{ Simple Frontend }

Why pnpm is the best package manager

Find out what makes pnpm stand out among package managers for Node.js projects, particularly in terms of security.

Jeremy Colin
Nov 27, 2025 - 3 min read
#Frontend

What is pnpm?

pnpm is a fast, disk-efficient package manager for Node.js projects.

I first came across pnpm when I was working with a very large frontend monorepo. It was a microfrontend setup in which many packages were redeclaring the same dependencies. However, our package manager at the time, Yarn, was installing each dependency multiple times on disk. We did not want to hoist dependencies because we wanted the option of using the same package at different versions.

When I tried pnpm, it was several times faster because it installs every package/version combination only once on disk and creates a symlink to that single copy from each package that needs it. You can read more about it on the pnpm website, but the TL;DR is that you save both disk space and, more importantly, installation time.

[Figure: pnpm node_modules structure with symlinks to hard-installed packages under .pnpm]

Why pnpm?

Speed: I have just mentioned it, but the main reason people adopt pnpm (at least up to now) is speed. When you run a project installation on CI for the millionth time, the savings start to be meaningful, and besides, it is a much nicer developer experience.

Correctness: With a flat node_modules structure, you can face many subtle, hard-to-debug issues which might affect your reliability. In fact, in the large monorepo I mentioned earlier we encountered them multiple times in our UI library, and they led to very nasty side effects in the user experience.

Security: After the recent attacks on the Node ecosystem, pnpm added support for minimumReleaseAge. It lets you delay the installation of newly published versions. Malicious releases are quickly discovered and removed from the registry, typically under one hour. And yes, even if most of the ecosystem uses this setting, I believe it would still be relevant, as it would give security scanners and researchers time to find the vulnerability. pnpm also does not run dependencies' pre- or post-install scripts by default until you have explicitly allowed them, removing a major attack surface (the vector used by the second Shai-Hulud supply-chain attack in November 2025).
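To make the two protections concrete, here is an added example (not pnpm's own code) that models them in plain Node.js. The first part applies a minimumReleaseAge cut-off to a constructed npm packument and picks the newest version that is old enough to install; the second part scans constructed package.json manifests for install-time lifecycle hooks, which is the review a team would do before allow-listing a package's build scripts. The packument, manifests, timestamps and package names are all made up for the example; the pnpm-workspace.yaml keys quoted in the header comment are the ones pnpm 10 documents.

```javascript
// Added example, not pnpm's implementation. Models two of the protections discussed above:
//   1. minimumReleaseAge: ignore versions published less than N minutes ago.
//   2. Lifecycle-script audit: list dependencies that declare install hooks so they
//      can be reviewed before being allow-listed.
//
// The corresponding pnpm-workspace.yaml settings (pnpm 10 key names) look like:
//   minimumReleaseAge: 1440        # minutes; 1440 = 24 hours
//   onlyBuiltDependencies:         # packages whose install scripts may run
//     - native-addon

const MINUTE_MS = 60 * 1000;

// Constructed registry metadata in the shape of an npm packument's `time` map.
const PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2025-11-26T09:00:00.000Z',
    '1.0.0': '2024-01-01T00:00:00.000Z',
    '2.0.0': '2025-06-15T12:00:00.000Z',
    '2.0.1': '2025-11-20T08:00:00.000Z',
    '2.1.0': '2025-11-26T09:00:00.000Z', // published 30 minutes before NOW
  },
};

// Fixed "current time" so the example is deterministic (constructed).
const NOW = Date.parse('2025-11-26T09:30:00.000Z');

// Compare dotted numeric versions (x.y.z only; prerelease tags are out of scope here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions whose publish time is at least `minimumReleaseAgeMinutes` before `now`, ascending.
function matureVersions(packument, minimumReleaseAgeMinutes, now = NOW) {
  const cutoff = now - minimumReleaseAgeMinutes * MINUTE_MS;
  return Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
}

// The newest version that passes the age check, or null if none does.
function resolveLatest(packument, minimumReleaseAgeMinutes, now = NOW) {
  const versions = matureVersions(packument, minimumReleaseAgeMinutes, now);
  return versions.length ? versions[versions.length - 1] : null;
}

// Constructed package.json excerpts as they would sit under node_modules.
const MANIFESTS = [
  { name: 'plain-lib', version: '1.0.0' },
  { name: 'native-addon', version: '3.2.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'suspicious-util', version: '0.0.9', scripts: { postinstall: 'node setup.js', test: 'jest' } },
];

// Hooks npm-compatible package managers run at install time for a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Packages that declare install-time hooks, with the hook names, for manual review.
function packagesWithInstallScripts(manifests) {
  return manifests
    .map((m) => ({
      name: m.name,
      hooks: INSTALL_HOOKS.filter((h) => m.scripts && typeof m.scripts[h] === 'string'),
    }))
    .filter((entry) => entry.hooks.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('minimumReleaseAge=1440 resolves to', resolveLatest(PACKUMENT, 1440));
  console.log('minimumReleaseAge=0 resolves to', resolveLatest(PACKUMENT, 0));
  console.log('packages needing review:', JSON.stringify(packagesWithInstallScripts(MANIFESTS)));
}
```

With a 24-hour window the fresh 2.1.0 release is skipped in favour of 2.0.1, which has been public for days; with the window set to 0 the behaviour collapses to plain "install latest". The audit function is what you would run over a lockfile or node_modules before adding entries to onlyBuiltDependencies, so that only packages with a known reason to build (native add-ons, for instance) get to execute code at install time.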

Convenience: pnpm is packed with quality-of-life utilities, such as automatic Node.js runtime installation, ensuring you always run the version of Node.js your project and its dependencies expect.

Support: pnpm's author Zoltan Kochan is a top maintainer, addressing issues quickly and continuously shipping useful features like the one mentioned above.
