Why PNPM broke my website to prevent credential leakage

https://programming.dev/post/52429020

Why PNPM broke my website to prevent credential leakage - programming.dev


I only contributed to #pnpm once (in 2019) but I admit I felt a tiny pang at being removed from the Collaborators team, presumably because zkochan noticed I hadn’t participated again after that one time. Ah well. It was fun to think I was a member of the team while it lasted.

Why pnpm No Longer Expands Environment Variables in a Repository’s .npmrc, by @kochan.io (@pnpm):

https://pnpm.io/blog/2026/06/11/env-variables-in-repository-npmrc?ref=frontenddogma.com

#pnpm #environments

Why pnpm no longer expands environment variables in a repository's .npmrc | pnpm

pnpm used to expand $ placeholders everywhere it found them — including in the .npmrc and pnpm-workspace.yaml files that live inside the repository you just cloned. That turned out to be a way for a malicious repository to steal the secrets in your environment. As of v10.34.2 and v11.5.3, pnpm stops expanding environment variables in repository-controlled registry and credential settings.
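To make the risk in the linked post concrete from the defender's side, here is an added example that is not from the pnpm project or the post: a small checker that reads a cloned repository's `.npmrc` or `pnpm-workspace.yaml` and reports `${VAR}` placeholders sitting in registry or credential settings, the values an older pnpm would have expanded from your environment. The list of key names it treats as "registry or credential settings" is this example's own heuristic, not pnpm's actual list, and the sample `.npmrc` is constructed.

```python
"""Added example (not pnpm's own code): flag ${VAR} placeholders in
repository-controlled registry/credential settings of .npmrc and
pnpm-workspace.yaml, so a reviewer sees them before running an install."""
import re
import sys
from dataclasses import dataclass

# ${NAME} placeholder as pnpm/npm config files write it.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Heuristic set of registry- and credential-like key suffixes (assumption;
# pnpm's real list of protected settings may differ).
SENSITIVE_KEY = re.compile(
    r"(registry|_auth|_authtoken|_password|username|email|certfile|keyfile)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    key: str
    variable: str


def scan_config(text: str, filename: str) -> list[Finding]:
    """Return placeholders found in sensitive keys of an .npmrc (key=value)
    or pnpm-workspace.yaml (top-level key: value) document.

    Only flat top-level YAML keys are inspected (assumption); nested
    entries such as the `packages:` list are skipped.
    """
    sep = ":" if filename.endswith((".yaml", ".yml")) else "="
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        if sep == ":" and raw[:1].isspace():
            continue  # indented YAML line: nested, not a top-level setting
        key, found, value = stripped.partition(sep)
        if not found:
            continue
        key = key.strip()
        # .npmrc auth keys look like //registry.example/:_authToken; the
        # suffix match handles that as well as plain `registry`.
        if not SENSITIVE_KEY.search(key):
            continue
        for match in PLACEHOLDER.finditer(value):
            findings.append(Finding(filename, lineno, key, match.group(1)))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, one per finding."""
    return [
        f"{f.file}:{f.line}: key '{f.key}' reads ${{{f.variable}}} from the environment"
        for f in findings
    ]


# Constructed sample of a repository .npmrc: two settings pull values from
# the environment; store-dir does too, but it is not a registry/credential
# key and so is not reported by this heuristic.
SAMPLE_NPMRC = """\
# constructed sample
registry=https://registry.npmjs.org/
@corp:registry=https://${NPM_HOST}/npm/
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
store-dir=${HOME}/.pnpm-store
"""


if __name__ == "__main__":
    # Usage: python check_npmrc.py [path/to/.npmrc ...]; no args = sample.
    if len(sys.argv) > 1:
        all_findings = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                all_findings.extend(scan_config(fh.read(), path))
    else:
        all_findings = scan_config(SAMPLE_NPMRC, ".npmrc")
    for line in report(all_findings):
        print(line)
    sys.exit(1 if all_findings else 0)
```

The checker exits non-zero when anything is flagged, so it can run as a pre-install step in CI or a git hook; on the sample it reports the scoped registry and the auth token line and ignores `store-dir`, which mirrors the distinction the post draws between registry/credential settings and the rest of the file.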

Still don't like #javascript but damn is #pnpm fast. Switching over everything I care about to that this week.
For my work with Angular frontend apps, I have mainly used npm for package management. For our current development project, we need a monorepo approach, as we target multiple apps with shared functionality in libraries. One option for that is pnpm, which provides workspaces. I will explore that to gain some experience.
#pnpm #dev #javascript

📦 Package coverage is broad: npm (#pnpm, #yarn, #bun), #PyPI, #Go modules, #RubyGems, #Composer. Reads lockfiles & install metadata — no package-manager execution, no source-file reads. Zero network calls during scans.

🔌 Also scans #MCP server configs (claude_desktop_config.json, mcp.json, Gemini CLI settings) and editor extensions for VS Code, Cursor, Windsurf, VSCodium — plus Chromium & Firefox browser extensions.

I never quite thought that the meme would be realised in the form of alternative package managers to npm, all of them rewriting to rust. CRAZY haha

#npm #yarn #pnpm #bun #rustlang

whenever there’s another #npm #supplychain attack, it’s time to start victim-blaming. unironically. don’t use npm, use #pnpm (or #bun).

pnpm stores your packages in a single central repository instead of downloading them all every time, and it also doesn’t run build scripts by default unless you ask it to. plus, it’s faster, but that’s less important.

if you use plain npm, you’re not a victim, you’re a perpetrator.

[ERR_PNPM_IGNORED_BUILDS] Ignored build scripts: @parcel/[email protected], [email protected], [email protected], [email protected] Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.

this vibe coded PR with 1,000,000+ additions is just open-source ransomware with prettier commit messages.

shoutout to the brave soul reviewing:

"LGTM" after skimming 14 lines… 🤡

uninstalling immediately!

https://github.com/oven-sh/bun/pull/30412

#npm #yarn #pnpm #bun #deno #js #javascript #typescript

Rewrite Bun in Rust by Jarred-Sumner · Pull Request #30412 · oven-sh/bun

Blog post with details coming soon. It passes Bun's pre-existing test suite on all platforms (and fixes several memory leaks and flaky tests), the binary size shrinks by 3 MB - 8 MB, the benchm...


NPM has been compromised, install PNPM without using NPM! 🚨EN

NPM was compromised, install PNPM without using NPM! 🚨ES

#programming #coding #programación #code #webdevelopment #devs #softwaredevelopment #npm #pnpm