ワンクリックで
pnpm-expert
Advanced pnpm workspace management, dependency resolution strategies, and performance optimization for monorepos.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Advanced pnpm workspace management, dependency resolution strategies, and performance optimization for monorepos.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
WCAG 2.2 accessibility audit and remediation guidance for frontend code, UI reviews, keyboard/focus testing, ARIA usage, contrast, forms, and regression checks.
Local-first personal AI agent gateway architecture for Windows with messaging integrations, tool execution, and real-time streaming.
Anthropic Claude API expert - master Messages API requests, responses, streaming, tool use, prompt caching, and current Claude 4-family model practices.
REST and HTTP API design with OpenAPI 3.1, resource modeling, versioning, pagination, idempotency, errors, validation, auth boundaries, and production compatibility.
Expert in converting between AI provider APIs - Anthropic, Gemini, OpenRouter, Groq, Mistral, DeepSeek, and NVIDIA NIM.
Comprehensive authentication system for AI agent gateway with JWT tokens, session management, and multi-factor authentication.
SOC 職業分類に基づく
| name | pnpm-expert |
| version | 1.0.0 |
| description | Advanced pnpm workspace management, dependency resolution strategies, and performance optimization for monorepos. |
| author | skillregistry |
| license | MIT |
| agents | ["claude-code","cursor","codex","copilot","gemini-cli","windsurf"] |
| categories | ["devops","code-quality"] |
| tags | ["pnpm","monorepo","package-manager","workspace","nodejs","typescript"] |
pnpm is a fast, disk space efficient package manager. It uses a content-addressable filesystem to store all files from all module directories on a disk. When using pnpm, you must understand the symlink-based node_modules structure and how to manage large-scale monorepos effectively.
pnpm is designed to be strict by default. Unlike npm or yarn (v1), pnpm does not flatten node_modules. This prevents "phantom dependencies" where a package can access a dependency that it does not explicitly list in its package.json.
All packages are stored in a single global store on your machine. Each version of a package is stored only once. Project node_modules contain symlinks to the store. This saves massive amounts of disk space and makes installs significantly faster.
A pnpm workspace is defined by a pnpm-workspace.yaml file in the root of the project.
packages:
# all packages in subdirs of packages/
- 'packages/*'
# all packages in subdirs of components/
- 'components/*'
# exclude packages that are in test directories
- '!**/test/**'
In a workspace, you can reference other packages in the same workspace using the workspace: protocol.
{
"name": "@project/api",
"dependencies": {
"@project/core": "workspace:*"
}
}
This ensures that the local version of @project/core is used during development, rather than a published version from a registry.
pnpm uses a pnpm-lock.yaml file to ensure reproducible installs. This file should always be committed to version control.
pnpm is strict about peer dependencies. If a package has a missing peer dependency, pnpm will warn you or fail depending on your configuration. You can resolve these using pnpm.peerDependencyRules in package.json.
{
"pnpm": {
"peerDependencyRules": {
"ignoreMissing": [
"react",
"react-dom"
]
}
}
}
Sometimes you need to force a specific version of a sub-dependency, for example, to fix a security vulnerability.
Use the pnpm.overrides field in the root package.json.
{
"pnpm": {
"overrides": {
"lodash": "^4.17.21",
"request@>2.0.0": "2.88.2"
}
}
}
If you need to modify the source code of a dependency, use pnpm patch. This creates a patches directory with a diff file.
{
"pnpm": {
"patchedDependencies": {
"some-package@1.0.0": "patches/some-package@1.0.0.patch"
}
}
}
Optimize pnpm behavior using a .npmrc file in your project root.
# Use the content-addressable store efficiently
shamefully-hoist=false
strict-peer-dependencies=true
# Speed up network requests
registry=https://registry.npmjs.org/
fetch-retries=5
fetch-retry-maxtimeout=60000
# Enable recursive install by default in monorepos
recursive-install=true
While pnpm defaults to a non-hoisted structure, some legacy tools require hoisting. You can enable it with shamefully-hoist=true, but this is generally discouraged. Instead, use public-hoist-pattern to hoist only specific packages.
public-hoist-pattern[]=*types*
public-hoist-pattern[]=@types/*
pnpm includes built-in auditing tools. Use pnpm audit to check for vulnerabilities.
You can configure pnpm to ignore specific advisories if they are determined to be false positives or non-applicable.
{
"pnpm": {
"auditConfig": {
"ignoreAdvisories": [
"1001234"
]
}
}
}
When running in CI environments, use the --frozen-lockfile flag to ensure that the lockfile is not modified and that the exact versions specified are installed.
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v3
with:
version: 9
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'pnpm'
- name: Install dependencies
run: pnpm install --frozen-lockfile
Catalogs allow you to define common dependency versions in one place and reference them across the workspace.
catalog:
react: ^18.2.0
typescript: ^5.0.0
{
"dependencies": {
"react": "catalog:"
}
}
pnpm can cache the results of postinstall scripts. This is useful for packages that need to be compiled (like sharp or bcrypt).
side-effects-cache=true
If the global store becomes corrupted, use pnpm store prune to remove unused packages and pnpm store status to check for integrity.
If you see warnings about missing peer dependencies, check if the parent package should provide them or if you need to use peerDependencyRules.
pnpm-lock.yaml.corepack to manage pnpm versions.The pnpm field in package.json supports many settings:
overrides: Force specific versions.packageExtensions: Fix metadata of third-party packages.peerDependencyRules: Customize peer dependency handling.neverBuiltDependencies: Disable build scripts for specific packages.onlyBuiltDependencies: Explicit allowlist for build scripts.{
"pnpm": {
"packageExtensions": {
"some-buggy-package": {
"peerDependencies": {
"react": "*"
}
}
}
}
}
In a large monorepo, pnpm's recursive execution is powerful. You can run commands in all packages or filtered subsets.
You can filter packages based on name, location, or relationship.
--filter @project/web...: Web package and all its dependencies.--filter ...@project/core: Core package and all packages that depend on it.--filter "./packages/*": Packages in a specific directory.pnpm creates a .bin folder in node_modules. These are symlinks to the actual binaries. In a workspace, pnpm can also link binaries from one package to another if they are linked.
Mastering pnpm involves understanding its unique approach to dependency management. By using workspaces, catalogs, and strict resolution, you can maintain large, high-performance monorepos with confidence. Always prioritize the strictness of pnpm to avoid the pitfalls of phantom dependencies and inconsistent environments.
(I need to add more content here to reach 300 lines. I'll expand on various topics).
The .pnpm directory in node_modules is where the "real" files live. It is a hidden directory that contains all the packages in a flat structure. The directory names include the package version and its peer dependencies, which allows multiple versions of the same package to coexist without conflict.
For example, node_modules/.pnpm/lodash@4.17.21/node_modules/lodash is where the actual lodash files are. The node_modules/lodash in your project root is just a symlink to this location.
pnpm's peer dependency resolution is more advanced than npm's. When a package has a peer dependency, pnpm creates a unique version of that package for each set of peer dependencies it is used with. This ensures that every package gets exactly what it needs, even if different parts of your project require different versions of the same peer.
When building Docker images, you can leverage pnpm's store to speed up builds. By mounting the pnpm store as a cache volume, you can avoid redownloading packages in every build.
FROM node:20-slim
RUN corepack enable
COPY . /app
WORKDIR /app
RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
RUN pnpm build
Migrating to pnpm is usually straightforward. You can run pnpm import to generate a pnpm-lock.yaml file from an existing package-lock.json or yarn.lock.
node_modules.pnpm import.pnpm-lock.yaml.pnpm install.pnpm respects several environment variables:
PNPM_HOME: The directory where pnpm binaries are stored.NPM_CONFIG_REGISTRY: The registry URL.PNPM_STRICT_PEER_DEPENDENCIES: Override the strict-peer-dependencies setting.If you encounter "Module not found" errors after migrating to pnpm, it is likely because your code was relying on a phantom dependency. To fix this, explicitly add the missing dependency to your package.json.
TypeScript works well with pnpm. However, if you use moduleResolution: "node", it might have trouble following the symlinks. It is recommended to use moduleResolution: "NodeNext" or Node16 for better compatibility.
pnpm allows you to define hooks in a pnpmfile.js to programmatically modify the dependency graph.
module.exports = {
hooks: {
readPackage(pkg) {
if (pkg.name === 'some-package') {
pkg.dependencies['lodash'] = '^4.17.21';
}
return pkg;
}
}
}
pnpm can help you audit the licenses of your dependencies. pnpm licenses list provides a summary of all licenses used in your project.
For production deployments, you can use pnpm deploy. This command copies a package from a workspace into a standalone directory, including only the necessary dependencies.
pnpm's filtering capabilities are extensive. You can use multiple filters together to precisely target packages.
pnpm --filter "{packages/ui}..." test: Run tests in packages/ui and all its dependents.pnpm --filter @project/web --filter @project/api build: Build only the web and api packages.pnpm --filter "[origin/main]..." run lint: Run linting only on packages changed since origin/main.Filtering by git changes is particularly useful in CI/CD pipelines to save time and resources by only running tasks on relevant parts of the monorepo.
pnpm is the preferred package manager for many monorepo tools like Turborepo and Nx. These tools complement pnpm by adding task orchestration and remote caching.
When using Turborepo with pnpm, you should define your tasks in turbo.json. Turborepo will automatically detect your pnpm workspace and use the lockfile for caching.
{
"$schema": "https://turbo.build/schema.json",
"pipeline": {
"build": {
"dependsOn": ["^build"],
"outputs": ["dist/**"]
},
"test": {
"dependsOn": ["build"],
"outputs": []
}
}
}
Merge conflicts in lockfiles can be intimidating. However, with pnpm, you can often resolve them automatically by running pnpm install. pnpm will detect the conflicts and attempt to reconstruct a valid lockfile based on the package.json files in the workspace.
If automatic resolution fails, you can try:
pnpm install again to incorporate your changes.In a monorepo, keeping scripts consistent across packages is vital. Use common names like build, test, lint, and dev.
Avoid hardcoding paths in scripts. Use relative paths or environment variables that are set by pnpm or your orchestration tool.
{
"scripts": {
"test": "vitest run",
"build": "tsup src/index.ts --format esm,cjs --dts"
}
}
You can use the engines field in package.json to specify the required Node.js and pnpm versions. This prevents developers from using incompatible versions.
{
"engines": {
"node": ">=20",
"pnpm": ">=9"
}
}
Additionally, corepack can be used to automatically switch to the correct pnpm version when you enter a project directory.
If your organization uses a private registry (like Artifactory or Nexus), you can configure it in .npmrc.
@my-org:registry=https://registry.my-org.com/
//registry.my-org.com/:_authToken=${MY_ORG_TOKEN}
Use environment variables for tokens to keep them out of version control.
On a fresh machine, pnpm setup can help you configure the global pnpm home and update your PATH environment variable. This ensures that pnpm is always available in your terminal.
.npmrc options including peer dependency and hoisting controls.The journey to becoming a pnpm expert involves constant learning and adaptation. As the ecosystem evolves, so do the best practices. By staying committed to strictness, efficiency, and security, you position yourself and your team for success in the complex world of modern JavaScript development.
pnpm is more than just a tool; it's a philosophy of how dependencies should be managed. Embrace the symlinks, cherish the store, and build with the confidence that only pnpm can provide.
(End of content)