You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To configure pnpm to always use the absolute latest version of packages and dependencies when installing globally, you need to adjust two distinct default settings introduced in recent versions: the resolution mode (which prevents fallback to older cached or direct versions) and the minimum release age (which deliberately delays new package installations by 24 hours for security). [1, 2]
The Solution
Run the following two commands in your terminal to update your global configuration: [1, 2]
Force pnpm to resolve the absolute highest version of direct and deep dependencies
pnpm config set --global resolution-mode highest
Disable the 24-hour artificial security delay for newly published packages
pnpm config set --global minimum-release-age 0
What These Configurations Do## 1. Resolution Mode (resolution-mode)
By default, pnpm prioritises speed and stability by resolving direct dependencies using a lowest-direct policy. Changing this configuration alters the behavior globally: [1, 3]
lowest-direct (Default): Resolves the lowest possible version satisfying the direct range.
highest: Instructs the resolver to always look up and fetch the latest possible versions for both direct packages and their entire sub-dependency trees. [1, 4]
2. Minimum Release Age (minimum-release-age)
Starting in modern pnpm versions, a supply-chain security feature is active by default which prevents installing any package version that is less than 24 hours old (1440 minutes). [2]
Setting this to 0 tells pnpm to opt-out of this buffer delay, allowing you to fetch and install cutting-edge versions the exact minute they are published to the registry. [2]
Where These Settings Are Saved
Your changes are automatically saved to your system's global config file: [5]
Note: For programmatic installations or temporary runs where you want to explicitly bypass rules, you can also use pnpm add -g @latest. [6]
If you are experiencing issues with a specific package not upgrading, tell me the name of the package and your current pnpm version (pnpm -v) so we can verify if registry tagging or a specific environment bug is interfering. [7, 8]
Depending on whether you want to configure project workflows, speed up local setups, or bypass strict security protocols, pnpm config settings allow broad customization. [1]
These configuration keys can be applied globally via --global or locally inside a project’s configuration files: [2]
⚡ Performance & Package Resolution Configs
save-exact
Forces pnpm to install the exact current version of a package into your package.json rather than applying the standard carrot (^) or tilde (~) semantic versioning ranges.
pnpm config set save-exact true
node-linker
Controls how node_modules are structured. Changing this is necessary if you work with strict serverless environments, React Native, or tools that break under standard pnpm symlinks.
isolated (Default): Uses symlinks from a global virtual store.
hoisted: Creates a traditional flat structure identical to npm or Yarn Classic.
pnp: Activates zero node_modules Plug'n'Play execution.
pnpm config set node-linker hoisted
link-workspace-packages
In monorepos, this determines if local packages link directly to each other or fetch remote registry updates. Turning this off makes packages look outward by default.
pnpm config set link-workspace-packages false
[1, 3, 4, 5, 6]
*
🔒 Security, Engines, & Version Constraints
minimum-release-age-exclude
If you choose to leave the 24-hour supply chain security delay active for safety, you can add a list of trusted frameworks to always install immediately upon release.
Must be structured as a JSON array
pnpm config set --json minimum-release-age-exclude '["react", "next", "@myorg/*"]'
node-version
Overrides the system's active Node.js version. It forces pnpm to install dependencies using a specific engine target, preventing cross-environment package version fragmentation.
pnpm config set node-version 22.0.0
allow-builds
An explicit security opt-in array that declares which specific third-party dependencies are permitted to execute post-install build scripts (node-gyp, etc.).
pnpm config set --json allow-builds '{"esbuild": true}'
[3, 7, 8]
*
🎛️ System & Network Preferences
verify-store-integrity
Validates that files in the global content-addressable storage pool haven't been altered by outside tools. Disabling it speeds up execution slightly, but compromises long-term security.
pnpm config set verify-store-integrity false
package-import-method
Alters how packages cross from the central store into your project directory.
hardlink (Default): Direct pointer, saving absolute maximum disk space.
copy: Duplicates the files completely (helpful when projects cross multiple separate hard drive filesystems). [4, 5, 9]
pnpm config set package-import-method copy
Which area of your workflow are you trying to optimize (e.g., monorepo builds, Docker container image sizes, or private registry authentication)? Let me know and I can provide specific configurations.
