Comment by lrvick

Pnpm cannot be built without an existing pnpm binary meaning there is no way to bootstrap it from audited source code. Perfect trusting trust attack situation.

Full source bootstrapped NPM with manually reviewed dependencies is the only reasonably secure way to use NodeJS right now.