
Security News
Sarah Gooding
June 11, 2025
pnpm released version 10.12.1 this week, bringing some big changes to JavaScript package management. This update introduces two major improvements that developers will appreciate immediately: lightning-fast installs via a new experimental global virtual store, and powerful enhancements to pnpm's version catalog system.
The standout feature in this release is an experimental global virtual store designed to make installs much faster on machines with a warm cache.
Traditionally, pnpm links dependencies into node_modules/.pnpm. With the global store enabled, those links instead point to a shared directory located at <store-path>/links, where each package is stored in a folder named after the hash of its full dependency graph.
The result: multiple projects can reuse the same dependency instances without relinking or redownloading, significantly reducing install time. pnpm maintainer Zoltan Kochan said the structure is similar to how NixOS handles package management using graph-based isolation.
pnpm will automatically disable the feature in CI environments, where warm caches typically aren’t available.
Kochan shared a demo video of how fast installs can be with this feature enabled:
The global virtual store in pnpm 10.12.1 is a continuation of ideas Kochan first proposed back in 2018. For years, pnpm stored “pure” unpacked packages in the global store, while dependency-specific combinations were built in each project. That approach had performance downsides, especially for monorepos, and didn’t play well with npm’s lockfile format.
The idea of saving packages along with their full dependency graph in the store has been discussed in detail over several issues and PRs. With the new global virtual store, pnpm now stores dependency sets hashed by graph and links them from a central location, allowing for reuse across projects and faster installs.
This update also brings new functionality to pnpm’s version catalog system, which helps enforce consistency across dependencies in monorepos or workspaces.
pnpm update now supports updating catalog: protocol dependencies and will update specifiers in pnpm-workspace.yaml. A new catalogMode setting lets you choose how strictly catalogs are enforced:
- manual (default): nothing added automatically
- prefer: use catalog versions when possible
- strict: block anything not already in the catalog
Alongside the headline features, pnpm 10.12.1 includes a handful of smaller updates. The side-effects cache keys have been changed, so older caches will no longer be used. A new ci setting has been added to let users explicitly declare whether pnpm is running in a continuous integration environment. The pnpm patch command now sorts versions using semantic versioning rules, and error messages for mismatched specifiers have been improved to show clear diffs.
pnpm’s adoption has grown considerably over the past three years, with nearly 100 million monthly downloads on npm and usage across major open source projects. Its popularity stems from strict dependency isolation, efficient disk usage through content-addressable storage, and consistently fast installs, features that have made it especially appealing for monorepos and large workspaces.
With the introduction of the global virtual store in 10.12.1, pnpm is doubling down on its performance-focused design. For more details, the full changelog is available on GitHub.