Feature request: support the `pnpm` package manager

[jbergstroem]

pnpm is an alternative to npm and yarn that has been around a fairly long time. It has its own lockfile in yaml and should be relatively straightforward to support. Would PRs/other types of help be accepted or are adding more pr's a "can of worms"?

---

[Edit] April 2022 - since the thread is growing: there is still no update on when this will be implemented. If you need this now, your best bet is to use renovatebot: https://docs.renovatebot.com/javascript/

[Edit] November 2022 - for now, github staff suggests using a workaround using the dependency submission api

[brunoparga]

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

[jbergstroem]

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

My interpretation is that this wouldn't necessarily be political with yarn being supported and all. It's likely due to the smaller adoption of pnpm vs npm and yarn.

[didinele]

Would absolutely love this, currently pretty awkward being forced into alternatives like renovate, which are defenitely fine, but nowhere near as satisfying.

[Jolg42]

Just found this 😢 So I guess I'm going for renovate because it supports pnpm then.

[hacknug]

pnpm became a first class citizen with the last public VSCode release (changelog & PR). Any chance this can be revisit?

[GiriB]

@feelepxyz Are contributions welcome for this? I see the following work items for this

• [ ] Update FileFetcher to fetch the pnpm lockfiles
• [ ] Update FileParser to fetch dependencies from the lockfile (Not fully sure how this works. Still need to deep dive. Why do we parse lock files? Just to get the list of dependencies? Or is there more to it?)
• [ ] Update FileUpdater and helpers to run pnpm install to generate the updated lock file.

Let me know if I overlooked some work above. I can take this up if dependabot team thinks it's a good idea.

[feelepxyz]

@GiriB we're actually thinking of splitting the npm and yarn package manager into separate ones for npm and yarn because handling multiple package managers in one has resulted in a lot of maintenance overhead making upgrades and testing harder.

We're also keen to re-think some of the architecture around package managers to make it easier to add new ones so keen to hold off on adding any new ones until we have some clarity around that 😕

[GiriB]

@feelepxyz Thanks for the response! I agree that keeping all package managers together is not the best design. I was thinking of pnpm as a separate package manager - implementing parts that are pnpm specific but re-using most of the parts from NpmAndYarn (like parsing package.json, update checker, version resolver etc) because these parts would exactly be the same.

I haven't tried the idea above yet, and pulling it off may not be clean code at all. If I get it in a good shape, maybe I'll raise a PR. Otherwise, I'll wait for the refactor to happen where we split npm and yarn. (Are there any tentative timelines where we can expect this to happen?)

[feelepxyz]

@GiriB nice one! No timeline yet, probably at least six months out unfortunately.

[Anoesj]

This would be great! pnpm has become a serious contender, and dependabot is very useful. Is anyone working on this by any chance?

[Nick-Mazuk]

+1. Though you can use dependabot to update pnpm, the lock file isn't updated—only the package.json. This is not ideal and full pnpm support would be excellent!

[jcayzac]

Please add support for pnpm. Dependabot is useless because all the PRs just fail to build:

ERROR  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up-to-date with package.json

[Purpzie]

Node's 16.9.0 release comes with corepack, which supports pnpm.

With pnpm becoming more popular, I hope dependabot supports it soon too.

[raulfdm]

Not ideal but while we don't have a support from dependabot, renovate seems supporting pnpm already: https://docs.renovatebot.com/javascript/

[McKenzieJDan]

Curious if there has been any movement here? Recently pnpm has become a default but am holding out for a couple of projects which rely on dependabot.

[keenwon]

Any updates on this?

[filiptammergard]

pnpm is supported by a larger and larger part of the ecosystem and for my team, Dependabot is the only remaining blocker. Would love to be able to use pnpm while continue to use Dependabot. Is there anything we can help out with to make this happen?

[wilhen01]

Big 👍 on this - my team use pnpm and would love to retain Dependabot's useful functionality.

[sbayd]

pnpm is used by a good amount of companies in the ecosystem. It would be nice to add this task for the next release plan. Thank you for the awesome project and your efforts!

[Nick-Mazuk]

Looks like even Vercel is now supporting pnpm natively, meaning that for many teams Dependabot is now the only thing in their CI/CD pipeline that doesn't natively support pnpm.

https://vercel.com/changelog/projects-using-pnpm-can-now-be-deployed-with-zero-configuration

[cristobal]

We have been using mono repos rather than having multiple repos, more and more at work. And also done the switch from yarn to pnpm for several of our project, which has been more of a fit for our projects and CI/CD pipelines.

However the landscape and focus when it comes to security and maintaining packages used up to date, has higher priority than it used to be couple of years ago in our company, where it-security and its voicing in our company also has a much higher say than it used to (for the better imo).

We started using Renovate and did the switch to dependabot, since dependabot met our needs much better than Renovate at the time. We would prefer sticking to using dependabot also due to its native integration into Github these days. But it may seem that we will have to go back to Renovate since after looking at the issue #3494 it may seem that from the following statement:

Long term, we're looking into what it would take to break up dependabot-core and allow folks to write their own Dependabot updaters and run them on our infrastructure, allowing folks to add arbitrary languages without the need for us to merge them into core.

Doing these changes may be a long way down the road.

Or is there any plan to add support for pnpm down the line this year or any time soon? Would be nice to have some clarification here 🙏🏽 , thanks in advance.

[lucasvazq]

pnpm with json5 please @billgates

[alexef]

Same here, would really love to have pnpm support so we can use Dependabot with our repos.

[x-way]

@feelepxyz is there any update on this? is it still planned to add pnpm support (esp. for security alerts)? and what could a potential ETA look like?

[feelepxyz]

@x-way I'm no longer working on Dependabot so can't give a good answer but pretty sure there are no imminent plans to support pnpm unfortunately.

cc pm @exvuma

[exvuma]

Good news is this quarter we are focussing on giving more support to the JS community. This is top of mind but no hard plans or deadlines yet. Thanks for the feedback everyone we are listening

[octogonz]

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

My interpretation is that this wouldn't necessarily be political with yarn being supported and all. It's likely due to the smaller adoption of pnpm vs npm and yarn.

Microsoft uses PNPM themselves in their big internal monorepos for Microsoft Office, and also plenty of public repos like rushstack and azure-sdk-for-js for example. I don't think there's any politics involved, just prioritization of work.

[itpropro]

Any updates @exvuma? Many common GitHub actions like setup-node already support pnpm for a longer time. It would be interesting, when dependabot will catch up with the rest of the GitHub ecosystem.

[Drew-Kimberly]

Glad to hear this may come into focus this quarter @exvuma. My team would love to continue to use our Dependabot workflows within our growing number of pnpm projects!

[lzm0x219]

mark

[itpropro]

Good news is this quarter we are focussing on giving more support to the JS community. This is top of mind but no hard plans or deadlines yet. Thanks for the feedback everyone we are listening

Hey @exvuma, any updates? The quarter is nearly over, can we still expect pnpm support by the end of this month/quarter? More and more issues are linked to this one and afaik this is one of the last GitHub products that still doesn't support pnpm.

[FraBle]

afaik this is one of the last GitHub products that still doesn't support pnpm

What other GitHub products do already have pnpm support?

[lars-reimann]

afaik this is one of the last GitHub products that still doesn't support pnpm

What other GitHub products do already have pnpm support?

actions/setup-node for example.

[robd003]

Any traction on this @exvuma ?

[zetoke]

It would be great to have pnpm support and yarn 2+ for dependabot because of the growing community and number of projects for both of them.

[Kolahzary]

We use pnpm on our monorepository, and all pull requests created by dependabot are failed ci.

Please add support for pnpm-lock.yaml file

[Jolg42]

For your example here @Kolahzary I would say this happens because the default in CI is different https://pnpm.io/cli/install#--frozen-lockfile

--frozen-lockfile
If true, pnpm doesn't generate a lockfile and fails to install if the lockfile is out of sync with the manifest / an update is needed or no lockfile is present.

    Default:
        For non-CI: false
        For CI: true, if a lockfile is present
    Type: Boolean

So in this step, since CI=true because it's running in GitHub Actions, using pnpm install --no-frozen-lockfile would work.

[xkpx64]

yarn 4 + pnpm@next. use latest available please

[lars-reimann]

For your example here @Kolahzary I would say this happens because the default in CI is different https://pnpm.io/cli/install#--frozen-lockfile

--frozen-lockfile
If true, pnpm doesn't generate a lockfile and fails to install if the lockfile is out of sync with the manifest / an update is needed or no lockfile is present.

    Default:
        For non-CI: false
        For CI: true, if a lockfile is present
    Type: Boolean

So in this step, since CI=true because it's running in GitHub Actions, using pnpm install --no-frozen-lockfile would work.

While this might work around the issue, it also means builds by CI are no longer reproducible.

[armenr]

+1 for PNPM. The build-time gains (especially in monorepos and in cases where your CI/CD is configured for proper caching), and the local development space conservation (and implicit speed) are inarguably valuable...and the community for PNPM only continues to grow.

[hirowf]

I went with the certainty that everything was ok for pnpm, but not yet. Through this comment, I declare that it would be very interesting to have pnpm included in the dependabot package ecosystem.

[armenr]

For anyone who finds their way here, check this out - via the very clever and generous person @Purpzie who shared this via gist!

Combine this with a typical dependabot workflow, and you're good to go!

https://gist.github.com/Purpzie/8ed86ae38c73f440881bbee0523a324b

[admmasters]

Unfortunately at this stage I think this makes dependabot not fit for purpose and will move to renovatebot.

[Noxillio]

How has it been over 2.5 years and pnpm is still not only unsupported, but all but ignored? How incredibly disappointing. Renovate it is 🤷🏻‍♂️

[jhutchings1]

👋🏻 Hi folks, I appreciate everyone's patience on this issue as the team has been focused on other issues. This is our 3rd highest 👍🏻 'd issue, so it's on our radar, but I do not have an ETA to share at this time.

I did want to share an update which I hope you'll find helpful, however, which is that you can now get Dependabot alerts for pnpm using GitHub Actions and the new(ish) dependency submission API. You'll find a working workflow example you can use here: https://github.com/jhutchings1/pnpm-sample/blob/main/.github/workflows/sbom.yml.

[Anoesj]

Thanks @jhutchings1, please keep us up-to-date on your progress 😄

[mellodev]

Is there any active development being done on this feature? It's been open for 2 years now and is the #2 thumbs-up issue now.

[jhutchings1]

Is there any active development being done on this feature? It's been open for 2 years now and is the #2 thumbs-up issue now.

@mellodev Thanks for checking in. This isn't on our list for this quarter as we deal with more urgent issues, but we will keep you all updated when this is at the top. In the meantime, please see my previous comment on how you can get the benefit of Dependabot alerts for pnpm. https://github.com/dependabot/dependabot-core/issues/1736#issuecomment-1272772849

[MartinX3]

@mellodev just migrate to renovabot

They answer issue tickets / discussions quickly, the bot has many features and it almost automatically setup itself.

[jinlinux]

👋🏻 Hi folks, I appreciate everyone's patience on this issue as the team has been focused on other issues. This is our 3rd highest 👍🏻 'd issue, so it's on our radar, but I do not have an ETA to share at this time.

I did want to share an update which I hope you'll find helpful, however, which is that you can now get Dependabot alerts for pnpm using GitHub Actions and the new(ish) dependency submission API. You'll find a working workflow example you can use here: https://github.com/jhutchings1/pnpm-sample/blob/main/.github/workflows/sbom.yml.

Anyone had any luck implementing this? My github action is successful but can't see any snapshot dependecies on the repo.

Notice: Snapshot successfully created at 2022-11-16T02:58:00.770Z