
Zoltan Kochan

@kochan.io

Developer, maker of @pnpm.io Works on dependency management at bit.dev

2,011 Followers · 177 Following · 134 Posts · Joined 24.04.2023

Latest posts by Zoltan Kochan @kochan.io

I just review less. PRs are waiting for weeks sometimes.

21.02.2026 17:43 👍 0 🔁 0 💬 0 📌 0

pnpm fails on unknown flags. And known flags won't be installed as packages. Maybe there is some edge case where you can escape the dashes. I have never tested it.

13.02.2026 19:37 👍 3 🔁 0 💬 0 📌 0

Preview: Settings (pnpm-workspace.yaml) | pnpm. pnpm gets its configuration from the command line, environment variables, pnpm-workspace.yaml, and...

It is also available as an opt-in feature in v10: pnpm.io/settings#blo...

05.02.2026 21:32 👍 2 🔁 0 💬 0 📌 0

Additionally, pnpm 11 will block dependencies from exotic sources (like Git) in subdependencies.

05.02.2026 13:40 👍 20 🔁 3 💬 2 📌 0

Vox is running out of ideas.

16.12.2025 17:09 👍 2 🔁 0 💬 0 📌 0

Therein lies the rub: AI cannot have "ideas" of its own. Every "idea" you thought AI had came from a person, either through prompting or theft.

The way to jumpstart the "idea machine" is to have people focused less on survival and more on living passionately.

16.12.2025 13:29 👍 20 🔁 18 💬 4 📌 0

Preview: How We're Protecting Our Newsroom from npm Supply Chain Attacks | pnpm. We got lucky with Shai-Hulud 2.0.

The Seattle Times is piloting pnpm’s client-side defenses—blocked lifecycle scripts, release cooldowns, and trust policy—to stop worms like Shai-Hulud 2.0 before they land.
Read their story:
pnpm.io/blog/2025/12...

08.12.2025 13:47 👍 14 🔁 3 💬 1 📌 2

That whole output is from codemod

04.12.2025 15:33 👍 1 🔁 0 💬 0 📌 0

I guess codemod is a package manager of itself and they have switched to some new types of codemods. That is why it prints legacy

04.12.2025 15:32 👍 0 🔁 0 💬 1 📌 0

Pnpx is not deprecated. I don’t know why there’s a warning from the codemod

03.12.2025 13:36 👍 1 🔁 0 💬 2 📌 0

Yet another reminder to use @pnpm.io's minimum dependency age.

pnpm.io/settings#min...

24.11.2025 20:33 👍 12 🔁 4 💬 1 📌 0

I somewhat agree with your points. However, this feature was the most upvoted in our repository. The npm registry has advertised provenance as the solution to the supply chain problems.

12.11.2025 13:46 👍 2 🔁 0 💬 1 📌 0

Yeah, but I think almost no packages use provenance at the moment at all

11.11.2025 19:25 👍 0 🔁 0 💬 1 📌 0

Yes, it will be possible to do both by name and version(s)

11.11.2025 19:01 👍 2 🔁 0 💬 1 📌 0

There will be a setting to exclude packages from the rule. Although some believe it is a bad idea. Someone suggested to even ship a list of exceptions.

11.11.2025 18:59 👍 1 🔁 0 💬 1 📌 0

Yes, that’s the only safe way of doing it. We’re not fixing it only for the lockfile update case

11.11.2025 18:51 👍 1 🔁 0 💬 2 📌 0

I am not sure there’s a better way to do it.

11.11.2025 17:07 👍 1 🔁 0 💬 1 📌 0

🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades

🧵👇

10.11.2025 15:18 👍 57 🔁 9 💬 1 📌 3

Sometimes I can’t tell if someone was using an agent or not but reviewing pull requests takes a lot of my time. I probably spend double the time on the review if they use agents.

10.11.2025 14:52 👍 6 🔁 0 💬 3 📌 0

Preview: pnpm 10.21 | pnpm. Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.

pnpm 10.21: installing Node.js runtimes for dependencies, not installing dependencies with decreased trust levels, and more
@kochan.io @pnpm.io
pnpm.io/blog/release...

#ECMAScript #JavaScript

10.11.2025 02:52 👍 7 🔁 3 💬 0 📌 0

@pnpm.io added a `trustPolicy` option in 10.21.

It allows you to prevent installing potentially malicious dependency updates that are not signed like previous versions.

pnpm.io/blog/release...

Thank you for all the performance, productivity and security enhancements over the last years 💜

10.11.2025 09:37 👍 38 🔁 6 💬 1 📌 1

I am not making any promises about the libraries. The major version is the major version of pnpm cli x100. So a library can have up to 99 breaking changes till the next pnpm cli comes out

27.09.2025 21:46 👍 4 🔁 0 💬 1 📌 0

Preview: pnpm with Zoltan Kochan - Software Engineering Daily. Traditional package management systems for JavaScript have faced several inefficiencies related to dependency storage, resolution, and project performance. pnpm is a fast, disk-efficient package manag...

Zoltan Kochan is a full stack web developer and the creator of @pnpm.io. He joins the show with @joshuakgoldberg.com to talk about the state of package management for web dev.

@kochan.io

softwareengineeringdaily.com/2025/09/18/p...

18.09.2025 10:35 👍 21 🔁 5 💬 1 📌 0

Preview: pnpm 10.16 Adds New Setting for Delayed Dependency Updates -... pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.

After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar "maturity" options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS

15.09.2025 18:28 👍 18 🔁 8 💬 0 📌 2
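Added example, not pnpm's own code: a minimal version of the delayed-update check that the minimumReleaseAge setting above describes, run over a constructed registry `time` map. The package name, timestamps, policy shape and exclusion list are assumptions made for the illustration.

```typescript
// Simplified packument: the npm registry's "time" field maps each version
// (plus "created"/"modified") to its publish timestamp.
type Packument = {
  name: string;
  time: Record<string, string>;
};

// Hypothetical policy shape, modelled loosely on pnpm's setting (minutes).
interface AgePolicy {
  minimumReleaseAgeMinutes: number; // e.g. 1440 = one day
  exclude: string[];                // package names exempt from the rule
}

function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pa[i] ?? 0) - (pb[i] ?? 0);
  }
  return 0;
}

// Versions published at least the minimum age before `now`, oldest first.
function eligibleVersions(pkg: Packument, policy: AgePolicy, now: Date): string[] {
  const cutoff = now.getTime() - policy.minimumReleaseAgeMinutes * 60_000;
  const exempt = policy.exclude.includes(pkg.name);
  return Object.entries(pkg.time)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // drop "created"/"modified" and prereleases
    .filter(([, t]) => exempt || Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
}

// Newest version old enough to install, or null when every version is still too fresh.
function pickVersion(pkg: Packument, policy: AgePolicy, now: Date): string | null {
  const ok = eligibleVersions(pkg, policy, now);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample: 1.2.1 was published one hour before "now".
const samplePackument: Packument = {
  name: "example-lib",
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-09-15T11:00:00.000Z",
    "1.2.0": "2025-09-01T00:00:00.000Z",
    "1.2.1": "2025-09-15T11:00:00.000Z",
  },
};
const sampleNow = new Date("2025-09-15T12:00:00.000Z");
```

With a one-day minimum age the fresh 1.2.1 is skipped and 1.2.0 is chosen; listing the package in `exclude` or setting the age to 0 lets 1.2.1 through.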

Wow, Hollywood is so creative

15.09.2025 09:47 👍 2 🔁 0 💬 0 📌 0

We need a versioning system that consists of 4 numbers, where the first one is used for marketing purposes

02.09.2025 18:13 👍 21 🔁 2 💬 2 📌 1

There were no peer dependencies in 1985

20.08.2025 00:15 👍 3 🔁 0 💬 0 📌 0

That would be the logo

31.07.2025 15:00 👍 4 🔁 0 💬 1 📌 0

I feel like pnpm will eventually grow from being a "npm alternative" to being a "nix alternative"

but "pnix" doesn't sound appropriate 😂

31.07.2025 14:47 👍 17 🔁 1 💬 3 📌 0

With the changes to the lockfile format and the new types of fetchers that were added to pnpm, now it is really easy to make pnpm an installer for anything

bsky.app/profile/pnpm...

31.07.2025 14:32 👍 17 🔁 2 💬 0 📌 0