pnpm 11 Release Candidate: ESM Distribution, Supply Chain Defaults and a New Store Format

· Source: InfoQ · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

The pnpm 11 Release Candidate reworks the package manager around performance, supply chain safety, and a stricter configuration surface. It ships as pure ESM and requires Node.js v22 or later. Key features include a new SQLite-backed store index, isolated global installs via a global virtual store, and a unified `allowBuilds` setting for controlling which dependencies may run build scripts. The release tightens security defaults: `minimumReleaseAge` now defaults to 1 day, so a freshly published version is not resolved until it has been public for that long, and `blockExoticSubdeps` defaults to true, refusing transitive dependencies that resolve to non-registry sources such as git repositories or URL tarballs. Both defaults respond to recent supply chain incidents in the npm ecosystem. Performance work includes a move to undici for HTTP, direct-to-store writes, and pre-allocated tarball downloads. New `pnpm ci` and `pnpm sbom` commands extend pnpm's security and efficiency advantages over npm and Yarn.
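To make the two new defaults concrete, the following is an added example written for this summary, not pnpm's own code: a small model of what a release-age policy does at resolution time, and of what an "exotic subdependency" check looks like over a lockfile-shaped structure. The packument, the lockfile snapshot, the package names and the clock value are all constructed for the example; the semver handling is deliberately limited to exact versions and caret ranges, and the age is taken in minutes (1 day = 1440) as pnpm's setting is. pnpm's real resolver and lockfile format are more involved than this.

```javascript
const MINUTES = 60 * 1000;

// Constructed clock and packument (the registry document's `time` map).
// Version 1.4.0 was "published" 20 minutes before NOW; the rest are older.
const NOW = Date.parse('2025-01-10T12:00:00Z');
const PACKUMENT = {
  name: 'example-lib', // hypothetical package
  time: {
    '1.2.0': '2024-11-01T08:00:00Z',
    '1.3.0': '2024-12-15T08:00:00Z',
    '1.3.1': '2025-01-08T09:30:00Z',
    '1.4.0': '2025-01-10T11:40:00Z',
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exact versions and caret ranges only ("^1.3.0": same major, >= 1.3.0).
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// Pick the highest version matching `range` that was published at least
// `minAgeMinutes` before `now`. Returns null when nothing is old enough,
// which is the failure mode a minimum release age introduces on purpose.
function resolveWithMinimumAge(packument, range, minAgeMinutes, now = Date.now()) {
  const cutoff = now - minAgeMinutes * MINUTES;
  const candidates = Object.entries(packument.time)
    .filter(([version, published]) =>
      satisfies(version, range) && Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed lockfile-like snapshot. `importers` lists the project's direct
// dependencies; `packages` records how every package was resolved.
const LOCKFILE = {
  importers: { '.': { dependencies: { 'app-helper': '2.0.0' } } },
  packages: {
    'app-helper@2.0.0': {
      resolution: { tarball: 'https://registry.npmjs.org/app-helper/-/app-helper-2.0.0.tgz' },
      dependencies: { 'left-util': '1.0.0', 'sneaky-dep': '0.0.0' },
    },
    'left-util@1.0.0': {
      resolution: { tarball: 'https://registry.npmjs.org/left-util/-/left-util-1.0.0.tgz' },
    },
    'sneaky-dep@0.0.0': {
      // A transitive dependency pulled from git instead of the registry.
      resolution: { type: 'git', repo: 'https://example.invalid/sneaky.git', commit: 'abc123' },
    },
  },
};

// Report transitive packages whose resolution is not a tarball from the
// configured registry. Direct dependencies are skipped: those are the
// project's own explicit choice, which is what blockExoticSubdeps leaves alone.
function findExoticSubdeps(lockfile, registryHost = 'registry.npmjs.org') {
  const direct = new Set();
  for (const importer of Object.values(lockfile.importers)) {
    for (const [name, version] of Object.entries(importer.dependencies || {})) {
      direct.add(`${name}@${version}`);
    }
  }
  const exotic = [];
  for (const [key, pkg] of Object.entries(lockfile.packages)) {
    if (direct.has(key)) continue;
    const r = pkg.resolution || {};
    const fromRegistry = typeof r.tarball === 'string' &&
      new URL(r.tarball).host === registryHost;
    if (!fromRegistry) exotic.push(key);
  }
  return exotic;
}

console.log(resolveWithMinimumAge(PACKUMENT, '^1.3.0', 1440, NOW)); // 1.3.1, not the 20-minute-old 1.4.0
console.log(findExoticSubdeps(LOCKFILE)); // [ 'sneaky-dep@0.0.0' ]
```

Run with `node`. With the age set to 0 the first call picks 1.4.0, which is the behaviour a compromised-maintainer publish relies on; with a range nothing satisfies (for example `^2.0.0`) it returns null rather than falling back to a newer version, and an install that stops there is the intended outcome, not a bug to work around.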

Key takeaway

pnpm 11 RC tightens supply chain defaults, improves install performance, and streamlines configuration. It requires Node.js v22+ and ships as pure ESM, defaults `minimumReleaseAge` to 1 day and `blockExoticSubdeps` to true, and adds a SQLite-backed store index and a `pnpm sbom` command for SBOM generation. For teams exposed to npm supply chain attacks, the release-age delay and the block on non-registry transitive dependencies are the changes that most directly reduce exposure, and they now apply without any configuration.

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.