pnpm

Tarball-integrity mismatches became a hard install failure in 11.4, closing a silent supply-chain hole that existed even with a committed lockfile.¹

Staged publishing and new native commands. 11.3 added pnpm stage, bringing npm's staged-publishing workflow to pnpm — publish a version hidden from npm install until you explicitly approve it.² Native implementations of pnpm pkg, pnpm repo, and pnpm set-script also landed, continuing the project's move away from npm CLI delegation.

Lockfile and credential hardening across minor releases. 11.4 clusters fixes for lockfile integrity, credential scoping, git resolutions, patch files, and dependency aliases.³ A new --update-checksums flag provides a narrowly-scoped opt-in to re-resolve changed hashes. The trustLockfile setting (11.3) lets trusted lockfiles skip the verification pass on large workspaces.⁴

Registry and audit additions. pnpm audit signatures (11.1) verifies ECDSA signatures for installed packages against registry-published keys.⁵ Named registries landed with a built-in gh: alias for GitHub Packages. pnpm bugs and pnpm owner are now native commands.

Experimental Rust install backend. Adding @pnpm/pacquet to configDependencies in pnpm-workspace.yaml delegates the materialization phase of pnpm install to the Rust port.⁶ pnpm still owns resolution; pacquet handles fetch and import.

Version 11 raised the baseline. Node.js 22 is required; pnpm ships as pure ESM. The store index moved from millions of JSON files to a single SQLite database.⁷ Global installs got isolated directories with their own lockfiles. Native publish commands replaced the npm CLI fallback; configuration now splits between .npmrc (auth/registry only) and pnpm-workspace.yaml.