npmpackage.info

Gathering detailed insights and metrics for pnpm

Other packages similar to pnpm

@pnpm/types

1000.6.0

Basic types used by pnpm

@pnpm/error

1000.0.2

An error class for pnpm errors

@pnpm/constants

1001.1.0

pnpm constants

@pnpm/network.ca-file

3.0.3

Gathering detailed insights and metrics for pnpm

pnpm - 10.13.0 | npmpackage.info

pnpm

Fast, disk space efficient package manager

10.13.0

32,084

MIT

TypeScript

16.85 MB

1,635,878,018 6.1

Installations

npm install pnpm

Developer Guide

BETA

Typescript

No

Module System

CommonJS, ESM

Min. Node Version

>=18.12

Node Version

20.19.3

NPM Version

10.8.2 Pull Requests

Open

77

Total

3,613

Closed

911

Merged

2,625

Issues

Open

1,829

Total

4,826

Closed

2,997

Releases

1,010

pnpm 10.13.1

v10.13.1

Updated on Jul 09, 2025

pnpm 10.13

v10.13.0

Updated on Jul 09, 2025

pnpm 10.12.4

v10.12.4

Updated on Jun 26, 2025

pnpm 10.12.3

v10.12.3

Updated on Jun 24, 2025

pnpm 10.12.2

v10.12.2

Updated on Jun 23, 2025

pnpm 10.12.1

v10.12.1

Updated on Jun 08, 2025

View All 1,010 releases

Languages

TypeScript

JavaScript

Batchfile

Shell

TypeScript (99.44%)

JavaScript (0.54%)

Batchfile (0.02%)

Developer

pnpm

Download Statistics

Total Downloads

1,635,878,018

Last Day

4,809,813

Last Week

25,599,255

Last Month

113,933,978

Last Year

969,838,815

GitHub Statistics

MIT License

32,084 Stars

9,838 Commits

1,160 Forks

143 Watchers

281 Branches

329 Contributors

Updated on Jul 11, 2025

Sponsor this package

https://opencollective.com/pnpm

Maintainers

View All 329 Contributors

Package Meta Information

Latest Version

10.13.0

Package Id

pnpm@10.13.0

Unpacked Size

16.85 MB

Size

4.01 MB

File Count

1,111

NPM Version

10.8.2

Node Version

20.19.3

Published on

Jul 09, 2025

Total Downloads

Cumulative downloads

Total Downloads

1,635,878,018

Last Day

7.5%

4,809,813

Compared to previous day

Last Week

-2%

25,599,255

Compared to previous week

Last Month

12.9%

113,933,978

Compared to previous month

Last Year

103.4%

969,838,815

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

No dependencies detected.

简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro

Fast, disk space efficient package manager:

Fast. Up to 2x faster than the alternatives (see benchmark).
Efficient. Files inside node_modules are linked from a single content-addressable storage.
Great for monorepos.
Strict. A package can access only dependencies that are specified in its package.json.
Deterministic. Has a lockfile called pnpm-lock.yaml.
Works as a Node.js version manager. See pnpm env use.
Works everywhere. Supports Windows, Linux, and macOS.
Battle-tested. Used in production by teams of all sizes since 2016.
See the full feature comparison with npm and Yarn.

To quote the Rush team:

Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

Support this project by becoming a sponsor.

Background

pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:

If you depend on different versions of lodash, only the files that differ are added to the store. If lodash has 100 files, and a new version has a change only in one of those files, pnpm update will only add 1 new file to the storage.
All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).

As a result, you save gigabytes of space on your disk and you have a lot faster installations! If you'd like more details about the unique node_modules structure that pnpm creates and why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.

💖 Like this project? Let people know with a tweet

Getting Started

Benchmark

pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.

Benchmarks on an app with lots of dependencies:

License

MIT

High

7.5/10

Summary

pnpm incorrectly parses tar archives relative to specification

Affected Versions

>= 8.0.0, < 8.6.8

Patched Versions

8.6.8

High

7.5/10

Summary

pnpm incorrectly parses tar archives relative to specification

Affected Versions

< 7.33.4

Patched Versions

7.33.4

High

8.8/10

Summary

Untrusted Search Path in PNPM

Affected Versions

< 6.15.1

Patched Versions

6.15.1

Moderate

6.5/10

Summary

pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting

Affected Versions

< 10.0.0

Patched Versions

10.0.0

Moderate

0/10

Summary

pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion

Affected Versions

< 9.15.0

Patched Versions

9.15.0

10

Security-Policy

Determines if the project has published a security policy.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Maintained

Determines if the project is "actively maintained".

10

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

10

License

Determines if the project has defined a license.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

SAST

Determines if the project uses static code analysis.

5

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/audit.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-latest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 7 third-party GitHubAction dependencies pinned

0

Fuzzing

Determines if the project uses fuzzing.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

119 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-29xr-v42j-r956
Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
Warn: Project is vulnerable to: GHSA-42xw-2xvc-qx8m
Warn: Project is vulnerable to: GHSA-4w2v-q235-vp99
Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r
Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-9j49-mfvp-vmhm
Warn: Project is vulnerable to: GHSA-j4f2-536g-r55m
Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
Warn: Project is vulnerable to: MAL-2023-462
Warn: Project is vulnerable to: GHSA-44pw-h2cw-w3vq
Warn: Project is vulnerable to: GHSA-jp4x-w63m-7wgm
Warn: Project is vulnerable to: GHSA-c429-5p7v-vgjp
Warn: Project is vulnerable to: GHSA-6x33-pw7p-hmpq
Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
Warn: Project is vulnerable to: GHSA-7x7c-qm48-pq9c
Warn: Project is vulnerable to: GHSA-rc3x-jf5g-xvc5
Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-82v2-mx6x-wq7q
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-4c7m-wxvm-r7gc
Warn: Project is vulnerable to: GHSA-pch5-whg9-qr2r
Warn: Project is vulnerable to: GHSA-48ww-j4fc-435p
Warn: Project is vulnerable to: GHSA-hwqf-gcqm-7353
Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
Warn: Project is vulnerable to: GHSA-35q2-47q7-3pc3
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-hjp8-2cm3-cc45
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-fxwf-4rqh-v8g3
Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
Warn: Project is vulnerable to: GHSA-xfhh-g9f5-x4m4
Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
Warn: Project is vulnerable to: GHSA-38h8-x697-gh8q
Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-f523-2f5j-gfcg
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-xc7v-wxcw-j472
Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
Warn: Project is vulnerable to: GHSA-9m6j-fcg5-2442
Warn: Project is vulnerable to: GHSA-hh27-ffr2-f2jc
Warn: Project is vulnerable to: GHSA-rqff-837h-mm52
Warn: Project is vulnerable to: GHSA-8v38-pw62-9cw2
Warn: Project is vulnerable to: GHSA-hgjh-723h-mx2j
Warn: Project is vulnerable to: GHSA-jf5r-8hm2-f872
Warn: Project is vulnerable to: GHSA-mgfv-m47x-4wqp
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-72mh-269x-7mh5
Warn: Project is vulnerable to: GHSA-h4j5-c7cj-74xg
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-gpvr-g6gh-9mc2
Warn: Project is vulnerable to: GHSA-cm5g-3pgc-8rg4
Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-832h-xg76-4gv6
Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
Warn: Project is vulnerable to: GHSA-3fw8-66wf-pr7m
Warn: Project is vulnerable to: GHSA-6w62-83g6-rfhj
Warn: Project is vulnerable to: GHSA-rch9-xh7r-mqgw
Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
Warn: Project is vulnerable to: GHSA-f9cm-p3w6-xvr3
Warn: Project is vulnerable to: GHSA-jjv7-qpx3-h62q
Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp

Score

6.1

/10

Last Scanned on 2025-06-30

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More