Zoltan Kochan
@kochan.io
Developer, maker of @pnpm.io. Works on dependency management at bit.dev
kochan.io
I am not making any promises about the libraries. The major version is the major version of pnpm cli x100. So a library can have up to 99 breaking changes till the next pnpm cli comes out
Reposted by Zoltan Kochan
socket.dev
After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -...
pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.
socket.dev
kochan.io
Wow, Hollywood is so creative
kochan.io
We need a versioning system that consists of 4 numbers, where the first one is used for marketing purposes
kochan.io
There were no peer dependencies in 1985
kochan.io
That would be the logo
kochan.io
I feel like pnpm will eventually grow from being a "npm alternative" to being a "nix alternative"

but "pnix" doesn't sound appropriate 😂
kochan.io
With the changes to the lockfile format and the new types of fetchers that were added to pnpm, now it is really easy to make pnpm an installer for anything

bsky.app/profile/pnpm...
pnpm.io
pnpm @pnpm.io · Jul 31
pnpm v10.14 is shipped with support for runtime engine installation. Node, Deno, and Bun are supported.

pnpm.io/blog/release...
Reposted by Zoltan Kochan
alexstrook.bsky.social
when you open a service you've been using for a decade only to find out it caught the virus
Fake website service welcome page. Text reads:

"Your favorite tool is now ruined by AI"
"you might not like it but shareholders love it"
Reposted by Zoltan Kochan
pnpm.io
pnpm @pnpm.io · Jul 3
The pnpm repository has 32K stars!
A star, the number 32000 and the pnpm logo
kochan.io
I am not sure we can call it a cache as these are files that are actually executed during runtime. We don't call the files inside node_modules "cache".
kochan.io
I am thinking about a better name for the pnpm "virtual store". Which is where the dependency is written with its unique dependency graph. I couldn't find any prior art to this. Maybe "Package Context" could work. Or "fully resolved package store" but that's long.
kochan.io
Many packages request funding by printing messages with postinstall scripts. What if instead of requesting funding we would promote sponsors? After all, we want companies to sponsor open source projects as they are the ones that make profit from it.
kochan.io
A lot of packages use postinstall scripts for printing out messages about funding. Could there be a better way to do this? pnpm doesn't even print the outputs from these scripts.
kochan.io
Talking about pnpm and Yarn
kochan.io
You can try it. You just need to set the ci setting to false to make pnpm think it isn’t executed in a CI environment.
kochan.io
Yeah, what you suggest could work. But the issue is that you can't really have a big centralized cache like this in CI as in that case you'd expose someone's private packages. I guess you could have this cache per organization but that's more resources and reduced speed benefit
kochan.io
I am happy you liked it
Reposted by Zoltan Kochan
mael.dev
@kochan.io's talk about configDependencies made me realize we forgot to document remote plugins on the Yarn website 🙈
Reposted by Zoltan Kochan
mael.dev
Package manager summit with @kochan.io at #JSNation !
Me and Zoltan
Reposted by Zoltan Kochan
stoychev.dev
Ton of npm libs use github.com/cosmiconfig/... to load their config files. But, today I learned, if nodejs dies, the temporary file created by cosmiconfig remains 🤷‍♂️

I fixed this locally in 5 mins thanks to the amazing patch ability of @pnpm.io (kudos @kochan.io!) and the LLMs era of code editors
GitHub - cosmiconfig/cosmiconfig: Find and load configuration from a package.json property, rc file, TypeScript module, and more!
github.com