An In‑Depth Overview of pnpm: Fast, Disk‑Space‑Efficient Package Manager
This article introduces pnpm, a fast and disk‑space‑efficient JavaScript package manager that improves on npm and Yarn, explains its core features such as speed, content‑addressable storage, monorepo support, and strict dependency management, and provides practical usage examples and security considerations.
This article shares an outstanding industry package manager: pnpm. With over 9.8k GitHub stars, pnpm is a mature and stable fork of npm/Yarn that resolves internal bugs, dramatically optimizes performance, and expands usage scenarios.
1. What is pnpm?
The official documentation describes pnpm as a "Fast, disk space efficient package manager". While it functions as a standard package manager like npm/Yarn, its two killer advantages are:
Extremely fast package installation.
Highly efficient disk‑space utilization.
Installation is also very simple:
npm i -g pnpm
2. Feature Overview
1. Speed
Benchmarks using the React package show that pnpm is generally 2–3 times faster than npm/Yarn across most scenarios.
Compared with Yarn's Plug'n'Play mode, pnpm still delivers superior speed due to its design.
2. Efficient Disk‑Space Utilization
pnpm uses a content‑addressable file system, which prevents duplicate installations. If 100 projects depend on lodash, pnpm stores a single copy and creates hard links for subsequent uses.
Even different versions of the same package share unchanged files via hard links, only adding new files when necessary.
3. Monorepo Support
pnpm natively supports monorepos. All sub‑projects reside under a packages directory, each representing a package. Commands like pnpm add A -r add a dependency to every package, and --filter can target specific packages.
4. High Security
pnpm enforces strict dependency declarations, preventing illegal access to transitive dependencies that can occur with npm/Yarn's flat node_modules structure.
3. Dependency Management
npm/Yarn Install Principles
Installation involves four steps: resolve version ranges, download tarballs, extract to a local cache, and copy to the project's node_modules directory. Traditional nested structures lead to deep paths, duplicate packages, and module instance inconsistencies.
Flattening (introduced in npm3 and Yarn) reduces nesting but introduces uncertainty, algorithmic complexity, and still allows undeclared dependency access.
pnpm Dependency Management
pnpm stores packages under .pnpm with a content‑addressable layout, creating soft links in the project's node_modules. For example, after pnpm init -y and pnpm install express, node_modules contains a symlink to .pnpm/express@<version>/node_modules/express (where <version> is whatever express version was resolved), and all of express's dependencies are also symlinked, keeping the structure clear and compatible with Node.
The root node_modules now mirrors the package.json declarations, with optional dependency hoisting handled transparently.
4. Further Security Discussion
pnpm’s strict dependency graph eliminates illegal access: a package not listed in package.json cannot be required. In contrast, npm/Yarn may expose transitive dependencies via hoisting, leading to version mismatches or missing packages when a module is used without an explicit declaration.
Community tools like dependency-check attempt to mitigate these issues, but pnpm’s design addresses them more comprehensively.
5. Daily Usage
For users familiar with npm/Yarn, pnpm commands are intuitive:
# install axios
pnpm install axios
# install axios as a devDependency
pnpm install axios -D
# install axios as a dependency
pnpm install axios -S
Other common commands include:
# update packages within a range
pnpm update
# uninstall a package from a specific workspace
pnpm uninstall axios --filter package-a
Linking local projects uses hard links:
pnpm link ../../axios
All standard npm scripts (npm run start, npm test, npm publish) work identically with pnpm. The tool is actively maintained, with over 100k weekly downloads, demonstrating its stability and wide adoption.
In summary, pnpm offers superior performance, disk‑space efficiency, robust monorepo handling, and stricter security compared to npm/Yarn, making it a compelling choice for modern JavaScript development.
References:
pnpm official documentation: https://pnpm.js.org/en/
Benchmark repository: https://github.com/dependency-check-team/dependency-check
Zoltan Kochan, "Why should we use pnpm?"
Zoltan Kochan, "pnpm's strictness helps to avoid silly bugs"
"npm install principle analysis" (cloud.tencent.com)
Yarn official documentation
Yarn Plug'n'Play feature article
Guide to Monorepos for Front‑end Code
ByteFE
Cutting‑edge tech, article sharing, and practical insights from the ByteDance frontend team.