digestweb.dev

Your essential dose of webdev and AI news, handpicked.

pnpm 11.5.3: .npmrc Security Backport & Bootstrap Hardening

Originally published on pnpm Releases

Summary & Key Takeaways

  • Backported the security fix preventing environment variable expansion in project .npmrc files.
  • Stopped expanding environment variables in repository-controlled registry/proxy destinations and credential values.
  • Ensured package-manager bootstrap dependencies are resolved using only trusted configuration sources.
  • Rejected env-lockfile records that lack registry package paths with integrity-only resolution.
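
The first two takeaways affect any checked-in .npmrc that relies on `${VAR}` placeholders for registry, proxy, or credential settings. The script below is an added example, not code from pnpm or the original article: it scans .npmrc text and reports such lines so they can be moved to a trusted configuration source. The key patterns, function names, and sample file are assumptions made for illustration.

```javascript
// Added example: flag env-var placeholders in a project-level .npmrc.
// The key patterns are an assumed selection of npm/pnpm settings that name
// a destination or hold a credential; extend them to match your own policy.
const PLACEHOLDER = /\$\{([^}]+)\}/g;

function classifyKey(key) {
  // Host-scoped credentials look like "//host/:_authToken".
  if (/(^|:)(_authToken|_auth|_password|username)$/.test(key)) return "credential";
  // "registry", "@scope:registry", "proxy", "http-proxy", "https-proxy".
  if (/^(@[^:]+:)?registry$/.test(key) || /^(https?-)?proxy$/.test(key)) return "destination";
  return null;
}

function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) return; // comments
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const kind = classifyKey(key);
    if (!kind) return; // unrelated settings are out of scope for this check
    // Check the key too: a host-scoped key carries the destination itself.
    const vars = [...(key + "=" + value).matchAll(PLACEHOLDER)].map((m) => m[1]);
    if (vars.length) findings.push({ line: i + 1, key, kind, vars });
  });
  return findings;
}

// Constructed sample of a repository-controlled .npmrc (not from the article).
const SAMPLE_NPMRC = [
  '# project .npmrc',
  'registry=https://${REGISTRY_HOST}/',
  '@acme:registry=https://npm.example.test/',
  '//npm.example.test/:_authToken=${NPM_TOKEN}',
  'https-proxy=http://${PROXY_USER}:${PROXY_PASS}@proxy.example.test:8080',
  'auto-install-peers=${SOME_FLAG}',
  '; comment=${IGNORED}',
].join("\n");

for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  console.log(`line ${f.line}: ${f.kind} setting "${f.key}" uses ${f.vars.join(", ")}`);
}
```
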

Our Commentary

More security backports from pnpm. This consistent patching across versions is commendable. It's a reminder that even seemingly minor configuration files can have major security implications if not handled carefully.

© 2026 digestweb.dev — brought to you by  FRSOURCE