digestweb.dev
Curated by FRSOURCE

pnpm 11.1 Introduces Audit Signatures, GitHub Packages Support

Originally published on pnpm Releases

Summary & Key Takeaways

  • pnpm 11.1 introduces pnpm audit signatures to verify ECDSA registry signatures for installed packages, respecting scoped registries.
  • It adds built-in support for installing packages from the GitHub Packages npm registry using a gh: prefix.
  • Users can configure additional named registries or override the gh alias in pnpm-workspace.yaml.
  • A new --no-runtime flag allows skipping runtime entry installation without modifying the lockfile, useful for CI environments.
  • New commands pnpm bugs and pnpm owner are added to manage package bug trackers and owners directly from the CLI.

Our Commentary

This is a solid minor release for pnpm, packed with features that significantly improve security and developer workflow. The audit signatures are a crucial step towards more trustworthy package management, addressing a long-standing concern in the ecosystem. We particularly appreciate the streamlined GitHub Packages integration and the flexibility of named registries – these are quality-of-life improvements that will save developers time and headaches. The --no-runtime flag is also a smart addition for CI/CD pipelines, showing a good understanding of real-world deployment needs.

© 2026 digestweb.dev — brought to you by FRSOURCE