pnpm 10: Safer JavaScript Package Management Quiz

Explore how pnpm 10 enhances package installation security and changes default behaviors for JavaScript projects. This quiz covers new features that increase trust, prevent supply-chain attacks, and improve workflow control.

  1. Install Script Changes

    What is a major change to install scripts introduced in pnpm 10?

    1. Install scripts are blocked by default unless explicitly allowed
    2. All install scripts are permanently disabled
    3. Only postinstall scripts run automatically
    4. Install scripts now run twice by default

    Explanation: pnpm 10 stops preinstall and postinstall scripts from running automatically, requiring explicit developer approval before they run. Running scripts twice is not a new behavior. Scripts are not permanently disabled; they can be enabled as needed. Only postinstall scripts running automatically is incorrect; neither preinstall nor postinstall scripts run without permission.

  2. Purpose of minimumReleaseAge

    How does the minimumReleaseAge feature in pnpm 10 improve security?

    1. It automatically updates packages every hour
    2. It sorts packages by age in search results
    3. It requires a package to be published for at least 24 hours before installation
    4. It bans packages released on weekends

    Explanation: minimumReleaseAge enforces a delay so that newly published packages (less than 24 hours old) are not installed automatically, narrowing the window in which a freshly published malicious version can be picked up. Weekend bans, hourly updates, and sorting by age are not mentioned as features and do not address supply-chain risk directly.

  3. Supply Chain Risks

    Why are supply chain risks especially serious in the JavaScript ecosystem?

    1. Because the ecosystem relies on millions of small, interconnected packages
    2. Because only large companies use JavaScript dependencies
    3. Because all JavaScript code must be compiled
    4. Because JavaScript packages never have vulnerabilities

    Explanation: Security challenges grow with millions of interdependent packages, because a single compromised dependency can have widespread impact. Code compilation is unrelated, JavaScript dependencies are not used only by large companies, and JavaScript packages certainly can have vulnerabilities.

  4. No-Downgrade Trust Policy

    What does pnpm 10's no-downgrade trust policy achieve?

    1. Automatically deletes unused packages
    2. Disables all package updates
    3. Resolves package names with typos
    4. Prevents silent replacement of packages with older, trusted versions

    Explanation: The no-downgrade policy blocks automatic downgrades to earlier versions, which could reintroduce vulnerabilities. Automatic deletion, update disabling, and typo resolution are not aims of the no-downgrade trust feature.

  5. Transitive Dependency Handling

    How does pnpm 10 handle exotic transitive dependencies?

    1. Requires reinstalling all dependencies monthly
    2. Automatically removes all transitive dependencies
    3. Allows all packages regardless of dependency structure
    4. Blocks unusual or suspicious dependency paths by default

    Explanation: pnpm 10 blocks exotic and suspicious transitive dependency paths, reducing the attack surface. The other choices are incorrect; pnpm does not arbitrarily remove or reinstall dependencies, nor does it allow every possible dependency structure by default.

  6. Workflow Impact

    What initial effect might teams notice when using pnpm 10 for installs?

    1. No changes in install behavior compared to earlier versions
    2. Immediate speed improvements for all installs
    3. Frequent forced downgrades of packages
    4. Some installs may fail until scripts are explicitly approved

    Explanation: Teams may see install failures for packages that expect their install scripts to run automatically, until those scripts are explicitly approved. No changes, speed increases, and forced downgrades are not described results of pnpm 10's security updates.

  7. Developer Control

    How does pnpm 10 shift responsibility for package safety?

    1. It automatically approves all install scripts
    2. It automatically determines which packages are always safe
    3. It hides package installation logs from users
    4. It lets developers explicitly decide when to allow riskier actions

    Explanation: pnpm 10 enforces conservative defaults but gives developers the ability to make explicit security choices. Automatically approving scripts or automatically deciding which packages are safe runs contrary to pnpm's approach, and hiding logs is not mentioned.

  8. Global Virtual Store Addition

    Besides security, what new feature is introduced in pnpm 10?

    1. Color-coded version numbering
    2. A global virtual store for dependencies
    3. A nightly package audit requirement
    4. Complete removal of install scripts

    Explanation: The introduction of a global virtual store means dependencies are shared more efficiently across projects. Nightly audits, full removal of scripts, and version color coding are not described as features of this release.