pnpm 10.27 adds a new setting to ignore trust policy checks for older package versions, introduces a project registry for global virtual store pruning, and includes several bug fixes.

2025 has been a transformative year for pnpm. While our primary focus was redefining the security model of package management, we also delivered significant improvements in performance and developer experience.

From blocking lifecycle scripts by default to introducing a global virtual store, here is a look back at the major features shipped in 2025.

pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.

pnpm 10.25 improves certificate handling, adds a bare pnpm init, and ships several quality-of-life fixes.

We got lucky with Shai-Hulud 2.0.

In November 2025, a self-replicating npm worm compromised 796 packages with 132 million monthly downloads. The attack used preinstall scripts to steal credentials, install persistent backdoors, and in some cases wipe entire developer environments. We weren't affected—not because we had robust defenses, but because we didn't run npm install or npm update during the attack window.

Luck isn't a security strategy.

pnpm 现在可以在高核心机器上自动扩展网络并发性，并发布了多项可靠性修复。

为 pnpm list 添加了 --lockfile-only 选项，并对 pnpm self-update 进行了各种改进。

增加了对从信任策略中排除软件包以及在发布时覆盖 engines 字段的支持。

增加了为依赖项安装 Node.js 运行时的支持，以及配置信任策略的设置。

此版本为 pnpm help 命令添加了 --all 标志，用于打印所有命令。