diff --git a/pnpm-10.28.0.tgz b/pnpm-10.28.0.tgz deleted file mode 100644 index 1feaa27..0000000 --- a/pnpm-10.28.0.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9b0b04e6e79945566917f8411bb6f65fd2f3e1590426904e8500e1acc4b33561 -size 4186199 diff --git a/pnpm-10.28.2.tgz b/pnpm-10.28.2.tgz new file mode 100644 index 0000000..8677359 --- /dev/null +++ b/pnpm-10.28.2.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:afa99b0b4b3d11c1dad2b472f9318ae2c78673829749ded527f89f09071479a7 +size 4197451 diff --git a/pnpm.changes b/pnpm.changes index cb9325a..d77eece 100644 --- a/pnpm.changes +++ b/pnpm.changes 
@@ -1,3 +1,80 @@ +------------------------------------------------------------------- +Tue Jan 27 06:31:09 UTC 2026 - Johannes Kastl + +- update to 10.28.2: + * Patch Changes + - Security fix: prevent path traversal in directories.bin + field. + - When pnpm installs a file: or git: dependency, it now + validates that symlinks point within the package directory. + Symlinks to paths outside the package root are skipped to + prevent local data from being leaked into node_modules. + This fixes a security issue where a malicious package could + create symlinks to sensitive files (e.g., /etc/passwd, + ~/.ssh/id_rsa) and have their contents copied when the + package is installed. + Note: This only affects file: and git: dependencies. Registry + packages (npm) have symlinks stripped during publish and are + not affected. + - Fixed optional dependencies to request full metadata from the + registry to get the libc field, which is required for proper + platform compatibility checks #9950. +- update to 10.28.1: + * Patch Changes + - Fixed installation of config dependencies from private + registries. + Added support for object type in configDependencies when the + tarball URL returned from package metadata differs from the + computed URL #10431. + - Fix path traversal vulnerability in binary fetcher ZIP + extraction + - Validate ZIP entry paths before extraction to prevent + writing files outside target directory + - Validate BinaryResolution.prefix (basename) to prevent + directory escape via crafted prefix + - Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error + - Support plain http:// and https:// URLs ending with .git as + git repository dependencies. + Previously, URLs like + https://gitea.example.org/user/repo.git#commit were not + recognized as git repositories because they lacked the git+ + prefix (e.g., git+https://). This caused issues when + installing dependencies from self-hosted git servers like + Gitea or Forgejo that don't provide tarball downloads. 
+ Changes: + - The git resolver now runs before the tarball resolver, + ensuring git URLs are handled by the correct resolver + - The git resolver now recognizes plain http:// and https:// + URLs ending in .git as git repositories + - Removed the isRepository check from the tarball resolver + since it's no longer needed with the new resolver order + Fixes #10468 + - pnpm run -r and pnpm run --filter now fail with a non-zero + exit code when no packages have the specified script. + Previously, this only failed when all packages were selected. + Use --if-present to suppress this error #6844. + - Fixed a path traversal vulnerability in tarball extraction on + Windows. The path normalization was only checking for ./ but + not .\. Since backslashes are directory separators on + Windows, malicious packages could use paths like + foo\..\..\.npmrc to write files outside the package + directory. + - When running "pnpm exec" from a subdirectory of a project, + don't change the current working directory to the root of the + project #5759. + - Fixed a path traversal vulnerability in pnpm's bin linking. + Bin names starting with @ bypassed validation, and after + scope normalization, path traversal sequences like ../../ + remained intact. + - Revert Try to avoid making network calls with preferOffline + #10334. + - Fix --save-peer to write valid semver ranges to + peerDependencies for protocol-based installs (e.g. jsr:) by + deriving from resolved versions when available and falling + back to * if none is available #10417. + - Do not exclude the root workspace project, when it is + explicitly selected via a filter #10465. + ------------------------------------------------------------------- Mon Jan 19 09:13:44 UTC 2026 - Johannes Kastl diff --git a/pnpm.spec b/pnpm.spec index 505c7dd..259b3a8 100644 --- a/pnpm.spec +++ b/pnpm.spec 
@@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 10.28.0 +Version: 10.28.2 Release: 0 Summary: Fast, disk space efficient package manager License: MIT
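Review bot: the new source tarball enters the tree only as a Git LFS pointer (oid sha256:afa99b0b4b3d11c1dad2b472f9318ae2c78673829749ded527f89f09071479a7, size 4197451) in the pnpm-10.28.2.tgz hunk, and nothing in the diff ties that digest to the integrity value upstream publishes for pnpm-10.28.2.tgz; the spec hunk touches only the Version: line, so the Source: URL and any checksum handling are not visible here either. Since this update is being pulled in for security fixes, state in the change how the tarball was fetched and that its sha256 was compared against the npm registry's integrity field for 10.28.2, so a reviewer can verify provenance instead of trusting the pointer.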
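Review bot: the pnpm.changes hunk lists five distinct path-traversal or symlink fixes across 10.28.1 and 10.28.2 (directories.bin, binary fetcher ZIP extraction, tarball extraction on Windows with `.\` paths, bin linking with @-prefixed names, and symlinks in file:/git: dependencies) but cites no CVE, GHSA or bsc# identifier for any of them, while the non-security items do carry upstream issue numbers such as #10431 and #10468. If upstream or the security team has assigned identifiers for these fixes, add them to the respective entries; if none exist, say so in the entry, so that security tracking for this package does not depend on rereading the changelog prose.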