Summary & Key Takeaways ​

• pnpm v11 now requires Node.js 22+, dropping support for older versions, and is pure ESM.
• Supply-chain protection features like minimumReleaseAge and blockExoticSubdeps are enabled by default.
• The allowBuilds setting replaces several older build-dependency configurations.
• Global installs are now isolated, each with its own directory and virtual store.
• A new SQLite-backed store index (store v11) improves installation speed by reducing filesystem syscalls.
• pnpm's publish flow is now native, no longer delegating to the npm CLI for many commands.
• The .npmrc file is restricted to auth/registry settings, with other configurations moving to pnpm-workspace.yaml or config.yaml.
• Runtime installs are slimmer, excluding bundled npm, npx, and corepack.
• Several new commands have been introduced, including pnpm ci, pnpm sbom, and pnpm clean.

Our Commentary ​

This is a substantial release for pnpm, pushing the ecosystem forward with a strong focus on security and performance. The Node.js 22+ requirement is a bold move, but it aligns with modern development practices. I'm particularly excited about the default supply-chain protections and the performance gains from the new store index. It feels like pnpm is really maturing into a robust, secure, and efficient package manager.