digestweb.dev
Curated by FRSOURCE


pnpm 10.33.4: Enhanced Git Tarball Security and Monorepo Filter Fix

Worth Reading

Originally published on pnpm Releases


Summary & Key Takeaways

  • pnpm 10.33.4 is a patch release focusing on security and filtering behavior.
  • It pins the integrity of git-hosted tarballs in the lockfile, preventing tampering or substitution of dependencies.
  • A new gitHosted: true field is added to lockfile resolutions for git dependencies, improving consistency.
  • Fixes a regression where pnpm --recursive --filter '!<pkg>' commands incorrectly included the workspace root.
  • The workspace root is now correctly excluded by default when only negative --filter arguments are provided.
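
A lockfile check that follows from the integrity pinning summarized above, as an added example that is not code from pnpm or from the original article: it lists resolutions that name a tarball (or are marked gitHosted: true) but carry no integrity value. It assumes single-line `resolution: {...}` entries; the sample lockfile, package names, URLs, commits and hashes are constructed placeholders, and `parseFlowMapping` and `auditLockfile` are hypothetical helper names.

```javascript
// Added example: flag lockfile resolutions that fetch a tarball without a pinned integrity.
// Assumption: each resolution is a single-line flow mapping, `resolution: {key: value, ...}`.
// SAMPLE_LOCKFILE is constructed; package names, URLs, commits and hashes are placeholders.
const SAMPLE_LOCKFILE = `
packages:

  registry-lib@1.2.0:
    resolution: {integrity: sha512-PLACEHOLDERregistry==}

  git-lib@https://codeload.github.com/example-org/git-lib/tar.gz/0000000:
    resolution: {tarball: https://codeload.github.com/example-org/git-lib/tar.gz/0000000}
    version: 0.4.1

  pinned-git-lib@https://codeload.github.com/example-org/pinned-git-lib/tar.gz/1111111:
    resolution: {gitHosted: true, integrity: sha512-PLACEHOLDERgit==, tarball: https://codeload.github.com/example-org/pinned-git-lib/tar.gz/1111111}
    version: 2.0.0
`;

// Split "a: 1, b: 2" into {a: '1', b: '2'}. URLs survive because "https://" has no ": ".
function parseFlowMapping(text) {
  const fields = {};
  for (const part of text.split(/,\s+/)) {
    const idx = part.indexOf(': ');
    if (idx > 0) fields[part.slice(0, idx).trim()] = part.slice(idx + 2).trim();
  }
  return fields;
}

// Return one finding per package whose tarball (or gitHosted) resolution has no integrity.
function auditLockfile(lockfileText) {
  const findings = [];
  let currentPackage = null;
  for (const line of lockfileText.split(/\r?\n/)) {
    const key = line.match(/^ {2}(\S.*):\s*$/);
    if (key) {
      currentPackage = key[1].replace(/^'|'$/g, '');
      continue;
    }
    const res = line.match(/^\s+resolution:\s*\{(.*)\}\s*$/);
    if (!res || currentPackage === null) continue;
    const fields = parseFlowMapping(res[1]);
    const fetchesTarball = Boolean(fields.tarball) || fields.gitHosted === 'true';
    if (fetchesTarball && !fields.integrity) {
      findings.push({ package: currentPackage, tarball: fields.tarball || null });
    }
  }
  return findings;
}
console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Run against a real pnpm-lock.yaml by passing the file's text to `auditLockfile`; an empty result means every tarball resolution it recognised carries an integrity value.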

Our Commentary

It's great to see pnpm backporting critical security fixes like the git-hosted tarball integrity pinning to older major versions. This shows a strong commitment to user security across the board.

The --filter regression fix is also a welcome improvement for monorepo users. These kinds of subtle behavioral changes can be frustrating, so getting it right is important for developer experience. Overall, a solid maintenance release.

© 2026 digestweb.dev — brought to you by FRSOURCE