In May 2026, pnpm shipped its eleventh major version. This one is different — pure ES6 distribution, no more npm CLI under the hood, and supply chain security hardened to defaults. If you’re still on v10, this upgrade is worth a serious look.

Pure ES6 Module Distribution, Node.js 22 Minimum
The most visible change is that pnpm itself is now distributed as pure ESM. There are no more CommonJS builds, and the minimum runtime is now Node.js 22 — support for versions 18, 19, 20, and 21 is gone.
The bar isn’t high — Node.js 22 hit LTS back in 2025. But if your CI images are still on Node.js 20 or older, you’ll need to update first.
Also, the standalone executable now requires glibc 2.27+. If you’re on older Docker images (CentOS 7-based), keep that in mind.
Supply Chain Security Is No Longer Optional
This is probably the biggest change, and it signals a shift in what a package manager’s role looks like in the Node.js ecosystem.
New Packages Get a Mandatory 24-Hour Delay
You know the npm attack playbook by now: hijack a maintainer’s account, push a backdoored version, wait for CI to pull it. This fast-attack pattern worked well in campaigns like Mini Shai-Hulud — attackers used preinstall hooks to download a Bun runtime and execute obfuscated credential-stealing scripts targeting developer environments.
The response is straightforward: newly published packages won’t be resolved until they’re at least 24 hours old. `minimumReleaseAge` defaults to 1440 minutes. No matter how fast an attacker pushes a malicious version, you get a full-day buffer for the community to find and take down the bad package.
Need a just-released security fix urgently? `pnpm audit --fix` can automatically add the patched version to the allowlist. Or set `minimumReleaseAge: 0` to opt out entirely.
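To make the rule concrete, here is an added example (not pnpm’s own code) that models `minimumReleaseAge` against the `time` map of an npm packument: versions younger than the threshold are skipped unless they are on an explicit allowlist, which is the role the `pnpm audit --fix` allowlist plays. The packument excerpt and the hypothetical `example-lib` package are constructed.

```javascript
// Added example, not pnpm's code: a minimal model of the minimumReleaseAge rule.
// It filters the `time` map of an npm packument (the registry's per-version
// publish timestamps) and resolves the newest version that is old enough,
// honouring an explicit allowlist for an urgent security fix.

const MINIMUM_RELEASE_AGE_MINUTES = 1440; // pnpm 11 default: 24 hours

function compareVersions(a, b) {
  // Plain major.minor.patch comparison; enough for this example.
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Versions published at least `minAgeMinutes` before `nowMs`, plus any version
// named in `allowlist` (the role `pnpm audit --fix` plays for a patched release).
function eligibleVersions(packument, nowMs, minAgeMinutes, allowlist = []) {
  const minAgeMs = minAgeMinutes * 60 * 1000;
  return Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified') // packuments carry these too
    .filter(([version, published]) =>
      nowMs - Date.parse(published) >= minAgeMs || allowlist.includes(version))
    .map(([version]) => version);
}

function resolveNewest(packument, nowMs, minAgeMinutes, allowlist = []) {
  const ok = eligibleVersions(packument, nowMs, minAgeMinutes, allowlist);
  return ok.length ? ok.sort(compareVersions).at(-1) : null;
}

// Constructed packument excerpt: 2.4.1 was published 30 minutes before "now".
const now = Date.parse('2026-05-20T12:00:00Z');
const packument = {
  name: 'example-lib',
  'dist-tags': { latest: '2.4.1' },
  time: {
    created: '2025-11-01T08:00:00Z',
    modified: '2026-05-20T11:30:00Z',
    '2.3.0': '2026-01-10T09:00:00Z',
    '2.4.0': '2026-04-02T15:30:00Z',
    '2.4.1': '2026-05-20T11:30:00Z',
  },
};

console.log(resolveNewest(packument, now, MINIMUM_RELEASE_AGE_MINUTES)); // 2.4.0
console.log(resolveNewest(packument, now, 0));                           // 2.4.1
console.log(resolveNewest(packument, now, MINIMUM_RELEASE_AGE_MINUTES, ['2.4.1'])); // 2.4.1
```

With the default, the half-hour-old 2.4.1 is invisible and 2.4.0 wins; opting out with 0 or allowlisting 2.4.1 restores it.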
Blocking Non-Standard Dependency Sources
`blockExoticSubdeps` is now enabled by default. Exotic subdependencies come from Git repos or direct tarball URLs — sources outside the npm registry. Attackers frequently hide malicious payloads there. Blocking them by default adds a useful security checkpoint to your dependency graph.
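Before upgrading, it helps to know which of your own dependency specifiers point at Git or tarball sources. The following is an added example, not pnpm’s code: it classifies package.json specifiers using npm’s documented specifier syntax, and the `sampleManifest` with its `example.invalid` URLs is constructed. Whether `file:`/`link:` specifiers count as exotic is not covered on this page, so they are reported separately as an assumption.

```javascript
// Added example, not pnpm's code: classify package.json dependency specifiers so a
// team can spot the Git and tarball-URL sources that pnpm 11's blockExoticSubdeps
// default rejects. Specifier syntax follows npm's documented package.json rules.

function classifySpecifier(spec) {
  if (/^(npm|catalog):/.test(spec)) return 'registry';       // alias or catalog entry, still registry
  if (/^workspace:/.test(spec)) return 'workspace';
  if (/^(file|link):/.test(spec)) return 'local';            // assumption: kept apart from "exotic"
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return 'git';
  if (/^https?:\/\//.test(spec)) return 'tarball';
  if (/^[^@\s/]+\/[^\s/]+(#.*)?$/.test(spec)) return 'git';  // shorthand "owner/repo[#ref]"
  return 'registry';                                          // semver range, tag, or "*"
}

// Return the dependencies whose source the page calls exotic: Git repos and tarball URLs.
function findExoticDeps(manifest) {
  const found = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      const kind = classifySpecifier(spec);
      if (kind === 'git' || kind === 'tarball') found.push({ name, field, spec, kind });
    }
  }
  return found;
}

// Constructed manifest excerpt mixing registry, workspace, Git and tarball sources.
const sampleManifest = {
  dependencies: {
    react: '^19.0.0',
    'left-pad': 'npm:left-pad-fork@^1.3.0',
    lodash: 'github:lodash/lodash#4.17.21',
    'some-util': 'https://example.invalid/some-util-1.0.0.tgz',
    'internal-lib': 'workspace:^',
  },
  devDependencies: {
    'dev-tool': 'git+ssh://git@example.invalid/acme/dev-tool.git',
    'local-thing': 'file:../local-thing',
    'shorthand-dep': 'acme/shorthand-dep#v2',
  },
};

for (const d of findExoticDeps(sampleManifest)) {
  console.log(`${d.field}.${d.name}: ${d.kind} source -> ${d.spec}`);
}
```

Since `blockExoticSubdeps` targets transitive dependencies, run the same classifier over the manifests in `node_modules` (or the lockfile’s resolved specifiers) to see what would be blocked below your direct dependencies.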
Unified Build Script Control
The five scattered configuration options are replaced with a single `allowBuilds` field:
```yaml
# pnpm-workspace.yaml
allowBuilds:
  electron: true
  core-js: false
  esbuild: false
```
Lifecycle scripts have always been the most abused execution path in npm attacks. This doesn’t replace code review, but it does make governance clearer — teams can see at a glance which packages have execution permissions.
Native Publish Flow: Goodbye npm CLI
Since day one, `pnpm publish` had been calling `npm publish` under the hood. v11 finally drops that baggage — publish, login, logout, view, deprecate, unpublish, dist-tag, version are all natively implemented.
One less dependency means one less attack surface. Bugs in the npm CLI no longer affect users, and the entire publish flow is now fully self-contained. The OTP environment variable changed from `NPM_CONFIG_OTP` to `PNPM_CONFIG_OTP`, and web-based authentication supports QR code scanning.
SQLite Store Index and Performance
The Store architecture moves to v11. The biggest change is consolidating millions of individual JSON files into a single SQLite database. WAL mode enables concurrent access, and package manifest information is stored directly in the index, eliminating repeated reads of package.json during installation.
Other improvements:
– undici replaces node-fetch for HTTP requests, with Happy Eyeballs (dual-stack) support
– Pre-allocated memory for known-size tarball downloads
– Metadata cache switches to NDJSON format with If-Modified-Since conditional requests
– CAS files written directly to content-addressed paths — cold installs save about 30,000 rename syscalls
– When global virtual store is enabled, roughly 95% of packages survive Node.js upgrades without re-import
One data point: in a warm install scenario with cache and lockfile, it takes just 2.3 seconds.
Isolated Global Installs
`pnpm add -g` behavior has changed. Each global package now gets its own directory with its own package.json, node_modules, and lockfile — no cross-interference. Peer dependency conflicts in global tools should become much less common.
Global binaries live in the `PNPM_HOME/bin` subdirectory instead of being dumped directly into `PNPM_HOME`, keeping shell auto-completion cleaner.
SBOM Generation and Audit Upgrades
There’s a new command clearly designed for enterprise: `pnpm sbom` generates a Software Bill of Materials in CycloneDX 1.7 or SPDX 2.3 format. Handy for compliance audits.
`pnpm audit` gets two updates:
1. `pnpm audit --fix=update`: Instead of fixing vulnerabilities by adding overrides, it updates packages directly in the lockfile. Far more intuitive.
2. GHSA-based filtering: npm’s registry deprecated the old CVE audit endpoints. Existing CVE entries need to be replaced with their corresponding GHSA identifiers.
Configuration System Overhaul
Configuration got cleaned up: `.npmrc` now handles auth and registry settings only. Everything specific to the tool moves to `pnpm-workspace.yaml` or the new global `config.yaml`. The `npm_config_*` environment variables are replaced by `pnpm_config_*`.
If the migration sounds like a chore, the official `pnpm-v10-to-v11` codemod handles most config changes automatically.
What’s Next: v12 and the Rust Installation Engine
The team is already working on [Pacquet](https://github.com/pnpm/pacquet), a Rust-rewritten installation engine expected to land in v12. Phase one focuses on fetching and linking, with dependency resolution coming later.
The official benchmarks are telling: in a lockfile-only install without cache, the Rust engine takes 3.1 seconds compared to v11’s 4.7 seconds. Warm install is even more dramatic — 902 milliseconds versus 2.3 seconds. Not production-ready yet, but the direction is clear.
Summary
v11’s core changes:
– Security: Supply chain protection goes from opt-in to default — delaying new packages, blocking non-standard dependencies, unifying build script control.
– Independence: No more npm CLI dependency; the entire publish flow is natively implemented.
– Performance: SQLite replaces JSON index, undici replaces node-fetch, storage architecture rewritten.
– Housekeeping: Pure ESM distribution, Node.js 22 minimum, configuration system restructuring.
For new projects, go straight to v11. For existing ones, review the breaking changes and plan the migration — most of it is automated through the codemod. The main watchpoints are Node.js version and config migration.
Next stop: v12’s Rust engine. The package manager arms race is getting more interesting by the day.