[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIlHJLcX4mhuDWrbNg7B3wPdz8ex_rFUJ1RFoD-ErGcE":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"5e650c32-81e4-4146-88ab-e7a649386e6a","pnpm 11.10 Hardens Registry Authentication to Block Token Redirection","pnpm-11-10-hardens-registry-authentication-to-block-token-redirection-ab40b7","pnpm 11.10 was released over the weekend as a small update that includes several supply chain hardening changes. The main change is a new way to configure registry authentication that keeps a repository's own files from redirecting your registry token to a different host. The release also tightens a few build and packaging commands and adds an install path for pnpm v12, the Rust rewrite. The new _auth setting ties each token to its registry # pnpm 11.10 adds an _auth setting that stores registry credentials in one structured value, keyed by registry URL. It can be set in pnpm's global config or, for CI, in a pnpm_config__auth environment variable. The security benefit is that the credential and the host it belongs to travel together, and pnpm reads _auth only from the environment or the global config, never from a project's files. That means a malicious or compromised pnpm-workspace.yaml or .npmrc inside a repository cannot point a valid token at a different host. A tampered project file is a common way attackers get a foothold, and redirecting a registry token is a direct route to stealing it, so closing that path removes exposure. This also resolves a problem pnpm created in June, when it stopped expanding environment variables in registry credentials set from project files like .npmrc, closing a path a malicious repo file could abuse. That hardening broke authentication for teams that were legitimately using environment variables in .npmrc for private registries, and _auth is the sanctioned replacement. pnpm v12, the Rust port, is now installable # Outside the security work, 11.10 adds an install path for pnpm v12, the Rust port. pnpm has been rewriting its installation engine in Rust to make installs faster and cut the overhead of the current Node.js implementation, and v12 is the first version to carry that work. It is still pre-release, but pnpm self-update next-12 will now install and link it from the next-12 tag. Because v12 ships as a native binary with no Node.js launcher, it starts without the Node.js startup cost that pnpm pays on every command today. From v12 on, updates settle on the standard pnpm package, now the Rust executable. Other hardening in the release # Several smaller changes follow the same theme of limiting what an attacker who controls a repository's files can do. pnpm deploy and pnpm pack-app now reject output paths that point outside the project. pack-app looks for macOS code-signing tools outside the project, so a repository cannot swap in its own signer. A prototype pollution hazard tied to a dependency named __proto__ was fixed. pnpm also stopped passing upstream registry credentials to install-accelerator servers, and added a new Node.js release signing key so runtime downloads keep verifying correctly. This continues a direction pnpm has been moving for several releases. pnpm 10 stopped running dependency lifecycle scripts automatically, and pnpm 11 turned on a one-day minimum release age and began blocking exotic subdependencies by default. With 11.10, pnpm is doing more of the work of enforcing supply chain security, beyond just resolving and installing dependencies.","pnpm version 11.10 introduces significant supply chain security enhancements, primarily by overhauling registry authentication to prevent token redirection to malicious hosts. This update also strengthens build and packaging commands, and introduces an install path for the upcoming Rust-based pnpm v12.","pnpm 11.10 hardens registry authentication and tightens build commands.","Security News\u002FResearchCoordinated npm and PyPI Campaign Typosquats Popular Secure Payment AppsSocket uncovered 17 malicious npm and PyPI packages typosquatting Paysafe, Skrill, and Neteller SDKs to steal developer secrets.By Joseph Edwards - Jul 07, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fpnpm-11-1-hardens-registry-authentication?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F86c5cb6f6611cf88251939003009383095a1d6eb-1600x900.png?w=1000&q=95&fit=max&auto=format","2026-07-08T05:01:39.304+00:00","2026-07-08T08:00:07.659928+00:00",7,[18,21],{"name":19,"type":20},"pnpm","product",{"name":22,"type":23},"npm","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":24,"icon":26,"name":27,"slug":28},null,"Supply Chain","supply-chain",[30,32,37,42],{"category":31},{"id":24,"icon":26,"name":27,"slug":28},{"category":33},{"id":34,"icon":26,"name":35,"slug":36},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":38},{"id":39,"icon":26,"name":40,"slug":41},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":43},{"id":44,"icon":26,"name":45,"slug":46},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]