pnpm 11 Introduces Default Minimum Release Age to Mitigate Supply Chain Risks
Severity: Low (Score: 24.9)
Sources: Gbhackers, Cybersecuritynews
Summary
pnpm 11 was released on May 5, 2026, implementing a default Minimum Release Age of 24 hours for newly published package versions. This change aims to reduce the risk of supply chain attacks within the npm ecosystem, which has been increasingly targeted by threat actors exploiting public package registries. By delaying the availability of new package versions, pnpm 11 gives developers a buffer period in which to identify and mitigate potential threats before a freshly published version can be installed. The npm ecosystem has faced numerous incidents where malicious code was injected into packages, making this update a significant step towards enhancing security. The introduction of security-first defaults in pnpm 11 directly addresses these modern package ecosystem threats. Developers using pnpm are now better equipped to protect their environments from supply chain vulnerabilities. pnpm 11 has been officially released and is available for use.

Key Points:
- pnpm 11 introduces a default Minimum Release Age of 24 hours for package versions.
- The update aims to mitigate risks associated with supply chain attacks in the npm ecosystem.
- Security-first defaults are now enabled out of the box in pnpm 11.
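To make the mechanism concrete, the following is an added example (not pnpm's own resolver code) that models a minimum-release-age policy over an npm registry packument. It relies only on the registry's documented `time` map (one ISO timestamp per published version); the package `example-lib`, its timestamps, the "current time" and the helper names `eligibleVersions`, `heldBackVersions` and `resolveWithReleaseAge` are all constructed for this illustration.

```javascript
// Added example (not pnpm's own code): models a "minimum release age" policy
// over an npm registry packument. A version is installable only if it was
// published at least `minAgeHours` ago; newer versions are held back so that
// a compromised release has time to be noticed and removed before it is pulled
// into a build.

const HOUR_MS = 60 * 60 * 1000;

// Constructed sample packument for a hypothetical package. The `time` map
// mirrors the registry's format: an ISO timestamp per published version plus
// the `created` and `modified` bookkeeping keys.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2026-01-10T08:00:00.000Z",
    modified: "2026-05-06T09:30:00.000Z",
    "1.4.0": "2026-01-10T08:00:00.000Z",
    "1.4.1": "2026-03-02T12:00:00.000Z",
    "2.0.0": "2026-05-04T15:00:00.000Z",
    "2.0.1": "2026-05-06T09:30:00.000Z", // published 30 minutes before NOW below
  },
};

// Keys in `time` that are not version numbers.
const NON_VERSION_KEYS = new Set(["created", "modified"]);

// Returns the versions of `packument` that are at least `minAgeHours` old at
// time `now` (a Date). Versions without a parseable publish timestamp have an
// unknown age and are held back rather than trusted.
function eligibleVersions(packument, minAgeHours, now) {
  const cutoff = now.getTime() - minAgeHours * HOUR_MS;
  return Object.entries(packument.time)
    .filter(([key]) => !NON_VERSION_KEYS.has(key))
    .filter(([, iso]) => {
      const published = Date.parse(iso);
      return Number.isFinite(published) && published <= cutoff;
    })
    .map(([version]) => version);
}

// Returns the versions the policy holds back, with the hours remaining until
// each becomes installable (null when the publish time is unknown). Useful
// for explaining to a developer why `latest` did not resolve to the newest tag.
function heldBackVersions(packument, minAgeHours, now) {
  const cutoff = now.getTime() - minAgeHours * HOUR_MS;
  const held = [];
  for (const [key, iso] of Object.entries(packument.time)) {
    if (NON_VERSION_KEYS.has(key)) continue;
    const published = Date.parse(iso);
    if (!Number.isFinite(published) || published > cutoff) {
      const hoursLeft = Number.isFinite(published) ? (published - cutoff) / HOUR_MS : null;
      held.push({ version: key, hoursUntilEligible: hoursLeft });
    }
  }
  return held;
}

// Picks the most recently published eligible version, or null if none qualify.
// Ordering by publish time (not semver) keeps the example free of a semver
// dependency; a real resolver would also apply the requested version range.
function resolveWithReleaseAge(packument, minAgeHours, now) {
  const eligible = eligibleVersions(packument, minAgeHours, now);
  if (eligible.length === 0) return null;
  return eligible.reduce((best, v) =>
    Date.parse(packument.time[v]) > Date.parse(packument.time[best]) ? v : best
  );
}

const NOW = new Date("2026-05-06T10:00:00.000Z"); // constructed "current time"
// With a 24-hour minimum age, 2.0.1 (30 minutes old) is skipped and 2.0.0 wins.
console.log(resolveWithReleaseAge(SAMPLE_PACKUMENT, 24, NOW)); // -> "2.0.0"
console.log(heldBackVersions(SAMPLE_PACKUMENT, 24, NOW));     // -> [{ version: "2.0.1", hoursUntilEligible: 23.5 }]
```

The point of the delay is visible in the output: the `latest` dist-tag already points at 2.0.1, but the policy resolves to 2.0.0 until 2.0.1 has been public for a full day, which is the window in which a hijacked release is most likely to be reported and unpublished. Teams that need a hot fix sooner can lower the threshold for a specific dependency, but doing so trades away exactly that window.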
Key Entities
- Supply Chain Attack (attack_type)