digestweb.dev
Curated by FRSOURCE


pnpm 10.34.1 Patches Critical Package Integrity Vulnerability

Originally published on pnpm Releases


Summary & Key Takeaways

  • pnpm 10.34.1 fixes a critical security vulnerability in package integrity verification.
  • Previously, missing integrity fields in pnpm-lock.yaml could lead to unverified package installations.
  • The update now rejects lockfile entries without an integrity field, preventing tampering.
  • This closes a potential attack vector where malicious content could be served.
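
A CI-side check for the condition described above, as an added example (not code from pnpm or from the original release notes): it scans a pnpm-lock.yaml and reports package entries whose resolution has no integrity value or one that is not a well-formed SRI string. The v9-style lockfile layout, the skipped resolution types, and the names auditLockfile and SAMPLE are assumptions of this sketch.

```javascript
// Added example: flag pnpm-lock.yaml package entries without a usable integrity value.
// Assumption: v9-style layout with an inline `resolution: {...}` map under each key of
// `packages:`. This is a line scanner for that layout, not a full YAML parser.
const SRI = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;
function auditLockfile(text) {
  const findings = [];
  let inPackages = false;
  let current = null; // entry being read: { name, resolution }
  const flush = () => {
    // Assumption: directory and git entries are pinned by other means and skipped here.
    if (current && !/\btype:\s*(directory|git)\b/.test(current.resolution)) {
      const m = current.resolution.match(/\bintegrity:\s*([^,}\s]+)/);
      if (!m) findings.push({ name: current.name, problem: 'missing integrity' });
      else if (!SRI.test(m[1])) findings.push({ name: current.name, problem: 'malformed integrity' });
    }
    current = null;
  };
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // a new top-level section begins
      flush();
      inPackages = /^packages:\s*$/.test(line);
      continue;
    }
    if (!inPackages) continue;
    const key = line.match(/^ {2}(\S.*):\s*$/); // two-space indent: a package key
    if (key) {
      flush();
      current = { name: key[1].replace(/^'|'$/g, ''), resolution: '' };
    } else if (current) {
      const res = line.match(/^ {4}resolution:\s*(.*)$/);
      if (res) current.resolution = res[1];
    }
  }
  flush();
  return findings;
}
// Constructed sample lockfile (not from a real project); the digest is a placeholder.
const SAMPLE = [
  'packages:',
  "  '@example/ok@1.0.0':",
  `    resolution: {integrity: sha512-${'A'.repeat(86)}==}`,
  '  example-stripped@2.0.0:',
  '    resolution: {tarball: https://registry.example.invalid/example-stripped-2.0.0.tgz}',
  '  example-weak@3.0.0:',
  '    resolution: {integrity: md5-abc}',
  'snapshots:',
].join('\n');
console.log(auditLockfile(SAMPLE));
```

Running this against the lockfile in a pull request surfaces entries whose integrity was stripped or altered before any install happens, independent of the pnpm version on the build machine.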

Our Commentary

A patch release, but a crucial one. We're seeing more and more supply chain attacks, so a fix that prevents tampered packages from being installed, even with a modified lockfile, is a big win for security. It's a good reminder to keep our package managers updated.

© 2026 digestweb.dev — brought to you by FRSOURCE