digestweb.dev
Curated by FRSOURCE


pnpm 11.0.7: Key Fixes for Windows, `node_modules`, and Git Tarball Security

Worth Reading

Originally published on pnpm Releases


Summary & Key Takeaways

  • pnpm 11.0.7 is a patch release addressing several important issues.
  • It restores the execute bit on `node-gyp` shims, resolving permission denied errors on Windows.
  • Fixes `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows, which previously dropped users into an interactive prompt.
  • Corrects an issue where `pnpm install` would recreate `node_modules` after `pnpm fetch` due to changes in hoist patterns.
  • Introduces a security enhancement by pinning the integrity of git-hosted tarballs in the lockfile, preventing tampering or substitution.
  • A new `gitHosted: true` field is added to lockfile resolutions for git dependencies.
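
What a pinned integrity value buys for a git-hosted tarball, as an added example (not pnpm's own code): the entry shape with `tarball`, `integrity` and `gitHosted` is an assumption based on the fields named above, the URLs and tarball bytes are constructed, and `checkResolution` and `audit` are hypothetical helpers.

```javascript
const crypto = require('node:crypto');

// Parse an SRI-style string ("sha512-<base64>") into algorithm and raw digest.
function parseIntegrity(integrity) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(integrity || '');
  return m ? { algorithm: m[1], digest: Buffer.from(m[2], 'base64') } : null;
}

// Compute the integrity string for a tarball's bytes.
function computeIntegrity(bytes, algorithm = 'sha512') {
  return `${algorithm}-${crypto.createHash(algorithm).update(bytes).digest('base64')}`;
}

// Classify one resolution entry (assumed shape) against the bytes a host served.
function checkResolution(resolution, bytes) {
  if (!resolution.gitHosted) return 'not-git-hosted';
  const pinned = parseIntegrity(resolution.integrity);
  if (!pinned) return 'unpinned'; // URL only: nothing to compare the download against
  const actual = crypto.createHash(pinned.algorithm).update(bytes).digest();
  const same = actual.length === pinned.digest.length &&
    crypto.timingSafeEqual(actual, pinned.digest);
  return same ? 'ok' : 'mismatch';
}

// Constructed sample data: the bytes recorded at lock time, and different
// bytes later served from the same URL.
const original = Buffer.from('constructed tarball contents v1');
const substituted = Buffer.from('constructed tarball contents v1 + extra file');
const URL_A = 'https://git-host.example/acme/lib/tar.gz/<commit>';

const lockfileResolutions = [
  { tarball: URL_A, gitHosted: true, integrity: computeIntegrity(original) },
  // Entry without a pinned integrity value
  { tarball: 'https://git-host.example/acme/other/tar.gz/<commit>', gitHosted: true },
];

// Audit every entry against what each URL served (a map of URL -> bytes).
function audit(resolutions, served) {
  return resolutions.map((r) => ({
    tarball: r.tarball,
    status: checkResolution(r, served[r.tarball]),
  }));
}

console.log(audit(lockfileResolutions, { [URL_A]: substituted }));
```

The same URL serving different bytes is reported as `mismatch` only for the pinned entry; the URL-only entry has nothing to be checked against.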

Our Commentary

It's always good to see build tools addressing platform-specific quirks, especially on Windows where things can get tricky. The fixes for `pnpx` aliases and `node_modules` recreation are solid quality-of-life improvements.

However, the most impactful change here is the pinning of git-hosted tarball integrity. This is a crucial security enhancement that we at digestweb are thrilled to see. Relying solely on URLs for git dependencies was a significant attack vector, and this change makes the supply chain much more robust. It's a small detail that makes a big difference for trust.

© 2026 digestweb.dev — brought to you by FRSOURCE