
Posts by pnpm

pnpm's experimental global virtual store

Without the global virtual store, each worktree would have its own .pnpm virtual store inside node_modules, with hardlinks or copies of every package. With enableGlobalVirtualStore: true, pnpm keeps all package contents in a single shared directory (the global store, which you can find by running pnpm store path), and each worktree's node_modules contains symlinks pointing there:

your-monorepo/                      (bare git repo)
> main/                           (worktree: main branch)
>> packages/
>> node_modules/
>>> lodash → <global-store>/links/@/lodash/...
>>> express → <global-store>/links/@/express/...
> feature-auth/                   (worktree: feat/auth branch)
>> node_modules/
>>> lodash → <global-store>/links/@/lodash/...  ← same target
>>> express → <global-store>/links/@/express/...
> fix-api/                        (worktree: fix/api-error branch)
>> node_modules/
>>> lodash → <global-store>/links/@/lodash/...  ← same target
>>> express → <global-store>/links/@/express/...


@pnpm.io's experimental global virtual store is brilliant. The install performance gains are a game-changer for git flows. You get near-zero per-worktree overhead and instant installs for new worktrees as packages are already in the global store. @kochan.io can't stop making pnpm better 🤌

2 hours ago
pnpm + Git Worktrees for Multi-Agent Development | pnpm When multiple AI agents need to work on the same monorepo simultaneously, they each need an isolated working copy with fully functional node_modules. Git worktrees combined with pnpm's global virtual s...

pnpm + Git Worktrees for Multi-Agent Development

pnpm.io/11.x/git-wor...

4 weeks ago

In the GitHub repository

1 month ago

No, see my last sentence. For project code it is the default.

1 month ago
Settings (pnpm-workspace.yaml) | pnpm pnpm gets its configuration from the command line, environment variables, pnpm-workspace.yaml, and

No, not by default. You have to set hoist to false (pnpm.io/settings#hoist). Your project's code can't access b and c though.

1 month ago

Additionally, pnpm 11 will block dependencies from exotic sources (like Git) in subdependencies.

2 months ago
Migrating a Multi-Repo Setup from Yarn Classic to pnpm | CKEditor How CKEditor migrated a multi-repository setup from Yarn Classic to pnpm - adding lockfiles for stable LTS builds, faster CI installs, and reliable linking.

Great write up by @filipsobol.bsky.social about our @pnpm.io migration: ckeditor.com/blog/migrati...

2 months ago
🚀 pnpm in 2025 | pnpm 2025 has been a transformative year for pnpm. While our primary focus was redefining the security model of package management, we also delivered significant improvements in performance and developer e...

🚀pnpm 2025 recap: 2x download growth, new homepage, my first JSNation talk, and v10 feature highlights

pnpm.io/blog/2025/12...

3 months ago
pnpm 10.26 | pnpm pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.

Check the docs for the full changelog

pnpm.io/blog/release...

3 months ago

📦 Block Exotic Sub-dependencies

Want to secure your dependency tree?

Enable blockExoticSubdeps: true. This prevents transitive dependencies (deps of deps) from resolving "exotic" protocols like git+ssh: or direct https: tarballs.

Keep the weird stuff out of your deep dependency graph. 🕵️‍♂️

3 months ago

🔒 Stricter Git Dependencies

Security just tightened up. Git-hosted dependencies are now blocked from running prepare scripts during install by default.

To run them, you must now explicitly whitelist them in allowBuilds. This prevents malicious code from sneaking in via untrusted git repos.

3 months ago

The Main Feature (allowBuilds) 🛡️ Granular Script Control

Meet allowBuilds. This new setting replaces onlyBuiltDependencies as the preferred way to manage scripts.

It accepts a map to explicitly allow (true) or block (false) execution—even for specific versions!

3 months ago

pnpm 10.26 is here!

This release focuses heavily on locking down supply chain security and giving you granular control over build scripts.

From stricter git defaults to the new allowBuilds config, here’s a breakdown of the changes. 🧵👇

#pnpm #javascript

3 months ago
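The two policies from the 10.26 thread above (blockExoticSubdeps and allowBuilds, including the default block on prepare scripts of git-hosted dependencies) evaluated over a small dependency graph, as an added illustration. This is example code written for this page, not pnpm's implementation: the graph object, its field names (resolution.type, resolution.tarball, scripts, deps) and the package names are all constructed here and only loosely follow the shape of pnpm-lock.yaml. The thread says allowBuilds can also target specific versions; that syntax is not modelled, only package-name keys are.

```javascript
// Constructed settings object, as it would be read from pnpm-workspace.yaml.
const settings = {
  blockExoticSubdeps: true,
  allowBuilds: {
    esbuild: true,        // install scripts may run
    'some-git-dep': true, // git-hosted dep: its prepare script may run
    sharp: false,         // explicitly blocked
  },
};

// Constructed, lockfile-shaped dependency graph (not a real pnpm-lock.yaml).
const graph = {
  direct: ['esbuild', 'left-pad', 'sharp', 'my-fork'],
  packages: {
    esbuild:        { resolution: { integrity: 'sha512-EXAMPLE' }, scripts: ['postinstall'], deps: [] },
    'left-pad':     { resolution: { integrity: 'sha512-EXAMPLE' }, scripts: [], deps: ['some-git-dep', 'tarball-dep', 'native-thing'] },
    sharp:          { resolution: { integrity: 'sha512-EXAMPLE' }, scripts: ['install'], deps: [] },
    // A direct git dependency is allowed; blockExoticSubdeps only concerns deps of deps.
    'my-fork':      { resolution: { type: 'git', repo: 'https://github.com/example/my-fork.git', commit: 'deadbeef' }, scripts: [], deps: [] },
    'some-git-dep': { resolution: { type: 'git', repo: 'ssh://git@github.com/example/some-git-dep.git', commit: 'abc123' }, scripts: ['prepare'], deps: [] },
    'tarball-dep':  { resolution: { tarball: 'https://example.com/tarball-dep-1.0.0.tgz' }, scripts: [], deps: [] },
    'native-thing': { resolution: { integrity: 'sha512-EXAMPLE' }, scripts: ['install'], deps: [] },
  },
};

// "Exotic" here means resolved from a git repository or a direct tarball URL
// rather than from a registry (the two cases the thread names).
function isExotic(resolution) {
  return resolution.type === 'git' || typeof resolution.tarball === 'string';
}

// Walks the graph from the direct dependencies; every package reached through an
// edge but not listed as direct is a sub-dependency and is subject to the block.
function findBlockedExoticSubdeps(graph, settings) {
  if (!settings.blockExoticSubdeps) return [];
  const direct = new Set(graph.direct);
  const seen = new Set();
  const queue = [...graph.direct];
  const blocked = [];
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const pkg = graph.packages[name];
    if (!direct.has(name) && isExotic(pkg.resolution)) blocked.push(name);
    queue.push(...pkg.deps);
  }
  return blocked.sort();
}

// Build scripts run only for packages explicitly set to true in allowBuilds.
// Anything else (including a git dep with a prepare script) stays blocked;
// false records an explicit decision rather than relying on the default.
function buildDecision(name, pkg, settings) {
  if (pkg.scripts.length === 0) return 'no-scripts';
  const allowed = settings.allowBuilds[name];
  if (allowed === true) return 'run';
  if (allowed === false) return 'blocked-explicitly';
  return 'blocked-by-default';
}

function evaluateBuilds(graph, settings) {
  const out = {};
  for (const [name, pkg] of Object.entries(graph.packages)) {
    out[name] = buildDecision(name, pkg, settings);
  }
  return out;
}
```

Run against the constructed graph, findBlockedExoticSubdeps reports some-git-dep and tarball-dep (both reachable only through left-pad) while the direct git dependency my-fork passes, and evaluateBuilds lets only esbuild and some-git-dep run their scripts.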
How We're Protecting Our Newsroom from npm Supply Chain Attacks | pnpm We got lucky with Shai-Hulud 2.0.

The Seattle Times is piloting pnpm’s client-side defenses—blocked lifecycle scripts, release cooldowns, and trust policy—to stop worms like Shai-Hulud 2.0 before they land.
Read their story:
pnpm.io/blog/2025/12...

4 months ago

pnpm v10.22 is out

pnpm.io/blog/release...

4 months ago
pnpm 10.21 | pnpm Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.

🎯 In short:
Safer installs 🛡️
Smarter runtime management ⚙️

Upgrade to pnpm v10.21:

pnpm self-update

Full changelog 👉 pnpm.io/blog/release...

5 months ago

This feature helps detect and block potentially compromised releases, such as when a package’s maintainer changes or its build pipeline loses attestation.

5 months ago

A new setting, trustPolicy, adds protection against supply-chain attacks.

When set to no-downgrade, pnpm will fail installation if a package's trust level drops, e.g. from a trusted publisher → provenance only → no trust evidence.

5 months ago
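The no-downgrade rule from the post above, written out as an added example. This is not pnpm's code: it models the three trust levels the post lists (trusted publisher, provenance only, no evidence) as an ordered scale and fails a planned upgrade when the new version sits lower on that scale than the version already installed. The per-version metadata fields (trustedPublisher, provenance) and the version table are constructed for the example; how pnpm actually derives trust evidence from the registry is not shown.

```javascript
// Trust levels ordered strongest to weakest, as in the post:
// trusted publisher -> provenance only -> no trust evidence.
const TRUST_LEVELS = ['trusted-publisher', 'provenance', 'none'];

// Derives a level from constructed per-version metadata (field names are assumptions).
function trustLevelOf(versionMeta) {
  if (versionMeta.trustedPublisher) return 'trusted-publisher';
  if (versionMeta.provenance) return 'provenance';
  return 'none';
}

function rank(level) {
  return TRUST_LEVELS.indexOf(level); // lower index = stronger evidence
}

// previous: level recorded for the installed version, or null on a first install.
// next: level of the version about to be installed.
// Any policy value other than 'no-downgrade' performs no check.
function checkNoDowngrade(previous, next, policy = 'no-downgrade') {
  if (policy !== 'no-downgrade' || previous === null) return { ok: true };
  if (rank(next) > rank(previous)) {
    return { ok: false, reason: `trust downgraded from ${previous} to ${next}` };
  }
  return { ok: true };
}

// Constructed history of one package: evidence weakens release by release,
// the pattern a maintainer-account takeover or a broken build pipeline produces.
const versions = {
  '1.0.0': { trustedPublisher: true, provenance: true },
  '1.1.0': { provenance: true },
  '1.2.0': {},
};

function planUpgrade(installedVersion, targetVersion, policy = 'no-downgrade') {
  const previous = installedVersion ? trustLevelOf(versions[installedVersion]) : null;
  const next = trustLevelOf(versions[targetVersion]);
  return checkNoDowngrade(previous, next, policy);
}
```

With this table, moving from 1.0.0 to 1.1.0 or from 1.1.0 to 1.2.0 is refused, a fresh install of 1.2.0 is allowed (there is nothing to compare against), and going back up the scale is always fine.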

If a package is a CLI app, pnpm will bind that CLI to the specified Node.js version — so it always runs with the compatible runtime, regardless of what’s installed globally.

Even postinstall scripts will be executed with the right Node.js version.

5 months ago

🧩 Node.js runtime installation for dependencies

pnpm can now automatically install the Node.js version required by a dependency, declared in its engines.runtime field.

Example:

5 months ago

🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades

🧵👇

5 months ago

The pnpm repository has 33K stars!

5 months ago

pnpm v10.19 is out!

pnpm.io/blog/release...

5 months ago
pnpm with Zoltan Kochan - Software Engineering Daily Traditional package management systems for JavaScript have faced several inefficiencies related to dependency storage, resolution, and project performance. pnpm is a fast, disk-efficient package manag...

Zoltan Kochan is a full stack web developer and the creator of @pnpm.io. He joins the show with @joshuakgoldberg.com to talk about the state of package management for web dev.

@kochan.io

softwareengineeringdaily.com/2025/09/18/p...

6 months ago
Mitigating supply chain attacks | pnpm Sometimes npm packages are compromised and published with malware. Luckily, there are companies like [Socket], [Snyk], and [Aikido] that detect these compromised packages early. The npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risks.

Published an article about mitigating supply chain attacks with pnpm
pnpm.io/supply-chain...

6 months ago
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -... pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.

After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS

6 months ago
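What a release cooldown like minimumReleaseAge does during resolution, as an added example (not pnpm's, Taze's or npm-check-updates' code): given a registry packument's time map (version → publish timestamp, the shape the npm registry returns), choose the newest version that has been public for at least the configured number of minutes and report the ones skipped as too young. The packument and the "now" used in the usage note are constructed for the example; only plain x.y.z versions are compared, prerelease tags are not handled.

```javascript
// Constructed packument for a fictional package. The `time` map mirrors the
// npm registry format, including the non-version `created`/`modified` keys.
const packument = {
  name: 'example-lib',
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-06-10T12:00:00.000Z',
    '2.0.0': '2024-03-01T00:00:00.000Z',
    '2.0.1': '2024-05-20T00:00:00.000Z',
    '2.1.0': '2024-06-10T12:00:00.000Z', // published only hours before the example "now"
  },
};

function parseSemver(v) {
  return v.split('.').map(Number);
}

// Numeric x.y.z comparison; enough for the constructed data.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Returns { version, skipped }: the newest version published at or before the
// cutoff, plus every newer version that is still inside the cooldown window.
function selectWithCooldown(packument, minimumReleaseAgeMinutes, now) {
  const cutoff = now.getTime() - minimumReleaseAgeMinutes * 60 * 1000;
  const candidates = Object.entries(packument.time)
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key)) // drop created/modified
    .map(([version, published]) => ({ version, publishedAt: Date.parse(published) }))
    .sort((a, b) => compareSemver(b.version, a.version)); // newest first
  const skipped = candidates.filter((c) => c.publishedAt > cutoff).map((c) => c.version);
  const pick = candidates.find((c) => c.publishedAt <= cutoff);
  return { version: pick ? pick.version : null, skipped };
}
```

With now = 2024-06-10T18:00Z and a one-day cooldown (1440 minutes), 2.1.0 is skipped and 2.0.1 is installed even though dist-tags.latest points at 2.1.0; with the cooldown set to 0 the latest version is taken. If every published version is younger than the window, version comes back null and the caller has to decide whether to wait or fail.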

pnpm v10.14 is shipped with support for runtime engine installation. Node, Deno, and Bun are supported.

pnpm.io/blog/release...

8 months ago
GitHub - pnpm/pnpm.io: pnpm's website pnpm's website. Contribute to pnpm/pnpm.io development by creating an account on GitHub.

The website's repository is at github.com/pnpm/pnpm.io

8 months ago

It is explained on the github release page of v10.0.0.

8 months ago
Settings (pnpm-workspace.yaml) | pnpm pnpm gets its configuration from the command line, environment variables, pnpm-workspace.yaml, and

If a dependency has no dependencies of its own, it can be symlinked from a single location. Also, we have an option to symlink from a single location all dependencies: pnpm.io/settings#ena...

8 months ago