#pnpm — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #pnpm, aggregated by home.social.
-
this vibe coded PR with 1,000,000+ additions is just open-source ransomware with prettier commit messages.
shoutout to the brave soul reviewing:
"LGTM" after skimming 14 lines… 🤡
uninstalling immediately!
-
Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:
https://daniakash.com/posts/simplest-supply-chain-defense/
#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios
-
Supply-chain security woes! Here's a simple configuration that will improve your PNPM security posture along with a nudge towards something even deeper!
https://coderlegion.com/14098/configuring-pnpm-to-tackle-the-supply-chain-bonfire
-
Wow this is perfect for keeping NPM dependencies secure 🔥
👮 **deputui** — A TUI for reviewing release notes of your NPM dependencies
💯 Pipe in pnpm outdated, skim release notes and select exactly which updates to install
🦀 Written in Rust & built with @ratatui_rs
⭐ GitHub: https://github.com/twiddler/deputui
#rustlang #ratatui #tui #npm #pnpm #security #packaging #dependencies
-
pnpm in 2025, by @kochan.io (@pnpm):
-
Why not go whole hog? Why not have wrapper / generic methods for actions, like "install <package>"?
That way you can define what package manager you're using, without needing to know specifics. And swapping between them would be easy.
The more advanced stuff could then be handled if / when it was required 🤔 This has drawbacks, and complexities, but at the moment I'm really not getting what's special or valuable about Corepack.
-
The GitHub docs state:
> In practical terms, **Corepack lets you use Yarn, npm, and pnpm without having to install them**.
But... it looks like Corepack just downloads and installs them *for you*. At least it's the right version / hash checked.
I feel like I'm missing something here...
-
This is exactly what #opensourcesecuritypodcast talked about in:
https://opensourcesecurity.io/2025/2025-11-npm-charlie/
And I just found one in the wild. How? By using #pnpm (instead of npm) and taking the short time to read the postinstall script. Not rocket science.
-
TL;DR: start using pnpm.
They have those scripts turned off by default.
-
Blogged: **Aspire with Python, React, Rust and Node apps**
What's involved with integrating apps written with Python, Rust, Node and React/Vite with Aspire? Not that much as it turns out!
-
I migrated my monorepo to Bun: here's my honest review
I recently moved Intlayer (an i18n solution), a monorepo made up of several apps (Next.js, Vite, React, design-system, etc.), from pnpm to Bun. In short (TL;DR): if I had known in advance, I probably wouldn't have done it. I thought it would take a couple of hours. In the end it took about 20 hours. I was drawn in by the "all in one" promise and the impressive performance numbers. I tried it, I built the project, and everything built blazingly fast, great. Then I made a commit... and ran into the first problem.
-
@antfu Thanks for your work to explore #pnpm catalogs. I agree that this is especially useful to document how and when to update certain dependencies.
Some are safe to change (testing and dev deps), and others require careful review (runtime production dependencies with access to sensitive data).
Looking forward to how this develops over time. This could create big improvements for #JavaScript and #TypeScript projects.
-
🚀 Ah yes, the groundbreaking discovery that #APFS on #macOS isn’t perfect at parallel disk I/O, unearthed by running #Git and #pnpm into the ground. 😂 Because what better way to spend a weekend than watching your Mac gasp for air while you pretend to stress test it? 🤡
https://github.com/NullVoxPopuli/disk-perf-git-and-pnpm #diskIO #stressTest #HackerNews #ngated
-
disk-perf-git-and-pnpm aims to prove that something is wrong with APFS on macOS
https://github.com/NullVoxPopuli/disk-perf-git-and-pnpm
#HackerNews #diskperf #macOS #APFS #performance #issues #pnpm #git
-
🚀 Oh joy, #pnpm just invented a magical setting 🧙 to protect us from the boogeymen of supply chain attacks. Because, clearly, the solution to a complex problem is just a #checkbox away. 🙄 Who knew saving the world could be so simple? 😂
https://pnpm.io/blog/releases/10.16 #supplychain #security #innovation #simplicity #humor #HackerNews #ngated
-
Pnpm has a new setting to stave off supply chain attacks
https://pnpm.io/blog/releases/10.16
#HackerNews #Pnpm #SupplyChainSecurity #PackageManagement #Cybersecurity #DeveloperTools #SoftwareUpdates
-
🎉 Oh joy, another thrilling tale of cyber mishap in the land of open-source! 😱 A malevolent #GitHub Action does the Macarena on a repository, and suddenly #npm tokens are flying off the shelves faster than toilet paper in 2020. But fear not, dear reader, for our hero bravely manages to dodge every conceivable consequence by sheer luck and a dash of #pnpm magic! 🪄💥
https://sigh.dev/posts/ctrl-tinycolor-post-mortem/ #cybersecurity #open-source #HackerNews #ngated
-
[Translation] Behind the Scenes of Bun Install
Running bun install is fast, very fast. On average it runs about 7 times faster than npm, 4 times faster than pnpm, and 17 times faster than yarn. The difference is especially noticeable in projects with a large codebase. What used to take minutes now takes (milli)seconds. Why is it so fast? Read on below the cut.
-
Okay so I got #Headplane running manually (non-nix) on my #NixOS host, but I fail to write a working package flake.
Why oh why does it have to be a #PNPM application? The wiki does not help much either.
Do any of you know of an app where I can get inspired? Or has anyone done it themselves?
I am so close.
-
How I Manage Node & Package Manager Versions:
https://dev.to/michalbryxi/how-am-i-managing-node-package-manager-versions-3904
#Blog #IT #NodeJS #PackageManager #Versions #PNPM #Volta #VersionManagement
-
People versed in Javascript/Node.js package managers (npm, yarn, and company): Is there any reason that a lockfile *shouldn't* be committed to a repository?
I'm usually *for* committing lockfiles, but I've noticed some people in the JS ecosystem don't include them for reasons that are unclear to me.
-
https://dev.to/hmans/how-i-monorepo-october-2022-edition-1ib4 - Tools for #Monorepos: 1. #pnpm, 2. ... 3. ... 4. #GitHub Actions, 5. ... 6. Nice collection https://www.linkedin.com/in/hmans/.