pnpm 11 cuts the npm umbilical cord

Issue #484. May 5, 2026. 2 Minute read.
Bytes

Today’s issue: Bun slander, Jim Croce’s GitHub, and sending my agents to work in a trap house.

Welcome to #484.



The Main Thing

Asparagus from Veggie Tales lying on the ground

Accidentally looked too deep at my dependencies again

pnpm 11 cuts the npm umbilical cord

Performant Npm has never been shy about marketing itself as the faster, more disk-efficient alternative to npm.

And it’s worked. The content-addressable store, hard links, and shared packages across projects make pnpm significantly faster and leaner than npm, which is why it’s so beloved.

But behind the scenes, it was still outsourcing core commands like publish, login, and dist-tag to the npm CLI. That arrangement finally ended last week with pnpm 11, which ships a native implementation of the entire publish workflow and allowed it to move out of mom’s basement for good.

pnpm v11 also ships as pure ESM now and added a few more cool features:

  • SQLite store index — millions of tiny per-package JSON files are now replaced by a single SQLite database, which means fewer syscalls and faster cold installs

  • Supply-chain protection on by default — newly published packages now have a 1-day minimum release age before pnpm will resolve them

  • Isolated global installs: pnpm add -g now gives each package its own directory, lockfile, and node_modules, so global tools stop fighting over peer dependencies

  • allowBuilds unifies five build settings: onlyBuiltDependencies, neverBuiltDependencies, and friends collapse into a single allow/deny map
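
The release-age rule from the list above, sketched as an added example (not pnpm's own code): given the `time` map that the npm registry returns in package metadata, it picks the newest version that is at least one day old and reports the versions still held back. The function names and the sample package are constructed for illustration, and only plain MAJOR.MINOR.PATCH versions are considered.

```javascript
// Added illustration of release-age gating over registry metadata.
// Not pnpm's implementation; names and sample data are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "MAJOR.MINOR.PATCH"; returns null for prereleases and non-version keys.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  return a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
}

// Returns { picked, held }: the newest version that has aged past minAgeMs,
// and the versions that are still too new to be resolved.
function resolveWithMinimumAge(packument, now, minAgeMs = DAY_MS) {
  const eligible = [];
  const held = [];
  for (const [version, published] of Object.entries(packument.time)) {
    const parsed = parseVersion(version);
    if (!parsed) continue; // skips the "created" and "modified" keys
    const publishedAt = Date.parse(published);
    // Fail closed: an unreadable or future timestamp counts as too new.
    if (Number.isNaN(publishedAt) || now - publishedAt < minAgeMs) {
      held.push(version);
    } else {
      eligible.push({ version, parsed });
    }
  }
  eligible.sort((x, y) => compareVersions(y.parsed, x.parsed));
  return { picked: eligible.length ? eligible[0].version : null, held };
}

// Constructed sample in the shape of the registry's per-package "time" map.
const samplePackument = {
  name: "example-pkg",
  time: {
    created: "2026-01-10T09:00:00.000Z",
    modified: "2026-05-05T08:30:00.000Z",
    "1.4.0": "2026-03-01T12:00:00.000Z",
    "1.4.1": "2026-05-04T06:00:00.000Z", // 30 hours old at NOW
    "1.4.2": "2026-05-05T08:30:00.000Z", // 3.5 hours old at NOW
  },
};

const NOW = Date.parse("2026-05-05T12:00:00.000Z");
console.log(resolveWithMinimumAge(samplePackument, NOW));
```

A version published minutes before an install is the case this gate exists for: it stays in `held`, and the resolver falls back to the newest release that has had a day of public exposure.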

Bottom Line: This was a maturity release for pnpm, which now has a cleaner architecture, better security defaults, and fewer dependencies on the npm toolchain.

Hopefully they remember how to do their own laundry.



Our Friends
(With Benefits)

Dwight Schrute playing the recorder by a trash can

When I think about writing tests for all the AI generated code in my app

Get 80% automated test coverage in 4 months

…with zero effort from your team.

QA Wolf provides white glove automation that guarantees coverage for your entire app. Here’s how:

  • They embed with your team and design a bespoke test strategy for your product and goals

  • They automate complex coverage to help teams release 2-10x more often, on average

  • They maintain your test suite, so it scales with your application as it grows and evolves

Get a personalized demo for your team – and see why Drata’s Sr. Manager of QA said, “QA Wolf has given us full confidence on each release and we’re very happy.”



Pop Quiz

Sponsored by Sentry

They just launched Seer Agent in beta, which lets you ask questions about your application and get detailed answers based on everything Sentry knows about it.

What color is the <p> tag’s text?

<p class="hello">Hello</p>

<style>
  body { color: red; }
  p { color: green; }
  .hello { color: unset; }
</style>


Cool Bits

  1. Jarred Sumner added a Zig ➡️ Rust porting guide to the Bun repo, which led to rampant speculation on HN about how this was all part of Dario’s master plan to ruin everything developers love – until Jarred chimed in saying the whole thread was an overreaction to a small experiment. Never change, HN.

  2. Blacksmith is a drop-in replacement for GitHub runners that costs 60% less and is 2x faster because it runs on bare metal gaming CPUs. And all your actions are fully observable. [sponsored]

  3. Ahmad Shadeed wrote another great interactive article, this time about why you should use range queries.

  4. A Vitest maintainer shared a proposal for a framework-agnostic Vitest. That would be great for the web, but probably less great for VoidZero’s shareholders.

  5. React Universe Summit is coming to New York City on June 23, hosted by the Callstack team. You’ll hear from speakers at Amazon, Expo, and JPMorgan Chase about how enterprise teams are applying AI in real-world React Native workflows. Early Bird pricing ends May 14. [sponsored]

  6. Mat Duggan longingly penned an article called If I could make my own GitHub. It’s best read to the tune of “Time in a Bottle” by Jim Croce.

  7. Julia Evans wrote a deep dive on testing Vue components in the browser.

  8. formisch is a modular, type-safe, and framework-agnostic form library. Aka a form library.

  9. Node.js 26 comes with the Temporal API enabled by default, updates to the V8 JavaScript engine, and other goodies.

  10. Lars Faye wrote about how Agentic coding is a trap. Fortunately I work from home, so I’ve been grinding in a trap house for years.



Pop Quiz: Answer

Sponsored by Sentry

What color is the <p> tag’s text?

<p class="hello">Hello</p>

<style>
  body { color: red; }
  p { color: green; }
  .hello { color: unset; }
</style>

The answer is red since unset “unsets” the style of the p tag, so it inherits from its parent – body.