digestweb.dev

pnpm 11.4 Boosts Security: Stricter Integrity Checks & Credential Scoping

Originally published on pnpm Releases

Summary & Key Takeaways

  • Tarball integrity mismatches now cause a hard failure by default, preventing silent re-resolution and lockfile overwrites.
  • A new --update-checksums flag allows refreshing locked integrity values from the registry.
  • Fixed a credential disclosure issue where unscoped _authToken or _auth could be sent to unintended registries.
  • Client TLS credentials (cert, key) are also now scoped to their declared registry.
  • pnpm runtime set now saves to devEngines.runtime by default; pass --save-prod to write engines.runtime instead.

Our Commentary

This is a big deal. Silently overwriting lockfile integrity was a gaping hole, and I'm glad they're mirroring Yarn's flag for a safer default. The credential fix is also crucial; it's a good reminder that even our build tools need constant vigilance. These are the kinds of security updates that truly matter for the ecosystem.

© 2026 digestweb.dev — brought to you by  FRSOURCE