pnpm 10.16 Introduces Security Feature to Delay New Package Installations

By ivanb · 8mo ago · 3 min read · News

Summary

pnpm 10.16 introduces a new security feature called 'minimumReleaseAge' that delays installation of newly released package versions to mitigate supply chain attacks. This setting requires a specified number of minutes to pass after a version is published before pnpm will install it, helping to avoid compromised packages that are typically discovered and removed within an hour.
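The following is an added illustration of the mechanism the summary describes, not code from pnpm itself. It assumes the shape of an npm registry packument, whose `time` map records the publish timestamp of every version, and applies a release-age cutoff the way a delay setting of N minutes would: a version is only a resolution candidate once it is at least N minutes old. The packument and the clock value are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed packument excerpt in the shape the npm registry returns.
# The "time" map holds the ISO 8601 (UTC) publish timestamp of each version,
# plus the "created" and "modified" bookkeeping entries.
PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T12:05:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "2.0.0": "2024-03-01T09:30:00.000Z",
        "2.1.0": "2024-03-10T12:05:00.000Z",  # published 25 minutes before NOW
    },
}

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 3, 10, 12, 30, tzinfo=timezone.utc)


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so versions sort numerically."""
    return tuple(int(part) for part in version.split("."))


def published_at(packument, version):
    """Read the publish timestamp of one version from the packument."""
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def eligible_versions(packument, minimum_release_age, now=NOW):
    """Versions published at least `minimum_release_age` minutes before `now`,
    sorted ascending. A setting of 0 disables the delay."""
    cutoff = now - timedelta(minutes=minimum_release_age)
    versions = [v for v in packument["time"] if v not in ("created", "modified")]
    return sorted(
        (v for v in versions if published_at(packument, v) <= cutoff),
        key=parse_version,
    )


def resolve_latest(packument, minimum_release_age, now=NOW):
    """Newest version that satisfies the delay, or None if nothing is old enough.
    With the delay in force, a freshly published (possibly compromised) version is
    skipped and the previous release is chosen instead."""
    eligible = eligible_versions(packument, minimum_release_age, now)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    print("no delay:     ", resolve_latest(PACKUMENT, 0))     # 2.1.0
    print("60 min delay: ", resolve_latest(PACKUMENT, 60))    # 2.0.0
    print("1 day delay:  ", eligible_versions(PACKUMENT, 1440))
```

Two points worth noting when reasoning about the setting: the check depends on the publish timestamps the registry reports, so it is only as trustworthy as that metadata, and if every published version is younger than the delay the resolution has no candidate at all, which is the `None` case above.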

Key quotes
To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies.
The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it.
In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.