Zoltan Kochan
@kochan.io
Developer, maker of @pnpm.io
Works on dependency management at bit.dev
Reposted by Zoltan Kochan
🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades
🧵👇
November 10, 2025 at 3:18 PM
Reposted by Zoltan Kochan
pnpm 10.21: installing Node.js runtimes for dependencies, not installing dependencies with decreased trust levels, and more
@kochan.io @pnpm.io
pnpm.io/blog/release...
#ECMAScript #JavaScript
pnpm 10.21 | pnpm
Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.
pnpm.io
November 10, 2025 at 2:52 AM
Reposted by Zoltan Kochan
@pnpm.io added a `trustPolicy` option in 10.21.
It allows you to prevent installing potentially malicious dependency updates that are not signed like previous versions.
pnpm.io/blog/release...
Thank you for all the performance, productivity and security enhancements over the last years 💜
November 10, 2025 at 9:37 AM
Reposted by Zoltan Kochan
Zoltan Kochan is a full stack web developer and the creator of @pnpm.io. He joins the show with @joshuakgoldberg.com to talk about the state of package management for web dev.
@kochan.io
softwareengineeringdaily.com/2025/09/18/p...
pnpm with Zoltan Kochan - Software Engineering Daily
Traditional package management systems for JavaScript have faced several inefficiencies related to dependency storage, resolution, and project performance. pnpm is a fast, disk-efficient package manag...
softwareengineeringdaily.com
September 18, 2025 at 10:35 AM
Reposted by Zoltan Kochan
After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.
Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.
socket.dev/blog/pnpm-10... #NodeJS
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -...
pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.
socket.dev
September 15, 2025 at 6:28 PM
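The two pnpm settings discussed in the posts above, minimumReleaseAge (10.16) and trustPolicy (10.21), both come down to a decision made from registry metadata before a new version is installed. The block below is an added example and is not pnpm's code: it reimplements the two checks over a constructed npm packument using the real registry fields `time`, `dist.signatures` and `dist.attestations`. The three trust levels (provenance attestation, registry signature only, neither), the function names and the sample package `example-lib` are this example's own assumptions, not pnpm's.

```javascript
// Added example (not pnpm's implementation): pick a dependency version under a
// minimum release age and refuse a trust-level downgrade against the locked version.
// Assumed input: an npm registry packument with `time` (version -> ISO publish
// date) and `versions[v].dist` (real registry fields). Trust levels and the
// function names are assumptions made for this example.

const MS_PER_MINUTE = 60 * 1000;

// Trust level derived from what the registry reports for a version's tarball.
// 2: provenance attestation present, 1: registry signature only, 0: neither.
// (This three-level classification is the example's own assumption.)
function trustLevel(versionDoc) {
  const dist = (versionDoc && versionDoc.dist) || {};
  if (Array.isArray(dist.attestations) && dist.attestations.length > 0) return 2;
  if (Array.isArray(dist.signatures) && dist.signatures.length > 0) return 1;
  return 0;
}

// Compare plain x.y.z versions numerically (no prerelease handling, kept simple).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version published at least `minAgeMinutes` before `now`, or null.
// A younger version is skipped, so a freshly pushed (possibly hijacked) release
// is not picked up until it has aged and the ecosystem has had time to notice.
function pickMatureVersion(packument, minAgeMinutes, now = Date.now()) {
  const cutoff = now - minAgeMinutes * MS_PER_MINUTE;
  const candidates = Object.keys(packument.versions)
    .filter((v) => {
      const published = packument.time && packument.time[v];
      return Boolean(published) && Date.parse(published) <= cutoff;
    })
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// "No downgrade" trust policy: the candidate may not carry a lower trust level
// than the version already recorded in the lockfile.
function checkTrustPolicy(packument, lockedVersion, candidateVersion) {
  const before = trustLevel(packument.versions[lockedVersion]);
  const after = trustLevel(packument.versions[candidateVersion]);
  if (after < before) {
    return {
      ok: false,
      reason: `${packument.name}@${candidateVersion} has trust level ${after}, ` +
              `but the locked ${lockedVersion} has level ${before}`,
    };
  }
  return { ok: true, reason: null };
}

// Constructed sample packument (not real registry data): 1.2.3 was published with
// provenance a month ago; 1.2.4 appeared 10 minutes ago with no signature at all.
const NOW = Date.parse('2025-11-10T12:00:00Z');
const samplePackument = {
  name: 'example-lib',
  time: {
    '1.2.2': '2025-09-01T00:00:00Z',
    '1.2.3': '2025-10-10T00:00:00Z',
    '1.2.4': '2025-11-10T11:50:00Z',
  },
  versions: {
    '1.2.2': { dist: { signatures: [{ keyid: 'constructed', sig: 'constructed' }] } },
    '1.2.3': { dist: {
      signatures: [{ keyid: 'constructed', sig: 'constructed' }],
      attestations: [{ url: 'constructed', provenance: { predicateType: 'https://slsa.dev/provenance/v1' } }],
    } },
    '1.2.4': { dist: {} },
  },
};

function demo() {
  const locked = '1.2.3';
  // With a 24h minimum age, 1.2.4 (10 minutes old) is not eligible yet.
  const mature = pickMatureVersion(samplePackument, 24 * 60, NOW);
  // With no age requirement 1.2.4 is newest, but it fails the trust policy.
  const newest = pickMatureVersion(samplePackument, 0, NOW);
  const policy = checkTrustPolicy(samplePackument, locked, newest);
  return { mature, newest, policyOk: policy.ok, reason: policy.reason };
}

console.log(demo());
```

Run with `node`: the age rule alone holds the update back to 1.2.3, and even with the age rule switched off the trust check refuses 1.2.4 because it carries neither a signature nor an attestation while the locked 1.2.3 had provenance. Either check on its own would have stopped the constructed "hijacked release" scenario; together they cover both the case where the attacker keeps publishing with provenance and the case where they cannot.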
Wow, Hollywood is so creative
September 15, 2025 at 9:47 AM
I feel like pnpm will eventually grow from being a "npm alternative" to being a "nix alternative"
but "pnix" doesn't sound appropriate 😂
July 31, 2025 at 2:47 PM
With the changes to the lockfile format and the new types of fetchers that were added to pnpm, now it is really easy to make pnpm an installer for anything
bsky.app/profile/pnpm...
pnpm v10.14 is shipped with support for runtime engine installation. Node, Deno, and Bun are supported.
pnpm.io/blog/release...
July 31, 2025 at 2:32 PM
Reposted by Zoltan Kochan
when you open a service you've been using for a decade only to find out it caught the virus
July 5, 2025 at 5:52 PM
I am thinking about a better name for the pnpm "virtual store", which is where the dependency is written with its unique dependency graph. I couldn't find any prior art to this. Maybe "Package Context" could work. Or "fully resolved package store", but that's long.
June 27, 2025 at 7:47 PM
Many packages request funding by printing a message with postinstall scripts. What if instead of requesting funding we would promote sponsors? After all, we want companies to sponsor open source projects, as they are the ones that make profit from it.
June 26, 2025 at 12:35 AM
A lot of packages use postinstall scripts for printing out messages about funding. Could there be a better way to do this? pnpm doesn't even print the outputs from these scripts.
June 25, 2025 at 9:51 PM
🚀 Check out what we’ve been building at Bit:
Hope AI: Architect agent that builds professional software
www.producthunt.com/products/hop...
Hope AI: Architect agent that builds professional software | Product Hunt
Build maintainable, production-grade applications. Control generation at component-level with prompts and design sketches. Compose with design system and reusable components. Deploy instantly. Generat...
www.producthunt.com
June 25, 2025 at 10:15 AM
Reposted by Zoltan Kochan
@kochan.io's talk about configDependencies made me realize we forgot to document remote plugins on the Yarn website 🙈
June 12, 2025 at 10:08 AM
Reposted by Zoltan Kochan
Package manager summit with @kochan.io at #JSNation !
June 12, 2025 at 4:32 PM
Reposted by Zoltan Kochan
Tons of npm libs use github.com/cosmiconfig/... to load their config files. But, today I learned, if nodejs dies, the temporary file created by cosmiconfig remains 🤷♂️
I fixed this locally in 5 mins thanks to the amazing patch ability of @pnpm.io (kudos @kochan.io!) and the LLM era of code editors
GitHub - cosmiconfig/cosmiconfig: Find and load configuration from a package.json property, rc file, TypeScript module, and more!
Find and load configuration from a package.json property, rc file, TypeScript module, and more! - cosmiconfig/cosmiconfig
github.com
June 3, 2025 at 6:33 PM
A short demo of pnpm's speed with a new experimental option
YouTube video by pnpm
youtu.be
June 3, 2025 at 4:54 PM
I have copied over the list of trusted dependencies maintained by bun. So, you can use it with @pnpm.io if you want:
github.com/pnpm/trusted...
GitHub - pnpm/trusted-deps
Contribute to pnpm/trusted-deps development by creating an account on GitHub.
github.com
May 16, 2025 at 12:28 PM
I have searched GitHub for usages of "config dependencies". Found a single project for now: github.com/PSDTools/psd...
This is a hook that removes polyfills from dependencies if they are not needed.
github.com
May 6, 2025 at 9:11 AM
Reposted by Zoltan Kochan
We’re excited to share that the @nodejs.org website (nodejs.org) now builds using @pnpm.io! This switch has led to faster CI builds and more efficient dependency management.
Node.js — Run JavaScript Everywhere
Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.
nodejs.org
May 2, 2025 at 11:04 PM
Reposted by Zoltan Kochan
pnpm patch is a LIFE SAVER
May 1, 2025 at 7:28 PM
I am wondering if we should always use some custom protocols like "kahuna:" when the registry is not the public npm registry. So package.json would get something like this:
May 1, 2025 at 8:35 AM
Reposted by Zoltan Kochan