Three parity / hardening fixes flagged in the CodeRabbit review on PR #11678: 1. **Carve out directory snapshots from the current-lockfile-skip gate** (`create_virtual_store.rs`). Directory-typed snapshots have `integrity() == None`; without the carve-out `integrity_equal` collapsed `None == None == true` and the skip filter dropped the snapshot whenever a slot for it existed on disk, so a second install never re-walked the (mutable) source dir. Mirrors pnpm's `!isDirectoryDep` clause in `depIsPresent` at <https://github.com/pnpm/pnpm/blob/94240bc046/deps/graph-builder/src/lockfileToDepGraph.ts#L226-L228>. 2. **Add `DirectoryFetch` to `is_fetch_side_failure`** (`create_virtual_store.rs`). Upstream's catch at [`lockfileToDepGraph.ts:286-298`](https://github.com/pnpm/pnpm/blob/94240bc046/deps/graph-builder/src/lockfileToDepGraph.ts#L286-L298) wraps the whole `fetchPackage` dispatch, so directory-fetcher errors on optional snapshots are swallowed uniformly with tarball / git fetch errors. Without this, an optional injected-directory dep whose source was missing would hard-fail the install instead of being dropped. 3. **Symlink-cycle guard in `walk_all_inner`** (`directory-fetcher/ src/walker.rs`). A `loop -> .` (or any ancestor-pointing) symlink previously sank the walker into infinite recursion until either ENAMETOOLONG or stack overflow fired. Skip-on-revisit keyed off `fs::canonicalize`, matching the pattern `pacquet_git_fetcher::packlist` already uses for `bundleDependencies` cycles. Pnpm's directory-fetcher has the same vulnerability; the guard is a defensible divergence because the positive-case behavior is identical to pnpm and the cycle case degrades from "crash" to "skip with a `tracing::warn`". Added a regression test (`walk_all_files_terminates_on_symlink_cycle`) that points a `loop -> root` symlink at the walk root and asserts the cycle guard short-circuits before any `loop/` descendant is recorded. --- Written by an agent (Claude Code, claude-opus-4-7).
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm runtime.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
Gold Sponsors
|
|
|
|
|
|
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
|
|
⏱️ Time.now |
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Getting Started
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies: