Supported package sources
pnpm supports installing packages from various sources. These sources are divided into two categories: trusted sources and exotic sources.
Exotic sources (like Git repositories or direct tarball URLs) can introduce supply chain risks when used by transitive dependencies. You can prevent transitive dependencies from using exotic sources by setting blockExoticSubdeps to true.
Trusted sources
Trusted sources are considered safe for both direct and transitive dependencies.
npm registry
pnpm add package-name will install the latest version of package-name from
the npm registry by default.
워크스페이스에서 실행하는 경우, 명령은 먼저 워크스페이스에 있는 다른 프로젝트가 지정된 패키지를 사용하는지 여부를 확인합니다. 이 경우, 이미 사용된 버전이 설치됩니다.
다음을 통해 패키지를 설치할 수도 있습니다.
- tag:
pnpm add express@nightly - version:
pnpm add express@1.0.0 - version range:
pnpm add express@2 react@">=0.1.0 <0.2.0"
JSR registry
Added in: v10.9.0
To install packages from the JSR registry, use the jsr: protocol prefix:
pnpm add jsr:@hono/hono
pnpm add jsr:@hono/hono@4
pnpm add jsr:@hono/hono@latest
This works just like installing from npm, but tells pnpm to resolve the package through JSR instead.
작업 공간
Note that when adding dependencies and working within a workspace, packages
will be installed from the configured sources, depending on whether or not
linkWorkspacePackages is set, and use of the
workspace: range protocol.
Local file system
로컬 파일 시스템에서 설치하는 방법에는 두 가지가 있습니다.
- from a tarball file (
.tar,.tar.gz, or.tgz) - 디렉토리에서 설치
예시:
pnpm add ./package.tar.gz
pnpm add ./some-directory
When you install from a directory, a symlink will be created in the current
project's node_modules, so it is the same as running pnpm link.
Exotic sources
Exotic sources are useful for development but may pose supply chain risks when used by transitive dependencies.
Remote tarball
인수는 "http://" 또는 "https://"로 시작하는 가져올 수 있는 URL이어야 합니다.
예시:
pnpm add https://github.com/indexzero/forever/tarball/v0.5.6
Git repository
pnpm add <git remote url>
호스트된 Git 공급자로부터 패키지를 설치하여 Git으로 복제합니다.
You may install packages from Git by:
- Latest commit from default branch:
pnpm add kevva/is-positive
- Git commit hash:
pnpm add kevva/is-positive#97edff6f525f192a3f83cea1944765f769ae2678
- Git branch:
pnpm add kevva/is-positive#master
- Git branch relative to refs:
pnpm add zkochan/is-negative#heads/canary
- Git tag:
pnpm add zkochan/is-negative#2.0.1
- V-prefixed Git tag:
pnpm add andreineculau/npm-publish-git#v0.0.7
Install from a Git repository using semver
You can specify version (range) to install using the semver: parameter. 예시:
- Strict semver:
pnpm add zkochan/is-negative#semver:1.0.0
- V-prefixed strict semver:
pnpm add andreineculau/npm-publish-git#semver:v0.0.7
- Semver version range:
pnpm add kevva/is-positive#semver:^2.0.0
- V-prefixed semver version range:
pnpm add andreineculau/npm-publish-git#semver:<=v0.0.7
Install from a subdirectory of a Git repository
You may also install just a subdirectory from a Git-hosted monorepo using the path: parameter. 예를 들어:
pnpm add RexSkz/test-git-subfolder-fetch#path:/packages/simple-react-app
Install from a Git repository via a full URL
If you want to be more explicit or are using alternative Git hosting, you might want to spell out full Git URL:
# git+ssh
pnpm add git+ssh://git@github.com:zkochan/is-negative.git#2.0.1
# https
pnpm add https://github.com/zkochan/is-negative.git#2.0.1
Install from a Git repository using hosting providers shorthand
You can use a protocol shorthand [provider]: for certain Git providers:
pnpm add github:zkochan/is-negative
pnpm add bitbucket:pnpmjs/git-resolver
pnpm add gitlab:pnpm/git-resolver
If [provider]: is omitted, it defaults to github:.
Install from a Git repository combining different parameters
It is possible to combine multiple parameters by separating them with &. This can be useful for forks of monorepos:
pnpm add RexSkz/test-git-subdir-fetch.git#beta\&path:/packages/simple-react-app
Installs from the beta branch and only the subdirectory at /packages/simple-react-app.