npmpackage.info

@pnpm/types

Fast, disk space efficient package manager

900.0.0

29,919

MIT

TypeScript

161,706,238 5.9

Installations

npm install @pnpm/types

Pull Requests

Open

66

Total

3,270

Closed

871

Merged

2,333

Issues

Open

1,640

Total

4,372

Closed

2,732

Releases

961

pnpm 10.0 Alpha 4

v10.0.0-alpha.4

Published on 25 Nov 2024

pnpm 10.0 Alpha 3

v10.0.0-alpha.3

Published on 25 Nov 2024

v9.14.2

Published on 20 Nov 2024

v9.14.1

Published on 20 Nov 2024

pnpm 10.0 Alpha 2

v10.0.0-alpha.2

Published on 15 Nov 2024

pnpm 10.0 Alpha 1

v10.0.0-alpha.1

Published on 15 Nov 2024

View all 961 releases

Developer

pnpm

Developer Guide

BETA

Module System

CommonJS, ESM

Min. Node Version

>=18.12

Typescript Support

Yes

Node Version

18.20.5

NPM Version

10.8.2 Statistics

29,919 Stars

9,387 Commits

1,024 Forks

139 Watching

255 Branches

296 Contributors

Updated on 28 Nov 2024

Languages

TypeScript (99.39%)

JavaScript (0.53%)

Shell (0.06%)

Batchfile (0.02%)

Total Downloads

Cumulative downloads

Total Downloads

161,706,238

Last day

-8.2%

350,226

Compared to previous day

Last week

5.2%

1,935,060

Compared to previous week

Last month

2.2%

8,038,291

Compared to previous month

Last year

95.3%

94,689,746

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dev Dependencies

@pnpm/types

Versions

简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro

Fast, disk space efficient package manager:

Fast. Up to 2x faster than the alternatives (see benchmark).
Efficient. Files inside node_modules are linked from a single content-addressable storage.
Great for monorepos.
Strict. A package can access only dependencies that are specified in its package.json.
Deterministic. Has a lockfile called pnpm-lock.yaml.
Works as a Node.js version manager. See pnpm env use.
Works everywhere. Supports Windows, Linux, and macOS.
Battle-tested. Used in production by teams of all sizes since 2016.
See the full feature comparison with npm and Yarn.

To quote the Rush team:

Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

Support this project by becoming a sponsor.

Background

pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:

If you depend on different versions of lodash, only the files that differ are added to the store. If lodash has 100 files, and a new version has a change only in one of those files, pnpm update will only add 1 new file to the storage.
All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).

As a result, you save gigabytes of space on your disk and you have a lot faster installations! If you'd like more details about the unique node_modules structure that pnpm creates and why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.

💖 Like this project? Let people know with a tweet

Getting Started

Benchmark

pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.

Benchmarks on an app with lots of dependencies:

Backers

Thank you to all our backers! Become a backer

Contributors

This project exists thanks to all the people who contribute. Contribute.

License

MIT

No vulnerabilities found.

10

Maintained

Determines if the project is "actively maintained".

10

Security-Policy

Determines if the project has published a security policy.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

10

License

Determines if the project has defined a license.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

9

SAST

Determines if the project uses static code analysis.

4

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/audit.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-latest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 7 third-party GitHubAction dependencies pinned

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

0

Fuzzing

Determines if the project uses fuzzing.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

47 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-29xr-v42j-r956
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-gpvr-g6gh-9mc2
Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-832h-xg76-4gv6
Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-3fw8-66wf-pr7m
Warn: Project is vulnerable to: GHSA-6w62-83g6-rfhj
Warn: Project is vulnerable to: GHSA-rch9-xh7r-mqgw
Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
Warn: Project is vulnerable to: GHSA-f9cm-p3w6-xvr3
Warn: Project is vulnerable to: GHSA-jjv7-qpx3-h62q
Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp

Score

5.9

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More