🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Book a DemoInstallSign in
Socket
Back

Security News

pnpm 10.12 Introduces Global Virtual Store and Expanded Version Catalogs

pnpm 10.12.1 introduces a global virtual store for faster installs and new options for managing dependencies with version catalogs.

pnpm 10.12 Introduces Global Virtual Store and Expanded Version Catalogs

Sarah Gooding

June 11, 2025

pnpm released version 10.12.1 this week, bringing some big changes to JavaScript package management. This update introduces two major improvements that developers will appreciate immediately: lightning-fast installs via a new experimental global virtual store, and powerful enhancements to pnpm's version catalog system.

Experimental Global Virtual Store Delivers Near-Instant Installs#

The standout feature in this release is an experimental global virtual store designed to make installs much faster on machines with a warm cache.

Traditionally, pnpm links dependencies into node_modules/.pnpm. With the global store enabled, those links instead point to a shared directory located at <store-path>/links, where each package is stored in a folder named after the hash of its full dependency graph.

The result: multiple projects can reuse the same dependency instances without relinking or redownloading, significantly reducing install time. pnpm maintainer Zoltan Kochan said the structure is similar to how NixOS handles package management using graph-based isolation.

pnpm will automatically disable the feature in CI environments, where warm caches typically aren’t available.

Kochan shared a demo video of how fast installs can be with this feature enabled:

The global virtual store in pnpm 10.12.1 is a continuation of ideas Kochan first proposed back in 2018. For years, pnpm stored “pure” unpacked packages in the global store, while dependency-specific combinations were built in each project. That approach had performance downsides, especially for monorepos, and didn’t play well with npm’s lockfile format.

The idea of saving packages along with their full dependency graph in the store has been discussed in detail over several issues and PRs. With the new global virtual store, pnpm now stores dependency sets hashed by graph and links them from a central location, allowing for reuse across projects and faster installs.

Version Catalog Improvements#

This update also brings new functionality to pnpm’s version catalog system, which helps enforce consistency across dependencies in monorepos or workspaces.

  • pnpm update now supports updating catalog: protocol dependencies and will update specifiers in pnpm-workspace.yaml.
  • A new catalogMode setting lets you choose how strictly catalogs are enforced:
    • manual (default): nothing added automatically
    • prefer: use catalog versions when possible
    • strict: block anything not already in the catalog
  • New CLI options let you save dependencies directly to a catalog when adding them.

Alongside the headline features, pnpm 10.12.1 includes a handful of smaller updates. The side-effects cache keys have been changed, so older caches will no longer be used. A new ci setting has been added to let users explicitly declare whether pnpm is running in a continuous integration environment. The pnpm patch command now sorts versions using semantic versioning rules, and error messages for mismatched specifiers have been improved to show clear diffs.

Growing Adoption and Ecosystem Momentum#

pnpm’s adoption has grown considerably over the past three years, with nearly 100 million monthly downloads on npm and usage across major open source projects. Its popularity stems from strict dependency isolation, efficient disk usage through content-addressable storage, and consistently fast installs, features that have made it especially appealing for monorepos and large workspaces.

With the introduction of the global virtual store in 10.12.1, pnpm is doubling down on its performance-focused design. For more details, the full changelog is available on GitHub.

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a Demo

Related posts

Back to all posts