By pnpm 11.2 arrived with the feature the project has been quietly building toward for over a year: an experimental opt-in into pacquet, the official Rust port of pnpm’s install backend. The headline promise is that the fetch-and-link phase — the part that dominates cold install time — will be at least twice as fast once Rust handles it. The opt-in is a two-line config change, so testing it costs almost nothing.
What pacquet is (and is not)
pacquet is not a new package manager. It is a Rust port of exactly one part of pnpm: the materialization phase that fetches packages and links them into node_modules. Everything before that handoff — dependency resolution, workspace management, lockfile creation — stays in pnpm’s TypeScript implementation.
The split works because the lockfile is a clean contract. pnpm resolves your dependency graph and writes pnpm-lock.yaml. pacquet reads that finished lockfile and materializes node_modules from it. The project’s architects chose this boundary deliberately: the fetch-and-link phase accounts for 60–70% of cold install time in most workloads. Moving it to Rust buys the most time with the least risk of altering resolution behavior.
Opting in takes two lines
Add @pnpm/pacquet to configDependencies in your pnpm-workspace.yaml:
# pnpm-workspace.yaml
configDependencies:
"@pnpm/pacquet": "latest"Or from the CLI:
pnpm add @pnpm/pacquet --configOn the next pnpm install, pnpm downloads the pacquet binary, runs resolution as usual, then hands off to pacquet for materialization. All CLI flags you already pass — --prod, --dev, --no-optional, --offline, --node-linker, --cpu/--os/--libc — are forwarded verbatim to pacquet. To revert: remove the entry from configDependencies.
The caveat is real: this is experimental. Lockfile verification features like minimumReleaseAge and trustPolicy are still being ported to Rust. If your CI depends on those or on pnpm deploy, test in a branch pipeline first. The team has not yet published measured benchmark numbers — the “2x faster” figure comes from profiling the fetch-and-link phase, not a published benchmark against a standard workload.
Three other things that shipped in 11.2
pacquet is the headline but 11.2 includes three smaller improvements worth knowing.
configDependencies now resolve optionalDependencies. Config deps that ship platform-specific native binaries via optionalDependencies — the pattern esbuild and SWC use — now work correctly. pnpm installs one level of a config dep’s optional deps (exact versions only; ranges are rejected to keep installs reproducible) and symlinks the matching binary into the global virtual store.
pnpm login –scope is finally wired up. The flag was documented since pnpm 10 but threw “Unknown option: ‘scope'” on every run. 11.2 implements it: pnpm normalizes the scope (adds @ if missing) and writes @<scope>:registry=<url> to the pnpm auth file alongside the token. Straightforward, but important for teams routing scoped packages to a private registry.
pnpm outdated now reports runtimes. Node.js, Deno, and Bun runtimes declared as runtime: specifiers were silently skipped by pnpm outdated and pnpm update --interactive. They now surface correctly.
The Rust wave finally reached the installer
The JavaScript toolchain has been undergoing a systematic Rust rewrite for two years. Biome replaced Prettier and ESLint at 25x the speed. Oxc provided a Rust-native parser running 30x faster than its JavaScript equivalents. Rolldown is in Vite 8 beta, replacing esbuild and Rollup for production builds. SWC has been handling TypeScript transpilation in Next.js for years. The package manager was the last major holdout.
Cold install time on a large monorepo CI run was still bottlenecked on Node.js handling tens of thousands of file I/O operations. pacquet closes that gap. If the profiling projections hold against real workloads, pnpm with pacquet approaches Bun-level install speeds while keeping pnpm’s mature workspace tooling, strict content-addressable store, and deterministic lockfile behavior. That is a compelling combination — assuming the Rust backend reaches stable without regressing any of those guarantees.
Run it in a branch CI job today. Check the numbers. Keep the opt-out ready. The fetch-and-link phase is a documented bottleneck, the config change is two lines, and the rollback is instant. See the official pnpm 11.2 release post and the pacquet GitHub repository for the full picture.
