Hasty Briefs (beta)

Pnpm has a new setting to stave off supply chain attacks

15 hours ago
  • #pnpm
  • #dependency-management
  • #security
  • Introduction of a new setting called 'minimumReleaseAge' to delay installation of newly released dependencies to reduce the risk of installing compromised versions.
  • The 'minimumReleaseAgeExclude' setting allows certain dependencies to bypass the release age restriction.
  • Added support for 'finder functions' in 'pnpm list' and 'pnpm why' commands to search dependencies by properties other than name, such as peer dependencies.
  • Finder functions can be declared in '.pnpmfile.cjs' and invoked with the '--find-by=<function name>' flag.
  • Patch changes include fixes for deprecation warnings, exact semver version requirements for 'nodeVersion', and improvements in handling tar.gz files and process cancellation.
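To make the release-age idea concrete, here is an added illustration that is not pnpm's own code. It models the gate that a `minimumReleaseAge` style setting imposes: given the `time` map from an npm registry packument (version to ISO publish timestamp), it resolves the newest version that has been published for at least the configured number of minutes, skips the check for packages on an exclude list, and reports which versions were held back so the hold can be logged or surfaced. The package name, timestamps and the helper names `resolveWithReleaseAge` and `compareVersions` are constructed for the example; the age is taken in minutes, which is my understanding of how pnpm expresses the setting, and prerelease versions are ignored to keep the semver comparison short.

```javascript
// Added example, not pnpm's implementation: a release-age gate over npm
// registry metadata. An npm packument carries a "time" map of
// version -> ISO publish timestamp (plus "created"/"modified" keys).

const MINUTE_MS = 60 * 1000;

// Minimal semver ordering for plain x.y.z versions (prereleases not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { version, heldBack }: the newest version old enough to install
// (or null if none qualifies) and the versions that were too fresh.
function resolveWithReleaseAge({
  name,
  time,
  minimumReleaseAgeMinutes,
  exclude = [],            // package names that bypass the age check
  now = Date.now(),
}) {
  const threshold = minimumReleaseAgeMinutes * MINUTE_MS;
  const excluded = exclude.includes(name);
  const eligible = [];
  const heldBack = [];

  for (const [version, published] of Object.entries(time)) {
    if (version === 'created' || version === 'modified') continue;
    const ageMs = now - Date.parse(published);
    if (excluded || ageMs >= threshold) {
      eligible.push(version);
    } else {
      heldBack.push(version);
    }
  }

  eligible.sort(compareVersions);
  heldBack.sort(compareVersions);
  return {
    version: eligible.length ? eligible[eligible.length - 1] : null,
    heldBack,
  };
}

// Constructed sample packument "time" map and a fixed clock for the demo.
const NOW = Date.parse('2025-09-20T12:00:00Z');
const SAMPLE_TIME = {
  created: '2024-01-01T00:00:00Z',
  modified: '2025-09-20T11:30:00Z',
  '1.2.0': '2025-06-01T00:00:00Z',
  '1.2.1': '2025-09-18T12:00:00Z',  // two days old
  '1.3.0': '2025-09-20T11:30:00Z',  // published 30 minutes ago
};

// With a one-day minimum age, 1.3.0 is held back and 1.2.1 is chosen.
const gated = resolveWithReleaseAge({
  name: 'example-pkg',
  time: SAMPLE_TIME,
  minimumReleaseAgeMinutes: 1440,
  now: NOW,
});
console.log('resolved:', gated.version, 'held back:', gated.heldBack);

// An excluded package skips the check and gets the freshest release.
const bypassed = resolveWithReleaseAge({
  name: 'example-pkg',
  time: SAMPLE_TIME,
  minimumReleaseAgeMinutes: 1440,
  exclude: ['example-pkg'],
  now: NOW,
});
console.log('excluded resolved:', bypassed.version);
```

The held-back list is the part worth keeping in CI output: a dependency that is repeatedly deferred is exactly the one to look at if a compromised release is later reported.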