#pnpm

Orhun Parmaksız 👾 orhun@fosstodon.org
2026-01-30

Wow this is perfect for keeping NPM dependencies secure 🔥

👮 **deputui** — A TUI for reviewing release notes of your NPM dependencies

💯 Pipe in pnpm outdated, skim release notes and select exactly which updates to install

🦀 Written in Rust & built with @ratatui_rs

⭐ GitHub: github.com/twiddler/deputui

#rustlang #ratatui #tui #npm #pnpm #security #packaging #dependencies

Zafir SK Heerah zfir
2026-01-29

Speeding up Docker builds with pnpm store caching 🚀

If your containers keep re-downloading dependencies, you’re losing a lot of time. pnpm uses a global store—so persisting it with a named Docker volume makes pnpm install much faster after the first run.

Short guide: l.zfir.dev/9MFJSUo

2026-01-10
2026-01-06

Why not go whole hog? Why not have wrapper / generic methods for actions, like "install <package>".

That way you can define what package manager you're using, without needing to know specifics. And swapping between them would be easy.
The more advanced stuff could then be handled if / when it was required 🤔

This has drawbacks, and complexities, but at the moment I'm really not getting what's special or valuable about Corepack.

#webdev #code #tech #node #javascript #npm #yarn #pnpm

2026-01-06

The GitHub docs state:

> In practical terms, **Corepack lets you use Yarn, npm, and pnpm without having to install them**.

But... it looks like Corepack just downloads and installs them *for you*. At least it's the right version / hash checked.

I feel like I'm missing something here...

#webdev #code #tech #node #javascript #npm #yarn #pnpm

2026-01-05

`pnpm` is lockfile compatible!? I can just type this in every project instead of remembering #npm #yarn #pnpm #bun #etc!?

2025-12-31
2025-12-29

npm is considering adding a "minimumReleaseAge" feature similar to pnpm and yarn, which limits how soon new versions of a dependency are picked up, to avoid the risk of bugs. #npm #pnpm #yarn #QuanLyPhiênBản #TechViet

reddit.com/r/programming/comme

2025-12-16
codeDude :archlinux: :neovim: codeDude@floss.social
2025-12-16

Today I started to collaborate with the #mastodon project, and to build the project I learned about something named #corepack, which is a manager for #nodejs package managers hahahaha. Today I learned something new
#javascript #nodejs #npm #yarn #pnpm

2025-12-10

Cool write up from #SeattleTimes about using #pnpm to suppress #npm lifecycle scripts: pnpm.io/blog/2025/12/05/newsro

Nothing like realizing you’ve been just executing arbitrary scripts from the internet for years. 😬

#javascript #security

2025-12-08
2025-12-07

How We're Protecting Our Newsroom from npm Supply Chain Attacks

mander.xyz/post/43195694

Tadashi Shigeoka codenote
2025-12-05

🔒 Quick tip for users:

Use `minimumReleaseAge` for stability, but need an emergency security update?

`minimumReleaseAgeExclude` lets you bypass the wait for specific packages without disabling your safety net.

Real-world example from our React CVE response 👇
codenote.net/en/posts/pnpm-min

sb arms & legs sb@metroholografix.ca
2025-11-29

Meanwhile, I'm just trying to update an application on my server, but I need a specific version of #pnpm :(

2025-11-27
lil5 🚲 🇳🇱 lil5@social.linux.pizza
2025-11-27

This is exactly what #opensourcesecuritypodcast talked about in:

opensourcesecurity.io/2025/202

And I just found one in the wild. How?: by using #pnpm (instead of npm) and taking the short time to read the postinstall script. Not rocket science.

lil5 🚲 🇳🇱 lil5@social.linux.pizza
2025-11-24

@dolanor

TLDR start using pnpm.

They have those scripts turned off by default.

#npm #pnpm #javascript
