Audit score 70

pnpm

antfu/skills

Fast, disk-space efficient Node.js package manager with strict dependency resolution and monorepo support.

What is pnpm?

pnpm is a package manager for Node.js projects that uses content-addressable storage to deduplicate packages and enforces strict dependency resolution by default. Use it when you need efficient dependency management, monorepo/workspace support, or advanced features like catalogs, patches, and overrides.

  • Manage dependencies with strict resolution preventing phantom dependencies
  • Configure and run monorepos via pnpm-workspace.yaml with workspace filtering
  • Define centralized dependency versions using catalogs and enforce them across projects
  • Patch third-party packages and override transitive/peer dependencies
  • Share configuration, hooks, catalogs, and patches across repositories via configDependencies
  • Support peer dependency auto-install with strict mode and deduplication rules

How to install pnpm

npx skills add https://github.com/antfu/skills --skill pnpm
Prerequisites
  • Node.js installed on your system

How to use pnpm

  1. Run pnpm install to install dependencies listed in pnpm-lock.yaml
  2. Check pnpm-workspace.yaml for workspace structure and configuration settings
  3. Use pnpm add/remove/update to manage dependencies in the current package
  4. Run pnpm run <script> to execute scripts defined in package.json
  5. Use pnpm --filter <package> to run commands in specific workspace packages
  6. Configure catalogs in pnpm-workspace.yaml to centralize dependency versions
  7. Define patches in pnpm-workspace.yaml under patchedDependencies to modify third-party packages
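
An added example (not taken from the skill or the pnpm project) of a pnpm-workspace.yaml covering steps 2, 6 and 7, together with the supply-chain settings the skill lists. Package names, versions and the patch path are constructed placeholders, and the value formats are assumptions to confirm against the pnpm version in use.

```yaml
# pnpm-workspace.yaml (constructed example; names, versions and paths are placeholders)

# Step 2: workspace structure
packages:
  - "packages/*"
  - "apps/*"

# Step 6: one place to pin versions.
# A package.json opts in with: "react": "catalog:"
catalog:
  react: ^18.3.1
  typescript: ^5.6.0

# Step 7: key is name@version, value is the patch file path
# relative to the workspace root.
patchedDependencies:
  "example-lib@1.2.3": patches/example-lib@1.2.3.patch

# Supply-chain settings named in the skill's feature table.
allowBuilds:
  esbuild: true         # install scripts may run
  example-lib: false    # install scripts stay blocked
minimumReleaseAge: 1440 # minutes a release must have been public before it is installable
trustPolicy: no-downgrade
```

Patch files change third-party code at install time, so keep them in version control and review them like any other source change.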

Use cases

Good for
  • Setting up a monorepo with multiple interdependent packages and shared lockfile
  • Centralizing dependency versions across many projects using catalogs
  • Patching a third-party package without forking or waiting for upstream fixes
  • Migrating from npm or Yarn to pnpm while eliminating phantom dependencies
  • Configuring CI/CD pipelines with frozen lockfiles and store caching for reproducible builds
Who it's for
  • Node.js developers managing single or multi-package projects
  • Monorepo maintainers coordinating dependencies across many packages
  • Teams implementing supply-chain security and build approval workflows
  • DevOps engineers setting up CI/CD with pnpm in Docker or GitHub Actions

pnpm FAQ

Where do pnpm settings live?

Settings live in pnpm-workspace.yaml (and global config.yaml) using camelCase keys. The .npmrc file is used only for authentication and registry credentials, not general configuration.

What should I use in CI/CD pipelines?

Always use pnpm ci or --frozen-lockfile in CI environments to ensure reproducible builds from the locked dependency versions.

How does pnpm save disk space?

pnpm uses a content-addressable store to deduplicate packages across all projects on your machine, storing each package version only once and linking to it from projects that need it.

Can I use pnpm for monorepos?

Yes. pnpm has built-in monorepo support via pnpm-workspace.yaml, shared lockfiles, workspace filtering, and packageConfigs for per-package settings.

How do I patch a third-party package?

Define the patch in pnpm-workspace.yaml under patchedDependencies; pnpm then applies it during installation.

Full instructions (SKILL.md)

Source of truth, from antfu/skills.


name: pnpm
description: Node.js package manager with strict dependency resolution. Use when running pnpm specific commands, configuring workspaces via pnpm-workspace.yaml, or managing dependencies with catalogs, patches, overrides, config dependencies, or the global virtual store.
metadata:
  author: Anthony Fu
  version: "2026.6.22"
  source: Generated from https://github.com/pnpm/pnpm, scripts located at https://github.com/antfu/skills

pnpm is a fast, disk space efficient package manager. It uses a content-addressable store to deduplicate packages across all projects on a machine, and enforces strict dependency resolution by default, preventing phantom dependencies.

Configuration model (important): pnpm settings now live in pnpm-workspace.yaml (and the global config.yaml) using camelCase keys. .npmrc is used only for authentication/registry credentials, and the pnpm field of package.json is no longer read. When working in a pnpm project, check pnpm-workspace.yaml for settings/workspace structure and .npmrc only for auth. Always use --frozen-lockfile (or pnpm ci) in CI.

The skill is based on pnpm 10.x and was generated on 2026-06-22. It also covers v11 behavior changes (config split, isolated global packages, allowBuilds, pmOnFail, global virtual store) where current docs describe them.

Core

| Topic | Description | Reference |
|---|---|---|
| CLI Commands | install/add/remove/update, run, dlx/pnx, workspace, runtime, publishing (version, view, sbom, stage) | core-cli |
| Configuration | pnpm-workspace.yaml settings (camelCase), global config.yaml, packageConfigs, .npmrc auth | core-config |
| Workspaces | Monorepo support: filtering, workspace protocol, shared lockfile, packageConfigs | core-workspaces |
| Store | Content-addressable store, virtual store, node linker modes, frozen/read-only store | core-store |

Features

| Topic | Description | Reference |
|---|---|---|
| Catalogs | Centralized dependency versions; catalogMode, catalog: in overrides | features-catalogs |
| Overrides | Force versions (incl. transitive & peer deps); packageExtensions | features-overrides |
| Patches | Modify third-party packages; patchedDependencies in pnpm-workspace.yaml | features-patches |
| Aliases | Install under custom names (npm:) and registry aliases (namedRegistries) | features-aliases |
| Hooks | .pnpmfile.mjs hooks (readPackage, updateConfig, beforePacking), finders, resolvers/fetchers | features-hooks |
| Peer Dependencies | Auto-install, strict mode, rules, dedupePeers, peers check | features-peer-deps |
| Config Dependencies | Share hooks/settings/catalogs/patches across repos via configDependencies | features-config-dependencies |
| Global Virtual Store | Shared node_modules, git-worktree multi-agent setups, isolated global packages | features-global-virtual-store |
| Supply-Chain Security | Build approval (allowBuilds), minimumReleaseAge, trustPolicy, lockfile integrity | features-supply-chain-security |

Best Practices

| Topic | Description | Reference |
|---|---|---|
| CI/CD Setup | GitHub Actions, GitLab, Docker, pnpm ci, store caching, frozen lockfiles | best-practices-ci |
| Migration | npm/Yarn → pnpm, phantom deps, and pnpm v10 → v11 config migration | best-practices-migration |
| Performance | Install optimizations, allowBuilds, global virtual store, workspace parallelization | best-practices-performance |