🚀 pnpm in 2025
2025 was a year of transformation for pnpm. While our main focus was redefining the security model of package management, we also made major improvements to performance and developer experience.
From blocking lifecycle scripts by default to introducing a global virtual store, here is a look back at the major features shipped in 2025.
Usage
According to download stats, pnpm was downloaded twice as many times as in 2024!

Redesign of the Homepage
You may have noticed that we have redesigned our homepage! This redesign was made possible by our most prominent sponsor, Bit.cloud.
The new homepage is now built with Bit components, and much of the work was done using Bit's AI agent, Hope AI. We even have our own design system now.
I work full time at Bit on dependency management. Under the hood, Bit uses pnpm for installation.
Presentation at JSNation
This year was a huge milestone for me personally, as I had my first ever live presentation at a big international conference: JSNation in June in Amsterdam. I would like to thank the JSNation team for this great opportunity!

I was pleasantly surprised how well known pnpm is in the community and how many people use it at their work!
My presentation was about config dependencies, and you can see the recording here.
Feature Highlights
Now, let's dive into the most significant changes shipped in pnpm v10 throughout 2025.
Security by Default
The most significant shift this year was pnpm's move to "Security by Default." In pnpm v10.0, we stopped implicitly trusting installed packages.
Blocking Lifecycle Scripts (v10.0)
For years, pnpm install meant trusting the entire dependency tree to execute arbitrary code. In v10, we turned this off. pnpm no longer runs preinstall or postinstall scripts by default, eliminating a massive class of supply chain attack vectors.
To refine this control, we introduced allowBuilds in v10.26, replacing the earlier onlyBuiltDependencies with a more flexible configuration:
allowBuilds:
  esbuild: true
  # Only allow specific versions
  nx@21.6.4: true
Defense in Depth (v10.16 & v10.21)
We didn't stop at scripts. We added layers of defense to catch malicious packages before they even reach your disk:
- minimumReleaseAge: blocks "zero-day" releases (e.g., packages younger than 24 hours), giving the community time to flag malicious updates.
- trustPolicy: no-downgrade: prevents installing updates that have weaker provenance than previous versions (e.g., a version published without CI/CD verification).
- blockExoticSubdeps: prevents trusted dependencies from pulling in transitive dependencies from untrusted sources.
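As an added example (not pnpm's own code), the following JavaScript models the first two checks above over a constructed packument: a minimum release age filter and a no-downgrade comparison of provenance between the installed version and each update candidate. Field names follow the npm registry packument format (time, versions, dist.attestations); the sample metadata, the one-level provenance ranking and the simplified x.y.z version comparison are this example's own assumptions.

```javascript
// Added example (not pnpm's code): a model of the minimumReleaseAge and
// trustPolicy: no-downgrade checks, run over a constructed packument.
// Field names follow the npm registry packument format; the provenance
// ranking and the version comparison are simplifications for the example.

// Constructed sample metadata; not real registry data.
const NOW_MS = Date.parse('2025-12-01T12:00:00Z');
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  time: {
    created: '2024-01-10T00:00:00Z',
    modified: '2025-12-01T11:30:00Z',
    '2.0.0': '2025-11-20T09:00:00Z', // about 11 days old
    '2.0.1': '2025-11-30T08:00:00Z', // 28 hours old
    '2.1.0': '2025-12-01T11:30:00Z', // 30 minutes old
  },
  versions: {
    '2.0.0': { dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    '2.0.1': { dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    '2.1.0': { dist: {} }, // published without provenance attestations
  },
};

// minimumReleaseAge: keep only versions published at least `minutes` ago.
function versionsOldEnough(packument, minutes, nowMs = Date.now()) {
  const cutoff = nowMs - minutes * 60 * 1000;
  return Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([version]) => version);
}

// Assumed ranking for no-downgrade: a version carrying registry provenance
// attestations ranks above one that has none.
function provenanceLevel(versionMeta) {
  return versionMeta && versionMeta.dist && versionMeta.dist.attestations &&
    versionMeta.dist.attestations.provenance ? 1 : 0;
}

function isProvenanceDowngrade(packument, installed, candidate) {
  return provenanceLevel(packument.versions[candidate]) <
         provenanceLevel(packument.versions[installed]);
}

// Minimal x.y.z comparison (no prerelease handling) sufficient for the sample data.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version newer than `installed` that satisfies both policies, or null.
function pickUpdate(packument, installed, { minimumReleaseAge, trustPolicy }, nowMs = Date.now()) {
  const candidates = versionsOldEnough(packument, minimumReleaseAge, nowMs)
    .filter((v) => compareVersions(v, installed) > 0)
    .sort(compareVersions)
    .reverse();
  for (const candidate of candidates) {
    if (trustPolicy === 'no-downgrade' && isProvenanceDowngrade(packument, installed, candidate)) {
      continue; // newer, but weaker provenance than what is already installed
    }
    return candidate;
  }
  return null;
}

// With a 24 hour floor, the 30 minute old 2.1.0 is not yet eligible.
pickUpdate(SAMPLE_PACKUMENT, '2.0.0', { minimumReleaseAge: 1440, trustPolicy: 'no-downgrade' }, NOW_MS); // '2.0.1'
// With no age floor, 2.1.0 is eligible but unattested, so no-downgrade skips it.
pickUpdate(SAMPLE_PACKUMENT, '2.0.0', { minimumReleaseAge: 0, trustPolicy: 'no-downgrade' }, NOW_MS); // '2.0.1'
// Without no-downgrade, the unattested 2.1.0 would be chosen.
pickUpdate(SAMPLE_PACKUMENT, '2.0.0', { minimumReleaseAge: 0, trustPolicy: null }, NOW_MS); // '2.1.0'
```

The two policies compose: the age floor buys time for a bad release to be reported, and the provenance comparison catches the case where a release is old enough but was published from outside the maintainer's usual CI pipeline.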
Global Virtual Store (v10.12)
One of pnpm's original innovations was the content-addressable store, which saved disk space by deduplicating files. In v10.12, we took this a step further with the Global Virtual Store.
Previously, every project had its own node_modules structure. With enableGlobalVirtualStore: true, pnpm can now link dependencies from a central location on disk directly into your project. This means:
- Massive disk space savings: the same dependency graph is shared across multiple projects.
- Faster installs: if you have 10 projects using react@19, pnpm only needs to link it once globally.
Native JSR Support (v10.9)
We embraced the new JSR registry with native support. You can now install packages directly from JSR using the jsr: protocol:
pnpm add jsr:@std/collections
This maps correctly in package.json and handles the unique resolution rules of JSR packages seamlessly alongside your npm dependencies.
Config Dependencies (v10.0)
For monorepos and complex setups, we introduced Config Dependencies. This feature allows you to share and centralize pnpm configuration, like hooks, patches, and build permissions, across multiple projects.
Config dependencies are installed into node_modules/.pnpm-config before the main dependency graph is resolved. This means you can use them to:
- Share .pnpmfile.cjs hooks across repositories.
- Centralize patch files for patchedDependencies.
- Maintain a shared list of packages that are allowed to run build scripts via allowBuilds.
configDependencies:
  pnpm-plugin-my-company: "1.0.0+sha512-..."
This ensures your pnpm configuration is versioned, consistent, and available exactly when the package manager needs it.
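To show what a hook shared this way can look like, here is an added example of a .pnpmfile.cjs (not pnpm's code and not any published plugin) that a config dependency could ship to every repository. The hooks.readPackage(pkg, context) shape is pnpm's hook API; the policy it enforces, refusing manifests whose dependencies point outside the registry, the list of specifier prefixes it treats as exotic, and the sample manifests are this example's own assumptions.

```javascript
// Added example (not pnpm's code): a .pnpmfile.cjs readPackage hook that
// rejects manifests declaring non-registry dependency specifiers. The hook
// API shape is pnpm's; the policy and prefix list are assumptions.

// Specifier prefixes this policy treats as exotic (assumed list).
const EXOTIC_PREFIXES = ['git+', 'git://', 'github:', 'http://', 'https://', 'file:', 'link:'];

const DEPENDENCY_FIELDS = ['dependencies', 'optionalDependencies', 'devDependencies'];

function isExoticSpec(spec) {
  return EXOTIC_PREFIXES.some((prefix) => spec.startsWith(prefix));
}

// Returns "<field>: <name>@<spec>" for every exotic specifier in the manifest.
function findExoticDependencies(pkg) {
  const found = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === 'string' && isExoticSpec(spec)) {
        found.push(`${field}: ${name}@${spec}`);
      }
    }
  }
  return found;
}

// pnpm calls readPackage for every manifest it resolves. Throwing here
// fails the install with a message naming the offending package.
function readPackage(pkg, context) {
  const exotic = findExoticDependencies(pkg);
  if (exotic.length > 0) {
    throw new Error(
      `${pkg.name}@${pkg.version} declares non-registry dependencies: ${exotic.join(', ')}`
    );
  }
  if (context && typeof context.log === 'function') {
    context.log(`checked ${pkg.name}@${pkg.version}: all dependencies come from the registry`);
  }
  return pkg;
}

// Constructed sample manifests used to exercise the hook; not real packages.
const SAMPLE_OK_MANIFEST = {
  name: 'sample-app', version: '1.0.0',
  dependencies: { 'some-lib': '^4.17.21' },
};
const SAMPLE_REJECTED_MANIFEST = {
  name: 'sample-app', version: '1.0.0',
  dependencies: { 'some-lib': 'git+https://example.invalid/some-lib.git' },
};

// Export in the shape pnpm expects from a .pnpmfile.cjs (guarded so the
// file also loads where `module` is not defined).
if (typeof module !== 'undefined') {
  module.exports = { hooks: { readPackage } };
}
```

Because the hook runs before the dependency graph is resolved, the failure surfaces at install time rather than after the exotic package has already been fetched; the built-in blockExoticSubdeps setting described above covers the same ground without custom code, so a hook like this is mainly useful for organization-specific rules that go beyond the shipped options.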
Automatic JavaScript Runtime Management (v10.14 & v10.21)
We have supported Node.js runtime management for a while now. In 2025, we extended this to support other runtimes like Deno and Bun.
You can now specify the required runtime in package.json via devEngines.runtime:
{
  "devEngines": {
    "runtime": {
      "name": "node",
      "version": "24.6.0"
    }
  }
}
pnpm will automatically download and use that specific version of the runtime for running scripts in that project. This makes "Works on my machine" a thing of the past: everyone on the team uses the exact same runtime, managed entirely by pnpm.
Looking Ahead
We have already started working on pnpm v11.0, which has some noticeable performance improvements. The global virtual store will not yet be enabled by default. We will work on bug fixes and missing features to potentially enable it by default in a future major release.
