pnpm 11 Release Candidate: ESM Distribution, Supply Chain Defaults and a New Store Format

Apr 21, 2026 2 min read
by Daniel Curtis, UI Development Manager at Griffiths Waite
pnpm, the fast and disk-efficient JavaScript package manager, has released pnpm 11 RC, shipping a major rework that spans performance, supply chain safety, and a smaller, stricter configuration surface.
pnpm 11 RC introduces a new SQLite-backed store index, on-by-default supply chain protections, isolated global installs via the global virtual store, a unified `allowBuilds` setting, and a set of new commands including `pnpm ci`, `pnpm sbom`, `pnpm clean`, `pnpm peers check`, and `pnpm runtime set`, along with short `pn` and `pnx` aliases.
One of the headline changes is that pnpm is now distributed as pure ESM and requires Node.js v22 or later, with support for Node.js 18, 19, 20, and 21 dropped entirely. A compatibility matrix lives in the updated installation docs.
Security defaults have been tightened: the `minimumReleaseAge` setting now defaults to 1 day, meaning newly published versions are not resolved for 24 hours, and `blockExoticSubdeps` defaults to true. This follows months of high-profile supply chain incidents in the npm ecosystem, and drew discussion on Hacker News, where commenters debated whether a grace period would meaningfully help detection.
Build script settings have been consolidated: `onlyBuiltDependencies`, `onlyBuiltDependenciesFile`, `neverBuiltDependencies`, `ignoredBuiltDependencies`, and `ignoreDepScripts` have been removed in favour of a single `allowBuilds` option, and `strictDepBuilds` is now true by default. pnpm also stops reading configuration from the `"pnpm"` field of `package.json` and from `npm_config_` environment variables, the global configuration file has moved to YAML, and `allowNonAppliedPatches`, `ignorePatchFailures`, `pnpm server`, and `useNodeVersion` are gone.
Global installs are now properly isolated, with each `pnpm add -g` package receiving its own directory, `package.json`, `node_modules`, and lockfile. The global virtual store is enabled by default for `pnpm dlx` and global packages, although it remains opt-in for regular projects. Performance work includes a move to undici with Happy Eyeballs for HTTP, direct-to-store writes that skip the staging directory, pre-allocated tarball downloads, and an NDJSON metadata cache.
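To make the cooldown concrete, the following added example (not code from pnpm or from the article) models how a release-age filter changes which version gets resolved, and shows that a fresh patch release is held back just like any other new version. It assumes registry metadata carries a `time` map of version to publish timestamp, as npm registry packuments do, and that the age is expressed in minutes; the package `example-lib`, its versions and the function names are constructed for illustration.

```javascript
// Simplified model of a release-age cooldown (illustrative, not pnpm's resolver).
const MINUTES_PER_DAY = 24 * 60; // the one-day default, in minutes (assumed unit)

// Parse "MAJOR.MINOR.PATCH"; anything else (prereleases, "created") yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Pick the highest version published at least `minAgeMinutes` before `now`,
// and report the newer versions that the cooldown held back.
function resolveWithCooldown(packument, now, minAgeMinutes) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const eligible = [];
  const tooNew = [];
  for (const [version, published] of Object.entries(packument.time)) {
    const parsed = parseVersion(version);
    const ts = Date.parse(published);
    if (!parsed || Number.isNaN(ts)) continue; // skip non-version keys
    (ts <= cutoff ? eligible : tooNew).push({ version, parsed });
  }
  eligible.sort((x, y) => compareVersions(y.parsed, x.parsed));
  const picked = eligible.length > 0 ? eligible[0] : null;
  const heldBack = tooNew
    .filter((c) => !picked || compareVersions(c.parsed, picked.parsed) > 0)
    .sort((x, y) => compareVersions(x.parsed, y.parsed))
    .map((c) => c.version);
  return { picked: picked ? picked.version : null, heldBack };
}

// Constructed sample metadata for a hypothetical package.
const SAMPLE = {
  name: "example-lib",
  time: {
    created: "2026-01-10T09:00:00.000Z",
    modified: "2026-04-21T09:00:00.000Z",
    "2.3.0": "2026-03-02T12:00:00.000Z",
    "2.3.1": "2026-04-19T08:00:00.000Z",
    "2.3.2": "2026-04-21T09:00:00.000Z", // published 3 hours before NOW
  },
};
const NOW = new Date("2026-04-21T12:00:00.000Z");

function demo() {
  return {
    oneDay: resolveWithCooldown(SAMPLE, NOW, MINUTES_PER_DAY),
    disabled: resolveWithCooldown(SAMPLE, NOW, 0),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Logging the `heldBack` list in CI gives reviewers a record of which releases were deferred, which matters when one of them is a security fix that should be pulled forward deliberately.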
Developers can try the release today with:

```
pnpm self-update next-11
```

Migration guidance lives in the pnpm 11.x docs and the v11 tracking discussion.
On Hacker News, one commenter recommended pnpm over npm outright on a thread about recent security vulnerabilities, stating that _"PNPM 10.x shutdown a lot of these attack vectors"_ and _"NPM is too insecure for production CLI usage"_, though others pushed back, arguing that _"NPM was never too insecure and remains not too insecure today"_.
The `minimumReleaseAge` default has been a particular focal point, also being referred to as 'dependency cooldowns'. A Hacker News thread on dependency cooldowns drew further debate around the topic, with one commenter noting that:

> The people who will benefit from a cooldown weren’t reviewing updates anyway. Without the cooldown they would just be one more malware victim

While other commenters warned:

> There's no free lunch here. Delays in publishing not only slow down attacks, they _also_ slow down critical security patches. There's no one-size-fits-all policy here, you're at risk either way.

Compared to npm and Yarn, pnpm 11 retains its long-standing advantages (isolated `node_modules` by default, content-addressable storage, and first-class monorepo support) while extending its lead on security with SBOM generation via `pnpm sbom` and stricter build script handling, areas where Yarn still lacks parity.
pnpm is an open source JavaScript package manager known for fast installs and efficient disk usage via a content addressable store and symlinked `node_modules`. It is widely used across frontend and backend ecosystems, and competes directly with npm, Yarn, and Bun.
About the Author

#### **Daniel Curtis**
Daniel Curtis is a UI Development Manager at Griffiths Waite, a software consultancy based in Birmingham, UK. He leads front-end engineering efforts with a strong focus on delivering innovative enterprise solutions using TypeScript across the stack. Daniel is passionate about modern web architecture, developer experience, and the use of AI to both support software delivery and solve real customer problems within products.