r/pnpm

PNPM does not feel secure enough against supply chain attacks.

Yes, we have minimumReleaseAge, great, but there are some serious issues with this that make if very hard to use:

My biggest gripe, trying to keep packages up to date, using pnpm update does not respect the setting and just exists with errors. https://github.com/pnpm/pnpm/issues/11165
Transitive dependencies don't respect minAge (making the feature basically broken): https://github.com/pnpm/pnpm/issues/11068
All kinds of other issues: https://github.com/pnpm/pnpm/issues?q=is%3Aissue%20is%3Aopen%20minimumReleaseAge

The issues and DX are causing people to temporarily disable the minage setting just to get unblocked. This is a massive feature failure on pnpm's side, to ship a critical security feature, but make it almost impossible to use. Esp at a time where these supply chain attacks are running rampant.

reddit.com

u/nutyourself — 9 days ago

▲ 1 r/pnpm+1 crossposts

Basically three features:

- See if your package is on the latest

- Hover to see further information about the package

- Hover -> update to latest command

- CMD + Click on catalog: to take you to the workspace catalog

- CMD + Click on workspace: to take you to the workspace package

This is very minimal and I don't have any further plans for this.

https://marketplace.visualstudio.com/items?itemName=SalminCode.pnpm-catalog-manager

u/Is_Kub — 14 days ago