pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.

pnpm 10.25 improves certificate handling, adds a bare pnpm init, and ships several quality-of-life fixes.

We got lucky with Shai-Hulud 2.0.

pnpm now scales network concurrency automatically on high-core machines and ships several reliability fixes.

Added --lockfile-only option to pnpm list and various improvements to pnpm self-update.

Added support for excluding packages from trust policy and overriding the engines field on publish.

Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.

This release adds a --all flag for the pnpm help command to print all commands.

This release adds version-scoped controls to two settings: [onlyBuiltDependencies] and [minimumReleaseAgeExclude].

Minor Changes

Minor Changes

Minor Changes

Minor Changes

Added support for JavaScript runtime installation

It is the end of the year. A really hard year. As you may know, I live in Ukraine, so due to Russia's war against us, it was harder to lead this project than in previous years. Nevertheless, it was a good year for pnpm. We've got a lot of new users, contributors, and we have implemented many great features.

It is the end of the year and it was a good year for pnpm, so let's see how it went.

There are many ways to create a node_modules directory.

New users of pnpm frequently ask me about the weird structure of node_modules that pnpm creates. Why is it not flat? Where are all the sub-dependencies?