digestweb.dev
Curated by FRSOURCE


pnpm 10.34.2: .npmrc Security Backport & Trusted Config Enforcement

Originally published on pnpm Releases


Summary & Key Takeaways

  • Backported the security fix preventing environment variable expansion in project .npmrc files.
  • Closed a bypass allowing project .npmrc to load repo-supplied files as trusted configuration.
  • Ensured package-manager bootstrap traffic is resolved exclusively through trusted registry and network configurations.
  • Users are advised to move sensitive tokens out of committed .npmrc files.
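To act on the last takeaway, the sketch below audits the text of a committed project .npmrc for literal credentials and for `${VAR}` placeholders, which per this release are no longer expanded from project files. It is an added example, not pnpm's code; it assumes the standard npm credential keys `_authToken`, `_auth` and `_password`, and the sample file content is constructed.

```javascript
// Added example: audit a project-level .npmrc for committed credentials and
// ${VAR} placeholders. Assumption: only the standard npm credential keys are
// treated as secrets. The sample content is constructed for illustration.
const CREDENTIAL_KEYS = /(^|:)(_authToken|_auth|_password)$/;
const ENV_REF = /\$\{[^}]+\}/;

function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blanks and comments (.npmrc is ini-style: '#' and ';' start comments).
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (CREDENTIAL_KEYS.test(key)) {
      // A secret committed in clear text, or one that relied on env expansion.
      const kind = ENV_REF.test(value) ? 'credential-from-env' : 'literal-credential';
      findings.push({ line: i + 1, key, kind });
    } else if (ENV_REF.test(key) || ENV_REF.test(value)) {
      // Non-credential setting that depends on expansion in the project file.
      findings.push({ line: i + 1, key, kind: 'env-reference' });
    }
  });
  return findings;
}

// Constructed sample of a committed project .npmrc.
const SAMPLE = [
  '# constructed sample',
  'registry=https://registry.example.test/',
  '//registry.example.test/:_authToken=${NPM_TOKEN}',
  '//registry.example.test/:_password=Y29uc3RydWN0ZWQ=',
  '@acme:registry=https://${REGISTRY_HOST}/npm/',
  'auto-install-peers=true',
].join('\n');

for (const f of auditNpmrc(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.key})`);
}
```

Findings of kind `literal-credential` are secrets to rotate and move out of the repository; the other two kinds mark settings that need to come from a user-level or otherwise trusted configuration after upgrading.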

Our Commentary

Yet another pnpm security backport. The sheer number of these recent pnpm releases focused on .npmrc security makes me wonder how long this vulnerability has been lurking. It's a good thing they're addressing it so thoroughly now.

© 2026 digestweb.dev — brought to you by  FRSOURCE