mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 01:45:30 -04:00
e2dab007f8
* ci(pnpr): publish a Docker image on release Add a `docker` job to the pnpr release workflow that builds and pushes a multi-arch (linux/amd64, linux/arm64) image to ghcr.io/pnpm/pnpr after the npm packages are published. The image is built from the static musl binaries the release job already produces, so no Rust toolchain runs in the Docker build and the image matches exactly what ships to npm. It is based on debian:stable-slim with ca-certificates (pnpr reaches upstream registries over HTTPS via rustls' platform cert verifier), runs as a non-root user, declares storage and cache volumes, exposes 7677, and defaults to binding 0.0.0.0 so the server is reachable from outside the container. The build self-checks that `pnpr --version` matches the PNPR_VERSION build-arg. Stable releases also move the mutable `latest` tag; prereleases (versions containing a hyphen) only get the exact-version tag. * ci(pnpr): drop unused id-token permission from docker job The docker job uses only docker/build-push-action's built-in provenance and SBOM attestations, which are pushed to GHCR via GITHUB_TOKEN. It does not call actions/attest-build-provenance, so the OIDC id-token: write permission was unused. Drop it to follow least privilege. * ci(pnpr): verify staged binary checksum in the docker image build The build job now pins each binary's SHA256 at build time and uploads it with the artifact. The docker job verifies the staged binaries against those checksums and passes them as build-args, and the Dockerfile re-verifies the binary it copies before trusting it. A 'pnpr --version' check only confirms reported metadata, so it cannot stand in for an integrity check on the binary itself. Mirrors the existing pnpm image. * ci(pnpr): extract release artifacts into an isolated directory Extract the downloaded musl tarballs into a throwaway directory and move only the expected, checksum-verified regular files into the Docker build context. A malformed archive (path traversal or symlink entries) can no longer escape into the workspace and overwrite the Dockerfile or staged binaries before the image is pushed to GHCR. * docs(pnpr): add a language to the docker README code fence The image-name fenced block lacked a language identifier, tripping markdownlint MD040. Tag it as text.
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm runtime.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- Experimental Rust port. Includes pacquet, an experimental port of the CLI written in Rust.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
Gold Sponsors
|
|
|
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
|
|
| ⏱️ Time.now |
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Getting Started
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
License
MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.