PNPM does not feel secure enough against supply chain attacks.
Yes, we have minimumReleaseAge, great, but there are some serious issues with this that make it very hard to use:
My biggest gripe: trying to keep packages up to date, using pnpm update does not respect the setting and just exits with errors. https://github.com/pnpm/pnpm/issues/11165
Transitive dependencies don't respect minAge (making the feature basically broken): https://github.com/pnpm/pnpm/issues/11068
All kinds of other issues: https://github.com/pnpm/pnpm/issues?q=is%3Aissue%20is%3Aopen%20minimumReleaseAge
The issues and DX are causing people to temporarily disable the minage setting just to get unblocked. This is a massive feature failure on pnpm's side, to ship a critical security feature, but make it almost impossible to use. Especially at a time when these supply chain attacks are running rampant.
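As an added example (not from the post and not pnpm's own code), here is the check minimumReleaseAge is meant to perform, applied to every entry in a pnpm-lock.yaml, transitive ones included, so a team can verify a lockfile independently of the pnpm feature. The lockfile text and the publish times are constructed; real dates would come from the registry packument's per-version time field (for instance via `npm view <pkg> time --json`).

```javascript
// Added example, not pnpm's code: apply the minimum-release-age check to every
// package pinned in a pnpm-lock.yaml, transitive entries included. All data is constructed.
const LOCKFILE = `lockfileVersion: '9.0'
packages:
  left-pad@1.3.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  '@scope/helper@2.0.1':
    resolution: {integrity: sha512-PLACEHOLDER}
  tiny-util@0.9.0(left-pad@1.3.0):
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  left-pad@1.3.0: {}
`;

// Constructed publish times, shaped like the registry packument's "time" field.
const REGISTRY_TIMES = {
  'left-pad': { '1.3.0': '2018-03-01T00:00:00.000Z' },
  '@scope/helper': { '2.0.1': '2024-06-01T11:00:00.000Z' },
  'tiny-util': { '0.9.0': '2024-06-01T09:30:00.000Z' },
};

// Collect name/version pairs from the packages: section; keys may be quoted
// and may carry a peer-dependency suffix in parentheses.
function lockfilePackages(text) {
  const out = [];
  let inPackages = false;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    const m = inPackages && line.match(/^  '?((?:@[^/@']+\/)?[^@'\s(]+)@([^'(\s:]+)/);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Return each pinned package younger than minAgeMinutes at `nowMs`; a version
// with no known publish time is reported too (ageMinutes: null) rather than skipped.
function tooYoung(text, times, minAgeMinutes, nowMs) {
  return lockfilePackages(text).flatMap(({ name, version }) => {
    const published = times[name] && times[name][version];
    if (!published) return [{ name, version, ageMinutes: null }];
    const ageMinutes = (nowMs - Date.parse(published)) / 60000;
    return ageMinutes < minAgeMinutes ? [{ name, version, ageMinutes }] : [];
  });
}

// Usage: a 24h floor (1440 minutes), evaluated at a fixed constructed "now".
const NOW_MS = Date.parse('2024-06-01T12:00:00.000Z');
console.log(tooYoung(LOCKFILE, REGISTRY_TIMES, 1440, NOW_MS));
```

Run against a real lockfile by replacing LOCKFILE with the file contents and REGISTRY_TIMES with the fetched time maps; any entry returned is one the 24h floor would have blocked.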