pnpm-dedicated-lockfile
Advanced tools
Write a deterministic lockfile per workspace, based on currently installed dependencies.
pnpm is a package manager that greatly simplifies working with a monorepo. It records every installed package in a single file, pnpm-lock.yaml, at the root of the workspace. That single file is what lets pnpm resolve all workspace dependencies in one place, with shared references and a shared content-addressable store.
The downside is that it is hard to tell which workspace packages are actually affected when one installed dependency changes.
If your CI jobs key their caches on pnpm-lock.yaml, updating a single dependency invalidates every cache and re-runs every job, which is slow and expensive.
Instead, you can derive a lockfile that covers only the dependencies reachable from a given package, and key the cache for that package on it.
pnpm-dedicated-lockfile is a CLI that writes this dedicated lockfile into the package directory.
Note that while this file is derived from pnpm-lock.yaml and has a similar format, it is not a real lockfile and is not interchangeable with pnpm-lock.yaml: pnpm will never install from it, and it carries no integrity guarantee of its own. Use it only as a cache key and as a human-readable view of which dependency changes affect a given package; installs should still come from pnpm-lock.yaml (for example with pnpm install --frozen-lockfile in CI).
Install it as a dev dependency and run it against a workspace package:

```sh
npm i pnpm-dedicated-lockfile --save-dev
npx pnpm-dedicated-lockfile --projectDir ./path/to/package
```

This writes a file at ./path/to/package/.pnpm-lock. Run npx pnpm-dedicated-lockfile --help for the full option list.
It is generally recommended to include pnpm-dedicated-lockfile only as a dev/test dependency, never as a runtime dependency.
The generated files may be checked into version control. They are as deterministic as pnpm-lock.yaml, but because they are only used for caching, committing them is optional. If you do commit them, pair that with the --ci flag so a stale file fails the build; if you do not, set --ci false explicitly (see the flag table).
| flag | type | default | description |
|---|---|---|---|
| --projectDir | string | . | Directory containing the package for which to calculate the dedicated lockfile. |
| --hash | boolean | false | Write a SHA hash instead of the full JSON file. Smaller and cheaper to compare, but you lose the human-readable diff, and any fixed-length digest can in theory collide where the full file cannot. |
| --lockfile-name | string | .pnpm-lock | Change the output file name. |
| --omit-comment | boolean | false | Exclude the // DO NOT EDIT comment at the top of the file. |
| --omit-links | boolean | false | Exclude dependencies that are only reached through local workspace links (e.g. workspace:^ specifiers). They are included by default. |
| --dry-run | boolean | false | Do not create or update any files. |
| --ci | boolean | true when a CI environment is detected, otherwise false | Throw an error if the existing file is out of date instead of rewriting it. Set it to false explicitly if you do not check the files into version control, or CI will fail on every run. |
FAQs
Write a deterministic lockfile per workspace, based on currently installed dependencies.
The npm package pnpm-dedicated-lockfile receives a total of 3 weekly downloads. As such, pnpm-dedicated-lockfile's popularity was classified as not popular.
We found that pnpm-dedicated-lockfile demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.