How pnpm v10 Protects You from Malware in npm Packages – Simple Security Tips

Source: pnpm.io - Supply Chain Security
Malicious npm packages occasionally slip through and get published, posing risks to developers and projects. Although security firms and npm itself act quickly, usually removing harmful versions within hours, there is always a brief window in which users might unknowingly install infected code.
Key Risks and How pnpm Mitigates Them
- Malware often runs via postinstall scripts: Attackers rely on postinstall scripts to execute malicious code immediately after a package is installed.
- pnpm v10 disables automatic execution of these scripts: To block this common attack vector, pnpm version 10 turns off postinstall scripts by default in dependencies.
- Re-enable scripts carefully and selectively: You can globally re-enable them with a setting, but it is safer to whitelist only the trusted dependencies that are expected to run such scripts. This prevents unexpected builds or malware from firing off if a package suddenly becomes compromised.
- Stay cautious with trusted packages that use postinstall: Even familiar dependencies with build scripts may become compromised. Always monitor updates closely.
Additional Best Practices to Minimize Risk
- Delay updates to new package versions: Since detection usually happens quickly, waiting 24 hours or more before updating can prevent installing a malicious release. The delay is configured in minutes: for example, 1440 means waiting 1 day and 10080 means waiting 1 week before installing new versions.
- Use a lockfile and commit it to your repo: Lockfiles ensure consistency by pinning your exact dependency versions, preventing unexpected or silent updates.
By combining these safeguards, pnpm users gain stronger protection against supply chain attacks, reducing the chance of running compromised packages on their machines and projects. Following these tips creates a safer ecosystem for developers, project founders, and security researchers alike.