pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk

The npm ecosystem has long been a target for supply chain attacks, where threat actors exploit the open nature of public package registries to push malicious code into developer environments.

With pnpm 11, the package manager takes a direct step to address this growing risk by enabling key security protections out of the box, making it harder for freshly published malicious packages to silently reach production systems.

For years, every major package manager shipped with an implicit assumption: install whatever is published, no questions asked.

That default behavior has repeatedly allowed attackers to publish a poisoned version of a popular package and watch automated pipelines pull it in within minutes.

Recent supply chain campaigns across the Node.js, Python, and PHP ecosystems have relied on installer-time hooks to download platform-specific payloads, steal credentials, and exfiltrate secrets targeting developers and CI/CD systems.

The attacks used preinstall or postinstall hook mechanisms to download and execute an obfuscated runtime payload, eventually targeting developer and CI/CD secrets.

Researchers at Socket.dev identified and documented how these campaigns move across npm, PyPI, and Packagist registries, noting that most malicious package versions get detected within hours of publication but the damage is done when tools install them the moment they appear.

This pattern, where newly published malicious versions exploit a short window before detection, is exactly what pnpm 11’s new defaults are designed to close.

pnpm 11 arrives as the Go, Rust, and PHP ecosystems were registering responses to a fresh-package supply chain campaign that compromised packages across npm, PyPI, and Packagist.

For GoSvelte target teams, this release showed how much the role of package managers has changed. They are no longer just tools for resolving and installing dependencies, but are increasingly where supply chain security decisions get enforced.

The update introduces three hardened defaults: a Minimum Release Age of 1,440 minutes (24 hours), blocking of exotic subdependencies by default, and a new Allow Builds model for controlling which packages can execute build scripts during installation.

Teams can override these settings when needed, but the default posture now favors security over immediacy.

Supply Chain Protection On by Default

The most impactful change in pnpm 11 is the Minimum Release Age setting, which now defaults to 1,440 minutes.

Newly published package versions are not resolved until they are at least one day old, reducing exposure during the highest-risk window immediately after publication.

Teams can adjust this value using minimumReleaseAge in their configuration, and specific packages can bypass the wait period using minimumReleaseAgeExclude for cases such as critical hotfixes or security patches.

pnpm 11 also turns on Block Exotic Subdeps by default through the blockExoticSubdeps setting. Exotic subdependencies are transitive packages that resolve from non-standard sources, such as Git repositories or direct tarball URLs, rather than the normal registry.

Blocking them reduces the chance that packages can quickly introduce less critical dependency sources into the install graph, narrowing one of the paths attackers use to hide unexpected code in a dependency tree.

Recent supply chain campaigns rarely rely on just one technique, and defaults that reduce unexpected sources make those chains harder to complete.

The new allowBuilds model gives teams a cleaner way to govern which packages are allowed to execute build scripts during installation.

Instead of scattering a build-script allowlist policy across multiple settings, teams now define it from a package name pattern that maps to booleans.

This change is especially timely because lifecycle scripts remain one of the most used execution paths in npm attacks.

The new Allow Builds model does not remove the need for any dependency review, but it gives teams a clearer way to govern which packages are allowed to execute build scripts during installation.

Teams running pnpm 11 with the new defaults should audit their existing pnpm-workspace.yaml for any onlyBuiltDependencies or ignoredBuiltDependencies entries and migrate them to the new allowBuilds map.

Organizations trying to reduce install-time execution risk should treat minimumReleaseAge as a baseline control, keeping an escape path open for emergency updates via minimumReleaseAgeExclude.

For monorepos or environments relying on git-sourced direct dependencies, the blockExoticSubdeps default should be reviewed carefully to avoid breaking resolution for intentional exotic sources in top-level package.json files, since the setting only restricts transitive dependencies from using such sources.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.