3 pnpm Settings to Protect Yourself from Supply Chain Attacks


Supply chain attacks are on the rise, but pnpm users can reduce their exposure by turning on a few settings: delaying the installation of newly published package versions, blocking subdependencies that resolve outside the registry, and allowlisting the packages that are permitted to run install scripts. While npm and Yarn offer some similar features, pnpm currently offers the most complete set of these protections.

Key Points

  • Set 'minimumReleaseAge' to 10080 minutes (7 days) so pnpm refuses to install any package version published less than a week ago. The setting detects nothing by itself; it buys time for the ecosystem to spot and unpublish a malicious release before it can reach your machine, which also means legitimate patches arrive a week late.
  • Enable 'blockExoticSubdeps' so that a subdependency cannot be pulled from a git: or remote tarball URL. Such sources never pass through the registry (and so also sidestep the release-age delay), which is how a compromised package can smuggle in code. The setting targets subdependencies only; dependencies you declare directly remain your own choice.
  • Use 'allowBuilds' (or 'onlyBuiltDependencies' in older pnpm 10 releases) to name exactly which packages may run preinstall, install and postinstall scripts. pnpm 10 blocks dependency lifecycle scripts by default, so anything not listed stays blocked and a hijacked dependency cannot execute code at install time.
  • pnpm is the only major package manager that supports all three of these specific supply chain security features out of the box.
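The three settings together in one pnpm-workspace.yaml, as an added example that is not taken from the article. pnpm 10 reads this file for single-package projects as well as workspaces. The package names under 'allowBuilds' and 'minimumReleaseAgeExclude' are illustrative placeholders; the map form of 'allowBuilds' is the shape documented for recent pnpm 10 releases, and the older list form is shown commented out for comparison.

```yaml
# pnpm-workspace.yaml (added example, not the article's own configuration)

# 1. Delay: refuse any version published less than 7 days (10080 minutes) ago.
#    The default is 0, i.e. a freshly published malicious version installs at once.
minimumReleaseAge: 10080

# Packages you still want immediately, e.g. your own scoped packages whose
# hotfixes you publish yourself (illustrative names, not from the article).
minimumReleaseAgeExclude:
  - "@my-org/cli"
  - "@my-org/shared"

# 2. Registry only for transitive dependencies: a subdependency that resolves to
#    git: or a remote tarball URL aborts the install instead of being fetched.
blockExoticSubdeps: true

# 3. Explicit allowlist of packages that may run preinstall/install/postinstall.
#    Everything not listed is blocked. `pnpm approve-builds` maintains this map
#    interactively; illustrative entries below.
allowBuilds:
  esbuild: true
  sharp: true

# Older pnpm 10 releases use a list instead of the map above:
# onlyBuiltDependencies:
#   - esbuild
#   - sharp
```

After changing these settings run `pnpm install` once with the lockfile present; an install that fails on a git: or tarball subdependency is the setting working, and the failing package is the one to inspect.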
Source: TD Stuff