', making prerelease resolution prone to verification failures.

package.json[8-22]
package.json[72-76]
pnpm-lock.yaml[1164-1166]
engine/runtime/node-resolver/src/index.ts[39-71]
engine/runtime/node-resolver/src/index.ts[99-105]
engine/runtime/node-resolver/src/index.ts[190-206]
engine/runtime/node-resolver/src/index.ts[224-261]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`package.json` switched from an exact Node runtime version (`runtime:26.3.0`) to a range (`runtime:^26.3.0`). Because pnpm’s Node runtime resolver includes prereleases when selecting the “max satisfying” version, the range can resolve to an rc/nightly version, which is incompatible with the resolver’s signature-verification expectations for the `release` channel and can break `pn pretest`/CI.
## Issue Context
- `pretest` runs `compile-only`, so this impacts common CI/test entrypoints.
- The Node runtime resolver fetches all versions from `index.json` and does not filter out prereleases for `release` channel semver ranges.
## Fix Focus Areas
- package.json[8-22]
- package.json[72-76]
- pnpm-lock.yaml[1164-1166]
### Suggested change
- Revert to an exact Node runtime pin (e.g. `node@runtime:26.3.0` / `devEngines.runtime.version: "26.3.0"`).
- Update the lockfile importer `node` specifier accordingly (from `runtime:^26.3.0` back to `runtime:26.3.0`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Qodo Logo

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1b5cd184-ef08-4c18-b7ab-4a2a9c7d22b6

📥 Commits

Reviewing files that changed from the base of the PR and between 47588b5 and 7742b7f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

Two version bumps across two config files: package.json updates pnpm from 11.6.0 to 11.7.0, and pnpm-workspace.yaml bumps @pnpm/pacquet from 0.11.4 to 0.11.7.

Changes

Toolchain Version Bumps

Layer / File(s) Summary
pnpm and pacquet version bumps
package.json, pnpm-workspace.yaml
packageManager and devEngines.packageManager.version bumped from pnpm@11.6.0 / 11.6.0 to pnpm@11.7.0 / 11.7.0; @pnpm/pacquet bumped from 0.11.4 to 0.11.7 in workspace configDependencies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • pnpm/pnpm#12261: Updates the same packageManager/devEngines.packageManager.version fields in package.json and configDependencies['@pnpm/pacquet'] in pnpm-workspace.yaml.
  • pnpm/pnpm#12211: Modifies the root package.json toolchain fields by bumping packageManager and devEngines.packageManager.version to a newer pnpm version.
  • pnpm/pnpm#12130: Updates @pnpm/pacquet in pnpm-workspace.yaml configDependencies to a newer version.

Suggested labels

area: supply chain security

Poem

🐇 Hop, hop, hooray for fresh versions today!
The pnpm climbed to eleven-point-seven with glee,
And pacquet crept up, oh so gracefully,
Small bumps in the config, one step closer the way! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: updating lockfile, Node.js, pnpm, and pacquet versions, which aligns with the PR objectives and file modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-lockfile

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

Chore: refresh lockfile; bump Node 26.x, pnpm 11.7, and pacquet
⚙️ Configuration changes 🕐 10-20 Minutes

Grey Divider

Walkthroughs

Description
• Bump Node runtime constraint to ^26.3.0 for dev tooling and scripts.
• Upgrade pnpm to 11.7.0 and refresh the pnpm lockfile.
• Update @pnpm/pacquet config dependency to 0.11.7 across workspace config.
Diagram
graph TD
CI["CI / workflows"] --> PJ["package.json"] --> WS["pnpm-workspace.yaml"] --> LOCK["pnpm-lock.yaml"]
PJ --> NODE(("Node.js ^26.3.0"))
PJ --> PNPM(("pnpm 11.7.0"))
WS --> PAC(("@pnpm/pacquet 0.11.7"))
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Keep Node pinned to an exact patch version
  • ➕ Maximizes reproducibility across developer machines and CI
  • ➕ Avoids surprise breakages from new Node 26.x minors
  • ➖ Requires more frequent update PRs to pick up fixes
  • ➖ Harder to validate compatibility with the broader 26.x line
2. Allow Node range but pin tooling invocation to a specific runtime
  • ➕ Keeps dev/CI flexible while keeping critical scripts deterministic
  • ➕ Reduces risk in typecheck/compile steps
  • ➖ Introduces split-brain configuration (range in devEngines, pin elsewhere)
  • ➖ More cognitive overhead when debugging environment issues

Recommendation: The current approach (moving Node from an exact 26.3.0 pin to ^26.3.0) is reasonable if the project intentionally tracks the latest compatible 26.x runtime. If determinism is a priority (e.g., to reduce CI variability), consider reverting to an exact patch pin for Node while still upgrading pnpm/pacquet and refreshing the lockfile.

Grey Divider

File Changes

Other (3)
package.json Bump pnpm to 11.7 and loosen Node runtime to ^26.3.0 +4/-4

Bump pnpm to 11.7 and loosen Node runtime to ^26.3.0

• Updates the declared pnpm version in packageManager and devEngines. Changes the Node runtime version from a fixed 26.3.0 to the compatible range ^26.3.0, including the compile-only script’s runtime invocation.

package.json


pnpm-lock.yaml Refresh lockfile for pnpm 11.7 and pacquet 0.11.7 +326/-414

Refresh lockfile for pnpm 11.7 and pacquet 0.11.7

• Updates lockfile entries for pnpm 11.7.0 and @pnpm/pacquet 0.11.7, including platform pacquet packages. Brings along transitive dependency updates (e.g., eslint, @types/node patch bump, and other resolved versions) consistent with the refreshed install state.

pnpm-lock.yaml


pnpm-workspace.yaml Bump workspace configDependency @pnpm/pacquet to 0.11.7 +1/-1

Bump workspace configDependency @pnpm/pacquet to 0.11.7

• Updates the workspace-level configDependencies entry for @pnpm/pacquet from 0.11.4 to 0.11.7 to align with the refreshed lockfile and tooling versions.

pnpm-workspace.yaml


Grey Divider

Qodo Logo

Comment thread package.json Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
pnpm-workspace.yaml (1)

353-353: Behavioral change: pacquet 0.11.7 enables full resolving installs.

The bump from 0.11.4 to 0.11.7 crosses a feature-gate threshold. Per installing/commands/src/runPacquet.ts:270-275, pacquet >= 0.11.7 supports full resolving installs, while earlier versions stay on pnpm's resolve-then-materialize path. This means non-frozen plain installs will now delegate both resolution and materialization to pacquet instead of only materialization.

This is a significant change in the install code path. Ensure the change is intentional and that pacquet 0.11.7's resolving installs behavior has been tested in the repository's install workflows.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` at line 353, The pacquet version bump from 0.11.4 to
0.11.7 activates full resolving installs behavior as determined by the version
check logic in runPacquet.ts, which means non-frozen plain installs will now use
pacquet for both resolution and materialization instead of just materialization.
Verify this behavioral change in install workflows is intentional by reviewing
the runPacquet.ts version gate logic (around lines 270-275) to confirm the
threshold, then test and document that pacquet 0.11.7's resolving installs
behavior works correctly in your repository's standard install scenarios to
ensure the change does not introduce regressions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 65: The packageManager field is set to pnpm version 11.7.0, which does
not exist. Update the packageManager field in package.json to use pnpm@11.6.0,
which is the latest stable release in the pnpm 11 series as of June 2026. Note
that the comment indicates this version specification appears in multiple places
in package.json and all occurrences should be updated to the correct version.
- Line 21: The meta-updater cannot sync semver ranges because the regex at
`.meta-updater/src/index.ts:312` used by syncNodeRuntimeInScripts() only matches
exact versions like `node@runtime:[\d.]+` and not semver operators like `^`.
Revert both line 21 and line 74 in package.json from the semver range `^26.3.0`
back to the exact version `26.3.0` to keep the Node.js runtime version pinned
and in sync across devEngines and scripts, or alternatively update the
meta-updater regex to handle semver ranges like `^` if you need semver
flexibility.

In `@pnpm-workspace.yaml`:
- Line 353: Update the `@pnpm/pacquet` version in pnpm-workspace.yaml from 0.11.7
to a publicly available and security-patched release. The specified version
0.11.7 is not a published npm release; verify and update to the latest stable
public version (0.2.3 or newer if available) or ensure the current version
includes the patch for security advisory GHSA-3qhv-2rgh-x77r, which addresses
environment variable expansion vulnerabilities in repository-controlled
configuration files. If an internal development version is intentionally being
used, document confirmation that the patch disabling environment variable
expansion in repository-controlled sources is included.

---

Nitpick comments:
In `@pnpm-workspace.yaml`:
- Line 353: The pacquet version bump from 0.11.4 to 0.11.7 activates full
resolving installs behavior as determined by the version check logic in
runPacquet.ts, which means non-frozen plain installs will now use pacquet for
both resolution and materialization instead of just materialization. Verify this
behavioral change in install workflows is intentional by reviewing the
runPacquet.ts version gate logic (around lines 270-275) to confirm the
threshold, then test and document that pacquet 0.11.7's resolving installs
behavior works correctly in your repository's standard install scenarios to
ensure the change does not introduce regressions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3180c451-5b65-4f61-a80e-93d167447e97

📥 Commits

Reviewing files that changed from the base of the PR and between 41b74e7 and 47588b5.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Comment thread package.json Outdated
Comment thread package.json
"typescript": "catalog:"
},
"packageManager": "pnpm@11.6.0",
"packageManager": "pnpm@11.7.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

pnpm 11.7.0 release notes changelog dependency management commands

💡 Result:

As of today, June 15, 2026, pnpm version 11.7.0 has not been released. The most recent stable release in the pnpm 11 series is version 11.6.0, which was released on June 11, 2026 [1]. For context, pnpm 11 is the current major version of the package manager, introduced on April 28, 2026 [2][3]. Key features and changes in the pnpm 11 series include: - Requirement of Node.js 22 or newer, with pnpm itself transitioning to pure ESM [3]. - Enhanced security defaults, such as a default minimum release age for new packages (to protect against supply chain attacks) and stricter dependency build settings [2][3]. - A transition to a native implementation for package publishing commands (e.g., publish, login, logout, unpublish), removing the reliance on the npm CLI fallback [3]. - A new SQLite-backed store index (store v11) for improved performance [3]. - Global package isolation, where global installs no longer share a virtual store, preventing dependency conflicts [3]. Official changelogs and release notes for all pnpm versions can be found in the official GitHub repository at https://github.com/pnpm/pnpm/blob/main/pnpm/CHANGELOG.md [4].

Citations:


🌐 Web query:

pnpm 11.7.0 security vulnerabilities CVE

💡 Result:

As of June 15, 2026, there are no security vulnerabilities specifically assigned to pnpm version 11.7.0 [1]. Several security advisories have been issued for the pnpm 11.x release line, but they have been addressed in subsequent patch releases. Specifically, relevant vulnerabilities in the 11.x line include: * CVE-2026-48995: Affects versions >= 11.0.0 and < 11.0.7, where GitHub git dependency tarball hashes were not stored in the lockfile [2]. This was patched in version 11.0.7 [2]. * CVE-2026-50016: A path traversal vulnerability affecting versions >= 11.0.0 and < 11.4.0, which allowed project path overrides [3]. This was patched in version 11.4.0 [3]. * CVE-2026-50017: A credential exposure vulnerability affecting versions >= 11.0.0 and < 11.4.0, where unscoped npm credentials could be sent to unauthorized registries [4]. This was patched in version 11.4.0 [4]. * AIKIDO-2026-10970 (Insufficient policy enforcement): Affected versions 11.0.0 through 11.1.1, involving metadata caching issues and potential CPU exhaustion [5]. This was patched in version 11.1.2 [5]. Because pnpm 11.7.0 was released after these security patches, it is not affected by these specific vulnerabilities [1]. Users are encouraged to always use the latest available version of pnpm to ensure all known security patches are included [1].

Citations:


Use pnpm 11.6.0 instead—version 11.7.0 does not exist. As of June 15, 2026, the latest stable release in the pnpm 11 series is 11.6.0 (released June 11, 2026). Update package.json lines 65 and 69 to reference pnpm@11.6.0.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 65, The packageManager field is set to pnpm version
11.7.0, which does not exist. Update the packageManager field in package.json to
use pnpm@11.6.0, which is the latest stable release in the pnpm 11 series as of
June 2026. Note that the comment indicates this version specification appears in
multiple places in package.json and all occurrences should be updated to the
correct version.

Comment thread pnpm-workspace.yaml

configDependencies:
'@pnpm/pacquet': 0.11.4
'@pnpm/pacquet': 0.11.7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

pacquet 0.11.7 security vulnerabilities CVE

💡 Result:

There is no CVE specifically assigned to the pacquet package manager version 0.11.7. However, pacquet was identified as an affected component in a security advisory regarding environmental variable expansion [1]. The primary security-related issue involving pacquet is: Environmental Variable Expansion Vulnerability (GHSA-3qhv-2rgh-x77r): Pacquet, along with pnpm, was identified as affected by a vulnerability where environment variable placeholders (e.g., ${ENV_VAR}) in repository-level.npmrc or pnpm-workspace.yaml files could be expanded into registry request destinations or authentication headers [1]. This could allow a malicious repository to exfiltrate environment secrets to an attacker-controlled registry [1]. This is tracked under CWE-201, CWE-200, and CWE-522 [1]. It is important to distinguish this from CVE-2026-9496, which is a Denial of Service (DoS) vulnerability affecting the npm package pacote (versions 11.2.7 and later), not pacquet [2][3][4][5]. Pacote is a different library used within the Node.js ecosystem for fetching packages and is not the same as the pacquet package manager [2][4].

Citations:


🌐 Web query:

@pnpm/pacquet 0.11.7 npm security advisories

💡 Result:

As of June 15, 2026, there is no specific security advisory issued for a version named "0.11.7" of @pnpm/pacquet. Pacquet is the Rust-based rewrite of pnpm, and its versioning, security posture, and vulnerability disclosures are managed in direct coordination with the core pnpm project [1][2][3]. Recent security vulnerabilities impacting the pnpm ecosystem—which include the pacquet implementation—have been disclosed via official GitHub Security Advisories for the main pnpm repository [4][5]. Relevant recent advisories and security hardening measures include: 1. GHSA-3qhv-2rgh-x77r (CAND-PNPM-122): This advisory addresses a vulnerability where repository-controlled.npmrc and pnpm-workspace.yaml files could expand environment variable placeholders into registry request destinations and credentials, potentially leaking secrets [4]. Pacquet was identified as an affected component and was patched to prevent this expansion [4]. 2. GHSA-4gxm-v5v7-fqc4 (CAND-PNPM-085): This advisory addresses the need to harden bin name validation by explicitly rejecting reserved names (e.g., ".", "..") that could otherwise resolve to unsafe paths [5]. Pacquet's Rust-based bin resolver was updated to mirror the validation logic used in pnpm's TypeScript implementation [5]. 3. Security Hardening (pnpm v11.5.3): In June 2026, pnpm introduced mandatory verification of npm registry signatures for its own binaries and the @pacquet/ platform-specific binaries [6][7]. This mechanism ensures that a compromised or malicious registry cannot supply a tampered binary for pacquet, as the system will now block execution if the signature does not verify [6][7]. Because pacquet is an experimental install backend for pnpm and is frequently updated in lockstep with the core pnpm repository, users should monitor the main pnpm security advisories page for the most accurate and up-to-date information regarding vulnerabilities affecting the ecosystem [4][1]. [4][6][5][7]

Citations:


🌐 Web query:

GHSA-3qhv-2rgh-x77r pacquet patch version fix

💡 Result:

The security vulnerability GHSA-3qhv-2rgh-x77r involves the improper expansion of environment variable placeholders (${ENV_VAR}) within repository-controlled configuration files (specifically .npmrc and pnpm-workspace.yaml). This could allow a malicious repository to exfiltrate sensitive environment secrets to an attacker-controlled registry during package installation [1][2][3]. To address this, pnpm and its Rust-based implementation, pacquet, have been updated to treat environment variable expansion as "trust-aware." As of pnpm versions 10.34.2 and 11.5.3, these placeholders are no longer expanded when they appear in sensitive fields—such as registry URLs, proxy settings, and authentication credentials—within repository-controlled configuration files [1][2][3][4]. If you are using pacquet or pnpm and encounter issues due to this change, you should migrate your configuration to a "trusted" source, such as your user-level ~/.npmrc file, global configuration, or CLI options, where environment variable expansion remains supported [3][5][4]. Top results: [1][2][3][4]

Citations:


🌐 Web query:

pacquet 0.11.7 release date changelog environment variable

💡 Result:

Pacquet is an ongoing project serving as the official Rust-based rewrite of the pnpm package manager [1]. As of June 15, 2026, there is no single publicly released version named 0.11.7. Development is tracked primarily through the pnpm/pacquet GitHub repository [2][3][4][5]. Regarding your specific areas of interest: Release Information There is no official release manifest for a 0.11.7 version [1]. Recent development activity indicates that pnpm has begun delegating resolution tasks to pacquet versions 0.11 and higher [3]. Because pacquet is still in active development and not yet production-ready, it does not follow a traditional, public-facing stable release cadence like standard npm packages [1]. Environment Variables Pacquet has specific handling for environment variables related to configuration and security [6]: - Trusted configuration sources, including user-level.npmrc files, CLI arguments, and actual environment variables, continue to support environment variable expansion (e.g., ${ENV_VAR}) for registry configuration and authentication [6]. - Security restrictions have been implemented to prevent project-level.npmrc files and pnpm-workspace.yaml files from expanding environment variable placeholders. This is a security measure to prevent potential leakage of environment secrets to unauthorized registries during dependency resolution [6]. For the most accurate and up-to-date information on the codebase, you should refer to the official pnpm/pacquet repository on GitHub, as it remains the primary source for the project's roadmap and ongoing development status [1][5].

Citations:


🏁 Script executed:

cat -n pnpm-workspace.yaml | sed -n '345,360p'

Repository: pnpm/pnpm

Length of output: 377


🌐 Web query:

pacquet npm releases latest version 0.11

💡 Result:

As of June 15, 2026, pacquet—the official pnpm rewrite in Rust—is an active development project and has reached version 0.11+ in the context of its integration with pnpm [1]. While individual standalone packages (such as pacquet or @pnpm/pacquet on registries) may show version numbers like 0.2.x [2][3], pnpm has specifically introduced configuration requirements for pacquet version 0.11 or higher to enable the delegation of installation resolution [1]. Specifically, pnpm version 11.2.2 and subsequent releases include an experimental feature where pnpm install can delegate the materialization phase to the pacquet binary when pacquet is added to configDependencies in pnpm-workspace.yaml [4]. Development efforts are currently focused on reaching feature parity with pnpm, including support for commands like update and handling various dependency types [5][1][6][7]. It remains an experimental, non-production-ready tool [2][3].

Citations:


🌐 Web query:

@pnpm/pacquet versions npm registry available

💡 Result:

@pnpm/pacquet versions available on the npm registry (as of 2026-06-15): - Latest published version: 0.2.3 (May 21, 2026) [1] Notes / limitations: - The most authoritative “version list” would come from the package’s npm registry document at https://registry.npmjs.org/@pnpm/pacquet, but it wasn’t returned in the search results I could access here. So I can only confirm the latest version from the sources retrieved above, not enumerate every historical version number. [1] Sources: - npm package page summary for @pnpm/pacquet, including the “latest” version and publish date. [1] If you want, I can do a follow-up lookup specifically on https://registry.npmjs.org/@pnpm/pacquet to enumerate the full version list.

Citations:


Clarify pacquet version and verify security advisory status.

Pacquet 0.11.7 is not a published npm release; the latest public version of @pnpm/pacquet is 0.2.3 (May 21, 2026). If this is an internal development version, confirm it includes the patch for GHSA-3qhv-2rgh-x77r—a known advisory where environment variable placeholders in repository-controlled .npmrc and pnpm-workspace.yaml files could exfiltrate secrets to attacker-controlled registries. This vulnerability has been patched in pnpm v10.34.2, v11.5.3, and corresponding pacquet releases by disabling environment variable expansion in repository-controlled configuration sources.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` at line 353, Update the `@pnpm/pacquet` version in
pnpm-workspace.yaml from 0.11.7 to a publicly available and security-patched
release. The specified version 0.11.7 is not a published npm release; verify and
update to the latest stable public version (0.2.3 or newer if available) or
ensure the current version includes the patch for security advisory
GHSA-3qhv-2rgh-x77r, which addresses environment variable expansion
vulnerabilities in repository-controlled configuration files. If an internal
development version is intentionally being used, document confirmation that the
patch disabling environment variable expansion in repository-controlled sources
is included.

@github-actions

Copy link
Copy Markdown
Contributor

Integrated-Benchmark Report (Linux)

Each scenario reports direct installs and pnpr installs. Bencher consumes pacquet@HEAD and pnpr@HEAD.

Scenario: Isolated linker: fresh restore, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 3.759 ± 0.117 3.621 3.957 1.80 ± 0.11
pacquet@main 3.788 ± 0.160 3.624 4.092 1.81 ± 0.13
pnpr@HEAD 2.204 ± 0.097 2.079 2.339 1.06 ± 0.07
pnpr@main 2.088 ± 0.116 1.971 2.261 1.00
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 3.7593475716,
      "stddev": 0.11726037632494568,
      "median": 3.7397372743,
      "user": 3.6582166999999997,
      "system": 3.3053844800000007,
      "min": 3.6214874743,
      "max": 3.9569491433,
      "times": [
        3.8544025523000003,
        3.6214874743,
        3.9569491433,
        3.6715700353,
        3.7197398143,
        3.8431796373,
        3.6607095443,
        3.7597347343,
        3.6292649243,
        3.8764378563
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 3.7875540759,
      "stddev": 0.15956822537415796,
      "median": 3.7374209502999998,
      "user": 3.6754098999999996,
      "system": 3.2837043799999996,
      "min": 3.6237493833,
      "max": 4.0915631133,
      "times": [
        3.7672750843,
        3.6237493833,
        3.8202255683,
        3.6530165273,
        4.0498992383,
        3.7439486063,
        3.6884316163,
        3.7065383273,
        4.0915631133,
        3.7308932943
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 2.2042905507,
      "stddev": 0.0968405362187699,
      "median": 2.2131557668,
      "user": 2.7315512999999996,
      "system": 2.87142938,
      "min": 2.0788739113,
      "max": 2.3388365863,
      "times": [
        2.0788739113,
        2.2840279142999997,
        2.1800069783,
        2.0959904733,
        2.1243501873,
        2.2975987503,
        2.2463045553,
        2.1119592422999998,
        2.3388365863,
        2.2849569083
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 2.0880754331999993,
      "stddev": 0.11553643620824547,
      "median": 2.0376526578,
      "user": 2.7238416,
      "system": 2.8943198800000003,
      "min": 1.9705276923000001,
      "max": 2.2606978223,
      "times": [
        2.2461408813,
        1.9948779783,
        1.9705276923000001,
        2.0693150543,
        2.0059902613,
        2.2606978223,
        2.2234855963,
        2.0040793993,
        1.9900324383,
        2.1156072083
      ]
    }
  ]
}

Scenario: Isolated linker: fresh restore, hot cache + hot store

Command Mean [ms] Min [ms] Max [ms] Relative
pacquet@HEAD 634.8 ± 12.3 623.2 662.7 1.01 ± 0.03
pacquet@main 630.8 ± 11.2 611.0 646.6 1.00
pnpr@HEAD 672.7 ± 18.4 647.6 712.2 1.07 ± 0.03
pnpr@main 694.2 ± 24.1 661.8 737.9 1.10 ± 0.04
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 0.6347979607400001,
      "stddev": 0.012274161011000704,
      "median": 0.6311594380400001,
      "user": 0.38092812,
      "system": 1.30328226,
      "min": 0.62318781704,
      "max": 0.6627326650400001,
      "times": [
        0.62318781704,
        0.62462167104,
        0.62755040604,
        0.63441605704,
        0.6333257910400001,
        0.62982506204,
        0.6627326650400001,
        0.63109913204,
        0.6500012620400001,
        0.63121974404
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 0.63083827394,
      "stddev": 0.011156674294338895,
      "median": 0.63175692104,
      "user": 0.37629332000000004,
      "system": 1.30627596,
      "min": 0.6109701040400001,
      "max": 0.6466285620400001,
      "times": [
        0.63294377404,
        0.61710604104,
        0.63057006804,
        0.6109701040400001,
        0.63997231004,
        0.6466285620400001,
        0.63471560904,
        0.62779885104,
        0.62496802504,
        0.64270939504
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 0.67265496864,
      "stddev": 0.018427286742073626,
      "median": 0.6714367295400001,
      "user": 0.38759392000000004,
      "system": 1.3305381600000001,
      "min": 0.64756998404,
      "max": 0.71223911904,
      "times": [
        0.71223911904,
        0.6777066230400001,
        0.6710660310400001,
        0.6868030930400001,
        0.66000491204,
        0.6532158210400001,
        0.6798780670400001,
        0.64756998404,
        0.66625860804,
        0.67180742804
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 0.69419612714,
      "stddev": 0.024116383082051898,
      "median": 0.69061661904,
      "user": 0.39423022,
      "system": 1.33453266,
      "min": 0.6618345870400001,
      "max": 0.7379408190400001,
      "times": [
        0.7379408190400001,
        0.68350283004,
        0.68527958404,
        0.71763487104,
        0.69541296304,
        0.6858202750400001,
        0.71399789304,
        0.69868903104,
        0.66184841804,
        0.6618345870400001
      ]
    }
  ]
}

Scenario: Isolated linker: fresh install, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 4.179 ± 0.050 4.121 4.287 1.95 ± 0.11
pacquet@main 4.209 ± 0.069 4.113 4.312 1.97 ± 0.11
pnpr@HEAD 2.209 ± 0.152 2.040 2.504 1.03 ± 0.09
pnpr@main 2.140 ± 0.116 2.027 2.398 1.00
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 4.1786024800199995,
      "stddev": 0.049803962609872805,
      "median": 4.1740165314199995,
      "user": 3.772125139999999,
      "system": 3.2820125000000004,
      "min": 4.12070578092,
      "max": 4.28692559992,
      "times": [
        4.147711299919999,
        4.15069414992,
        4.20065705592,
        4.196227275919999,
        4.1884016079199995,
        4.12277525892,
        4.21229531592,
        4.12070578092,
        4.1596314549199995,
        4.28692559992
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 4.20923197002,
      "stddev": 0.06915727371670327,
      "median": 4.19376192942,
      "user": 3.7937659399999992,
      "system": 3.2901424999999995,
      "min": 4.113464060919999,
      "max": 4.31199052492,
      "times": [
        4.31199052492,
        4.2526592039199995,
        4.113464060919999,
        4.28756391692,
        4.156325273919999,
        4.16002171292,
        4.14224898892,
        4.19033395592,
        4.19718990292,
        4.280522158919999
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 2.2088848107200003,
      "stddev": 0.15214867406021407,
      "median": 2.16208700442,
      "user": 2.57012114,
      "system": 2.8234501,
      "min": 2.04009635092,
      "max": 2.50395387292,
      "times": [
        2.04009635092,
        2.13355023792,
        2.06805645992,
        2.3631394129200003,
        2.29161922592,
        2.1906237709200003,
        2.50395387292,
        2.0835852789200002,
        2.10562144892,
        2.30860204792
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 2.13995772882,
      "stddev": 0.11606151221854087,
      "median": 2.10101814692,
      "user": 2.5742454399999994,
      "system": 2.8246705000000003,
      "min": 2.02736351492,
      "max": 2.3978749229200003,
      "times": [
        2.1113919559200003,
        2.07906003792,
        2.29231662492,
        2.09991681092,
        2.3978749229200003,
        2.0697915939200002,
        2.02736351492,
        2.06229347792,
        2.10211948292,
        2.15744886592
      ]
    }
  ]
}

Scenario: Isolated linker: fresh install, hot cache + hot store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 1.338 ± 0.021 1.313 1.377 2.04 ± 0.04
pacquet@main 1.378 ± 0.079 1.336 1.600 2.10 ± 0.12
pnpr@HEAD 0.669 ± 0.021 0.644 0.717 1.02 ± 0.03
pnpr@main 0.656 ± 0.008 0.642 0.666 1.00
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 1.3383753552,
      "stddev": 0.020722498473697164,
      "median": 1.3395973069,
      "user": 1.3303943599999999,
      "system": 1.68567048,
      "min": 1.3130083834000001,
      "max": 1.3767215524,
      "times": [
        1.3135010524000001,
        1.3219231224,
        1.3238085204,
        1.3563310894,
        1.3528059584,
        1.3446121484,
        1.3767215524,
        1.3464592594,
        1.3345824654,
        1.3130083834000001
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 1.3777769487,
      "stddev": 0.07889596008540731,
      "median": 1.3543643699,
      "user": 1.3011509599999997,
      "system": 1.7485325799999998,
      "min": 1.3357089624,
      "max": 1.5998488384000003,
      "times": [
        1.3482001154,
        1.5998488384000003,
        1.3535716474000001,
        1.3551570924,
        1.3561334984000002,
        1.3445583074,
        1.3357089624,
        1.3440221264,
        1.3619301324000002,
        1.3786387664000002
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 0.6688595746000001,
      "stddev": 0.021179658280857896,
      "median": 0.6698242379,
      "user": 0.34235496,
      "system": 1.26912548,
      "min": 0.6437483864,
      "max": 0.7174498444,
      "times": [
        0.6689221414000001,
        0.6437483864,
        0.6587585794,
        0.6726723464,
        0.7174498444,
        0.6824221084000001,
        0.6739735694,
        0.6507254674,
        0.6707263344,
        0.6491969684
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 0.6564814813,
      "stddev": 0.00820476243030796,
      "median": 0.6571606193999999,
      "user": 0.33541385999999995,
      "system": 1.25918588,
      "min": 0.6417268294,
      "max": 0.6656002964,
      "times": [
        0.6561146184,
        0.6417268294,
        0.6531244534,
        0.6647264264,
        0.6656002964,
        0.6449176304,
        0.6611272424,
        0.6645062644,
        0.6582066204,
        0.6547644314
      ]
    }
  ]
}

Scenario: Isolated linker: fresh install, cold cache + hot store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 3.109 ± 0.039 3.046 3.163 4.77 ± 0.10
pacquet@main 3.113 ± 0.047 3.054 3.207 4.77 ± 0.11
pnpr@HEAD 0.655 ± 0.018 0.628 0.691 1.00 ± 0.03
pnpr@main 0.652 ± 0.010 0.633 0.664 1.00
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 3.1094409042200004,
      "stddev": 0.039477470346176435,
      "median": 3.11811951242,
      "user": 1.8380058599999998,
      "system": 1.9919653999999998,
      "min": 3.04639659192,
      "max": 3.16259045292,
      "times": [
        3.06554043992,
        3.12795776292,
        3.06303304792,
        3.1038485099199997,
        3.15372488192,
        3.11928195892,
        3.04639659192,
        3.13507832992,
        3.16259045292,
        3.11695706592
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 3.11333235652,
      "stddev": 0.046735576990396904,
      "median": 3.1063171274199997,
      "user": 1.82974826,
      "system": 2.0032189999999996,
      "min": 3.05403101492,
      "max": 3.20744205592,
      "times": [
        3.08396423492,
        3.12672197892,
        3.16146460392,
        3.09516867292,
        3.1344593659199997,
        3.11746558192,
        3.06233046292,
        3.20744205592,
        3.05403101492,
        3.09027559292
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 0.6547622267200001,
      "stddev": 0.018366240249240783,
      "median": 0.6474695689200001,
      "user": 0.34566446,
      "system": 1.2550278,
      "min": 0.62781307492,
      "max": 0.69111274192,
      "times": [
        0.69111274192,
        0.6466295229200001,
        0.64570338392,
        0.6592917179200001,
        0.64830961492,
        0.62781307492,
        0.66432991492,
        0.64564842692,
        0.6761314969200001,
        0.64265237192
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 0.6524248119200001,
      "stddev": 0.010496612469024625,
      "median": 0.65595147992,
      "user": 0.33715665999999994,
      "system": 1.2581817999999996,
      "min": 0.6330040279200001,
      "max": 0.6638360749200001,
      "times": [
        0.65404035092,
        0.6638360749200001,
        0.6330040279200001,
        0.6563483939200001,
        0.6388039109200001,
        0.65575497792,
        0.65614798192,
        0.6595988219200001,
        0.6432935619200001,
        0.6634200169200001
      ]
    }
  ]
}

@github-actions

Copy link
Copy Markdown
Contributor

🐰 Bencher Report

Branchpr/12421
Testbedpacquet
Click to view all benchmark results
BenchmarkLatencyBenchmark Result
milliseconds (ms)
(Result Δ%)
Upper Boundary
milliseconds (ms)
(Limit %)
isolated-linker.fresh-install.cold-cache.cold-store📈 view plot
🚷 view threshold
4,178.60 ms
(+2.81%)Baseline: 4,064.45 ms
4,877.34 ms
(85.67%)
isolated-linker.fresh-install.cold-cache.hot-store📈 view plot
🚷 view threshold
3,109.44 ms
(+8.31%)Baseline: 2,870.85 ms
3,445.02 ms
(90.26%)
isolated-linker.fresh-install.hot-cache.hot-store📈 view plot
🚷 view threshold
1,338.38 ms
(+7.45%)Baseline: 1,245.62 ms
1,494.74 ms
(89.54%)
isolated-linker.fresh-restore.cold-cache.cold-store📈 view plot
🚷 view threshold
3,759.35 ms
(-4.81%)Baseline: 3,949.21 ms
4,739.05 ms
(79.33%)
isolated-linker.fresh-restore.hot-cache.hot-store📈 view plot
🚷 view threshold
634.80 ms
(+1.70%)Baseline: 624.22 ms
749.06 ms
(84.75%)
🐰 View full continuous benchmarking report in Bencher

@github-actions

Copy link
Copy Markdown
Contributor

🐰 Bencher Report

Branchpr/12421
Testbedpnpr

⚠️ WARNING: No Threshold found!

Without a Threshold, no Alerts will ever be generated.

Click here to create a new Threshold
For more information, see the Threshold documentation.
To only post results if a Threshold exists, set the --ci-only-thresholds flag.

Click to view all benchmark results
BenchmarkLatencymilliseconds (ms)
isolated-linker.fresh-install.cold-cache.cold-store📈 view plot
⚠️ NO THRESHOLD
2,208.88 ms
isolated-linker.fresh-install.cold-cache.hot-store📈 view plot
⚠️ NO THRESHOLD
654.76 ms
isolated-linker.fresh-install.hot-cache.hot-store📈 view plot
⚠️ NO THRESHOLD
668.86 ms
isolated-linker.fresh-restore.cold-cache.cold-store📈 view plot
⚠️ NO THRESHOLD
2,204.29 ms
isolated-linker.fresh-restore.hot-cache.hot-store📈 view plot
⚠️ NO THRESHOLD
672.65 ms
🐰 View full continuous benchmarking report in Bencher

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 15, 2026

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit 7742b7f

@zkochan zkochan merged commit d91e2ed into main Jun 15, 2026
8 of 9 checks passed
@zkochan zkochan deleted the chore/update-lockfile branch June 15, 2026 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant