pnpm 11 ships with new supply chain security defaults: Minimum Release Age is now set to 24 hours (newly published package versions are not installed until they are at least one day old, which gives a compromised release time to be noticed and pulled before it lands in your tree), exotic subdependencies (transitive dependencies resolved from git repositories or tarball URLs instead of the registry) are blocked by default, and a new allowBuilds model consolidates build-script execution controls into a single allow list. The release also adds native publishing commands (no longer delegating to the npm CLI), built-in SBOM generation (CycloneDX 1.7 / SPDX 2.3), audit fixes applied through lockfile updates, a SQLite-backed store for faster installs, and isolated global installs. Node.js 22 is now required. Looking ahead, pnpm v12 plans to integrate Pacquet, a Rust-based installation engine, with benchmarks showing install times dropping from 2.3 s to under 1 s in warm-cache scenarios.
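As an added example (not taken from the Socket post or from the pnpm project), here is a pnpm-workspace.yaml that makes the release-age and build-script controls described above explicit and tightens them. The setting names minimumReleaseAge, minimumReleaseAgeExclude and allowBuilds follow the pnpm 10.x documentation and are assumed to carry the same meaning in pnpm 11; the values and the package names are illustrative.

```yaml
# pnpm-workspace.yaml (added example; setting names per pnpm 10.x docs,
# values and package names are assumptions for illustration)

# Quarantine window in minutes. pnpm 11's default is 1440 (24 h); a release
# branch can afford a longer wait. This only delays versions that are newer
# than the window; anything already pinned in pnpm-lock.yaml is unaffected,
# so it is a delay, not a malware check.
minimumReleaseAge: 4320

# Packages you publish yourself and need to consume immediately after
# release (hypothetical scope).
minimumReleaseAgeExclude:
  - "@acme/*"

# Build-script allow list: install/postinstall scripts run only for packages
# explicitly set to true. Unlisted packages have their scripts skipped, so a
# dependency that gains a postinstall in a later version cannot run code on
# install until someone reviews it and adds it here.
allowBuilds:
  esbuild: true
  sharp: true
```

Entries for allowBuilds can also be added interactively with `pnpm approve-builds`; keep the map to packages whose native build step you have actually looked at, and review the diff of this file in pull requests the same way you would review pnpm-lock.yaml.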

From socket.dev (6 min read)
Table of contents
Supply Chain Protection On by Default
Blocking Exotic Subdeps
A New Allow Builds Model
Other Highlights From pnpm 11
pnpm v12 Is Set to Introduce a Rust Installation Engine