
pnpm 10.28

· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.28 introduces a new beforePacking hook to customize package.json at publish time, improves filtered install performance, and includes several bug fixes.

pnpm 10.27

· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.27 adds a new setting to ignore trust policy checks for older package versions, introduces a project registry for global virtual store pruning, and includes several bug fixes.

🚀 pnpm in 2025

· One min read
Zoltan Kochan
Lead maintainer of pnpm

2025 has been a transformative year for pnpm. While our primary focus was redefining the security model of package management, we also delivered significant improvements in performance and developer experience.

From blocking lifecycle scripts by default to introducing a global virtual store, here is a look back at the major features shipped in 2025.

pnpm 10.26

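· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.26 introduces stricter security defaults for git-hosted dependencies, adds allowBuilds for granular script permissions, and includes a new setting to block exotic transitive dependencies.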

pnpm 10.25

· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm 10.25 improves certificate handling, adds a bare pnpm init, and fixes several issues that affected the user experience.

How We're Protecting Our Newsroom from npm Supply Chain Attacks

· One min read
Ryan Sobol
Principal Software Engineer at the Seattle Times

We got lucky with Shai-Hulud 2.0.

In November 2025, a self-replicating npm worm compromised 796 packages with 132 million monthly downloads. The attack used preinstall scripts to steal credentials, install persistent backdoors, and in some cases wipe entire developer environments. We weren't affected—not because we had robust defenses, but because we didn't run npm install or npm update during the attack window.

Luck isn't a security strategy.

pnpm 10.24

· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm now automatically scales network concurrency on high-core machines and ships several reliability fixes.

pnpm 10.23

· One min read
Zoltan Kochan
Lead maintainer of pnpm

pnpm list gains a --lockfile-only option, and pnpm self-update receives various improvements.

pnpm 10.22

· One min read
Zoltan Kochan
Lead maintainer of pnpm

Adds support for excluding packages from the trust policy and for overriding the engines field at publish time.

pnpm 10.21

· One min read
Zoltan Kochan
Lead maintainer of pnpm

Adds support for installing a Node.js runtime for dependencies, and a setting to configure the trust policy.