jvanderbot 3 days ago

I could be wrong but I believe Pnpm would not have helped with the supply chain attack that brings us here. It's simply a problem with deploying new code rapidly and automatically without verification to a billion machines at a time.
DrewADesign 3 days ago

That’s my read. Even if there was some other logistical barrier, updating a bunch of external dependencies as most people do it unavoidably involves pre-trusting code you’ve never seen. I don’t think there’s any way around that, and given that, I don’t think there’s a purely technical solution. This requires having more vetting within the package manager, but that’s not an easy lift.