pnpm v10 now blocks dependency lifecycle scripts by default
Key update
pnpm v10 (stable) changes the default install behavior so that lifecycle scripts defined in dependencies no longer run during installation unless explicitly allowed (via pnpm.onlyBuiltDependencies, an allowlist file, or by approving builds). This is a deliberate, breaking change aimed at preventing supply‑chain attacks that execute malicious postinstall/preinstall scripts. (github.com)
Why it matters
This is a practical security pivot with immediate operational impact. Teams using pnpm may see CI and local installs fail for packages that rely on build/install scripts (native modules like bcrypt, Prisma engines, esbuild, sqlite3, etc.), because those scripts are now ignored until you approve them. The change removes the automatic attack surface of untrusted dependency scripts running on every install, but it requires a small migration: either pre-approve the required packages with the new pnpm approve-builds command, or add the approved names to pnpm.onlyBuiltDependencies (or point onlyBuiltDependenciesFile at a managed allowlist supplied by an internal policy package).

In CI you should pin the pnpm version via the packageManager field, pre-seed the allowlist (or run a deterministic, non-interactive approval step), and test builds end-to-end before rolling the change across monorepos. For teams that cannot adopt the allowlist immediately, pnpm provides a way to restore pre-v10 behavior by configuring neverBuiltDependencies, but relying on that forfeits the security benefit. Overall, this is a small upfront operational cost that meaningfully hardens installs against common install‑script supply‑chain attacks. (github.com)
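As an added example (not code from pnpm or from this post), the following Node script audits a set of dependency manifests against the root package.json allowlist and reports which install-time scripts pnpm v10 would now skip; the root manifest and dependency manifests are constructed inline, and it models only the pnpm.onlyBuiltDependencies allowlist, not other pnpm settings.

```javascript
// Hooks that run at install time; pnpm v10 skips these for dependencies
// unless the package name is on the pnpm.onlyBuiltDependencies allowlist.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks a dependency manifest declares, in hook order.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Classify each dependency as "allowed" (on the allowlist, scripts will run),
// "blocked" (declares scripts but is not approved) or "noScripts".
function auditBuilds(rootManifest, depManifests) {
  const allow = new Set((rootManifest.pnpm || {}).onlyBuiltDependencies || []);
  const report = { allowed: [], blocked: [], noScripts: [] };
  for (const manifest of depManifests) {
    const hooks = installHooks(manifest);
    if (hooks.length === 0) {
      report.noScripts.push(manifest.name);
      continue;
    }
    const entry = { name: manifest.name, version: manifest.version, hooks };
    (allow.has(manifest.name) ? report.allowed : report.blocked).push(entry);
  }
  return report;
}

// Names a reviewer would consider adding to pnpm.onlyBuiltDependencies.
function unapprovedNames(rootManifest, depManifests) {
  return auditBuilds(rootManifest, depManifests).blocked.map((e) => e.name).sort();
}

// Constructed sample input: a root package.json that has only approved esbuild,
// plus four dependency manifests as they would appear in node_modules.
const ROOT_MANIFEST = {
  name: "demo-app",
  packageManager: "pnpm@10.0.0", // constructed pin for a reproducible CI install
  pnpm: { onlyBuiltDependencies: ["esbuild"] },
};
const DEP_MANIFESTS = [
  { name: "esbuild", version: "0.0.0", scripts: { postinstall: "node install.js" } },
  { name: "bcrypt", version: "0.0.0", scripts: { install: "node-pre-gyp install --fallback-to-build" } },
  { name: "sqlite3", version: "0.0.0", scripts: { install: "prebuild-install || node-gyp rebuild" } },
  { name: "lodash", version: "0.0.0", scripts: { test: "echo ok" } },
];

console.log(JSON.stringify(auditBuilds(ROOT_MANIFEST, DEP_MANIFESTS), null, 2));
console.log("needs review:", unapprovedNames(ROOT_MANIFEST, DEP_MANIFESTS).join(", "));
```

Run it in CI before pnpm install to fail fast when a dependency update introduces an install script that nobody has approved yet.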