On April 28, 2026, pnpm 11 was released with some of the strongest security defaults we've seen from a mainstream JavaScript package manager. The release follows a wave of npm supply chain attacks, including the recent TanStack compromise and the broader Mini Shai Hulud campaign. Both incidents exposed weaknesses in GitHub Actions workflows, CI/CD pipelines, and automated dependency installs. Modern frontend applications often depend on hundreds or thousands of transitive npm packages, which makes dependency installation one of the easiest places for supply chain attacks to spread. Inside the TanStack Attack The attack took advantage of weaknesses in GitHub Actions workflows and CI trust boundaries to publish malicious versions of multiple @tanstack/* packages. In short, attackers were able to poison CI caches, leak runtime tokens, and publish malicious packages directly to npm. TLDR from TanStack official postmortem .…