Repository Analysis

pnpm/pnpm

Fast, disk space efficient package manager

Likely human-written

Adjusted Score: 2.9
Raw Score: 2.9
Time Factor: 100%
Last Push: 2026-05-30
Stars: 35,296
Language: TypeScript
Lines of Code: 639,960
Files: 3813
Pattern Hits: 1907
Scan Date: 2026-05-31

Score History

Severity Breakdown

CRITICAL 0 · HIGH 2 · MEDIUM 6 · LOW 1899

Pattern Findings

1907 matches across 9 categories.

Over-Commented Block: 1521 hits · 1440 pts

Severity  File:Line  Snippet
LOW       deny.toml:21  unmaintained = "workspace"
LOW       rustfmt.toml:1  # Make Rust more readable given most people have wide screens nowadays.
LOW       dylint.toml:1  # Dylint configuration. cargo-dylint reads `[workspace.metadata.dylint]`
LOW       dylint.toml:21  # to a `let` internally before the match, so the expression is
LOW       installing/deps-resolver/src/linkPathToPeerVersion.ts:1  // Converts a link: path into a stable, filename-safe token used as the
LOW       installing/deps-resolver/src/index.ts:181  // list to the install command's hook. The hook throws to abort
LOW       installing/deps-installer/test/catalogs.ts:901  // this should be the case even if pnpm-workspace.yaml still has
LOW       installing/deps-installer/test/link.ts:81  // const projects = prepare(t, [
LOW       installing/deps-installer/test/link.ts:101  // },
LOW       …ing/deps-installer/test/install/injectLocalPackages.ts:2021  // it to the filesMap; the importer's fast path then wiped the target before
LOW       …eps-installer/src/install/verifyLockfileResolutions.ts:81  if (verifiers.length === 0) return
LOW       installing/deps-installer/src/install/index.ts:361  // cache, etc. — bypassing the local resolver's policy filters; the local
LOW       installing/deps-installer/src/install/index.ts:1981  }
LOW       installing/env-installer/src/installConfigDeps.ts:61  // The parent's GVS hash must incorporate its optional subdeps; otherwise
LOW       installing/commands/src/runPacquet.ts:81  }
LOW       installing/commands/src/installDeps.ts:201  }
LOW       config/reader/src/loadNpmrcFiles.ts:141  // rejects these unscoped since npm@9 (ERR_INVALID_AUTH); pnpm keeps them
LOW       config/reader/src/loadNpmrcFiles.ts:201  // equivalents (`//host[:port]/path/:<key>=...`) using `source.registry` —
LOW       __fixtures__/pnpm-workspace.yaml:21
LOW       shell/resolve-pr-conflicts.sh:1  #!/usr/bin/env bash
LOW       resolving/local-resolver/README.md:21  resolveFromLocal({bareSpecifier: './example-package'}, {prefix: process.cwd()})
LOW       resolving/npm-resolver/README.md:41  // "ava": "^0.0.4"
LOW       resolving/npm-resolver/test/publishedBy.test.ts:361  // would rethrow ERR_PNPM_MISSING_TIME under what used to be
LOW       …olving/npm-resolver/src/createNpmResolutionVerifier.ts:141  const parsed = tryParseUrl(url)
LOW       …olving/npm-resolver/src/createNpmResolutionVerifier.ts:381  // Fast path: if the resolver already upgraded to full meta for this
LOW       …olving/npm-resolver/src/createNpmResolutionVerifier.ts:401  // is more actionable than the generic "metadata is unavailable" the
LOW       resolving/npm-resolver/src/pickPackage.ts:441  meta,
LOW       resolving/npm-resolver/src/pickPackage.ts:481  const modifiedDate = meta.modified ? new Date(meta.modified) : null
LOW       workspace/projects-graph/README.md:41  // dependencies: ['/home/zkochan/src/bar'],
LOW       lockfile/utils/src/pkgSnapshotToResolution.ts:21  // - `file:` tarballs (local file on the user's machine; integrity
LOW       __typings__/index.d.ts:1  /// <reference path="local.d.ts" />
LOW       pnpm/bundle-deps.ts:1  import fs from 'node:fs'
LOW       pnpm/bundle-deps.ts:21  // This is used to include certain dependencies like node-gyp out of the box
LOW       pnpm/bundle-deps.ts:41  // │ ├── pnpm-lock.yaml │
LOW       pnpm/artifacts/exe/setup.js:21  // Only treat ERR_MODULE_NOT_FOUND as "platform package not installed".
LOW       pnpm/artifacts/exe/setup.js:61
LOW       pnpm/test/packageManagerCheck.test.ts:681  })
LOW       pnpm/test/configurationalDependencies.test.ts:221
LOW       pnpm/test/install/global.ts:161  const pkgPath = findGlobalPkg(globalPkgDir(pnpmHome), '@pnpm.e2e/postinstall-calls-pnpm')
LOW       cli/default-reporter/src/reportError.ts:501  `,
LOW       benchmarks/bench.sh:1  #!/bin/bash
LOW       __utils__/jest-config/jest.transform.js:21  })
LOW       .github/workflows/release.yml:41  # use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails
LOW       .github/workflows/release.yml:61  # at the end of the step so it can't leak into the trusted-publishing step that
LOW       …hub/workflows/pacquet-integrated-benchmark-comment.yml:1  name: Pacquet Integrated-Benchmark Comment
LOW       …hub/workflows/pacquet-integrated-benchmark-comment.yml:41  steps:
LOW       …hub/workflows/pacquet-integrated-benchmark-comment.yml:61  shell: bash
LOW       .github/workflows/codeql-analysis.yml:1  # For most projects, this workflow file will not need changing; you simply need
LOW       .github/workflows/pacquet-ci.yml:201  steps:
LOW       .github/workflows/pacquet-ci.yml:261  - name: Install cargo-dylint and dylint-link
LOW       exec/lifecycle/src/runLifecycleHook.ts:41  // be spawned without the "shell: true" option.
LOW       exec/commands/test/dlx.e2e.ts:401  expect(fs.existsSync(path.join(builtPkg2Path, 'generated-by-install.js'))).toBeTruthy()
LOW       exec/commands/src/dlx.ts:261  manifest = await readProjectManifestOnly(pkgDir, opts) as PackageManifest
LOW       deps/inspection/tree-builder/test/getTree.test.ts:481  ])
LOW       deps/inspection/outdated/src/outdated.ts:201  // - If the dep-path parses to a semver, that's the value (handles
LOW       .meta-updater/src/index.ts:241  // main tsconfig.json could inherit another conifg that sets composite
LOW       pnpr/crates/pnpr/src/cache.rs:21
LOW       pnpr/crates/pnpr/src/policy.rs:1  //! Per-package access rules. Mirrors verdaccio's `packages:` config:
LOW       pnpr/crates/pnpr/src/error.rs:41  },
LOW       pnpr/crates/pnpr/src/error.rs:81  },
1461 more matches not shown…
Hyper-Verbose Identifiers: 307 hits · 308 pts

Severity  File:Line  Snippet
LOW       crypto/object-hasher/src/index.ts:44  export function hashObjectNullableWithPrefix (object: Record<string, unknown> | undefined): PrefixedHash | undefined {
LOW       crypto/shasums-file/src/index.ts:46  export function pickFileChecksumFromShasumsFile (body: string, fileName: string): string {
LOW       crypto/hash/src/index.ts:19  export async function createHashFromMultipleFiles (files: string[]): Promise<string> {
LOW       installing/deps-resolver/src/resolveDependencyTree.ts:413  function dedupeSameAliasDirectDeps (directDeps: PkgAddressOrLink[], wantedDependencies: Array<WantedDependency & { isNew
LOW       …lling/deps-resolver/src/wantedDepIsLocallyAvailable.ts:7  export function wantedDepIsLocallyAvailable (
LOW       …lling/deps-resolver/src/wantedDepIsLocallyAvailable.ts:21  function pickMatchingLocalVersionOrNull (
LOW       installing/deps-resolver/src/validateDependencyAlias.ts:15  export function assertValidDependencyAliases (
LOW       installing/deps-resolver/src/hoistPeers.ts:67  export function getHoistableOptionalPeers (
LOW       installing/deps-resolver/src/resolvePeers.ts:740  function parentPkgsHaveSingleOccurrence (parentPkgs: Record<string, ParentPkgInfo>): boolean {
LOW       …ing/deps-resolver/src/replaceVersionInBareSpecifier.ts:3  export function replaceVersionInBareSpecifier (
LOW       installing/deps-resolver/src/index.ts:395  async function waitTillAllFetchingsFinish (): Promise<void> {
LOW       installing/deps-resolver/src/index.ts:417  function addDirectDependenciesToLockfile (
LOW       installing/deps-resolver/src/index.ts:500  function getAliasToDependencyTypeMap (manifest: ProjectManifest): Record<string, DependenciesField> {
LOW       installing/deps-resolver/src/toResolveImporter.ts:142  function getPreferredVersionsFromPackage (
LOW       installing/deps-resolver/src/toResolveImporter.ts:150  function getVersionSpecsByRealNames (deps: Dependencies): VersionSpecsByRealNames {
LOW       installing/deps-resolver/src/getWantedDependencies.ts:53  function getWantedDependenciesFromGivenSet (
LOW       installing/deps-resolver/src/resolveDependencies.ts:466  async function resolveDependenciesOfImporters (
LOW       installing/deps-resolver/src/resolveDependencies.ts:589  async function resolveDependenciesOfImporterDependency (
LOW       installing/deps-resolver/src/resolveDependencies.ts:639  function filterMissingPeersFromPkgAddresses (
LOW       installing/deps-resolver/src/resolveDependencies.ts:838  async function resolveDependenciesOfDependency (
LOW       installing/deps-resolver/src/resolveDependencies.ts:976  export function createNodeIdForLinkedLocalPkg (lockfileDir: string, pkgDir: string): NodeId {
LOW       installing/deps-resolver/src/resolveDependencies.ts:1161  function referenceSatisfiesWantedSpec (
LOW       installing/deps-resolver/src/resolveDependencies.ts:1795  function peerDependenciesWithoutOwn (pkg: PackageManifest): PeerDependencies {
LOW       installing/deps-resolver/src/resolveDependencies.ts:1821  function getCatalogExistingVersionFromSnapshot (
LOW       …g/deps-resolver/src/getExactSinglePreferredVersions.ts:9  export function getExactSinglePreferredVersions (wantedDependency: WantedDependency, version: string): PreferredVersions
LOW       …lling/deps-resolver/src/getNonDevWantedDependencies.ts:20  export function getNonDevWantedDependencies (pkg: GetNonDevWantedDependenciesManifest): WantedDependency[] {
LOW       …lling/deps-resolver/src/getNonDevWantedDependencies.ts:42  function getWantedDependenciesFromGivenSet (
LOW       installing/deps-restorer/test/index.ts:28  function prepareFixtureWithIntegrity (name: string): string {
LOW       …talling/deps-restorer/src/lockfileToHoistedDepGraph.ts:65  export async function lockfileToHoistedDepGraph (
LOW       …talling/deps-restorer/src/lockfileToHoistedDepGraph.ts:304  async function dirHasPackageJsonWithVersion (dir: string, expectedVersion?: string): Promise<boolean> {
LOW       installing/deps-restorer/src/index.ts:736  async function symlinkDirectDependencies (
LOW       installing/context/src/index.ts:237  export async function getContextForSingleImporter (
LOW       installing/context/src/index.ts:382  export function arrayOfWorkspacePackagesToMap (
LOW       installing/deps-installer/test/catalogs.ts:23  function preparePackagesAndReturnObjects (manifests: Array<ProjectManifest & Required<Pick<ProjectManifest, 'name'>>>) {
LOW       …stalling/deps-installer/src/install/validateModules.ts:135  async function purgeModulesDirsOfImporter (
LOW       …stalling/deps-installer/src/install/validateModules.ts:145  async function purgeModulesDirsOfImporters (
LOW       …staller/src/install/writeLockfilesAndRecordVerified.ts:20  export async function writeLockfilesAndRecordVerified (
LOW       …ps-installer/src/install/reportPeerDependencyIssues.ts:9  export function reportPeerDependencyIssues (
LOW       …ps-installer/src/install/reportPeerDependencyIssues.ts:33  export function filterPeerDependencyIssues (
LOW       …eps-installer/src/install/verifyLockfileResolutions.ts:76  export async function verifyLockfileResolutions (
LOW       …eps-installer/src/install/verifyLockfileResolutions.ts:221  export async function collectResolutionPolicyViolations (
LOW       …eps-installer/src/install/verifyLockfileResolutions.ts:263  async function iterateLockfileViolations (
LOW       …nstaller/src/install/verifyLockfileResolutionsCache.ts:236  export function tryLockfileVerificationCache (
LOW       …nstaller/src/install/verifyLockfileResolutionsCache.ts:291  function everyVerifierTrustsCachedRun (record: CacheRecord, verifiers: readonly VerifierCacheIdentity[]): boolean {
LOW       …staller/src/install/checkCustomResolverForceResolve.ts:11  export async function checkCustomResolverForceResolve (
LOW       …er/src/install/writeWantedLockfileAndRecordVerified.ts:18  export async function writeWantedLockfileAndRecordVerified (
LOW       installing/deps-installer/src/install/index.ts:233  export async function mutateModulesInSingleProject (
LOW       installing/deps-installer/src/install/index.ts:1085  async function runUnignoredDependencyBuilds (
LOW       installing/deps-installer/src/install/index.ts:1127  function forgetResolutionsOfPrevWantedDeps (
LOW       installing/deps-installer/src/install/index.ts:1147  function forgetResolutionsOfAllPrevWantedDeps (wantedLockfile: LockfileObject): void {
LOW       installing/deps-installer/src/install/index.ts:1181  function isWantedDepBareSpecifierSame (
LOW       installing/deps-installer/src/install/index.ts:2045  function dedupePackageNamesFromIgnoredBuilds (ignoredBuilds: IgnoredBuilds): string[] {
LOW       installing/deps-installer/src/install/index.ts:2243  function applyResolvedSpecsFromLockfile (
LOW       installing/env-installer/src/pruneEnvLockfile.ts:10  export function convertToLockfileEnvObject (envLockfile: EnvLockfile): LockfileObject {
LOW       installing/env-installer/src/installConfigDeps.ts:206  function readOptionalSubdepsFromLockfile (
LOW       …/env-installer/src/resolvePackageManagerIntegrities.ts:47  export async function resolvePackageManagerIntegrities (
LOW       …lling/env-installer/src/resolveAndInstallConfigDeps.ts:34  export async function resolveAndInstallConfigDeps (
LOW       installing/env-installer/src/migrateConfigDeps.ts:24  export async function migrateConfigDepsToLockfile (
LOW       …lling/env-installer/src/resolveManifestDependencies.ts:34  export async function resolveManifestDependencies (
LOW       installing/commands/src/handleIgnoredBuilds.ts:27  async function writeIgnoredBuildsToAllowBuilds (
247 more matches not shown…
Verbosity Indicators: 38 hits · 62 pts

Severity  File:Line  Snippet
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:214  // Step 1: Install with no packages allowed to build (engine-agnostic hashes)
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:228  // Step 2: Reinstall with dep allowed to build — hashes should change
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:299  // Step 1: Install with builds NOT approved (simulating first `pnpm install`)
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:314  // Step 2: Reinstall with allowBuilds changed (simulating what approve-builds does)
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:322  // Step 3: Verify the hash changed and build artifacts are in the new directory
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:376  // Step 1: Successful install with build
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:390  // Step 2: Simulate a previous build failure by removing the GVS hash directory
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:394  // Step 3: Remove node_modules and reinstall with frozenLockfile
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:420  // Step 1: Install with build
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:437  // Step 2: Simulate a crash between import and build — write a .pnpm-needs-build
LOW       …ling/deps-installer/test/install/globalVirtualStore.ts:446  // Step 3: Reinstall — the GVS fast path should detect the .pnpm-needs-build
LOW       …alling/deps-installer/test/install/autoInstallPeers.ts:683  // Step 1: install without override — auto-installs peer-c@1.0.1
LOW       …alling/deps-installer/test/install/autoInstallPeers.ts:696  // Step 2: reinstall with override narrowing peer-c to 1.0.0
LOW       workspace/injected-deps-syncer/src/index.ts:82  // Step 1: Link bins in .pnpm virtual store
LOW       workspace/injected-deps-syncer/src/index.ts:98  // Step 2: Relink bins for all workspace projects
LOW       pnpm/test/install/minimumReleaseAge.ts:30  // Step 1: populate a lockfile under no policy. The resolver picks
LOW       pnpm/test/install/minimumReleaseAge.ts:37  // Step 2: turn on minimumReleaseAge in strict mode. The lockfile is now
LOW       pnpm/test/install/minimumReleaseAge.ts:81  // Step 1: populate the lockfile with no policy. is-positive@1.0.0
LOW       pnpm/test/install/minimumReleaseAge.ts:88  // Step 2: turn the policy on. The post-resolution gate now runs
LOW       pnpm/test/install/minimumReleaseAge.ts:113  // Step 3: another install with the same lockfile + policy. The cache
LOW       pnpm/test/install/minimumReleaseAge.ts:368  // Step 1: install with the full exclude list — verifier writes a
LOW       pnpm/test/install/minimumReleaseAge.ts:377  // Step 2: drop `is-odd` from the exclude list. The cached record
LOW       pnpm/test/install/globalVirtualStore.ts:47  // Step 1: Install with GVS, builds NOT approved
LOW       pnpm/test/install/globalVirtualStore.ts:57  // Step 2: approve-builds — updates config then runs install in GVS mode
LOW       pnpm/test/install/globalVirtualStore.ts:60  // Step 3: Verify GVS hash changed (new engine-specific directory)
LOW       pnpm/test/install/misc.ts:648  // Step 1: install with trust policy off. The resolver picks up the
LOW       pnpm/test/install/misc.ts:656  // Step 2: turn the policy on. The resolver wouldn't be invoked under
LOW       pacquet/crates/network/src/tls.rs:209  // Step 1: exact URL.
LOW       pacquet/crates/network/src/tls.rs:213  // Step 2: nerf-darted URL.
LOW       pacquet/crates/network/src/tls.rs:220  // Step 4: walk progressively shorter prefixes of the
LOW       pacquet/crates/network/src/tls/tests.rs:98  // Step 2: with no exact match, the nerf-darted URL hits the
LOW       pacquet/crates/network/src/tls/tests.rs:109  // Step 4: a `//host/scope/` key matches any URL under that
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:98  // Step 1: Materialize the CAS-resident files into a writable
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:104  // Step 2: Run `preparePackage` on the materialized tree. This
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:145  // Step 3: Compute the packlist over the prepared tree. The
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:155  // Step 4: Fast path — when nothing got filtered out AND
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:199  // Step 5: Slow path — re-import the filtered file set back
LOW       pacquet/crates/git-fetcher/src/tarball_fetcher.rs:204  // Step 6: Queue a `PackageFilesIndex` row so a future install's
Fake / Example Data: 28 hits · 28 pts

Severity  File:Line  Snippet
LOW       installing/deps-installer/test/install/auth.ts:18  email: 'foo@bar.com',
LOW       installing/deps-installer/test/install/auth.ts:56  email: 'foo@bar.com',
LOW       installing/deps-installer/test/install/auth.ts:77  email: 'foo@bar.com',
LOW       installing/deps-installer/test/install/auth.ts:125  email: 'foo@bar.com',
LOW       installing/deps-installer/test/install/auth.ts:173  email: 'foo@bar.com',
LOW       installing/deps-installer/test/install/auth.ts:199  email: 'foo@bar.com',
LOW       __fixtures__/has-outdated-deps/pnpm-lock.yaml:26  deprecated: This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       __fixtures__/has-outdated-deps/pnpm-lock.yaml:26  deprecated: This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       __fixtures__/has-only-deprecated-deps/pnpm-lock.yaml:16  deprecated: This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       __fixtures__/has-only-deprecated-deps/pnpm-lock.yaml:16  deprecated: This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       resolving/npm-resolver/test/trustChecks.test.ts:88  email: 'user@example.com',
LOW       resolving/npm-resolver/test/trustChecks.test.ts:104  email: 'user@example.com',
LOW       resolving/npm-resolver/test/trustChecks.test.ts:107  email: 'user@example.com',
LOW       resolving/npm-resolver/test/trustChecks.test.ts:124  email: 'user@example.com',
LOW       resolving/npm-resolver/test/trustChecks.test.ts:127  email: 'user@example.com',
LOW       pnpm/test/dlx.ts:397  email: 'foo@bar.com',
LOW       deps/compliance/sbom/test/serializeCycloneDx.test.ts:27  author: 'Jane Doe',
LOW       deps/compliance/sbom/test/serializeCycloneDx.test.ts:130  sbomAuthors: ['Jane Doe', 'John Smith'],
LOW       deps/compliance/sbom/test/serializeCycloneDx.test.ts:134  expect(parsed.metadata.authors).toEqual([{ name: 'Jane Doe' }, { name: 'John Smith' }])
LOW       deps/compliance/sbom/test/serializeCycloneDx.test.ts:249  expect(parsed.components[0].authors).toEqual([{ name: 'Jane Doe' }])
LOW       deps/inspection/commands/test/outdated/index.ts:64  │ @pnpm.e2e/deprecated │ 1.0.0 │ Deprecated │ This package is deprecated. Lorem ipsum │
LOW       deps/inspection/commands/test/outdated/index.ts:65  │ │ │ │ dolor sit amet, consectetur adipiscing │
LOW       deps/inspection/commands/test/outdated/index.ts:184  This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       deps/inspection/commands/test/outdated/index.ts:184  This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
LOW       deps/inspection/commands/test/outdated/index.ts:529  │ @pnpm.e2e/deprecated │ 1.0.0 │ Deprecated │ This package is deprecated. Lorem ipsum │
LOW       deps/inspection/commands/test/outdated/index.ts:530  │ │ │ │ dolor sit amet, consectetur adipiscing │
LOW       …tures/packages/@pnpm.e2e/deprecated/1.0.0/package.json:5  "deprecated": "This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit."
LOW       …tures/packages/@pnpm.e2e/deprecated/1.0.0/package.json:5  "deprecated": "This package is deprecated. Lorem ipsum dolor sit amet, consectetur adipiscing elit."
Synthetic Comment Markers: 2 hits · 15 pts

Severity  File:Line  Snippet
HIGH      installing/deps-installer/test/catalogs.ts:987  // Double check the correct version of is-positive as requested from the
HIGH      installing/deps-installer/test/catalogs.ts:1055  // Double check the correct version of is-positive as requested from the
Decorative Section Separators: 3 hits · 9 pts

Severity  File:Line  Snippet
MEDIUM    pnpm/bundle-deps.ts:39  // │ ├── node_modules ──────────────┐
MEDIUM    pnpm/bundle-deps.ts:47  // │ ├── node_modules <────────────┘
MEDIUM    pacquet/crates/config/src/version_policy/tests.rs:102  // ─── create_package_version_policy ────────────────────────────────────
AI Slop Vocabulary: 3 hits · 9 pts

Severity  File:Line  Snippet
MEDIUM    .github/workflows/test.yml:77  # The test harness serves package fixtures through the in-repo
MEDIUM    pacquet/crates/package-manager/src/install/tests.rs:4533  // literal here. Membership-by-name keeps the test robust to the
MEDIUM    pacquet/crates/fs/src/ensure_file/tests.rs:83  /// those keeps the test robust without weakening what it verifies
Redundant / Tautological Comments: 4 hits · 6 pts

Severity  File:Line  Snippet
LOW       .github/workflows/pacquet-micro-benchmark.yml:113  # Check if the event is not triggered by a fork
LOW       .github/workflows/pacquet-micro-benchmark.yml:123  # Check if the event is not triggered by a fork
LOW       .github/workflows/update-lockfile.yml:56  # Check if branch exists on remote
LOW       .github/workflows/update-lockfile.yml:73  # Check if PR already exists
Example Usage Blocks: 1 hit · 2 pts

Severity  File:Line  Snippet
LOW       shell/resolve-pr-conflicts.sh:4  # Usage: