
Conversation

@ryansobol

Summary

This article shares how the Seattle Times is using pnpm's client-side security controls to protect against npm supply chain attacks. It's written from the perspective of a mid-sized news organization piloting these controls in production, covering both the technical implementation and the practical realities of adopting them.

What's Covered

  • Real-world context: How we're thinking about supply chain security as a news organization
  • The three security layers: Lifecycle script management, release cooldowns, and trust policy—how they work individually and together
  • Practical implementation: What the pilot looked like, what we learned, and how long it actually took
  • Defense-in-depth in practice: Using the recent React vulnerability as an example of how exceptions work when you need them
  • Guidance for other teams: What worked for us and what we'd recommend

Why This Might Be Useful

I expanded this from my original GitHub comment to provide more detail and context. The goal is to help other teams get up to speed more quickly and understand the benefits of the layered defense approach that pnpm provides—especially teams that might be hesitant about the friction these controls introduce.

This is based on our actual pilot implementation with one of our backend services, and reflects both what went well and what we're still learning.

Approvals

Everything has been reviewed and signed off by my team. Thanks @cordulack!
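To make the three layers named in the summary concrete, here is an added pnpm-workspace.yaml fragment. It is an illustration written for this page, not configuration from the article, from the Seattle Times, or from pnpm's own documentation. The keys are pnpm 10 settings (onlyBuiltDependencies, minimumReleaseAge, minimumReleaseAgeExclude, trustPolicy); the particular package names and the 24-hour window are assumptions chosen for the example.

```yaml
# pnpm-workspace.yaml (added illustration; not the project's own config)

# Layer 1: lifecycle script management.
# pnpm 10 skips dependency install/postinstall scripts unless the package is
# listed here, so a compromised transitive dependency cannot run code at
# install time merely by landing in the tree. Keep this list as short as the
# build actually requires.
onlyBuiltDependencies:
  - esbuild   # assumption: a native-build dependency this service needs

# Layer 2: release cooldown.
# Refuse to resolve any version published less than this many minutes ago
# (1440 = 24 h). Most malicious releases are reported and unpublished within
# hours, so the cooldown keeps them out of the lockfile entirely.
minimumReleaseAge: 1440

# Exception to the cooldown.
# A freshly published security fix (the summary's React example) may need to
# be pulled before the window elapses. The entries below are hypothetical;
# scope an exception to the packages that need it and remove it afterwards.
minimumReleaseAgeExclude:
  - react
  - react-dom

# Layer 3: trust policy.
# Fail the install if a package that was previously published through
# trusted publishing (with provenance) resolves to a version that was not,
# which is a common signal of a hijacked maintainer account.
trustPolicy: no-downgrade
```

After changing these settings, run a clean `pnpm install` and confirm that build scripts from packages not in `onlyBuiltDependencies` are reported as ignored rather than executed; `pnpm approve-builds` is the interactive way to add a package to that list once you have reviewed its scripts.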

@zkochan
Member

zkochan commented Dec 6, 2025

wow, thanks! I'll try to merge it during the weekend.
