mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-27 17:35:30 -04:00
2dd79e372c
* feat(pacquet): honor NODE_EXTRA_CA_CERTS for custom CA trust pacquet's reqwest client trusts only its bundled webpki roots plus the .npmrc ca/cafile material — it ignores NODE_EXTRA_CA_CERTS. pnpm running on Node picks that variable up transitively via Node's TLS runtime, so a native port has to read it explicitly to keep real-world parity for users behind a corporate MITM proxy or a self-signed registry. Load the named PEM bundle as additional trust roots in default_client_builder (the single chokepoint every client routes through), keeping the .npmrc-derived TlsConfig env-free. Additive and lowest-priority; a missing, unreadable, or malformed file is silently ignored, matching pnpm's silent treatment of a missing cafile. Documented as the one deliberate exception to the TlsConfig no-env-vars parity note. * perf(pacquet): load NODE_EXTRA_CA_CERTS once per for_installs Addresses review on the NODE_EXTRA_CA_CERTS change: - Read and parse the bundle once in for_installs via load_node_extra_ca_certs(), then clone the parsed certs into the default client and each per-registry client. Previously default_client_builder re-read and re-parsed the file on every call, i.e. once per per-registry override. - Use the existing EnvGuard test helper (process-wide lock + restore on drop, panic-safe) instead of a hand-rolled lock with manual restore. The test now also asserts a valid bundle parses to one root and a missing file yields none. * test(pacquet): align NODE_EXTRA_CA_CERTS test with aube's Make the pacquet and aube tests mirror each other in form and coverage: exercise the same four cases in the same order — empty value, valid bundle (asserting one parsed root plus a successful client build), a readable non-PEM file, and a missing file — each asserting load_node_extra_ca_certs() yields the expected roots. Also align the env-var read in load_node_extra_ca_certs to the same let-else + filter form aube uses (no behavior change). * docs(pacquet): fix broken intra-doc links in load_node_extra_ca_certs The free function's doc used [`Self::for_installs`], but `Self` only resolves in impl/trait contexts, so rustdoc flagged it as an unresolved intra-doc link and the Rust CI Doc job (RUSTDOCFLAGS=-D warnings) failed. Reference [`ThrottledClient::for_installs`] instead.
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm runtime.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
Gold Sponsors
|
|
|
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
|
|
| ⏱️ Time.now |
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Getting Started
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
License
MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.