How to update a single npm library conservatively (with pnpm)


I recently had to update a few selected npm libraries in a project that uses pnpm, in order to apply a CVE mitigation. My first instinct was to modify the package.json file and hope that pnpm install would only make the most minimal changes. But that's not always the case, and there is a much better way.

Use pnpm up (aliased to update and upgrade) with a set of exact library names and versions. The resulting changes (both to the package.json and to the pnpm lockfile) will be minimal. Example for my CVE-2025-66478 fix:

pnpm up next@15.4.8 react@19.1.2
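
To confirm that the update really stayed that minimal, here is an added example (not from this card and not part of pnpm) that compares the `packages:` entries of two lockfiles and fails if anything other than the packages you named changed. It assumes the lockfile v9 layout; the sample lockfiles it writes are constructed, with placeholder integrity hashes, and `left-pad` is only a filler dependency for the demo.

```sh
# List the `name@version` entries under `packages:` in a pnpm-lock.yaml
# (lockfile v9 layout: each entry is a two-space-indented key like `  next@15.4.8:`).
lockfile_packages() {
  awk '
    /^packages:/ { in_pkgs = 1; next }
    /^[^ ]/      { in_pkgs = 0 }            # the next top-level section ends it
    in_pkgs && /^  [^ ].*:$/ { sub(/^  /, ""); sub(/:$/, ""); print }
  ' "$1"
}

# Package names whose entries differ between two lockfiles, one per line:
# uniq -u keeps entries present in only one file, sed drops the @version.
changed_package_names() {
  { lockfile_packages "$1"; lockfile_packages "$2"; } | sort | uniq -u \
    | sed 's/@[^@]*$//' | sort -u
}

# Succeed only if every changed entry belongs to one of the intended names.
check_only_intended() {
  old_lock=$1; new_lock=$2; shift 2
  allowed=" $* "; status=0   # space-delimited allowlist for the case match
  for name in $(changed_package_names "$old_lock" "$new_lock"); do
    case "$allowed" in
      *" $name "*) ;;
      *) echo "unexpected lockfile change: $name" >&2; status=1 ;;
    esac
  done
  return $status
}

# Constructed sample lockfile with placeholder integrity hashes (demo only).
write_sample_lock() {  # $1=path $2=next $3=react $4=left-pad version
  cat > "$1" <<EOF
lockfileVersion: '9.0'
packages:
  next@$2:
    resolution: {integrity: sha512-placeholder}
  react@$3:
    resolution: {integrity: sha512-placeholder}
  left-pad@$4:
    resolution: {integrity: sha512-placeholder}
EOF
}

# Demo: lockfile before and after `pnpm up next@15.4.8 react@19.1.2`.
BEFORE=$(mktemp); AFTER=$(mktemp)
write_sample_lock "$BEFORE" 15.4.7 19.1.1 1.3.0
write_sample_lock "$AFTER"  15.4.8 19.1.2 1.3.0
check_only_intended "$BEFORE" "$AFTER" next react && echo "only next and react changed"
```

In a real repository, save `git show HEAD:pnpm-lock.yaml` to a file and pass it together with the working-copy pnpm-lock.yaml and the package names you gave to pnpm up.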

There is also pnpm audit --fix, which could be interesting depending on your use case.

License
Source code in this card is licensed under the MIT License.
Posted by Michael Leimstädtner to makandra dev (2025-12-04 09:22)