pnpm
@pnpm.io
Fast, disk space efficient package manager
pnpm.io
pnpm.io
🎯 In short:
Safer installs 🛡️
Smarter runtime management ⚙️
Upgrade to pnpm v10.21:
pnpm self-update
Full changelog 👉 pnpm.io/blog/release...
Safer installs 🛡️
Smarter runtime management ⚙️
Upgrade to pnpm v10.21:
pnpm self-update
Full changelog 👉 pnpm.io/blog/release...
pnpm 10.21 | pnpm
Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.
pnpm.io
November 10, 2025 at 3:18 PM
🎯 In short:
Safer installs 🛡️
Smarter runtime management ⚙️
Upgrade to pnpm v10.21:
pnpm self-update
Full changelog 👉 pnpm.io/blog/release...
Safer installs 🛡️
Smarter runtime management ⚙️
Upgrade to pnpm v10.21:
pnpm self-update
Full changelog 👉 pnpm.io/blog/release...
This feature helps detect and block potentially compromised releases, such as when a package’s maintainer changes or its build pipeline loses attestation.
November 10, 2025 at 3:18 PM
This feature helps detect and block potentially compromised releases, such as when a package’s maintainer changes or its build pipeline loses attestation.
A new setting, trustPolicy, adds protection against supply-chain attacks.
When set to no-downgrade, pnpm will fail installation if a package’s trust level drops — e.g.
from a trusted publisher → provenance only → no trust evidence.
When set to no-downgrade, pnpm will fail installation if a package’s trust level drops — e.g.
from a trusted publisher → provenance only → no trust evidence.
November 10, 2025 at 3:18 PM
A new setting, trustPolicy, adds protection against supply-chain attacks.
When set to no-downgrade, pnpm will fail installation if a package’s trust level drops — e.g.
from a trusted publisher → provenance only → no trust evidence.
When set to no-downgrade, pnpm will fail installation if a package’s trust level drops — e.g.
from a trusted publisher → provenance only → no trust evidence.
If a package is a CLI app, pnpm will bind that CLI to the specified Node.js version — so it always runs with the compatible runtime, regardless of what’s installed globally.
Even postinstall scripts will be executed with the right Node.js version.
Even postinstall scripts will be executed with the right Node.js version.
November 10, 2025 at 3:18 PM
If a package is a CLI app, pnpm will bind that CLI to the specified Node.js version — so it always runs with the compatible runtime, regardless of what’s installed globally.
Even postinstall scripts will be executed with the right Node.js version.
Even postinstall scripts will be executed with the right Node.js version.
🧩 Node.js runtime installation for dependencies
pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field.
Example:
pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field.
Example:
November 10, 2025 at 3:18 PM
🧩 Node.js runtime installation for dependencies
pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field.
Example:
pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field.
Example:
The website's repository is at github.com/pnpm/pnpm.io
GitHub - pnpm/pnpm.io: pnpm's website
pnpm's website. Contribute to pnpm/pnpm.io development by creating an account on GitHub.
github.com
July 28, 2025 at 9:17 PM
The website's repository is at github.com/pnpm/pnpm.io
If a dependency has no dependencies of its own, it can be symlinked from a single location. Also, we have an option to symlink from a single location all dependencies: pnpm.io/settings#ena...
Settings (pnpm-workspace.yaml) | pnpm
pnpm gets its configuration from the command line, environment variables, pnpm-workspace.yaml, and
pnpm.io
July 21, 2025 at 11:10 AM
If a dependency has no dependencies of its own, it can be symlinked from a single location. Also, we have an option to symlink from a single location all dependencies: pnpm.io/settings#ena...
Yes, but it will be saved to devEngines in package.json. Internally for pnpm it is a new version spec and a new entry in dev deps. I am not sure yet if env use will work with it
July 20, 2025 at 9:17 AM
Yes, but it will be saved to devEngines in package.json. Internally for pnpm it is a new version spec and a new entry in dev deps. I am not sure yet if env use will work with it
