There are many ways to create a node_modules directory. Your goal must be to create the most strict one but if that is not possible, there are options to make a loose node_modules as well.
By default, pnpm v5 will create a semi-strict node_modules. Semi-strict means that your application will only be able to require packages that are added as dependencies to
package.json (with a few exceptions). However, your dependencies will be able to access any packages.
The default configuration looks like this:
pnpm supports Yarn's Plug'n'Play since v5.9. With PnP, both your application and the dependencies of your application will have access only to their declared dependencies. This is even stricter then setting
hoist=false because inside a monorepo, you're application will not be able to access even the dependencies of the root project.
To use Plug'n'Play, set these settings:
If you are not ready to use PnP yet, you can still be strict and only allow packages to access their own dependencies by setting the hoist configuration to false:
However, if some of your dependencies are trying to access packages that they don't have in dependencies, you have two options:
pnpmfile.jsand use a hook to add the missing dependency to the package's manifest.
Add a pattern to the
hoist-patternsetting. For instance, if the not found module is
babel-core, add the following setting to
Some tools might not work even with the default configuration of pnpm, which hoists everything to the root of the virtual store and some packages to the root. In this case, you can hoist either everything or a subset of dependencies to the root of the modules directory.
Hoisting everything to the the root of node_modules:
Hoisting only packages that match a pattern: