pnpm v11 released

pnpm v11 has been released. The main changes are: Node.js 22 or later is now required, supply-chain protection is enabled by default, build-related settings are consolidated (allowBuilds), global installs are isolated from each other, the store index moves to SQLite, a native publish command replaces the npm CLI fallback, and the role of .npmrc settings is restricted. The release focuses on security hardening and performance.

https://news.hada.io/topic?id=29097

#pnpm #nodejs #javascript #packagemanager #supplychainsecurity

pnpm v11 released | GeekNews

Supply-chain protection enabled by default: to tighten security, minimumReleaseAge now defaults to 1440 minutes (one day), so a newly published package version can only be installed once it is 24 hours old. blockExoticSubdeps also defaults to true. Node.js 22+ required: Node.js 22 or later is now required…

GeekNews
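The two settings named above, pinned explicitly in pnpm-workspace.yaml, are shown here as an added example; it is not taken from the GeekNews post or from the pnpm project. Pinning them means a checkout built with an older pnpm 10.x gets the same posture instead of silently falling back to the old defaults, and pnpm-workspace.yaml is the right home now that v11 restricts what .npmrc may configure. minimumReleaseAge is in minutes. minimumReleaseAgeExclude is the companion allow-list documented for pnpm 10.x and is assumed here to keep its name and glob syntax in v11; "exotic" sub-dependencies are taken to mean transitive dependencies declared with non-registry specifiers such as git or tarball URLs.

```yaml
# Weak (pre-v11 behaviour): a version published a minute ago resolves immediately.
# minimumReleaseAge: 0
# blockExoticSubdeps: false

# Hardened (the pnpm 11 defaults, stated explicitly so older pnpm versions honour them too).
minimumReleaseAge: 1440            # minutes; a version must be at least 24 h old to be installed
minimumReleaseAgeExclude:          # assumed companion setting: packages you publish and consume yourself
  - "@example/internal-*"          # hypothetical scope, replace with your own
blockExoticSubdeps: true           # refuse git/tarball/URL specifiers in transitive dependencies
```

The exclude list is where the trade-off lives: every name on it resolves fresh releases with no quarantine, so keep it to packages whose publish pipeline you control.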

pnpm 11.0 released: newly published dependency packages are only eligible for resolution one day after publication by default
https://gihyo.jp/article/2026/04/pnpm-v11-release?utm_source=feed

#gihyo #技術評論社 #gihyo_jp #pnpm #JavaScript

pnpm 11.0 released: newly published dependency packages are only eligible for resolution one day after publication by default | gihyo.jp

pnpm 11.0, a major version of pnpm, the package manager that can be used as a drop-in for npm, was released on April 28, 2026.

gihyo.jp
pnpm 11.0 | pnpm

pnpm 11 is here! This release tightens the security defaults introduced throughout the v10 cycle, drops the npm CLI fallback for publishing in favor of a native implementation, replaces the JSON-per-package store index with a single SQLite database, and isolates global installs so they no longer interfere with each other.

pnpm 11.0 released - Mander

Lemmy

Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:

https://daniakash.com/posts/simplest-supply-chain-defense/

#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios

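To make the defense concrete, here is an added example, not code from the post above or from pnpm, of how a minimum-release-age policy decides which version to install. It works over a constructed registry packument for a fictional package (the real npm registry returns a `time` map of version to publish timestamp, which is all the policy needs) with a fixed clock so the result is deterministic. The newest version models a compromised release pushed less than two hours earlier; the `exclude` parameter plays the role of pnpm's minimumReleaseAgeExclude. Only caret ranges with a major of 1 or higher are modelled, and pre-release suffixes are not parsed.

```javascript
// Added example (not pnpm's code): a minimal model of the "minimum release age"
// policy, resolved against a constructed registry packument.

// Fixed clock so the example is deterministic (constructed).
const NOW = Date.parse("2026-04-29T12:00:00Z");

// Constructed packument for a fictional package. A real `time` map also carries
// "created" and "modified" keys, which resolve() skips.
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "1.13.5" },
  time: {
    created: "2026-03-01T10:00:00Z",
    modified: "2026-04-29T10:15:00Z",
    "1.12.0": "2026-03-01T10:00:00Z",
    "1.13.0": "2026-04-10T09:30:00Z",
    "1.13.4": "2026-04-26T08:00:00Z", // published about three days before NOW
    "1.13.5": "2026-04-29T10:15:00Z", // published 105 minutes before NOW (the "bad" release)
  },
};

const VERSION_RE = /^\d+\.\d+\.\d+$/;

// Parse "x.y.z" into numbers; pre-release suffixes are not handled in this model.
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret ranges with major >= 1 only: same major as the floor, and not below it.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are modelled");
  const floor = range.slice(1);
  return (
    parseVersion(version)[0] === parseVersion(floor)[0] &&
    compareVersions(version, floor) >= 0
  );
}

function ageMinutes(publishedIso, now) {
  return (now - Date.parse(publishedIso)) / 60000;
}

// Highest version satisfying `range` whose publish time is at least
// `minimumReleaseAgeMinutes` old. Names in `exclude` skip the delay. The
// `latest` dist-tag is deliberately ignored: it is set by whoever holds publish
// rights, so after a compromise it points straight at the quarantined release.
function resolve(pkg, range, minimumReleaseAgeMinutes, now = Date.now(), exclude = []) {
  const minAge = exclude.includes(pkg.name) ? 0 : minimumReleaseAgeMinutes;
  const eligible = Object.keys(pkg.time)
    .filter((v) => VERSION_RE.test(v))
    .filter((v) => satisfiesCaret(v, range))
    .filter((v) => ageMinutes(pkg.time[v], now) >= minAge)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null; // null: nothing old enough
}

// Usage: the delay quarantines the fresh release; a delay of 0 resolves it.
console.log(resolve(packument, "^1.13.0", 1440, NOW)); // 1.13.4
console.log(resolve(packument, "^1.13.0", 0, NOW));    // 1.13.5
console.log(resolve(packument, "^1.13.5", 1440, NOW)); // null
```

The `null` case is the one to think about before turning the setting on: a range whose only satisfying versions are all younger than the window cannot resolve at all, so a brand-new package, or a bump to a just-released version, will fail until the window passes or the package is put on the exclude list. That friction is the price of the 24-hour head start over the people who find and yank a compromised release.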

Supply-chain security woes! Here's a simple configuration that will improve your PNPM security posture along with a nudge towards something even deeper!

https://coderlegion.com/14098/configuring-pnpm-to-tackle-the-supply-chain-bonfire

#NodeJS #Security #PNPM

Configuring PNPM to tackle the supply chain bonfire

You have probably faced the same dilemma. If you let your dependencies get out of date, the chances are you'll harbor a code vulnerability. If you update them too soon, you potentially introduce a malicious version with a supply chain attack. This may...

Coder Legion
Release pnpm 11 Beta 0 · pnpm/pnpm

Major Changes Store Runtime dependencies are always linked from the global virtual store #10233. Optimized index file format to store the hash algorithm once per file instead of repeating it for e...

GitHub
axios had malware planted in it

Yesterday's big news: this time the supply chain attack hit axios: "axios Compromised on npm - Malicious Versions Drop Remote Access Trojan (via)". Unless your project has deliberately avoided it and tries to use the native Fetch API instead, you almost certainly depend on it, and if you happened to run npm update during that window you got hit... The malicious code runs through a dependency plus postinstall: The malicious versions inject a new dependency, [email protected].

Gea-Suan Lin's BLOG

[Quick tip] When generated files (package-lock.json and the like) conflict, don't merge them by hand
https://qiita.com/ssc-ksaitou/items/667ef87273d3aa78bfae?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #Git #npm #小ネタ #package_json #pnpm

[Quick tip] When generated files (package-lock.json and the like) conflict, don't merge them by hand - Qiita

Introduction: huge generated files such as package lock files (e.g. package.json => package-lock.json) or source code generated from an OAS (OpenAPI Specification) (e.g. swagger.json => src/**.ts)...

Qiita
pnpm 10.32 released - Mander

Lemmy