Why pnpm Makes Your JavaScript Supply Chain Safer

JavaScript's supply chain has a blind spot: post-install scripts that run during pnpm install with the full privileges of the user running it. Malicious actors can sneak code into these scripts to steal credentials, plant malware, or hijack your environment.

With pnpm v10, the security model flips from "allow all" to "deny by default" for dependency lifecycle scripts (preinstall, install, and postinstall). Scripts are blocked unless you explicitly approve them using pnpm approve-builds or the onlyBuiltDependencies setting.

What's New in pnpm v10

  • Default blocking of dependency scripts
  • Interactive approvals via pnpm approve-builds
  • strictDepBuilds to enforce approvals in CI
  • Persistent approvals stored in pnpm-workspace.yaml or package.json

Why Install Scripts Are Risky

Only about 2% of npm packages need install scripts, yet any package can use them to execute arbitrary code on your machine. Attackers have exploited this trust to exfiltrate tokens, deploy malware, and establish persistent access.

Secure Your Workflow

  1. Run pnpm install and review warnings about ignored scripts.
  2. Approve necessary builds with pnpm approve-builds.
  3. Enable strictDepBuilds in CI to block unapproved scripts.

Commit the resulting approvals to version control so every teammate, and CI, installs with the same allowlist.
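The approvals from steps 2 and 3 end up in the workspace file. The following pnpm-workspace.yaml is an added illustration, not a file from the original post: it approves build scripts only for two packages that genuinely need them (the package names are assumed for the example) and turns on strictDepBuilds so a CI install fails instead of silently skipping an unreviewed script.

```yaml
# pnpm-workspace.yaml (added example; package names are assumed, not from the post)
packages:
  - "apps/*"
  - "packages/*"

# Allowlist: only these dependencies may run preinstall/install/postinstall.
# Every other dependency's lifecycle scripts stay blocked (the pnpm v10 default).
onlyBuiltDependencies:
  - esbuild   # fetches its platform binary in a postinstall step
  - sharp     # needs native bindings built or downloaded at install time

# Fail the install when a dependency has a build script that is not approved above.
# Without this, CI would only print a warning and continue, so a newly added
# dependency with an install script could slip through unreviewed.
strictDepBuilds: true
```

Review any new entry in onlyBuiltDependencies in code review the same way you would review a dependency bump: the allowlist is the audit trail of who is permitted to run code on your machines.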

Why Choose pnpm Over npm or Yarn

  • Faster installs thanks to parallel downloads and content-addressable storage.
  • Reduced disk usage by sharing packages in a global store instead of duplicating.
  • Built-in security: deny-by-default install scripts and explicit approvals.

Ready to upgrade? Use Corepack to install pnpm and enjoy its benefits.

Conclusion

pnpm v10's deny-by-default approach transforms package installation into a transparent, auditable process. By following these steps, you’ll minimize supply chain risks without slowing down development.