Tags: package-manager, npm, yarn, pnpm, node, javascript, dependencies
Last updated: 2026-06-26

Package Managers Cheatsheet

Quick Reference

| Command | npm | yarn | pnpm |
|---|---|---|---|
| Install all deps | npm install | yarn | pnpm install |
| Add a package | npm i <pkg> | yarn add <pkg> | pnpm add <pkg> |
| Add dev dep | npm i -D <pkg> | yarn add -D <pkg> | pnpm add -D <pkg> |
| Remove a package | npm un <pkg> | yarn remove <pkg> | pnpm remove <pkg> |
| Run a script | npm run <name> | yarn <name> | pnpm <name> |
| Global install | npm i -g <pkg> | yarn global add <pkg> | pnpm add -g <pkg> |
| Update packages | npm update | yarn upgrade | pnpm update |
| List outdated | npm outdated | yarn outdated | pnpm outdated |
| Init project | npm init | yarn init | pnpm init |
| Run a one-off | npx <pkg> | yarn dlx <pkg> | pnpm dlx <pkg> |

Installation & Project Setup

npm

# Ships with Node.js — check version
$ node -v && npm -v

# Update npm itself
$ npm install -g npm@latest

yarn (classic v1)

$ npm install -g yarn
$ yarn --version

yarn (modern / Berry, v2+)

$ corepack enable
$ yarn set version stable
$ yarn --version

pnpm

$ npm install -g pnpm
# or via corepack
$ corepack enable && corepack prepare pnpm@latest --activate
$ pnpm --version

Starting a Project

$ npm init                  # Interactive
$ npm init -y               # Skip prompts, use defaults
$ yarn init -y
$ pnpm init

Installing Dependencies

Add to a Project

# Production dependency
$ npm install lodash
$ yarn add lodash
$ pnpm add lodash

# Dev dependency
$ npm install -D typescript
$ yarn add -D typescript
$ pnpm add -D typescript

# Optional dependency
$ npm install -O chokidar
$ yarn add -O chokidar
$ pnpm add --save-optional chokidar

Install from Various Sources

$ npm install user/repo          # GitHub repo
$ npm install user/repo#branch   # Specific branch
$ npm install file:../local-pkg  # Local tarball or folder
$ npm install <pkg>@1.2.3        # Exact version
$ npm install <pkg>@latest       # Latest tag

Install All Dependencies (Fresh)

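$ npm ci                          # Clean install from lockfile; fails if it disagrees with package.json
$ yarn install --frozen-lockfile  # yarn v1: fail instead of updating the lockfile (v2+: --immutable)
$ pnpm install --frozen-lockfile  # Fail instead of updating the lockfile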

Removing & Updating

Remove

$ npm uninstall lodash
$ yarn remove lodash
$ pnpm remove lodash

Update

$ npm update                # Update all within semver range
$ npm update lodash         # Update a single package
$ yarn upgrade              # Update all
$ yarn upgrade lodash       # Update one
$ pnpm update               # Update all
$ pnpm update lodash        # Update one

# Check what's outdated
$ npm outdated
$ yarn outdated
$ pnpm outdated

Audit & Fix

$ npm audit                # Show vulnerability report
$ npm audit fix            # Apply fixes that stay within declared semver ranges
$ npm audit fix --force    # Also apply semver-major (breaking) updates; review the diff
$ yarn audit               # yarn v1 (v2+: yarn npm audit)
$ pnpm audit

Running Scripts

# npm
$ npm run dev
$ npm run build
$ npm test                 # Shortcut for "npm run test"
$ npm start                # Shortcut for "npm run start"

# yarn — "run" is optional
$ yarn dev
$ yarn build
$ yarn test

# pnpm — "run" is optional
$ pnpm dev
$ pnpm build
$ pnpm test

Adding Scripts (package.json)

{
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "lint": "eslint . --ext .ts,.tsx",
    "test": "vitest run",
    "format": "prettier --write ."
  }
}

npx / dlx — Run Packages Without Installing

# Run a one-off command from an npm package (fetched and executed if not already installed)
$ npx create-react-app my-app
$ npx eslint --init
$ npx http-server .          # Serve current directory
$ npx kill-port 3000         # Kill process on a port

# yarn modern
$ yarn dlx create-react-app my-app
# pnpm
$ pnpm dlx create-react-app my-app
# pnpm (shorter alias)
$ pnpx create-react-app my-app

Linking & Local Development

npm link

# In the package you want to link FROM (a library)
$ cd ~/projects/my-lib
$ npm link

# In the project that wants to USE it
$ cd ~/projects/my-app
$ npm link my-lib

# Unlink later
$ npm unlink my-lib

yarn link

$ cd ~/projects/my-lib && yarn link
$ cd ~/projects/my-app && yarn link my-lib
$ yarn unlink my-lib

pnpm link

$ cd ~/projects/my-lib && pnpm link --global
$ cd ~/projects/my-app && pnpm link --global my-lib

Workspaces (Monorepo)

# package.json at root (npm and yarn; pnpm declares workspaces in pnpm-workspace.yaml)
{ "workspaces": ["packages/*"] }

# Add a dep from one workspace package to another
$ npm i shared-lib -w packages/app
$ yarn workspace app add shared-lib
$ pnpm --filter app add shared-lib

Publishing

npm publish (Public Registry)

$ npm login
$ npm publish                         # Publish to npm
$ npm publish --access public         # Scoped package, public
$ npm version patch                   # Bump 1.0.0 → 1.0.1
$ npm version minor                   # Bump 1.0.0 → 1.1.0
$ npm version major                   # Bump 1.0.0 → 2.0.0
$ npm version prerelease --preid beta # 1.0.0 → 1.0.1-beta.0
$ npm pack                            # Create .tgz for inspection
$ npm unpublish <pkg>@1.2.3           # Unpublish a version
$ npm deprecate <pkg>@1.x "Use v2"    # Mark version deprecated

yarn publish

$ yarn login
$ yarn publish
$ yarn publish --access public
$ yarn version patch

pnpm publish

$ pnpm login
$ pnpm publish
$ pnpm publish --access public

Lockfiles & Versioning

| Tool | Lockfile | Note |
|---|---|---|
| npm | package-lock.json | Auto-generated, commit it |
| yarn v1 | yarn.lock | Always commit |
| yarn v2+ | .yarn/cache/ + yarn.lock | Zero-installs possible |
| pnpm | pnpm-lock.yaml | Always commit |

package.json Version Ranges

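The // annotations below are for reading only; JSON does not allow comments, so a real package.json carries just the keys and values.

{
  "dependencies": {
    "lodash": "4.17.21",      // Exact
    "react": "^18.2.0",       // Compatible: >=18.2.0 <19.0.0
    "vue": "~3.3.0",          // Approximately: >=3.3.0 <3.4.0
    "axios": ">=1.0.0",       // Any 1.0.0 or newer, including future majors
    "chalk": "*"              // Any version
  }
}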
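
The ranges above differ in how far a fresh install can drift from the version that was reviewed. The following Node.js script is an added example, not part of the original cheatsheet; `classify`, `auditManifest` and the sample manifest are constructed here, and the `my-lib` and `local-pkg` entries are hypothetical.

```javascript
// Added example: classify dependency specs by how far a fresh, lockfile-less
// install may drift from the version that was reviewed.
const LOOSE = new Set(['wildcard', 'open-ended', 'non-registry']);

function classify(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'x' || s === 'latest') return 'wildcard';
  // git/URL/file sources and the user/repo[#branch] GitHub shorthand
  if (/^(file:|link:|git\+|git:|github:|https?:)/.test(s)) return 'non-registry';
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return 'non-registry';
  if (/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(s)) return 'exact';
  if (s.startsWith('^')) return 'caret'; // left-most non-zero component is fixed
  if (s.startsWith('~')) return 'tilde'; // patch-level when a minor is given
  if (/^>=?/.test(s) && !s.includes('<')) return 'open-ended'; // no upper bound
  return 'other'; // compound ranges, dist-tags, aliases
}

function auditManifest(manifest) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classify(spec);
      findings.push({ section, name, spec, kind, loose: LOOSE.has(kind) });
    }
  }
  return findings;
}

// Constructed sample manifest, using the ranges and sources shown on this page.
const SAMPLE_MANIFEST = {
  dependencies: {
    lodash: '4.17.21', react: '^18.2.0', vue: '~3.3.0',
    axios: '>=1.0.0', chalk: '*',
  },
  devDependencies: {
    'my-lib': 'user/repo#branch',     // hypothetical GitHub dependency
    'local-pkg': 'file:../local-pkg', // hypothetical local folder
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.loose ? 'REVIEW' : 'ok    '} ${f.name}@${f.spec} (${f.kind})`);
}
```

Entries marked REVIEW are the ones where a committed lockfile and `npm ci` are the only thing pinning what actually gets installed.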

Caching & Cleanup

# Clear npm cache
$ npm cache clean --force

# Clear yarn cache
$ yarn cache clean

# Clear pnpm store
$ pnpm store prune

# Fresh start (delete node_modules and lockfile); every dependency is re-resolved, so review the new lockfile diff
$ rm -rf node_modules package-lock.json && npm install
$ rm -rf node_modules yarn.lock && yarn
$ rm -rf node_modules pnpm-lock.yaml && pnpm install

.npmrc Essentials

# ~/.npmrc or project .npmrc

# Registry
registry=https://registry.npmjs.org/

# Scoped registry
@mycompany:registry=https://npm.mycompany.com/

# Auth token (npm login writes a literal one to ~/.npmrc; ${NPM_TOKEN} reads it from the environment instead)
//registry.npmjs.org/:_authToken=${NPM_TOKEN}

# Strict SSL (default: true)
strict-ssl=true

# Save exact versions (no ^ prefix)
save-exact=true

# Don't generate package-lock.json (npm ci then has no lockfile to install from)
package-lock=false
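
One way to check a .npmrc for the settings above that weaken install integrity. This Node.js script is an added example, not part of the original cheatsheet and not an npm feature; `parseNpmrc`, `lintNpmrc`, the rule names and the sample file (with a fake token) are constructed for illustration.

```javascript
// Added example: lint .npmrc text for settings that weaken install integrity.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return; // comments
    const eq = line.indexOf('=');
    if (eq === -1) return;
    entries.push({ line: i + 1, key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  });
  return entries;
}

function lintNpmrc(text) {
  const issues = [];
  const flag = (line, rule, why) => issues.push({ line, rule, why });
  for (const { line, key, value } of parseNpmrc(text)) {
    if (key === 'strict-ssl' && value === 'false')
      flag(line, 'tls-disabled', 'registry certificates are not verified');
    if (/(^|:)registry$/.test(key) && /^http:\/\//i.test(value))
      flag(line, 'cleartext-registry', 'packages and tokens travel unencrypted');
    if (key.endsWith(':_authToken') && !/^\$\{\w+\}$/.test(value))
      flag(line, 'literal-token', 'secret stored in the file instead of ${VAR}');
    if (key === 'package-lock' && value === 'false')
      flag(line, 'lockfile-disabled', 'installs are no longer reproducible');
  }
  return issues;
}

// Constructed sample: a weakened variant of the file above. The token is fake.
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@mycompany:registry=http://npm.mycompany.com/',
  '//registry.npmjs.org/:_authToken=npm_FAKE_TOKEN_FOR_ILLUSTRATION',
  '//npm.mycompany.com/:_authToken=${NPM_TOKEN}',
  '; strict-ssl=true',
  'strict-ssl=false',
  'save-exact=true',
  'package-lock=false',
].join('\n');

for (const i of lintNpmrc(SAMPLE_NPMRC)) {
  console.log(`line ${i.line}: ${i.rule} - ${i.why}`);
}
```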

Speed Comparison

| Feature | npm | yarn | pnpm |
|---|---|---|---|
| Install speed | Good | Fast | Very fast |
| Disk usage | High | Medium | Low (content-addressable) |
| Strictness | Loose | Stricter | Strictest |
| Monorepo support | Workspaces | Workspaces | Workspaces (best) |
| Lockfile format | JSON | YAML | YAML |
| Plug'n'Play | No | Yes (v2+) | No |

Tips