[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fL3TvDLgLuWCtrhhbij3XPN_JbfOzRkQK02UoXZvTn5c":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"96cf1692-e89a-4e3c-9a5d-f81d0c5bcdf9","pnpm 11.5 Adds Support for Recognizing npm Staged Publishes","pnpm-11-5-adds-support-for-recognizing-npm-staged-publishes-01e522","pnpm 11.5 now treats npm staged publishing approvals as strong trust evidence, fixing a false-positive downgrade warning that could appear when packages used npm’s newer 2FA-backed release flow. The change lands as npm continues tightening package publishing controls after a series of credential theft and token abuse incidents. In the Mini Shai-Hulud campaign, attackers used stolen npm tokens to publish malicious package versions, prompting npm to invalidate granular access tokens and accelerate changes that reduce reliance on long-lived publishing credentials. Staged publishing places a package version in a staging state before it becomes installable, requiring a maintainer with publish access to approve the release through a 2FA challenge. When a package version’s registry metadata includes an approver field, pnpm now ranks it above trusted publishing and provenance attestations. Staged publish approval is treated as pnpm’s strongest trust signal, rather than being mistaken for a fallback to less-secure traditional token-based publishing.

Staged Approval Metadata Triggered a False Downgrade

The fix follows a report from Kevin Deng, who found that pnpm’s trustPolicy: no-downgrade setting could incorrectly treat staged publishing approval as a downgrade from trusted publishing. The no-downgrade policy is meant to warn when a package appears to move from a stronger publishing mechanism to a weaker one. That is useful for detecting suspicious changes, such as a package that previously used trusted publishing but later appears to fall back to classic account or token-based publishing. Staged publishing complicated that logic. The issue noted that pnpm appeared to infer whether a package used trusted publishing by inspecting the _npmUser field. But when staged publishing is enabled, _npmUser may point to the npm user who approved the staged publish. That made a package version look like a downgrade, even when the release still came through a trusted publishing flow. pnpm 11.5 resolves this by recognizing staged publishing approval as its own trust signal. If registry metadata includes an approver, pnpm treats the release as having the strongest trust evidence rather than classifying it as a downgrade.

The related npm community discussion points to a larger metadata problem for package managers and security tools. In that discussion, Deng asked npm to expose explicit registry metadata showing how a package version was published, including whether it used trusted publishing or staged publishing. The point is that tools should not have to infer publishing security properties from fields like _npmUser, especially as npm adds more publishing modes. npm now supports several release paths with different security properties:
- Classic publishing can still involve user credentials, automation tokens, and 2FA depending on the project’s configuration.
- Trusted publishing lets maintainers publish from supported CI\u002FCD providers using OIDC instead of long-lived npm tokens.
- Staged publishing adds a review step before a version becomes installable, requiring a maintainer with publish access to approve the release through 2FA.
Those mechanisms can also be combined. npm has said staged publishing works with trusted publishing, allowing CI to push a version into staging while a human maintainer separately approves it before release. For package managers and scanners, this adds a new responsibility: accurately interpreting the security properties of a version based on the metadata exposed by the registry. pnpm’s fix is a practical example of how package managers are adapting to npm’s newer security model. As registry publishing workflows become more granular, install tools need more precise metadata to avoid both missed warnings and noisy false positives.

Other Supply Chain Updates in pnpm 11.5

pnpm 11.5 includes several other supply-chain-adjacent fixes:
- improved minimumReleaseAgeExclude handling, so excluded packages are not pinned to stale versions in npm resolution fast paths
- preservation of the integrity field for remote HTTPS tarball dependencies when unrelated packages are installed afterward
- browser-based 2FA handling for pnpm dist-tag add and pnpm dist-tag rm against npmjs.org
For staged publishes, the update is mainly about avoiding misclassification. pnpm 11.5 keeps staged publishes from being misread as a downgrade from trusted publishing to classic user or token-based publishing, which should reduce noisy no-downgrade alerts for projects using npm’s newer release controls.","pnpm 11.5 now correctly recognizes npm's staged publishing approvals as the strongest trust evidence, fixing a false-positive downgrade warning that occurred when packages used npm's 2FA-backed release flow. The fix addresses a logic issue where pnpm misclassified staged publishing approval metadata as a downgrade from trusted publishing. 
This update reflects broader changes in npm's publishing security model following credential theft and token abuse incidents like the Mini Shai-Hulud campaign.","pnpm 11.5 adds support for npm staged publishing approvals as trust signals.","","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fpnpm-11-5-adds-support-for-recognizing-npm-staged-publishes?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fe1bb94bf0c46665f4340b88dc24e774748442c71-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-06-04T03:50:53.125+00:00","2026-06-04T06:00:07.443924+00:00",7,[18,21,23,26,28,30],{"name":19,"type":20},"pnpm","product",{"name":22,"type":20},"npm",{"name":24,"type":25},"OIDC","technology",{"name":27,"type":25},"2FA",{"name":29,"type":25},"Trusted Publishing",{"name":31,"type":32},"Mini Shai-Hulud","campaign","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":33,"icon":35,"name":36,"slug":37},null,"Supply Chain","supply-chain",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[]]