pnpm 11.5 Adds Support for Recognizing npm Staged Publishes
pnpm 11.5 adds support for npm staged publishing approvals as trust signals.
Summary
pnpm 11.5 now correctly recognizes npm's staged publishing approvals as the strongest trust evidence, fixing a false-positive downgrade warning that occurred when packages used npm's 2FA-backed release flow. The fix addresses a logic issue where pnpm misclassified staged publishing approval metadata as a downgrade from trusted publishing. This update reflects broader changes in npm's publishing security model following credential theft and token abuse incidents like the Mini Shai-Hulud campaign.