# Manage pnpm Projects Safely

Node.js teams need reliable package installs, workspace commands, and dependency controls. This skill gives Claude, Codex, and Claude Code focused pnpm guidance for common project workflows.

## Install

```bash
npx skillstore add antfu/pnpm
```

## Metadata

- Slug: antfu-pnpm
- Version: 1.0.0
- Author: antfu
- GitHub username: antfu
- License: MIT
- Repository: https://github.com/antfu/skills/tree/main/skills/pnpm/
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, scripts, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/antfu-pnpm
- Manifest: https://skillstore.pages.dev/api/skills/antfu-pnpm/manifest

## Capabilities

- Explains pnpm install, add, remove, update, run, exec, dlx, workspace, store, audit, pack, and publish commands.
- Guides pnpm-workspace.yaml, .npmrc settings, package.json pnpm fields, and environment-based configuration.
- Supports workspace filters, catalogs, overrides, aliases, patches, hooks, and peer dependency rules.
- Provides CI, Docker, caching, frozen lockfile, Corepack, and monorepo build patterns.
- Helps migrate npm, Yarn, and Lerna projects to pnpm with rollback considerations.
- Documents performance options such as store caching, offline installs, script controls, and workspace concurrency.

## Use Cases

- Set up monorepo installs: Configure pnpm workspaces, shared lockfiles, filters, and catalogs for a multi-package repository.
- Migrate package managers: Move an npm, Yarn, or Lerna project to pnpm while handling lockfiles, phantom dependencies, and peer dependencies.
- Improve CI reliability: Add frozen lockfile installs, pnpm caching, Corepack setup, Docker builds, and targeted workspace jobs.

## Prompt Templates

### Install dependencies

```
Use the pnpm skill to explain the safest install command for this project. Check workspace and lockfile context before suggesting commands.
```

### Add workspace package

```
Use the pnpm skill to add a dependency to one workspace package. Include the filter command and any package.json changes I should review.
```

### Migrate from npm

```
Use the pnpm skill to plan an npm to pnpm migration. Cover lockfile import, missing dependencies, CI updates, and rollback steps.
```

### Design monorepo CI

```
Use the pnpm skill to design CI for a large pnpm monorepo. Include caching, frozen installs, changed-package filters, and script safety checks.
```

## Limitations

- The skill is documentation only and does not verify the current pnpm release automatically.
- Some commands can modify files, install packages, run lifecycle scripts, or publish packages.
- Project-specific registry, token, and workspace settings still need human review before use.
- Examples may need updates for teams using newer pnpm versions or custom CI platforms.

## Best Practices

- Review pnpm-workspace.yaml, package.json, lockfiles, and .npmrc before running commands that change dependencies.
- Use frozen lockfile installs in CI and make lifecycle script execution an explicit decision.
- Document overrides, aliases, patches, and hooks so future maintainers understand why they exist.

## Anti Patterns

- Do not run publish, patch, migration, or removal commands without confirming the target package and repository state.
- Do not copy registry tokens or private .npmrc contents into prompts, logs, or generated documentation.
- Do not suppress peer dependency warnings or use broad overrides without compatibility testing.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T09:08:20.987+00:00
- Summary: Static analysis found many command, network, filesystem, script, and sensitive-file patterns. Manual review found these are Markdown guidance and examples for pnpm, CI, configuration, hooks, and migration rather than hidden executable skill code. The skill is publishable with a medium warning because following the guidance can install packages, run lifecycle scripts, edit dependency configuration, read .npmrc files, or publish packages.

## Stats

- Views: 218
- Downloads: 4
- Favorites: 0
- Popularity score: 0
