pnpm
@pnpmjs
Fast, disk space efficient package manager. Sponsor us: on GitHub: https://t.co/cS3OP24kZH, on OpenCollective: https://t.co/zyVORTsELN
Joined August 2016
The Seattle Times is piloting pnpm’s client-side defenses—blocked lifecycle scripts, release cooldowns, and trust policy—to stop worms like Shai-Hulud 2.0 before they land. Read their story: https://t.co/Vg4C9Qj9q6
pnpm.io
We got lucky with Shai-Hulud 2.0.
The incidents keep happening. This remains a good idea for pnpm v11 https://t.co/tdjItvkelw
Yet another reminder to use @pnpmjs's minimum dependency age‼️ https://t.co/jg8d7vUoLR
pnpm.io
pnpm gets its configuration from the command line, environment variables, pnpm-workspace.yaml, and
🔥 New npm attack DETECTED! A campaign dubbed “Sha1-Hulud: The Second Coming” has compromised hundreds of packages and over 25,000 GitHub repos. The code runs during install, steals cloud logins, and if that fails, it deletes the user’s home folder. Read more ↓
Maintaining a CLI app? You can now target only the latest Node.js version — pnpm will install it automatically as a dependency for your app. https://t.co/HO8oUNGq6J
🧩 Node.js runtime installation for dependencies pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field. Example:
We have discovered that chokidar switched off provenance a year ago and now it fails with the trustPolicy setting set to no-downgrade. We'll need to think about a way to deal with these cases. https://t.co/fSEJQYWr1e
A new setting, trustPolicy, adds protection against supply-chain attacks. When set to no-downgrade, pnpm will fail installation if a package’s trust level drops — e.g. from a trusted publisher → provenance only → no trust evidence.
🎯 In short: Safer installs 🛡️ Smarter runtime management ⚙️ Upgrade to pnpm v10.21: pnpm self-update Full changelog 👉
pnpm.io
Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.
This feature helps detect and block potentially compromised releases, such as when a package’s maintainer changes or its build pipeline loses attestation.
If a package is a CLI app, pnpm will bind that CLI to the specified Node.js version — so it always runs with the compatible runtime, regardless of what’s installed globally. Even postinstall scripts will be executed with the right Node.js version.
🚀 pnpm v10.21 is out! This release introduces two powerful new security & compatibility features: 1️⃣ Automatic Node.js runtime installation for dependencies 2️⃣ Configurable trust policy for detecting supply-chain downgrades 🧵👇
💖 This Sep & Oct, we have forwarded our Open Collective fund to support @chris_zyyv @webfansplz @bluwyoo @KazariEX_0929 @vida_0905 https://t.co/c0zAHED24w https://t.co/x2Cmytmkfr @pnpmjs @iconify_design Join us to show appreciation for our deps and help them be sustainable!
esm.sh
A fast, smart & global CDN for modern(es2015+) web development.
Surprisingly, none of the package managers are published using OIDC publishing today. Even npm CLI. I did configure OIDC publishing for @pnpmjs, so it will be "trusted" in the next version
I remember using CKEditor at JustAnswer and being really excited when they were considering pnpm years ago. They decided not to switch back then — feels good to win them over at last. https://t.co/vhsCw8tej5
It's impressive to see how quickly @pnpmjs added support for "minimal dependency age" ( https://t.co/3Wl5MDXGBa) after the recent supply chain attacks on npm 😍 By a total coincidence, just a month ago, we finished a migration to pnpm. We definitely don’t look back 🚀 And today,
This is nice. We did not have to make any changes on our side to make this work https://t.co/CqNiIRgpNO