Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
What is pnpm?
pnpm is a fast, disk space efficient package manager for JavaScript that works with the npm and Yarn registries. It uses hard links and symlinks to save disk space and improve installation speed. It also has a strict node_modules structure that helps to avoid issues with phantom dependencies.
What are pnpm's main functionalities?
Installing packages
Installs the lodash package into your project. This is similar to npm install or yarn add.
pnpm install lodashCreating a new project
Initializes a new package.json file for your project, similar to npm init or yarn init.
pnpm initAdding a package to dependencies
Adds the react package to your project's dependencies, similar to npm install react --save or yarn add react.
pnpm add reactAdding a package to devDependencies
Adds the typescript package to your project's devDependencies, similar to npm install typescript --save-dev or yarn add typescript --dev.
pnpm add --save-dev typescriptUpdating packages
Updates all the packages in your project to their latest versions based on the specified ranges in package.json, similar to npm update or yarn upgrade.
pnpm updateRunning scripts
Runs the script named 'build' specified in your package.json, similar to npm run build or yarn run build.
pnpm run buildOther packages similar to pnpm
npm
npm is the default package manager for Node.js and is the most widely used. It has a large ecosystem and is well-supported, but it can be slower and use more disk space compared to pnpm.
yarn
Yarn is a package manager that was created by Facebook to address some of npm's shortcomings. It introduced lockfiles and deterministic installations. Yarn is faster than npm but can still use more disk space compared to pnpm.
pnpm
Performant npm installations
pnpm is a fast implementation of npm install. It is loosely based off ied.
Read our contributing guide if you're looking to contribute.
Follow the pnpm Twitter account for updates.
Table of Contents
Background
pnpm maintains a flat storage of all your dependencies in node_modules/.store. They are then symlinked wherever they're needed.
This nets you the benefits of less disk space usage, while keeping your node_modules clean.
See store layout for an explanation.
.
└─ node_modules/
├─ .store/
│ ├─ chalk@1.1.1/_/
│ │ └─ node_modules/
│ │ ├─ ansi-styles -> ../../../ansi-styles@2.1.0/_
│ │ └─ has-ansi -> ../../../has-ansi@2.0.0/_
│ ├─ ansi-styles@2.1.0/_/
│ └─ has-ansi@2.0.0/_/
└─ chalk -> .store/chalk@1.1.1/_
Install
Install it via npm.
npm install -g pnpm
Do you wanna use pnpm on CI servers? See: Continuous Integration.
Usage
Use pnpm in place of npm. It overrides pnpm i, pnpm install and some other command, the rest will passthru to npm.
pnpm install lodash
For using globally installed packages, see: global install.
For using the programmatic API, see: API.
Known issues
Some packages are trying to find and use other packages in node_modules.
However, when installed via pnpm, all the dependencies in node_modules are
just symlinks. Node's require ignores symlinks when resolving modules and this
causes a lot of issues. Luckily, starting from v6.3.0, Node.js has a CLI option to
preserve symlinks when resolving modules (--preserve-symlinks).
Things to remember:
- pnpm is best used on Node.js >= 6.3.0
- it is recommended to run Node with the
--preserve-symlinksoption. E.g.node --preserve-symlinks index. Note: it is important that--preserve-symlinksis at the beginning of the command, otherwise it is ignored. - CLI apps installed with pnpm are configured to correctly work with symlinked dependency trees. If a global package is used to work with a pnpm package, the global package should be installed via pnpm.
Benchmark
pnpm is usually 10 times faster than npm and 30% faster than yarn. See this benchmark which compares the three package managers on different types of applications.
time npm i babel-preset-es2015 browserify chalk debug minimist mkdirp
66.15 real 15.60 user 3.54 sys
time pnpm i babel-preset-es2015 browserify chalk debug minimist mkdirp
11.04 real 6.85 user 2.85 sys
Prior art
Preview release
pnpm will stay in <1.0.0 until it's achieved feature parity with npm install. See roadmap for details.
License
MIT © Rico Sta. Cruz and contributors
FAQs
Fast, disk space efficient package manager
The npm package pnpm receives a total of 12,096,458 weekly downloads. As such, pnpm popularity was classified as popular.
We found that pnpm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 19 Nov 2016
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024