Zoltan Kochan - PodRocket - AUDIO EDIT
===

Noel: [00:00:00] Hello, and welcome to PodRocket, a web development podcast brought to you by LogRocket. I'm Noel, and today I'm here with Zoltan Kocsen, lead maintainer of pnpm, and we're here to talk about pnpm 11. How's it going, Zoltan?

Zoltan: Go, Atario.

Noel: ~I'm good.~ I'm good. I'm excited to kinda jump in here.

~I've, uh, I've, I've done--~ I did kinda like a quick reading of the release notes, but I'm excited to kinda,~ um, you know, ~dig into the details a little bit. ~Um, ~I guess to start off, can you kinda just give us,~ uh,~ an overview of what kind of the biggest shift here is and what the largest motivations are?

~Um, like why is this a,~ why is this a major release?

Zoltan: ~Well, uh, ~there were a lot of,~ uh,~

huge changes in this release. ~Uh, ~maybe the most important one it appears,~ uh,~ is the change of the,~ uh,~ minimum release age,~ uh,~ setting. ~Uh, ~so now from v11, by default, it's,~ uh,~ going to be,~ uh,~ one day,~ uh,~ which means,~ uh,~ you won't,~ uh,~ see,~ um,~ new versions,~ uh,~ from your,~ uh,~ dependencies that are less than,~ uh,~ 24 hours old.

~Um, as, uh,~ as we've seen during the last year or so,~ um,~ all the a- attacks that were [00:01:00] successful,~ uh,~ on the... these open source,~ uh,~ packages in the NPM registry were discovered,~ uh,~ in the first,~ uh,~ like three, four hours, I think, because there are so many,~ uh,~ companies that are constantly scanning these,~ uh, uh, ~packages.

~Uh, I, ~I can't even name all of them. I know like Socket... Yeah, Socket and Aikido, and there are a couple more. ~Uh, ~and they basically compete with each other who will,~ uh,~ catch this,~ uh,~ first. So yeah, we did a poll about this, and,~ uh,~ like we did,~ uh,~ a poll last summer, and mo- most of the people,~ uh,~ said they don't want this to be changed.

And since then, there were so many incidents that I did this poll again,~ uh,~ like in April or so, and,~ uh,~ the,~ uh,~ majority of,~ uh,~ our users voted to,~ uh,~ introduce this change, like 75% ~or, ~or so.

Noel: Yeah. How did you guys settle on one day,~ um,~ as the default?

Zoltan: ~So, uh, ~this was just because,~ um,~

as we,~ uh,~ as we... as I mentioned earlier,~ uh,~ most of the [00:02:00] incidents are,~ uh,~ cached,~ uh,~ in ~like ~a few hours, so we don't want to be too strict about it. ~Uh,~

Noel: Yeah.

Zoltan: day, not like seven weeks.

Noel: Yeah. You said that ~the, the, the, ~the sentiment shift quite a bit, it sounded like ~over the, ~over the span of 12 months there. Did you guys get ~any, ~any pushback on, ~you know, ~having this,~ um,~ on by default, having the default set? ~Was there, was there, ~was there much kinda discussion happening?

Zoltan: So the comments, there, there was a loud minority. There were a few people that were really unhappy about it. But, ~you know, ~p- when you have so many users, there will be always a few people that, that is unhappy with something. You can't do anything that,~ uh,~ satisfies everyone. ~Uh, ~but that's why it's,~ uh,~ a setting, so you can change it.

~Uh, ~if you want, you can disable it. ~Um, ~but,~ uh,~ the vast majority was very happy about it.

Noel: Yeah, I'm sure I d- ~I, ~I have to imagine th-this was like a, an option or a, ~you know, ~a con- a configurable [00:03:00] option that there probably wasn't a lot of demand, like people just didn't care about, and then it suddenly got onto everyone's radar, like you said, ~with the, ~with the polling before. ~Like, ~suddenly everyone cared about it a lot.

~Um, ~did you guys... And was there any kinda, was there a plan for this feature ahead of time? Had you considered this in prior versions and just like now felt like the right time? Or what was the,~ um, like, you know, what, ~what was the history of deciding to get a minimum release age added?

Zoltan: So this was l- like ~a, ~a chain of changes,~ uh,~ that we were doing ~since, I guess, uh,~

Noel: ~Hmm.~

Zoltan: ~The, uh... ~So because,~ uh,~ in V10, the first thing we did,~ uh,~ last year was to block,~ uh, uh, ~the post-install scripts of dependencies. ~Uh, this was, uh... ~We were not the first one,~ uh,~ who did this,~ uh,~ but we were the more strict ones because,~ uh, you know, uh, ~BAN,~ uh,~ does this as well, but they have,~ uh, a, ~a, like- default a list of trusted,~ uh,~ packages,~ like, uh, ~bun by default,~ uh,~ allows to run scripts for ~like ~the five hundred most popular,~ uh,~ packages in the registry.

And we also considered this,~ uh,~ but in that case,~ um,~ like our... This [00:04:00] actually also shifted,~ uh,~ because this decision was,~ uh,~ done,~ uh,~ internally by the-- our,~ um,~ core contributors.

Noel: ~Mm-hmm.~

Zoltan: ~Uh, ~we voted to don't have the default list, and actually most of our users were pretty unhappy about this one,

Noel: ~Yeah,~ yeah.

Zoltan: a year ago. And then,~ uh,~ I did a poll before releasing V-V11,~ uh,~ because I wanted to know if people want to,~ uh,~ have this default list, and,~ uh,~ most of the users,~ uh,~ voted against it. This also shifted like in a year drastically. ~Um, ~then we also added a setting called trusted,~ uh,~ I think trusted policy it's called,

Noel: ~Mm.~

Zoltan: and this one is currently an opt-in,~ uh,~ feature. And,~ uh,~ what it does is,~ uh,~ it checks if previous versions of a package were released with a,~ like,~ higher level of trust, so with provenance or with,~ uh,~ how it's called, OIDC,

Noel: I see.

Zoltan: like the,~ uh,~ re-release from GitHub actions.

Noel: Gotcha.

Zoltan: ~uh, ~a package had this,~ uh, uh, ~OIDC,~ uh,~ configured in the past [00:05:00] and now a new version came out released,~ uh,~ with an auth token,~ uh,~ then,~ uh,~ with this setting,~ uh,~ installation will fail and,~ uh, you'll, ~you'll get an error message. So this can catch some issues like,~ uh, like ~an... I think Nx would have been caught with this,

Noel: ~Mm.~

Zoltan: the Nx incident because the...

they were released without this,~ uh,~ OIDC. But this is,~ uh,~ currently an opt-in feature.

Noel: Gotcha. No, it makes sense. ~Like, ~yeah,~ if,~ if suddenly there's a strange, I'm air quoting, like strange deployment pattern on one of your packages, like it seems like it'd be worth ~kind of ~having pause there before moving forward.

Zoltan: So ~the, ~the main issue with this,~ uh,~ ch-- both of these changes, ~uh- Uh, ~like the minimum relea- release age and the trusted policy is that,~ uh,~ they need,~ um,~ time information, like timestamps of versions. And the registry, the npm registry doesn't provide this information,~ uh,~ in the obfuscated,~ uh,~

Noel: ~Uh.~

Zoltan: metadata, so you need to,~ uh,~ fetch like the whole metadata.

Noel: Gotcha.

Zoltan: you, ~um... ~That's why initially I [00:06:00] was against,~ uh,~ enabling it by default because it makes installation slower.

Noel: Yeah, I was gonna ask, is there a pretty large performance hit if you have to pull down,~ like,~ full metadata for a pack? Especially, ~I guess, ~when the tree's kind of branching out quite a bit.

Zoltan: Yeah, but then I came up with some hacks how to make it faster.

Noel: Okay. Yeah.

Zoltan: so now it's,~ uh,~ actually as fast.

Noel: Nice.

Zoltan: yeah.

Noel: ~Yeah, ~yeah. Comparable. Cool. Let's,~ uh,~ let's rewind a little bit to the, um, kind of post-install script,~ uh,~ changes. There,~ there's,~ there's a few changes here. ~Uh, ~I remember the,~ uh,~ allow builds setting is kinda, ~kind of ~different as well. ~Um, ~what is that-- ~Like, ~what is that new allow builds allowing for?

How does that ch- differ from what people had access to before?

Zoltan: Yeah, so

Noel: ~Mm.~

Zoltan: ~we, ~we were,~ uh,~ we were moving really fast in V10,~ uh,~ when we shipped this change. Like it was almost before the V10 stable release that we introduced this breaking change. ~So, uh, ~the configuration was a bit,~ uh,~ messy. ~Uh, ~we had ~like, uh, ~only built dependencies with an, which is an array,~ uh,~ of,~ uh,~ package names, [00:07:00] and we had,~ uh,~ another set in,~ uh,~ called ignored built dependencies, which is,~ uh,~ also an array of strings,~ uh,~ of package names.

So basically in V10, in the early versions, you would put,~ uh,~ a package with, which has post install scripts to one of these arrays. ~Uh, ~so in VL11, we just,~ uh,~ refactored this,~ uh,~ to be in, inside a single,~ uh, uh, ~map,~ uh,~ allow builds where the key is,~ uh,~ the,~ uh,~ package name and,~ uh,~ the value is either,~ uh,~ true or false.

Noel: ~Mm.~

Zoltan: And also this,~ uh,~ setting is pre-populated. ~So, uh- ~You can just open up, ~uh... ~After installation, you can just open up the pnpm-workspace.yaml and,~ uh,~ there ~you'll, ~you'll see the,~ uh,~ packages already there with a placeholder that says, "Change this to true or false."

Noel: ~Oh, I see. Yeah. Do you think that that will be, um... I guess, is, is that, ~is that mechanism quite a bit cleaner for how most people were ~using, ~using these settings before? ~Like, ~will-- do you think this will simplify most people's configuration quite a bit?

Zoltan: Yeah, I think it's easier to understand. ~Uh,~

for me, it's a lot,~ uh,~ cleaner

Noel: Yeah.

Zoltan: easier to pronounce, ~like ~[00:08:00] allow builds versus,~ uh,~ only build dependencies.

Noel: ~Right. Right. ~Yeah.

Zoltan: ~these, ~these two settings were inside pnpm for a long time, for a f- a few years already. We just changed the default in v10.

Noel: Gotcha. 

Zoltan: ~Um.~

Noel: and ~people, ~people probably started leaning on it quite a bit more, kinda especially as there was some scrutiny around the post-install steps and all this stuff.

Zoltan: Yeah, there were a lot of incidents. ~Like, uh, ~a few years ago, there were- was like one, two incident a year, and now it's one, two ~a, ~a month.

Noel: Exactly, yeah. Yeah. ~Um, ~kinda I guess this is changing,~ uh, shifting, ~shifting gears a little bit here. ~Um, ~but I also saw a note on global installs working a little bit differently. Can you ~explain, ~explain that? Is that a security thing or is that mainly just a developer,~ um,~ ergonomics ~kind of, ~kind of change?

Zoltan: ~Mm, ~that's, yeah, more like performance and,~ uh,~ correctness,~ uh, I guess.~

Noel: Gotcha.

Zoltan: ~Um, ~yeah,~ uh,~ actually, there were a lot of changes related to,~ uh,~ the global virtual store, if you have heard about it. ~Uh, ~so this one is,~ uh,~ about,~ um,~

Noel: ~Mm.~

Zoltan: it's hard to explain because we have like [00:09:00] several layers of this global store.

Noel: I see.

Zoltan: ~uh, ~content addressable store where,~ uh,~ every file of every package is stored by its,~ uh, um, uh, ~content hash,~ uh,~ right? And that's then,~ uh,~ normally,~ uh,~ you'll have ~like, uh, ~hard links to your node modules,~ um,~ or like ref links,~ uh,~ on,~ uh,~ systems that support them ~Uh, ~which,~ mm,~ and,~ uh,~ but still you get ~like, uh, ~you save space,~ uh,~ you save a lot of disk space with this design because,~ uh,~ y- the files are not duplicated into node modules.

But,~ uh,~ during install,~ uh,~ you s- in pnpm will still,~ uh,~ create like hundreds of,~ uh,~ directories and,~ uh,~

Noel: Yeah.

Zoltan: ~uh, ~like thousands of these hard links,~ uh,~ and this is takes a lot of time. ~Uh, ~and with, ~uh... ~So to,~ uh, like ~to make this faster,~ uh,~ I came up with this idea to move out,~ uh,~ all the packages from the... your project's node modules to a central location on the disk where every,~ uh,~ package is stored in a directory,~ uh,~ which is calculated,~ uh,~ from the dependency graph of this,~ uh, uh, ~package.

And then when you run install, [00:10:00] y- if you have ~like ~a hot cache,~ uh,~ basically ~all, ~all that pnpm does is it creates,~ uh,~ a few symlinks,~ uh,~ to this,~ uh,~ central location. So instead of creating,~ uh,~ thou- instead of thousands of,~ uh,~ file system operations,~ uh,~ pnpm will, will just do,~ uh,~ like 12 if you have 12 direct dependencies.

Noel: Gotcha.

Zoltan: And,~ um,~ but this is a big change. ~Uh, ~I recommend everyone to use it. ~Uh, ~you can... They can enable it with,~ uh, uh, ~enableGlobalVirtualStore in their pnpm-workspace.yaml.

Noel: ~Mm.~

Zoltan: ~Uh, ~but it was,~ uh,~ early to make it,~ uh,~ to turn it on for everyone. I think there are a lot of,~ uh,~ broken packages that will stop working with this new layout.

~Uh, ~however,~ uh,~ global packages and,~ uh,~ the packages that you are... you run with DLX are simpler because they are like ~usually, ~usually pre- precompiled,

Noel: Yeah.

Zoltan: ~uh, ~prebuilt. ~Uh, ~so for them, I have ins- enabled this,~ uh,~ by default in v- version 11.

Noel: Gotcha. ~Do, ~do some packages tend to break because they're like, they're doing, ~you know, ~something interesting like with the [00:11:00] file system and paths and ~i-is that, ~is that where the errors usually arise?

Zoltan: Yeah, usually tools that, ~uh- Uh, ~resolve dependencies using their own resolution system. Like they... Instead of relying on node,~ uh,~ node's resolution system, they usually deviate from the,~ uh,~ the standards and,~ uh,~ the,~ mm,~ they might only test it on,~ uh,~

Noel: Yeah.

Zoltan: a flat node modules. ~Well, ~actually n- now pnpm is so popular that,~ uh,~ I guess we could be an,~ uh,~ I ~could, ~could be an asshole and just break it, and then,~ uh,~

Noel: People would update their packages.

Zoltan: Yeah, they would storm those,~ uh,~ packages with,~ uh,~ issues.

Noel: Yeah. Yeah. ~Um, ~gotcha. Yeah, so ~like, I guess, is this, ~is this mainly a benefit if you have, ~you know, ~like more-- multiple projects, ~I guess, ~kinda on your system? ~Like, if you, ~if you're only op- working with one project,~ would, would, ~would this global change really help you? Or is it mainly ~so, like, you know, ~you're not just re- kinda rehashing with, ~you know, ~if you'll forgive the abuse of the term, the same,~ um,~

Zoltan: So I, I think for local development,~ it's,~ it's...

I can't come up with a scenario ~where, ~where it's bad. For CI, it might be [00:12:00] worse because on CI you mostly have cold cache, so it's, ~uh...~

Noel: Yeah, that's true.

Zoltan: so probably it might make no sense,~ uh,~ in CI, but,~ um,~

Noel: I guess it depends, though. ~Like, ~someone could have,~ like,~ a multi-step build where there's,~ like,~ a cached layer in there, and it's checking,

Zoltan: But,~ uh, you know, ~the best,~ uh,~ use for this feature is now v- for,~ uh,~ working with agents,~ uh,~ because,~ uh,~ I,~ uh,~ I started using,~ uh,~ Git worktrees heavily. ~Uh, ~so y- ~uh, ~I even,~ uh,~ wr- ~um, ~I,~ uh,~ read... I have written,~ uh,~ an article about it in the pnpm website. ~Uh, ~you can search for it. ~Uh, ~ju- just search for Git worktrees with pnpm, and I describe how I,~ uh,~ use worktrees in the pnpm,~ uh,~ repository.

~Uh, ~so basically,~ um,~ the issue with worktrees is that,~ uh, well, ~it, it takes a lot of time to set up a new worktree, right? Git is,~ uh,~ like Git creates a new worktree ~very, ~very rapidly, like in a few seconds. But then you have... If you're,~ uh,~ ins- run install, it will take,~ uh,~ like at least twenty seconds And then TypeScript will take another ~like, uh, ~four minutes to, to build everything [00:13:00] without cache.

However, in 2026, both of these issues are gone because with, ~uh... ~If you enable this global virtual store, then if you had a previous work tree where you already ran install, then the next one will immediately complete because,~ uh,~ pnpm will just create a few symlinks. And then TypeScript,~ uh,~ has a TS,~ uh,~ rewritten in Go,

Noel: ~Mm-hmm.~

Zoltan: which is not the latest yet, but I don't know if it has any issues because I use it like for several months already, and it works perfectly.

And TS Go,~ uh,~

also compiles like in 30 seconds maybe versus four minutes.

Noel: ~Right, right.~

Zoltan: yeah, golden age for development.

Noel: ~Yeah, ~yeah. I think that's ~kind of ~an interesting question. To, to what extent,~ um,~ are these, ~you know, uh, ~pe- people using agents for development? ~Like, ~I think ~that ~that is, is changing w- ~uh, ~how developers work and kinda what-- how they interact with their tooling, right?

~Like, the, ~the way, the things, the demands of their tooling change rapidly. ~Um, like, you know, ~at the, this Worktrees example [00:14:00] is a good one. ~Is, ~is that-- Are you guys paying pretty close attention to that? ~Like, ~is there, is that kind of influencing, ~I guess, ~decisions that you're making on how pnpm works?

Zoltan: Yeah, it does. We can,~ uh,~ have an advantage if,~ uh,~ pnpm works ac- ~uh, ~good with,~ uh,~ AI. ~Uh, ~actually, there was a s- I don't remember how this website is called. ~Uh, ~there is a website, someone posted it on Twitter, which,~ uh,~ lists,~ uh,~ what stack,~ uh,~ different agents prefer.

Noel: ~Mm.~

Zoltan: ~Um, ~and I think,

Noel: Yeah.

Zoltan: a few months ago,~ I,~ I checked it, and it preferred pnpm, uh,~ uh,~

Noel: Yeah.

Zoltan: because someone just asks an agent to create a new project, and,~ uh,~ the, their agent will pick pnpm if they don't have their own ~like, uh, ~reference configured.

Noel: Yeah.

Zoltan: ~Um, ~so yeah,~ this,~ this global virtual store,

~um,~ is very good

for this. But Yeah,

we also use agents for, yeah, sorry,~ uh,~ for development ourselves. Like it completely,~ uh,~ transformed how we,~ uh,~ develop pnpm, and that's why there are so many changes in, ~uh- Uh, ~in v11 because we were able [00:15:00] to make a few changes,~ uh,~ that were in the backlog for years,~ uh,~ and we couldn't do it.

But now we could.

Noel: ~Yeah, yeah. There's the-- Is the, uh... ~I saw ~the, ~the,~ um,~ NPM CLI fallback. That seemed like a feature that maybe was something... That re-implementation seemed like a thing that was like, "Oh,~ maybe,~ maybe, ~you know, ~AI development kinda helped get this one across the line

Zoltan: And also the Rust rewrite. ~Like, ~actually I talked to Mael,~ uh,~ a year ago,~ uh, you know, ~the lead maintainer of Yarn.

Noel: ~Mm.~

Zoltan: ~Um, ~and he shared back then that,~ uh,~ he will... He works on the Yarn rewrite to Rust. ~Um, ~and I jokingly said, ~like ~not jokingly, I meant it that I will postpone it,~ uh,~ till AI,~ uh,~ will be able to do it for me.

~Uh, ~and it took like less than a year for this to become true. That now I can... Like for the last two or three weeks, I'm working on the,~ uh,~ Rust rewrite of pnpm, and it works perfectly.

Noel: ~Yeah, yeah, ~yeah.

Zoltan: It blows my mind.

Noel: Yeah. It is,~ uh, it is, ~it is crazy. I think especially if ~it, ~it's in an environment with,~ like,~ a good amount of tests and everything like that, you kinda have-- [00:16:00] Having something it can iterate against ~is, ~is quite helpful, it seems. ~Um, yeah. Yeah, I guess, uh, is there, on that, um... Kinda I guess~ s-speaking to, like, large scale changes, I also~ I also saw-- I mean, even at the, kinda the top, the top of your guys's, or top,~ the top of the release notes,~ um, you know, ~talking about Node.js 22 being required and kinda ~the, ~the dropping of what was supported before, 18?

18 plus?

Zoltan: So yeah, 18 was supported and now 22.

Noel: 22. ~Yeah, ~yeah. Was there-- ~Was this, ~was this kinda-- ~Were, ~were you thinking about this in the same way? Was it like, "Eh, people can update their projects more easily now," or was there just something you needed in particular in 22 that felt like a, ~you know, ~a logical break point here?

Zoltan: ~Uh, ~so ~I, ~I don't worry that much about the supported Node.js versions because,~ uh,~ we actually,~ um,~ ship,~ uh,~ a binary version of pnpm,~ uh,~ which we generate with,~ uh,~ nodes... Like in the past we generated it with,~ uh,~ pack- pkg,~ uh, you know, ~by Vercel.

Noel: Yeah.

Zoltan: And now we switched actually in v11 to ~Uh, ~packet with,~ uh,~ nodes ~built, ~built in,~ uh,~ single executable application

Noel: Oh, I see.

Zoltan: feature.

And we actually added ~a, a, ~a command [00:17:00] to pnpm for others to use if they want to do the

Noel: cool.

Zoltan: for their CLI. So yeah,~ uh,~ I recommend everyone to use this,~ uh, uh, ~binary version of pnpm because then they can install it on a system which doesn't even have Node.js installed. ~Uh, ~and then they can,~ uh,~ use pnpm to install Node.js.

Noel: ~Yeah, ~yeah. Nice.

Zoltan: now I,~ uh,~ work on a GitHub action which,~ uh,~ can be used instead of the,~ uh,~ Node.js GitHub action. ~Uh, ~so they... Instead of having,~ uh,~ one action for installing Node.js and another one for installing,~ uh,~ pnpm, they can have just this single,~ uh,~ action and run install, and it will install both the dependencies and Node.js.

Noel: Yeah, nice. Is that-- are, are-- what's the main kind of use case that you've found there? So ~like, people, ~people dropping into systems that don't have this installed, or is it like for ~like ~CICD pipelines to remove a step there? ~What's the, ~what's the main use case?

Zoltan: I think,~ uh,~ it's one less tool to use. ~Uh, ~it's more secure because,~ uh,~

~uh, ~because we store,~ uh,~ all [00:18:00] the integrity checksums of Node.js,~ uh,~ in the log file like any other dependency.

Noel: Yeah.

Zoltan: ~Uh, like, ~usually other tools are used, ~you know, uh, ~personally,~ uh,~ by every developer,~ uh,~ on their machine, and not all of these tools work on all operating systems. ~Um, ~I, ~uh... ~Usually, in the past, there was o-one tool that worked good on Windows, and then there was another one for Linux and,~ uh,~ macOS.

Maybe it changed now. But,~ uh,~ I like... I like that it's, ~um... ~It creates a perfectly reproducible build,~ uh,~

Noel: Yeah. You don't have to

Zoltan: the runtime.

Noel: Yeah, it's not like you're not reaching for containers or something just to get ~a, ~a re-runnable build. Yeah.

Zoltan: Yeah. And also it works,~ uh,~ with Bun and Deno as well, so you can,~ uh,~ use the same commands, the same,~ uh,~ settings in packages, so on. Just replace Node with,~ uh,~ something else

Noel: Yeah. Is it pretty easy for developers to ~kind of make, ~make the switch? I'd imagine so.

Zoltan: With AI, yes.

Noel: Yeah, sure. ~Right.~

Zoltan: Actually, ~you know, uh, ~I tried,~ uh,~ to port, to move,~ uh,~ pnpm to both Deno and [00:19:00] Bun, and,~ uh,~ AI did it like in a few minutes.

Noel: Yeah.

Zoltan: It was just slower with both.

Noel: Yep. No, ~I guess, ~I guess ~I was more, ~I was more curious if you think devs should make the switch to the standalone executable. ~Like, ~do you think,~ like,~ do you think AI helps quite a bit there?

Zoltan: Sure.

Noel: Or if it's working correctly now, ~like ~don't really worry about it.

Zoltan: switching is actually easy,~ um,~ because,~ uh,~ every- everything remains the same. You just,~ uh, um, ~install a different,~ uh,~ package.

Noel: Yeah. Gotcha. Yeah, and again, that's what kind... ~I, ~I'd imagine it would just work. Like ~I don't, ~I don't... I wouldn't think there'd be m-much... ~Like ~is there ~any, ~any configuration weirdness or anything that needs to be different there?

Zoltan: No, you just open the pnpm installation,~ uh,~ page and,~ uh,~ you pick,~ uh,~ the installation script. There is one for POSIX and one for,~ uh,~ Windows.

Noel: Yeah. Yeah, cool.

Zoltan: That's it.

Noel: front, I did notice that there was some,~ uh,~ npmrc with,~ uh,~ the pnpm workspaces YAML file. There were some differences there. ~What, ~what motivated that, ~kind of ~the change in how that configuration works?

Zoltan: Yeah, that [00:20:00] was,~ uh,~ not our choice, ~I guess. ~We were ~kind of ~forced to do that because,~ uh,~ npm started showing up these warnings,~ uh,~ that this is a,~ uh,~ unknown,~ uh,~ property. So npm CLI added some strict validation to the,~ uh,~ fields that are in npmrc, and they even print out a warning that this will break in a future major version.

So we had to,~ uh,~ stop using npmrc. And,~ uh,~ pnpm-workspace.yaml was already there, so we decided to use it instead of,~ uh,~ creating a new file.

Noel: Yeah. Did that cause ~any, ~any,~ um,~ pain? Is there an- is there any kinda, I don't know, configuration, anything that feels a little bit strange now or ~is it, ~is it a pretty clean change?

Zoltan: I think it's,~ uh,~ it's better because npm... ~Well, ~like any file is a, ~uh- ~limits you. ~In a, ~in a YAML file, you, you can have,~ uh,~ much richer syntax like

Noel: Yeah, it's more structure. Yeah.

Zoltan: comments. ~Uh, ~actually, yeah, comments ~are, ~are preserved now,~ uh,~ and formatting is preserved ~in, ~in,~ uh,~ the pnpm works with YAML. This is,~ uh,~ these are also improvements in the [00:21:00] v11 version.

Noel: Yeah. Nice.

Zoltan: ~Um,~

yeah, and,~ uh,~ if you open up the release page,~ uh,~ at the top, there is a link to a migration page. ~Uh, ~and on the migration page, you can see there is a code mode you can run,

Noel: Yeah.

Zoltan: ~um, ~to automatically,~ um,~ move all these settings and do other,~ uh,~ changes that are needed, ~uh...~

Noel: Yeah. Nice. ~Uh, ~w- ~uh, ~that's kinda what I was going to ask. Have you,~ uh,~ have you seen pretty smooth, ~you know, um, ~upgrades? ~Have people, ~have people reported the upgrade going pretty smoothly?

Zoltan: It's ~hard to, ~hard to tell. I think it's smooth.

Noel: Yeah.

Zoltan: yeah,

Noel: Good.

Zoltan: it's impossible ~to, ~to release a new version without,

Noel: Some hiccups.

Zoltan: people,~ uh,~ like having issues. Even,~ uh,~ with a patch or minor release,~ uh, you, ~you can get some issues, and the major is another story. But looking at the download stats already, like v10...

v11 is, I think,~ uh,~ downloaded,~ uh,~ s- five million times, like in the last seven days, and the amount of issues in the repo is,~ uh,~ is fine. So it's pretty smooth.

Noel: Yeah, ~I was, ~I was gonna ask. Can I-- I know ~I don't, ~I don't [00:22:00] wanna,~ uh,~ sound like a broken record here. But do you think that,~ like,~ now that ~most, ~most developers, I assume, are ~using an, ~using an agent of some kind to facilitate their migration, does that kinda change... Do you think that is gonna lead to f- easier adoption for people?

~Like, do, ~do you think the agents are doing well enough at helping people migrate their projects that it's not as much a pain point anymore?

Zoltan: Maybe,~ uh,~ but I'm not sure,~ uh,~ how it works b-because agents are usually trained on,~ uh,~ other data, right? ~So, uh, ~are they able... So ~yeah, ~yeah, so actually,~ uh,~ I added to... We have ~a, ~a command,~ uh,~ for updating pnpm. It's pnpm self-update. And when you run this, ~uh- ~Command. ~If, ~if the update is going from V10 to V11, you'll get an info message,~ uh,~ that,~ um,~ tells you to open up the migration page on the website, and this was actually added to help agents to find information about,~ uh,~ the migration.

Noel: Yeah. Yeah, 'cause I'd imagine ~they'd, ~they'd j- they'd probably run the code mod if you, if they find the page to do [00:23:00] it and they're in, then they're asked... Or at least they'll surface it to the developer.

Zoltan: So the page,~ uh,~ has,~ uh,~ the code mode and it has some other instructions that should be done,~ uh,~ manually. So I hope,~ uh,~ agents can,~ uh,~ read this,~ uh,~ and do the changes.

Noel: Yeah. Is there any-- Are there anything-- Is there anything in particular that people keep getting hung up on or that, that has been ~a, ~a pain point thus far?

Zoltan: So yeah, this change,~ uh,~ of the minimum ~release, ~release age

Noel: Oh,~ yeah, yeah, ~yeah.

Zoltan: ~uh, ~it, it makes, ~uh... ~it is confusing to some people, yeah, because they run install and they don't s- don't see,~ uh,~ a package that was released,~ uh,~ today.

Noel: Yeah.

Zoltan: a few,~ uh,~ issues opened about this. ~Uh,~

and,~ uh,~ other than that, I'm not sure. ~Like there were, ~there were bugs that we fixed.

Noel: Yeah.

Zoltan: ~Uh,~

Noel: That's good, though. That's good if

Zoltan: the, yeah, the global install, the glob- the global install was a bit confusing. ~Uh, ~I changed it a bit also to, to make it less confusing.

Noel: Yeah. Nice. Good. Good. ~Well, ~let's see. I feel like I don't have ~a, ~a ton more questions. ~What are you, ~what are you kinda thinking, ~you know, ~for V12? Is there anything that you guys left out of [00:24:00] V11 that's kinda on the roadmap that you'd like to include?

Zoltan: Yeah. ~I, ~I actually have a lot of plans,~ a,~ a lot of ideas, but,~ uh,~ unfortunately,~ I, I, ~I really need to focus now on the Rustj, right?

Noel: Yeah. Yeah. Yeah.

Zoltan: Because,~ uh, you know, ~now with agents, a- anyone can do it. ~Uh, ~so if we don't do it, someone else will do it.

Noel: ~Mm-hmm.~

Zoltan: in the past, we had a big,~ uh,~ advantage because of our expertise and,~ uh,~ all that.

~Hmm, ~we need to adapt. ~Uh- ~So now I, we will concentrate on,~ uh,~ to ship,~ uh,~ a Rust engine,~ uh,~ that, that will work,~ uh,~ with an up-to-date,~ uh,~ lock file because that's, ~I mean, kind of ~easier to do be- because the resolution is a lot more complex. ~Uh, ~it's influenced by a lot more settings.

Noel: Yeah.

Zoltan: so we will solely focus on doing an, like a frozen install,~ uh,~ with Rust.

~Mm. ~And I want this to ship in version 12 and maybe if we're lucky,~ uh,~ in version 11 as an opt-in. And yes, I have a few [00:25:00] other ideas,~ uh,~ which I need to postpone for now. ~Um, ~also,~ uh,~ I mentioned the global virtual store which,~ uh,~ should... ~I would, ~I would love it,~ uh,~ I would love it to be the new default in the future. ~Uh, ~so far, there were no issues reported about it,

uh,~ ~from people,~ uh,~ using it for glob- global install.

Noel: Yeah.

Zoltan: We need somehow to,~ uh,~ increase the amount of people using this,~ uh,~ to see if there are,~ uh,~ issues and fix these issues.

Noel: Yeah, it's probably kinda tricky when you don't, you know-- It's like if something's not default, it probably has very low adoption, and then as soon as you flip it over, it's like suddenly ~tons of, ~tons of use.

Zoltan: Yeah, and ~when you, ~when you change,~ uh,~ change it in a major, it's already late ~to, ~to go back.

Noel: Yeah. ~Right, right.~

Zoltan: to see if the, if it's safe to do.

Noel: Nice. Yeah. Yeah, I'm sure. There's probably people paying attention, though. If you tell them it'll,~ uh, you know, ~make their builds faster ~and, ~and all that jazz, ~I'm sure, ~I'm sure people will start opting in.

Zoltan: Yeah, maybe we can change the website and mention it more,~ uh,~ maybe mention it on the homepage. I don't know. There are... We can come up with something.[00:26:00] 

Noel: Yeah. ~Right, right. ~We'll,~ uh, we'll, ~we'll call it out on the podcast. If you decide to come back, we'll implore people to go turn it on. ~Um, ~yeah. Cool. ~Well, I guess, ~is there anything else you wanted to mention, Zoltan, before we,~ uh,~ sign off here?

Zoltan: ~Uh, ~yeah,~ uh,~ if anyone is interested,~ uh,~ wants to have his or her name in the commit history,~ uh,~ let's,~ uh, uh, ~come to the pnpm packet,~ uh,~ repository,~ uh,~ and see the roadmap, especially if you have,~ uh,~ experience in Rust. ~Uh, ~but even if you don't have it, you can now,~ uh,~ use an AI ~to, ~to help you, and,~ uh,~ yeah, you can help us,~ uh,~ ship this,~ uh,~ sooner.

~Uh, ~or even,~ uh,~ come to our regular,~ uh,~ TypeScript repository. It also has hundreds of issues, so you can,~ uh,~ work on that. However, I need to,~ uh,~ to tell that,~ uh,~ it's really, really hard now to keep up with the huge amount, like the tsunami of,~ uh,~ new pull requests in the pnpm repository.

Noel: I'm sure.

Zoltan: ~Uh, ~it's ~really, ~really hard.

It really shifted,~ uh,~ things ~in, ~in OS,~ uh,~ in,~ uh,~ open source because in the past,~ uh, um, ~it was really rare [00:27:00] you got a good pull request,~ ~ with many changes. ~Uh, ~and now you get 10 a day,

Noel: Yeah. ~Huge, ~huge line count changes, I'm sure. Yeah.

Zoltan: So I can't really cope with it. ~I, ~I'm changing processes to, to be able to handle it, to, to sort it, ~mm...~

Noel: Yeah, ~do the, ~do the triage and ensure things are working. ~Yeah, ~yeah.

Zoltan: So that's it, ~I guess.~

Noel: ~Yeah, ~yeah. No, that's good. That's good. Cool.

Um, yeah, well, again, thank you for, for coming on and,~ uh, ~chatting with me, Zoltan. Again, if you've got,~ uh,~ if you've got the, a major version or ~even if, ~even if the,~ uh, global, ~global setting you're looking at ~more, uh,~ getting more support there,~ uh,~ let us know. ~Um,~

Zoltan: Thank

Noel: so much.

Zoltan: Thank you for having me. Have a nice day