#pnpm

Blocking Shai-Hulud npm waves with pnpm 11 default minimumReleaseAge, Yarn 4.10 npmMinimalAgeGate, and npm v11.10 (with ignore-scripts gotchas)

Mini Shai-Hulud-class npm hijacks live for 3-12 hours before takedown. pnpm 11.0 ships minimumReleaseAge=1440 (1 day) by default, Yarn 4.10 ships npmMinimalAgeGate=3d, npm v11.10 needs explicit min-release-age. Working .npmrc / pnpm-workspace.yaml / .yarnrc.yml configs and what breaks when ignore-scripts=true (esbuild, sharp, node-gyp, Cypress).

pnpm vs npm vs yarn 2026 tested on a Next.js monorepo: install speed, hoisting gotchas, and supply chain surface

Cold install benchmarks from a Next.js 16 + Shadcn/ui + Railway monorepo show pnpm at half npm's time, but the real story is Radix UI's undeclared dependencies breaking under strict hoisting. A practical look at .npmrc tuning, Bun's flat structure trade-off, and where Next.js dependency weight dominates.

Critical vulnerabilities in pnpm < 10.26: Update now

Two critical vulnerabilities (CVE-2025-69263, CVE-2025-69264) were discovered in pnpm 10.0.0–10.25. They allow lockfile integrity bypass and remote code execution, so immediate updates are required.

npm Was Broken So I Switched to pnpm [React2Shell Vulnerability]

npm install kept failing with a mysterious error while patching Next.js/React for a security vulnerability. Switching to pnpm fixed it immediately.