Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
What is pnpm?
pnpm is a fast, disk space efficient package manager for JavaScript that works with the npm and Yarn registries. It uses hard links and symlinks to save disk space and improve installation speed. It also has a strict node_modules structure that helps to avoid issues with phantom dependencies.
What are pnpm's main functionalities?
Installing packages
Installs the lodash package into your project. This is similar to npm install or yarn add.
pnpm install lodashCreating a new project
Initializes a new package.json file for your project, similar to npm init or yarn init.
pnpm initAdding a package to dependencies
Adds the react package to your project's dependencies, similar to npm install react --save or yarn add react.
pnpm add reactAdding a package to devDependencies
Adds the typescript package to your project's devDependencies, similar to npm install typescript --save-dev or yarn add typescript --dev.
pnpm add --save-dev typescriptUpdating packages
Updates all the packages in your project to their latest versions based on the specified ranges in package.json, similar to npm update or yarn upgrade.
pnpm updateRunning scripts
Runs the script named 'build' specified in your package.json, similar to npm run build or yarn run build.
pnpm run buildOther packages similar to pnpm
npm
npm is the default package manager for Node.js and is the most widely used. It has a large ecosystem and is well-supported, but it can be slower and use more disk space compared to pnpm.
yarn
Yarn is a package manager that was created by Facebook to address some of npm's shortcomings. It introduced lockfiles and deterministic installations. Yarn is faster than npm but can still use more disk space compared to pnpm.
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm env use.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
Gold Sponsors
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Installation
For installation options visit our website.
Usage
Just use pnpm in place of npm/Yarn. E.g., install dependencies via:
pnpm install
For more advanced usage, read pnpm CLI on our website, or run pnpm help.
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
Support
Backers
Thank you to all our backers! Become a backer
Contributors
This project exists thanks to all the people who contribute. Contribute.
License
FAQs
Fast, disk space efficient package manager
The npm package pnpm receives a total of 12,096,458 weekly downloads. As such, pnpm popularity was classified as popular.
We found that pnpm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 01 Apr 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024