Skip to main content

pnpm Supply-Chain Protection

This workspace runs pnpm 11+, which enables several supply-chain defaults that matter day-to-day. The most visible one is minimumReleaseAge.

Minimum release age

pnpm-workspace.yaml does not override the default, so pnpm uses the v11 shipped default of 1440 minutes (24 hours). Newly published package versions will not resolve until they are at least one day old. This gives the ecosystem time to detect and yank compromised releases before any of our installs pick them up.

In practice this only bites in one scenario: you add or bump a dependency to a version that was published less than 24h ago. The install will fail to resolve.

Escape hatches (in order of preference)

  1. Wait it out. If the bump is non-urgent, leave the install for tomorrow. This is the default v11 stance and almost always the right answer.

  2. Allowlist a single package. Add the package + minimum version to minimumReleaseAgeExclude in pnpm-workspace.yaml:

    minimumReleaseAgeExclude:
    - 'some-package@>=1.2.3'

    This is what pnpm audit --fix does automatically when it patches a high-severity CVE.

  3. One-shot disable on a single install. If you're pushing a CVE fix and need the install to happen now:

    pnpm install --config.minimumReleaseAge=0

    Does not change the lockfile policy — the next person's install still respects the 24h floor unless they pass the same flag.

  4. Disable workspace-wide. Set minimumReleaseAge: 0 in pnpm-workspace.yaml. Only do this if you have a strong reason — it removes the v11 supply-chain default for everyone.

Other v11 defaults worth knowing

  • strictDepBuilds: true — installs fail when a dep wants to run a build script and isn't listed in allowBuilds. To accept a new build script, set it to true in pnpm-workspace.yaml > allowBuilds; to deny it explicitly, set it to false.

  • blockExoticSubdeps: true — git/file/exotic transitive deps are blocked. We don't use any, so this is a no-op guardrail.

  • auditConfig.ignoreGhsas — if you ever need to ignore an audit finding, use the GitHub Security Advisory ID (e.g. GHSA-xxxx-xxxx-xxxx), not the CVE ID. v10's ignoreCves is no longer recognized.

Where pnpm config lives

All pnpm settings live in pnpm-workspace.yaml. The pnpm field in package.json and most settings in .npmrc are no longer read in v11. Only auth/registry config belongs in .npmrc.