
New Node Package Manager: pnpm

· 2 min read

Overview

In light of the recent Shai-Hulud worm attack, we believe it’s important to offer our customers a more secure alternative to the npm package manager.

Why move away from npm?

By design, npm executes arbitrary scripts across all dependencies—including transitive ones (the dependencies of your dependencies). This creates a risky environment where malicious code can execute unnoticed.

Enter pnpm

First released in 2016, pnpm has matured into a battle-tested package manager trusted by teams of all sizes. It combines speed, efficiency, and strict dependency management, making it especially well-suited for organizations managing multiple projects and large monorepos.

Key benefits of pnpm include:

  • Fast – Up to 2x faster than other package managers (see benchmark).
  • Efficient – Uses content-addressable storage; all projects share a single source of truth.
  • Strict – Enforces dependency boundaries from package.json.
  • Deterministic – Ensures reproducible installs with pnpm-lock.yaml.
  • Flexible – Doubles as a Node.js version manager via pnpm env use.
  • Cross-platform – Runs seamlessly on Windows, Linux, and macOS.
  • Battle-tested – In production use since 2016.

(Adapted from the official project README.md)

Why this matters now

For the context of this changelog, the most important feature is script execution control. Unlike npm, pnpm does not automatically run install scripts from dependencies. Instead, it notifies development teams, giving them the choice to explicitly allow or deny execution.

This default safeguard significantly reduces the attack surface for supply-chain exploits like the Shai-Hulud worm.

Warning:

  Ignored build scripts: @tailwindcss/oxide, esbuild.
  Run "pnpm approve-builds" to pick which dependencies should be allowed
  to run scripts.

With this in mind, we strongly recommend development teams evaluate pnpm for their development workflows as a replacement for npm.

Available in all base images

pnpm is available now in all our Node base images.

See here for the full list of images.