jun 10, 2026
4 links from the engineering internet.
pnpm 11.5.3 hardens against env var expansion in untrusted registry config
the package manager stops expanding environment variables in registry, proxy, and credential values pulled from repo-controlled .npmrc and workspace registry urls. dynamic registry urls and tokens now have to come from trusted user, global, cli, or env config.
envoy 1.35.12 adds opt-in http/2 header histograms
the proxy's patch release adds opt-in histograms for http/2 header stats, covering header-entry count, header-map byte size, and reassembled cookie length, plus a runtime flag to cap reassembled cookie size. it also fixes rtds runtime-guard override removal.
transformers 5.11.0 adds diffusiongemma for faster text generation
hugging face transformers v5.11.0 adds diffusiongemma, an encoder-decoder model that denoises a full block of tokens with a diffusion sampler instead of emitting one token at a time, aiming for faster inference than standard causal decoding.
langchain 1.3.6 patches summarization trigger compatibility
the langchain core package ships a 1.3.6 patch that preserves summarization trigger compatibility, restoring prior behavior for callers that depend on the existing summarization-trigger path after recent changes.