pnpm 10.34.3: Backports Critical .npmrc Security Fix

Originally published on pnpm Releases


Summary & Key Takeaways

  • Backported the security fix preventing environment variable expansion in project .npmrc files.
  • Closed a bypass allowing project .npmrc to load repo-supplied files as trusted configuration.
  • Improved warning messages for ignored environment variables in .npmrc to guide migration.
  • Users may need to move authentication tokens out of committed .npmrc files.
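
As an added example (not code from pnpm or from this digest), the script below lists the lines of a project .npmrc that rely on environment variable placeholders, so they can be reviewed before upgrading. It assumes the `${NAME}` placeholder syntax and the credential settings `_authToken`, `_auth` and `_password`; it does not reproduce pnpm's own parsing, and the sample file is constructed.

```python
import re
import sys

# ${NAME} placeholders, as written in .npmrc keys and values (assumed syntax).
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
# Settings that carry registry credentials (assumed list, compared lower-cased).
CREDENTIAL_KEYS = ("_authtoken", "_auth", "_password")

# Constructed sample input, not taken from a real project.
SAMPLE = """\
; constructed sample
registry=https://registry.example.test/
//registry.example.test/:_authToken=${NPM_TOKEN}
# //old.example.test/:_authToken=${OLD_TOKEN}
@acme:registry=https://${ARTIFACT_HOST}/npm/
strict-ssl=true
"""


def audit_npmrc(text):
    """Return (line_no, key, [variables], is_credential) for lines using ${...}."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        key, _, value = line.partition("=")
        key = key.strip()
        variables = PLACEHOLDER.findall(key) + PLACEHOLDER.findall(value)
        if not variables:
            continue
        # Scoped keys look like //host/path/:_authToken; compare the last part.
        setting = key.rsplit(":", 1)[-1].lower()
        findings.append((line_no, key, variables, setting in CREDENTIAL_KEYS))
    return findings


if __name__ == "__main__":
    # Pass the path of a project .npmrc, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, key, variables, is_cred in audit_npmrc(text):
        label = "credential" if is_cred else "setting"
        # Values are never printed, so literal secrets do not reach the output.
        print(f"line {line_no}: {label} {key} references {', '.join(variables)}")
```

Lines reported as `credential` are the ones the last takeaway above concerns.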

Our Commentary

Good to see pnpm backporting critical security fixes to older major versions. It shows a commitment to user security across the ecosystem. The bypass fix is also a smart move, closing another potential vector for malicious repos.

© 2026 digestweb.dev — brought to you by  FRSOURCE