DEP-006 recommended language-tooling

pnpm over npm for Node projects

Using pnpm with lockfile and packageManager field set

Question to ask

"Mixed npm and pnpm installs causing phantom dependency bugs?"

Verification guide

Severity: Recommended

Check automatically:

  1. Check which lockfile exists:

    ls -la pnpm-lock.yaml package-lock.json yarn.lock 2>/dev/null

  2. Check packageManager field in package.json:

    cat package.json | jq '.packageManager' 2>/dev/null

  3. Check for .npmrc with pnpm settings:

    cat .npmrc 2>/dev/null | grep -E "(shamefully-hoist|strict-peer-dependencies)"

  4. Check CI workflows for package manager used:

    grep -rE "(pnpm install|npm install|yarn install|npm ci|pnpm ci)" .github/workflows/ 2>/dev/null

Note: This applies to Node.js projects only. Skip for non-Node projects.

Pass criteria:

  • pnpm-lock.yaml exists (not package-lock.json or yarn.lock)
  • packageManager field set in package.json (e.g., "packageManager": "[email protected]")
  • CI uses pnpm commands

Fail criteria:

  • Using npm (package-lock.json) or yarn (yarn.lock) instead of pnpm
  • Mixed lockfiles (multiple lockfiles present)
  • CI uses different package manager than lockfile indicates

If not using pnpm, ask user: "Project uses [npm/yarn] instead of pnpm. Is there a specific reason? pnpm offers better disk efficiency and stricter dependency resolution."

If mixed lockfiles, ask user: "Found multiple lockfiles: [list]. This causes inconsistent installs. Which package manager should be used?"

Evidence to capture:

  • Lockfile present (pnpm-lock.yaml / package-lock.json / yarn.lock)
  • packageManager field value
  • Package manager used in CI
  • Any inconsistencies between local and CI

Section

02. Dependencies & Code Quality

Infrastructure & Setup

← Previous

DEP-005

Linting rules follow best practices

 Next →

DEP-007

Turborepo for monorepos