When resolving with --offline or --prefer-offline, pickPackage loaded a package's metadata from the on-disk cache mirror but never stored it in the in-memory metaCache, so every subsequent resolution of the same package (once per dependent that references it) re-read and re-parsed the full packument from disk. Store the parsed metadata in the in-memory cache on those disk-return paths, so each package's metadata is parsed at most once per command. On a large monorepo this collapses 23,746 metadata loads to 5,124 (66.8 GB of JSON parsed to 8.8 GB) and takes pnpm dedupe --offline from ~140s to ~75s with a byte-identical lockfile. The cache is the existing bounded LRU; online and network paths are untouched. Promotion alone would have made the top-of-function cache hit terminal: a disk-promoted packument that predates a later-requested range would turn a previously-recoverable network fallback into ERR_PNPM_NO_MATCHING_VERSION. Track registry-unverified disk promotions (a WeakSet keyed by object identity in TypeScript; a registry_verified flag carried inside the cache value in pacquet, so meta and state are read atomically) and let a cache hit whose pick fails on such an entry fall through to the regular network-validating flow unless offline. The revalidating fetch stores a verified entry, so each package revalidates at most once. The pre-existing exact-version fast paths on both stacks had the same latent failure mode and are covered by the same marking. Pacquet's PackageMetaCache::set_unverified is a required trait method so custom cache implementations cannot silently inherit the terminal behavior, and the TypeScript PackageMetaCache documents the object-identity contract its WeakSet relies on. Also registry-qualify pacquet's verifier shared-meta-cache reads (read_shared_meta queried bare name keys while the resolver stores registry-qualified ones, so the fast path could never hit), mirroring the TypeScript readSharedMeta lookup order. Add an isolated-linker.fresh-resolve.hot-cache.offline benchmark scenario (install --offline --lockfile-only against a warm mirror, with an untimed online pre-warm pass and per-iteration node_modules + lockfile wipes so the up-to-date short-circuit cannot skip the measured resolution) to guard offline resolution on all Bencher testbeds. Fixing it to measure real work also revived the pnpm benchmark pipeline, silently dead since the pnpm11/ move: bench.sh resolved REPO_ROOT to pnpm11/ where no Cargo.toml exists, the orchestrator probed the pre-move pnpm/dist bundle path, and continue-on-error masked every failure as a green run. The scenario measures this change directly: pnpm@HEAD resolves the fixture offline in 2.41s vs 3.17s for pnpm@main (1.31x), with metadata-mirror reads dropping from 2625 to 1297. --------- Co-authored-by: Zoltan Kochan <z@kochan.io>
jsr: and named-registry package names (empty scope/name, path separators) (#12677)
jsr: and named-registry package names (empty scope/name, path separators) (#12677)
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm runtime.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- Experimental Rust port. Includes pacquet, an experimental port of the CLI written in Rust.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
|
Gold Sponsors
|
|
|
|
|
|
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
|
|
|
|
| ⏱️ Time.now |
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Getting Started
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
License
MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.