Tags: package-manager, npm, yarn, pnpm, node, javascript, dependencies
Last updated: 2026-06-26
Package Managers Cheatsheet
Quick Reference
| Command | npm | yarn | pnpm |
| Install all deps | npm install | yarn | pnpm install |
| Add a package | npm i <pkg> | yarn add <pkg> | pnpm add <pkg> |
| Add dev dep | npm i -D <pkg> | yarn add -D <pkg> | pnpm add -D <pkg> |
| Remove a package | npm un <pkg> | yarn remove <pkg> | pnpm remove <pkg> |
| Run a script | npm run <name> | yarn <name> | pnpm <name> |
| Global install | npm i -g <pkg> | yarn global add <pkg> | pnpm add -g <pkg> |
| Update packages | npm update | yarn upgrade | pnpm update |
| List outdated | npm outdated | yarn outdated | pnpm outdated |
| Init project | npm init | yarn init | pnpm init |
| Run a one-off | npx <pkg> | yarn dlx <pkg> | pnpm dlx <pkg> |
Installation & Project Setup
npm
# Ships with Node.js — check version
$ node -v && npm -v
# Update npm itself
$ npm install -g npm@latest
yarn (classic v1)
$ npm install -g yarn
$ yarn --version
yarn (modern / Berry, v2+)
$ corepack enable
$ yarn set version stable
$ yarn --version
pnpm
$ npm install -g pnpm
# or via corepack
$ corepack enable && corepack prepare pnpm@latest --activate
$ pnpm --version
Starting a Project
$ npm init # Interactive
$ npm init -y # Skip prompts, use defaults
$ yarn init -y
$ pnpm init
Installing Dependencies
Add to a Project
# Production dependency
$ npm install lodash
$ yarn add lodash
$ pnpm add lodash
# Dev dependency
$ npm install -D typescript
$ yarn add -D typescript
$ pnpm add -D typescript
# Optional dependency
$ npm install -O chokidar
$ yarn add -O chokidar
$ pnpm add --save-optional chokidar
Install from Various Sources
$ npm install user/repo # GitHub repo
$ npm install user/repo#branch # Specific branch
$ npm install file:../local-pkg # Local tarball or folder
$ npm install <pkg>@1.2.3 # Exact version
$ npm install <pkg>@latest # Latest tag
Install All Dependencies (Fresh)
$ npm ci # Clean install from lockfile
$ yarn install --frozen-lockfile # Don't update lockfile (yarn v1; v2+ uses --immutable)
$ pnpm install --frozen-lockfile
Removing & Updating
Remove
$ npm uninstall lodash
$ yarn remove lodash
$ pnpm remove lodash
Update
$ npm update # Update all within semver range
$ npm update lodash # Update a single package
$ yarn upgrade # Update all
$ yarn upgrade lodash # Update one
$ pnpm update # Update all
$ pnpm update lodash # Update one
# Check what's outdated
$ npm outdated
$ yarn outdated
$ pnpm outdated
Audit & Fix
$ npm audit # Show vulnerability report
$ npm audit fix # Auto-fix non-breaking vulns
$ npm audit fix --force # Fix breaking changes too (careful)
$ yarn audit
$ pnpm audit
Running Scripts
# npm
$ npm run dev
$ npm run build
$ npm test # Shortcut for "npm run test"
$ npm start # Shortcut for "npm run start"
# yarn — "run" is optional
$ yarn dev
$ yarn build
$ yarn test
# pnpm — "run" is optional
$ pnpm dev
$ pnpm build
$ pnpm test
Adding Scripts (package.json)
{
"scripts": {
"dev": "vite",
"build": "vite build",
"lint": "eslint . --ext .ts,.tsx",
"test": "vitest run",
"format": "prettier --write ."
}
}
npx / dlx — Run Packages Without Installing
# Run a one-off command from an npm package
$ npx create-react-app my-app
$ npx eslint --init
$ npx http-server . # Serve current directory
$ npx kill-port 3000 # Kill process on a port
# yarn modern
$ yarn dlx create-react-app my-app
# pnpm
$ pnpm dlx create-react-app my-app
# pnpm (shorter alias)
$ pnpx create-react-app my-app
Linking & Local Development
npm link
# In the package you want to link FROM (a library)
$ cd ~/projects/my-lib
$ npm link
# In the project that wants to USE it
$ cd ~/projects/my-app
$ npm link my-lib
# Unlink later
$ npm unlink my-lib
yarn link
$ cd ~/projects/my-lib && yarn link
$ cd ~/projects/my-app && yarn link my-lib
$ yarn unlink my-lib
pnpm link
$ cd ~/projects/my-lib && pnpm link --global
$ cd ~/projects/my-app && pnpm link --global my-lib
Workspaces (Monorepo)
# package.json at root
{ "workspaces": ["packages/*"] }
# Add a dep from one workspace package to another
$ npm i shared-lib -w packages/app
$ yarn workspace app add shared-lib
$ pnpm --filter app add shared-lib
Publishing
npm publish (Public Registry)
$ npm login
$ npm publish # Publish to npm
$ npm publish --access public # Scoped package, public
$ npm version patch # Bump 1.0.0 → 1.0.1
$ npm version minor # Bump 1.0.0 → 1.1.0
$ npm version major # Bump 1.0.0 → 2.0.0
$ npm version prerelease --preid beta # 1.0.0 → 1.0.1-beta.0
$ npm pack # Create .tgz for inspection
$ npm unpublish <pkg>@1.2.3 # Unpublish a version
$ npm deprecate <pkg>@1.x "Use v2" # Mark version deprecated
yarn publish
$ yarn login
$ yarn publish
$ yarn publish --access public
$ yarn version --patch # yarn v1 syntax; v2+ uses "yarn version patch"
pnpm publish
$ pnpm login
$ pnpm publish
$ pnpm publish --access public
Lockfiles & Versioning
| Tool | Lockfile | Note |
| npm | package-lock.json | Auto-generated, commit it |
| yarn v1 | yarn.lock | Always commit |
| yarn v2+ | .yarn/cache/ + yarn.lock | Zero-installs possible |
| pnpm | pnpm-lock.yaml | Always commit |
package.json Version Ranges
{
"dependencies": {
"lodash": "4.17.21", // Exact
"react": "^18.2.0", // Compatible (>=18.2.0 <19.0.0)
"vue": "~3.3.0", // Approximately (>=3.3.0 <3.4.0)
"axios": ">=1.0.0", // Any 1.0.0 or newer
"chalk": "*" // Any version
}
}
Caching & Cleanup
# Clear npm cache
$ npm cache clean --force
# Clear yarn cache
$ yarn cache clean
# Clear pnpm store
$ pnpm store prune
# Fresh start (delete node_modules and lockfile)
$ rm -rf node_modules package-lock.json && npm install
$ rm -rf node_modules yarn.lock && yarn
$ rm -rf node_modules pnpm-lock.yaml && pnpm install
.npmrc Essentials
# ~/.npmrc or project .npmrc
# Registry
registry=https://registry.npmjs.org/
# Scoped registry
@mycompany:registry=https://npm.mycompany.com/
# Auth token (from npm login)
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
# Strict SSL (default: true)
strict-ssl=true
# Save exact versions (no ^ prefix)
save-exact=true
# Don't generate package-lock.json (npm ci needs a lockfile, so leave this unset if you rely on it)
package-lock=false
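A committed lockfile only protects installs if its entries point at the registries you configured and carry strong integrity hashes. The check below is an added example, not code from this cheatsheet or from npm: it walks the "packages" map of a package-lock.json (lockfileVersion 2/3 layout) and reports entries resolved from an origin outside the .npmrc registries above, or with a missing or SHA-1-only integrity value. The names auditLockfile and ALLOWED_ORIGINS and the sample lockfile are assumptions made for illustration.

```javascript
// Constructed sample: a trimmed lockfileVersion 3 "packages" map, not a real project.
// Integrity values are placeholders, not real hashes.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/lodash": {
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/@mycompany/ui": {
      resolved: "https://npm.mycompany.com/@mycompany/ui/-/ui-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/left-pad": {
      resolved: "http://mirror.example.test/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha1-PLACEHOLDER" },
    "node_modules/no-hash": {
      resolved: "https://registry.npmjs.org/no-hash/-/no-hash-0.1.0.tgz" },
    "node_modules/my-lib": { resolved: "packages/my-lib", link: true }
  }
};

// Registry origins from the .npmrc above (default registry plus the @mycompany scope).
const ALLOWED_ORIGINS = ["https://registry.npmjs.org", "https://npm.mycompany.com"];

// Hypothetical helper: returns one finding per problem in a lockfile's "packages" map.
function auditLockfile(lock, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinked packages and bundled deps:
    // none of them are fetched from a registry, so they carry no tarball URL or hash.
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    let origin = null;
    try { origin = new URL(entry.resolved).origin; } catch { /* missing or not a URL */ }
    if (!allowedOrigins.includes(origin)) {
      findings.push({ path, issue: "unexpected-source", detail: entry.resolved || "(none)" });
    }
    if (!entry.integrity) {
      findings.push({ path, issue: "missing-integrity" });
    } else if (!/(^|\s)sha(256|384|512)-/.test(entry.integrity)) {
      findings.push({ path, issue: "weak-integrity", detail: entry.integrity.split("-")[0] });
    }
  }
  return findings;
}

console.log(auditLockfile(sampleLock));
```

To use it on a real project, pass the parsed contents of package-lock.json and fail the CI job when the returned array is not empty.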
Speed Comparison
| Feature | npm | yarn | pnpm |
| Install speed | Good | Fast | Very fast |
| Disk usage | High | Medium | Low (content-addressable) |
| Strictness | Loose | Stricter | Strictest |
| Monorepo support | Workspaces | Workspaces | Workspaces (best) |
| Lockfile format | JSON | YAML | YAML |
| Plug'n'Play | No | Yes (v2+) | No |
Tips
- Use npm ci instead of npm install in CI — it's faster and respects the lockfile exactly.
- npx is great for scaffolding and one-off tools without global installs.
- For monorepos, pnpm handles cross-package linking natively with no hoisting surprises.
- If switching between npm/yarn/pnpm in the same project, delete node_modules and the old lockfile first.
- Run npm doctor to check your npm installation health.
- Use .npmrc to enforce save-exact=true if you prefer pinned versions.