pnpm 10.x reference skill covering workspaces, catalogs, patches, peer deps, overrides, and CI/CD caching strategies.
references/core-config.md
---
name: pnpm-configuration
description: Configuring pnpm via pnpm-workspace.yaml (settings), the global config.yaml, and .npmrc (auth only)
---

# pnpm Configuration

pnpm settings are split into **two** categories. Knowing where each goes is the single most important config concept in current pnpm:

| Category | Stored in | Format |
|----------|-----------|--------|
| **All pnpm/install settings** (`nodeLinker`, `hoistPattern`, `autoInstallPeers`, `overrides`, `catalog`, …) | `pnpm-workspace.yaml` (project) and `config.yaml` (global) | YAML, **camelCase** keys |
| **Auth & registry credentials** (`_authToken`, `cert`, `key`, …) | `.npmrc` (project, gitignored) and global `rc` | INI |

> **Important changes:** pnpm no longer reads settings from the `pnpm` field of `package.json`, and `.npmrc` is now used **only** for authentication/registry credentials. Everything else belongs in `pnpm-workspace.yaml`. Keys in YAML are **camelCase** (e.g. `nodeLinker`), not the kebab-case used by old `.npmrc` files.

## pnpm-workspace.yaml (primary config)

Place at the workspace/project root. Even a single-package project uses this file for pnpm settings.

```yaml title="pnpm-workspace.yaml"
# Workspace packages (omit for a single-package repo)
packages:
  - 'packages/*'
  - 'apps/*'
  - '!**/test/**'

# Common install settings (camelCase)
nodeLinker: isolated # isolated (default) | hoisted | pnp
autoInstallPeers: true
strictPeerDependencies: false
savePrefix: '^'
saveExact: false
hoistPattern:
  - '*eslint*'
  - '*babel*'
publicHoistPattern: []
shamefullyHoist: false
dedupeDirectDeps: false
resolutionMode: highest # highest | time-based | lowest-direct

# Centralized version management
catalog:
  react: ^18.2.0

# Force dependency versions (root only)
overrides:
  lodash: ^4.17.21
  'foo@^1.0.0>bar': ^2.0.0

# Extend/patch broken package manifests
packageExtensions:
  react-redux:
    peerDependencies:
      react-dom: '*'

# Peer dependency rules
peerDependencyRules:
  ignoreMissing:
    - '@babel/*'
  allowedVersions:
    react: '17 || 18'
```

## Global configuration (config.yaml)

User-level non-auth settings live in a global YAML `config.yaml`:

- `$XDG_CONFIG_HOME/pnpm/config.yaml` (if set)
- Linux: `~/.config/pnpm/config.yaml`
- macOS: `~/Library/Preferences/pnpm/config.yaml`
- Windows: `~/AppData/Local/pnpm/config/config.yaml`

The companion global `rc` file (same directory, named `rc`) holds only registry/auth settings.

## Per-project settings in a workspace (packageConfigs)

There are no per-subproject `.npmrc` files anymore. Set per-package config via `packageConfigs` in the root `pnpm-workspace.yaml`:

```yaml title="pnpm-workspace.yaml"
packageConfigs:
  # Map form: keyed by package name
  project-1:
    saveExact: true
  project-2:
    savePrefix: '~'
  # Array form: pattern-matched rules
  # - match: ['project-1', 'project-2']
  #   modulesDir: node_modules
  #   saveExact: true
```

## .npmrc — authentication only

Keep auth tokens out of the repo (gitignore the project `.npmrc`). Auth files, highest priority first:

1. `<workspace root>/.npmrc` (project, gitignored)
2. `<pnpm config>/auth.ini` (written by `pnpm login`)
3. `~/.npmrc` (fallback for npm compatibility)

```ini title=".npmrc"
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
@myorg:registry=https://npm.myorg.com/
//npm.myorg.com/:_authToken=${MYORG_TOKEN}
```

Configure registries themselves (non-secret) in `pnpm-workspace.yaml`:

```yaml title="pnpm-workspace.yaml"
registries:
  default: https://registry.npmjs.org/
  '@my-org': https://private.example.com/
# Named registry aliases usable as a prefix, e.g. `pnpm add work:@corp/lib`
namedRegistries:
  work: https://npm.work.example.com/
```

> Security: since v11, env-variable expansion is disabled for registry/proxy URLs and credential keys in the **project** `.npmrc` (to stop a malicious repo from leaking secrets). Put dynamic-token lines in the user-level auth file instead.

## The `pnpm config` command

```bash
# Writes to global config.yaml / rc by default
pnpm config set nodeVersion 22.0.0
pnpm config set --location=project nodeVersion 22.0.0 # writes pnpm-workspace.yaml

# JSON values create arrays/objects
pnpm config set --location=project --json allowBuilds '{"react": true}'

# get/list print JSON (no longer INI) since v11
pnpm config get nodeLinker
pnpm config get 'allowBuilds.react'
pnpm config list
```

## Environment variables

Use `pnpm_config_*` (or `PNPM_CONFIG_*`). pnpm **no longer reads `npm_config_*`**.

```bash
pnpm_config_save_exact=true pnpm add foo
```

## Notable settings that changed names

| Old (removed) | Replacement | Notes |
|---------------|-------------|-------|
| `onlyBuiltDependencies`, `neverBuiltDependencies`, `ignoredBuiltDependencies`, `onlyBuiltDependenciesFile` | `allowBuilds: { name: true\|false }` | Single map controlling build-script approval. See supply-chain-security. |
| `managePackageManagerVersions`, `packageManagerStrict`, `packageManagerStrictVersion`, `COREPACK_ENABLE_STRICT` | `pmOnFail: download\|ignore\|warn\|error` | Behavior when running pnpm version ≠ declared one. |
| `useNodeVersion` | `devEngines.runtime` (in `package.json`) | Runtime pinning. |
| `auditConfig.ignoreCves` | `auditConfig.ignoreGhsas` | Use GHSA IDs. |
| `allowNonAppliedPatches` | `allowUnusedPatches` | `ignorePatchFailures` removed (patches now always throw). |
| `package.json#pnpm` field | `pnpm-workspace.yaml` | No longer read at all. |

## Package Manager / Runtime pinning (package.json)

```json
{
  "packageManager": "[email protected]",
  "devEngines": {
    "packageManager": { "name": "pnpm", "version": ">=11.0.0 <12.0.0", "onFail": "download" },
    "runtime": { "name": "node", "version": "22.x", "onFail": "download" }
  }
}
```

`devEngines.packageManager` supports ranges (resolved version stored in lockfile); `packageManager` requires an exact version. Override `onFail` without editing the manifest via `pmOnFail` / `runtimeOnFail` settings.

## Key Points

- All pnpm settings go in `pnpm-workspace.yaml` (camelCase) or global `config.yaml`; `.npmrc` is auth/registry only.
- `package.json#pnpm` and `npm_config_*` env vars are no longer read.
- Use `packageConfigs` for per-package settings inside a workspace.
- Build-script approval is now one `allowBuilds` map; package-manager strictness is one `pmOnFail` setting.
- `pnpm config get`/`list` output JSON, and `--location=project` writes to `pnpm-workspace.yaml`.

<!--
Source references:
- https://pnpm.io/settings
- https://pnpm.io/configuring
- https://pnpm.io/npmrc
- https://pnpm.io/pnpm-workspace_yaml
- https://pnpm.io/package_json
- https://pnpm.io/cli/config
-->
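The following Node.js script is an added example, not part of the original skill file or of pnpm itself. It lints a project-level `.npmrc` against the rules in the `.npmrc` section above: non-auth settings that belong in `pnpm-workspace.yaml`, `${VAR}` expansion that a project file no longer gets, and literal credentials. The function name `lintProjectNpmrc`, the `AUTH_KEYS` set (limited to the keys this page names) and the sample lines are assumptions made for illustration.

```javascript
// Added example: lint a project-level .npmrc against the rules described above.
// AUTH_KEYS is an assumption taken from the keys this page names; the page's
// list ends with "…", so extend it to match your registry setup.
const AUTH_KEYS = new Set(['_authToken', 'cert', 'key']);

// node-linker -> nodeLinker (pnpm-workspace.yaml uses camelCase keys)
const toCamel = (k) => k.replace(/-([a-z])/g, (_, c) => c.toUpperCase());

function lintProjectNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    // "//host/:_authToken" -> "_authToken", "@scope:registry" -> "registry"
    const name = key.slice(key.lastIndexOf(':') + 1);
    const isCredential = key.startsWith('//') && AUTH_KEYS.has(name);
    const isRegistry = name === 'registry';
    // Messages carry the key only, never the value, so secrets stay out of CI logs.
    const add = (rule, msg) => findings.push({ line: i + 1, rule, key, msg });

    if (!isCredential && !isRegistry) {
      add('non-auth-setting', `move to pnpm-workspace.yaml as "${toCamel(key)}"`);
    } else if (/\$\{[^}]+\}/.test(line)) {
      add('env-expansion', 'not expanded in a project .npmrc; use the user-level auth file');
    } else if (isCredential) {
      add('literal-secret', 'literal credential in a project file; confirm it is gitignored');
    }
  });
  return findings;
}

// Constructed sample input, not taken from a real repository.
const SAMPLE = [
  '# constructed project .npmrc',
  'node-linker=hoisted',
  '@myorg:registry=https://npm.myorg.com/',
  '//npm.myorg.com/:_authToken=${MYORG_TOKEN}',
  '//registry.npmjs.org/:_authToken=EXAMPLE-NOT-A-REAL-TOKEN',
].join('\n');

for (const f of lintProjectNpmrc(SAMPLE)) {
  console.log(`.npmrc:${f.line} [${f.rule}] ${f.key}: ${f.msg}`);
}
```

Run it in CI against the workspace-root `.npmrc` and fail the job when the returned array is non-empty.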