pnpm 11 RC: ESM, SQLite, Security Defaults
Alps Wang
Apr 22, 2026 · 1 views
pnpm's Leap Forward
The pnpm 11 RC release signifies a substantial evolution for the package manager, particularly its embrace of ESM distribution and a new SQLite-backed store index. This move to pure ESM, while requiring Node.js v22+, positions pnpm for future JavaScript ecosystem trends and promises performance gains. The SQLite index is a particularly interesting database-centric innovation, aiming to improve the efficiency of package lookups and management. The enhanced security defaults, like the 1-day minimumReleaseAge and blockExoticSubdeps defaulting to true, are a direct response to growing supply chain concerns, making pnpm a more attractive option for security-conscious developers and organizations. The consolidation of build script configuration into a single allowBuilds option simplifies the developer experience and aligns with stricter build policies. This proactive approach to security and simplified configuration demonstrates a commitment to developer productivity and trust.
However, the abrupt dropping of support for Node.js versions 18-21 might pose a challenge for some users who are not yet ready to upgrade their Node.js runtime. While a compatibility matrix is provided, the transition might require effort for those with legacy projects. The debate around the effectiveness of the 'dependency cooldown' period also highlights a nuanced aspect of security – balancing attack mitigation with the speed of critical patch deployment. While pnpm's approach aims to reduce immediate risks, it's crucial for developers to understand that this is one layer of defense, not a complete solution. The move away from the 'pnpm' field in package.json and npm_config_ environment variables, while leading to a cleaner configuration surface, will require users to adapt their existing setups and potentially update CI/CD pipelines. Despite these considerations, the overall direction of pnpm 11 RC points towards a more robust, secure, and performant package management experience, solidifying its position as a strong competitor in the JavaScript tooling landscape.
Key Points
- pnpm 11 RC introduces a new SQLite-backed store index for improved performance.
- Enhanced security defaults include a 1-day minimum release age and blocking exotic subdependencies by default.
- The package manager is now distributed as pure ESM and requires Node.js v22+, dropping support for older versions.
- Build script configuration is simplified with a single `allowBuilds` option.
- Global installs are now properly isolated with dedicated directories and configuration.
- New commands like `pnpm ci`, `pnpm sbom`, and `pnpm clean` are introduced.
- Performance optimizations include using undici with Happy Eyeballs and direct-to-store writes.
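To make the "dependency cooldown" trade-off discussed above concrete, here is an added example (not pnpm's own code, and not from the linked release notes) of what a minimum-release-age check does during version resolution. It takes registry metadata in the packument shape the npm registry returns (a `versions` object and a `time` map of version to ISO publish timestamp), skips every version published less than `minimumReleaseAgeMinutes` ago, and returns the newest remaining one. The sample packument and the fixed "now" are constructed for the example; the function names are assumptions, not pnpm APIs. It also shows the cost the text mentions: with a 1-day cooldown a release published three hours ago is held back even if it is a critical patch.

```javascript
// Added example, not pnpm's code: a minimal "dependency cooldown" resolver.
// Versions younger than the minimum release age are skipped, which gives a
// malicious or compromised release time to be reported and unpublished
// before it reaches installs. The cost is that a freshly published fix is
// also held back for the same period.

// Parse "major.minor.patch" (optionally "-prerelease") into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Compare two parsed versions; a release sorts above a prerelease of the same number.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Returns { version, skipped }: `version` is the newest version old enough to
// pass the cooldown (null if none is), `skipped` lists the versions held back.
// A version with no publish timestamp is treated as too new (fail closed).
function resolveWithCooldown(packument, { minimumReleaseAgeMinutes, now = Date.now(), includePrerelease = false } = {}) {
  const cutoff = now - minimumReleaseAgeMinutes * 60 * 1000;
  const eligible = [];
  const skipped = [];
  for (const version of Object.keys(packument.versions)) {
    const parsed = parseSemver(version);
    if (!parsed) continue;
    if (parsed.pre !== null && !includePrerelease) continue;
    const publishedAt = Date.parse(packument.time?.[version] ?? '');
    if (Number.isNaN(publishedAt) || publishedAt > cutoff) {
      skipped.push(version);
      continue;
    }
    eligible.push({ version, parsed });
  }
  eligible.sort((a, b) => compareSemver(b.parsed, a.parsed));
  return { version: eligible.length ? eligible[0].version : null, skipped: skipped.sort() };
}

// Constructed sample packument (not real registry data). "now" is fixed so the
// run is deterministic: 2.0.0 was published 3 hours ago, 1.2.0 five days ago.
const NOW = Date.parse('2026-04-22T12:00:00Z');
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.0' },
  versions: { '1.1.0': {}, '1.2.0': {}, '2.0.0': {}, '2.1.0-beta.1': {} },
  time: {
    '1.1.0': '2026-03-01T00:00:00Z',
    '1.2.0': '2026-04-17T12:00:00Z',
    '2.0.0': '2026-04-22T09:00:00Z',
    '2.1.0-beta.1': '2026-04-22T11:30:00Z',
  },
};

// Side by side: the pnpm 11 default (1 day = 1440 minutes) versus no cooldown.
function demo() {
  return {
    oneDay: resolveWithCooldown(SAMPLE_PACKUMENT, { minimumReleaseAgeMinutes: 1440, now: NOW }),
    noCooldown: resolveWithCooldown(SAMPLE_PACKUMENT, { minimumReleaseAgeMinutes: 0, now: NOW }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the 1-day setting the resolver picks `1.2.0` and reports `2.0.0` as held back; with no cooldown it picks `2.0.0`. If every version is younger than the window, `version` is `null`, which is the case a lockfile or an exclusion list for urgent patches has to cover; the example resolves one package in isolation and does not model ranges, dist-tags or exclusions.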

📖 Source: pnpm 11 Release Candidate: ESM Distribution, Supply Chain Defaults and a New Store Format
