Update to PNPM 10 #1341

Open
rmunn opened this issue Jan 6, 2025 · 0 comments
Labels: engineering (Non user-facing change), enhancement (New feature or request)

Comments

rmunn (Contributor) commented Jan 6, 2025

PNPM 10 is now in RC. One of its major features is that "Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security."

I've read of several supply-chain attacks in NPM recently, many of which were aimed at installing bitcoin miners on target computers, so this strikes me as a good idea in general. But we'll need to edit package.json to include a pnpm.onlyBuiltDependencies field listing the packages that should be allowed to run their lifecycle scripts (e.g. playwright wants to download updated browser versions).

This is probably low priority since PNPM 9 is working just fine so far, but in the long run I think the extra security that will come with PNPM 10 means we'll want to upgrade once we've checked which packages should be allowed to run scripts.

rmunn added the labels engineering (Non user-facing change) and enhancement (New feature or request) on Jan 6, 2025