I judge every build tool by how it performs in the context of building a Nix package
Based on this process, I do not like or recommend PNPM
At all
pnpm 10.26 released
Cool write-up from #SeattleTimes about using #pnpm to suppress #npm lifecycle scripts: https://pnpm.io/blog/2025/12/05/newsroom-npm-supply-chain-security
Nothing like realizing you’ve been just executing arbitrary scripts from the internet for years. 😬
pnpm 10.25 released
How We're Protecting Our Newsroom from npm Supply Chain Attacks
🔒 Quick tip for #pnpm users:
Use `minimumReleaseAge` for stability, but need an emergency security update?
`minimumReleaseAgeExclude` lets you bypass the wait for specific packages without disabling your safety net.
Real-world example from our React CVE response 👇
https://codenote.net/en/posts/pnpm-minimumreleaseageexclude-for-emergency-vulnerability-fixes/
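The two settings from the tip above, together with the lifecycle-script allowlist the Seattle Times write-up relies on, live in the project's `pnpm-workspace.yaml`. The following is an added example, not configuration from either linked post; the package names in the lists (`esbuild`, `react`, `react-dom`) are illustrative placeholders standing in for whatever your own audit and CVE response call for, and `1440` is a one-day delay expressed in minutes, which is the unit `minimumReleaseAge` uses.

```yaml
# pnpm-workspace.yaml (added example; package names are illustrative)

# pnpm 10 skips dependency lifecycle scripts (preinstall/install/postinstall)
# unless the package is listed here. Read a package's scripts before adding it.
onlyBuiltDependencies:
  - esbuild

# Refuse to resolve any version published less than 24 hours ago, so a
# hijacked release is usually pulled from the registry before you install it.
minimumReleaseAge: 1440

# Emergency exception: let these packages bypass the delay so a just-published
# security fix can be installed immediately, while every other dependency
# keeps the safety net.
minimumReleaseAgeExclude:
  - react
  - react-dom
```

Remove the entries from `minimumReleaseAgeExclude` once the fixed versions are older than the delay, so the exception does not quietly become permanent. When pnpm skips a build script it reports the package in the install output; `pnpm approve-builds` walks you through the pending ones and writes the approved names into `onlyBuiltDependencies`, which is the moment to open the package's `postinstall` and read what it actually does.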
pnpm 10.24 released
This is exactly what #opensourcesecuritypodcast talked about in:
https://opensourcesecurity.io/2025/2025-11-npm-charlie/
And I just found one in the wild. How? By using #pnpm (instead of npm) and taking the short time to read the postinstall script. Not rocket science.

Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. We also discuss how the rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats.