versioned_docs/version-10.x/package-sources.md
pnpm supports installing packages from various sources. These sources are divided into two categories: trusted sources and exotic sources.
Exotic sources (like Git repositories or direct tarball URLs) can introduce supply chain risks when used by transitive dependencies. You can prevent transitive dependencies from using exotic sources by setting blockExoticSubdeps to true.
Trusted sources are considered safe for both direct and transitive dependencies.
pnpm add package-name will install the latest version of package-name from
the npm registry by default.
If executed in a workspace, the command will first try to check whether other projects in the workspace use the specified package. If so, the already used version range will be installed.
You may also install packages by:
pnpm add express@nightly
pnpm add [email protected]
pnpm add express@2 react@">=0.1.0 <0.2.0"
Added in: v10.9.0
To install packages from the JSR registry, use the jsr: protocol prefix:
pnpm add jsr:@hono/hono
pnpm add jsr:@hono/hono@4
pnpm add jsr:@hono/hono@latest
This works just like installing from npm, but tells pnpm to resolve the package through JSR instead.
Note that when adding dependencies and working within a workspace, packages
will be installed from the configured sources, depending on whether or not
linkWorkspacePackages is set, and use of the
workspace: range protocol.
There are two ways to install from the local file system:
a tarball file (.tar, .tar.gz, or .tgz)
a directory
Examples:
pnpm add ./package.tar.gz
pnpm add ./some-directory
When you install from a directory, a symlink will be created in the current
project's node_modules, so it is the same as running pnpm link.
Exotic sources are useful for development but may pose supply chain risks when used by transitive dependencies.
The argument must be a fetchable URL starting with "http://" or "https://".
Example:
pnpm add https://github.com/indexzero/forever/tarball/v0.5.6
pnpm add <git remote url>
Installs the package from the hosted Git provider, cloning it with Git.
You may install packages from Git by:
pnpm add kevva/is-positive
pnpm add kevva/is-positive#97edff6f525f192a3f83cea1944765f769ae2678
pnpm add kevva/is-positive#master
pnpm add zkochan/is-negative#heads/canary
pnpm add zkochan/is-negative#2.0.1
pnpm add andreineculau/npm-publish-git#v0.0.7
You can specify a version (or version range) to install using the semver: parameter. For example:
pnpm add zkochan/is-negative#semver:1.0.0
pnpm add andreineculau/npm-publish-git#semver:v0.0.7
pnpm add kevva/is-positive#semver:^2.0.0
pnpm add andreineculau/npm-publish-git#semver:<=v0.0.7
You may also install just a subdirectory from a Git-hosted monorepo using the path: parameter. For instance:
pnpm add RexSkz/test-git-subfolder-fetch#path:/packages/simple-react-app
If you want to be more explicit or are using alternative Git hosting, you might want to spell out the full Git URL:
# git+ssh
pnpm add git+ssh://[email protected]:zkochan/is-negative.git#2.0.1
# https
pnpm add https://github.com/zkochan/is-negative.git#2.0.1
You can use a protocol shorthand [provider]: for certain Git providers:
pnpm add github:zkochan/is-negative
pnpm add bitbucket:pnpmjs/git-resolver
pnpm add gitlab:pnpm/git-resolver
If [provider]: is omitted, it defaults to github:.
It is possible to combine multiple parameters by separating them with &. This can be useful for forks of monorepos:
pnpm add RexSkz/test-git-subdir-fetch.git#beta\&path:/packages/simple-react-app
Installs from the beta branch and only the subdirectory at /packages/simple-react-app.
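To review which entries of a dependency map fall into the exotic category described above, the specifier forms on this page can be classified mechanically. The following is an added example, not pnpm's own resolver code: the function names are hypothetical, the rules are heuristics derived from the forms shown on this page, and treating file: and link: specifiers as local is an assumption. It checks one dependency map only, whereas blockExoticSubdeps applies to transitive dependencies.

```javascript
// Added example, not pnpm's resolver: heuristic trusted/exotic classification.
const GIT_PREFIX = /^(git\+(ssh|https?|file):\/\/|git:\/\/|github:|gitlab:|bitbucket:)/;
const SHORTHAND = /^[\w.-]+\/[\w.-]+(#.+)?$/; // user/repo[#params], implies github:
const FULL_SHA = /^[0-9a-f]{40}$/;

// Split "#beta&path:/pkg" into ref / semver / path (parameters are joined by "&").
function parseFragment(spec) {
  const out = { ref: null, semver: null, path: null };
  const hash = spec.indexOf('#');
  if (hash === -1) return out;
  for (const part of spec.slice(hash + 1).split('&')) {
    if (part.startsWith('semver:')) out.semver = part.slice('semver:'.length);
    else if (part.startsWith('path:')) out.path = part.slice('path:'.length);
    else out.ref = part;
  }
  return out;
}

function classify(spec) {
  if (spec.startsWith('jsr:')) return { source: 'jsr', exotic: false };
  if (spec.startsWith('workspace:')) return { source: 'workspace', exotic: false };
  // Assumption: file:/link: specifiers and relative or absolute paths are local.
  if (/^(\.{1,2}\/|\/|file:|link:)/.test(spec)) return { source: 'local', exotic: false };
  const isHttp = /^https?:\/\//.test(spec);
  const isGitHttp = isHttp && /\.git(#.*)?$/.test(spec);
  if (GIT_PREFIX.test(spec) || isGitHttp || SHORTHAND.test(spec)) {
    const frag = parseFragment(spec);
    // Only a full commit SHA is immutable; branches, tags and semver: can move.
    return { source: 'git', exotic: true, pinned: FULL_SHA.test(frag.ref || ''), ...frag };
  }
  if (isHttp) return { source: 'tarball-url', exotic: true };
  return { source: 'npm', exotic: false }; // tag, version or range
}

// Return [name, classification] for each exotic entry in a dependency map.
function findExotic(deps) {
  return Object.entries(deps)
    .map(([name, spec]) => [name, classify(spec)])
    .filter(([, info]) => info.exotic);
}

// Constructed dependency map; the specifiers are the ones used on this page.
const sampleDeps = {
  react: '>=0.1.0 <0.2.0',
  forever: 'https://github.com/indexzero/forever/tarball/v0.5.6',
  'is-positive': 'kevva/is-positive#master',
  'is-negative': 'https://github.com/zkochan/is-negative.git#2.0.1',
};
console.log(findExotic(sampleDeps));
```

Git entries reported with pinned set to false resolve through a branch, tag or semver: range, so the code they fetch can change without the specifier changing.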