Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
pnpm is a fast, disk space efficient package manager for JavaScript that works with the npm and Yarn registries. It uses hard links and symlinks to save disk space and improve installation speed. It also has a strict node_modules structure that helps to avoid issues with phantom dependencies.
Installing packages
Installs the lodash package into your project. This is similar to npm install or yarn add.
pnpm install lodash
Creating a new project
Initializes a new package.json file for your project, similar to npm init or yarn init.
pnpm init
Adding a package to dependencies
Adds the react package to your project's dependencies, similar to npm install react --save or yarn add react.
pnpm add react
Adding a package to devDependencies
Adds the typescript package to your project's devDependencies, similar to npm install typescript --save-dev or yarn add typescript --dev.
pnpm add --save-dev typescript
Updating packages
Updates all the packages in your project to their latest versions based on the specified ranges in package.json, similar to npm update or yarn upgrade.
pnpm update
Running scripts
Runs the script named 'build' specified in your package.json, similar to npm run build or yarn run build.
pnpm run build
npm is the default package manager for Node.js and is the most widely used. It has a large ecosystem and is well-supported, but it can be slower and use more disk space compared to pnpm.
Yarn is a package manager that was created by Facebook to address some of npm's shortcomings. It introduced lockfiles and deterministic installations. Yarn is faster than npm but can still use more disk space compared to pnpm.
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
node_modules
are linked from a single content-addressable storage.package.json
.pnpm-lock.yaml
.To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Support this project by becoming a sponsor.
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
pnpm update
will only add 1 new file to the storage.As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules
structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
For installation options visit our website.
Just use pnpm in place of npm/Yarn. E.g., install dependencies via:
pnpm install
For more advanced usage, read pnpm CLI on our website, or run pnpm help
.
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
Thank you to all our backers! Become a backer
This project exists thanks to all the people who contribute. Contribute.
FAQs
Fast, disk space efficient package manager
The npm package pnpm receives a total of 12,708,643 weekly downloads. As such, pnpm popularity was classified as popular.
We found that pnpm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.