跳到主要内容

package.json

一个包的清单文件。 它包含包的所有元数据,包括依赖项、标题、作者等等。 这是所有主要的 Node.JS 包管理工具,包括 pnpm 的保留标准。

engines

你可以指定你的软件能够运行的 Node 版本和 pnpm 版本:

{
"engines": {
"node": ">=10",
"pnpm": ">=3"
}
}

在本地开发时, 如果其版本与 engines 字段中指定的版本不匹配,pnpm 将始终失败并报错。

当你的包作为依赖被安装时,除非用户已设置 engine-strict 配置标志 (参阅 .npmrc),否则此字段仅供参考,且只会产生警告。

dependenciesMeta

用于在 dependencies, optionalDependenciesdevDependencies 中声明的依赖项的补充元信息。

dependenciesMeta.*.injected

If this is set to true for a dependency that is a local workspace package, that package will be installed by creating a hard linked copy in the virtual store (node_modules/.pnpm).

If this is set to false or not set, then the dependency will instead be installed by creating a node_modules symlink that points to the package's source directory in the workspace. This is the default, as it is faster and ensures that any modifications to the dependency will be immediately visible to its consumers.

For example, suppose the following package.json is a local workspace package:

{
"name": "card",
"dependencies": {
"button": "workspace:1.0.0"
}
}

The button dependency will normally be installed by creating a symlink in the node_modules directory of card, pointing to the development directory for button.

But what if button specifies react in its peerDependencies? If all projects in the monorepo use the same version of react, then there is no problem. But what if button is required by card that uses react@16 and form that uses react@17? Normally you'd have to choose a single version of react and specify it using devDependencies of button. Symlinking does not provide a way for the react peer dependency to be satisfied differently by different consumers such as card and form.

The injected field solves this problem by installing a hard linked copies of button in the virtual store. To accomplish this, the package.json of card could be configured as follows:

{
"name": "card",
"dependencies": {
"button": "workspace:1.0.0",
"react": "16"
},
"dependenciesMeta": {
"button": {
"injected": true
}
}
}

Whereas the package.json of form could be configured as follows:

{
"name": "form",
"dependencies": {
"button": "workspace:1.0.0",
"react": "17"
},
"dependenciesMeta": {
"button": {
"injected": true
}
}
}

With these changes, we say that button is an "injected dependency" of card and form. When button imports react, it will resolve to react@16 in the context of card, but resolve to react@17 in the context of form.

Because injected dependencies produce copies of their workspace source directory, these copies must be updated somehow whenever the code is modified; otherwise, the new state will not be reflected for consumers. When building multiple projects with a command such as pnpm --recursive run build, this update must occur after each injected package is rebuilt but before its consumers are rebuilt. For simple use cases, it can be accomplished by invoking pnpm install again, perhaps using a package.json lifecycle script such as "prepare": "pnpm run build" to rebuild that one project. Third party tools such as pnpm-sync and pnpm-sync-dependencies-meta-injected provide a more robust and efficient solution for updating injected dependencies, as well as watch mode support.

peerDependenciesMeta

此字段列出了一些与 peerDependencies 字段中列出的依赖关系相关的额外信息。

peerDependenciesMeta.*.optional

如果设置为 true,所选的 peer dependency 将被包管理工具标记为可选的。 因此,消费方省略它将不再是 被报告为错误。

示例:

{
"peerDependencies": {
"foo": "1"
},
"peerDependenciesMeta": {
"foo": {
"optional": true
},
"bar": {
"optional": true
}
}
}

请注意,即使在peerDependencies中没有指定 bar, 但它也会被标记为可选的。 因此,pnpm 将假定任何版本的 bar 都是被允许的。 但是,foo 是可选的,但只能使用指定的版本。

publishConfig

在包被打包之前,可以覆盖清单中的某些字段。 以下字段可以被覆盖:

要覆盖字段,请将字段的要发布的版本添加到 publishConfig

例如,以下 package.json

{
"name": "foo",
"version": "1.0.0",
"main": "src/index.ts",
"publishConfig": {
"main": "lib/index.js",
"typings": "lib/index.d.ts"
}
}

将被发布为:

{
"name": "foo",
"version": "1.0.0",
"main": "lib/index.js",
"typings": "lib/index.d.ts"
}

publishConfig.executableFiles

默认情况下,出于可移植性的原因,除了 bin 字段中列出的文件之外,不会在生成的包存档中将任何文件标记为可执行文件。 executableFiles 字段允许您声明必须设置可执行标志 (+x) 的额外字段,即使它们不能通过 bin 字段直接访问。

{
"publishConfig": {
"executableFiles": [
"./dist/shim.js"
]
}
}

publishConfig.directory

您还可以使用字段 publishConfig.directory 来自定义相对于当前 package.json 的已发布子目录。

预计在指定目录中有当前包的修改版本(通常使用第三方构建工具)。

在这个例子中 "dist" 文件夹必须包含一个 package.json

{
"name": "foo",
"version": "1.0.0",
"publishConfig": {
"directory": "dist"
}
}

publishConfig.linkDirectory

  • 默认值: true
  • 类型:Boolean

当设置为 true时,项目将在本地开发期间从 publishConfig.directory 位置进行符号链接。

示例:

{
"name": "foo",
"version": "1.0.0",
"publishConfig": {
"directory": "dist",
"linkDirectory": true
}
}

pnpm.overrides

此字段允许您指示 pnpm 覆盖依赖关系图中的任何依赖项。 This is useful for enforcing all your packages to use a single version of a dependency, backporting a fix, replacing a dependency with a fork, or removing an unused dependency.

请注意,overrides 字段只能在项目的根目录下设置。

"pnpm"."overrides" 字段的示例:

{
"pnpm": {
"overrides": {
"foo": "^1.0.0",
"quux": "npm:@myorg/quux@^1.0.0",
"bar@^2.1.0": "3.0.0",
"qar@1>zoo": "2"
}
}
}

You may specify the package the overridden dependency belongs to by separating the package selector from the dependency selector with a ">", for example qar@1>zoo will only override the zoo dependency of qar@1, not for any other dependencies.

一个overide可以被定义为直接依赖项的规则的引用。 这通过依赖名称前缀一个$实现:

{
"dependencies": {
"foo": "^1.0.0"
},
"pnpm": {
"overrides": {
"foo": "$foo"
}
}
}

被引用的包不必匹配需要覆盖的包:

{
"dependencies": {
"foo": "^1.0.0"
},
"pnpm": {
"overrides": {
"bar": "$foo"
}
}
}

Added in: v9.12.0

If you find that your use of a certain package doesn’t require one of its dependencies, you may use - to remove it. For example, if package foo@1.0.0 requires a large package named bar for a function that you don’t use, removing it could reduce install time:

{
"pnpm": {
"overrides": {
"foo@1.0.0>bar": "-"
}
}
}

This feature is especially useful with optionalDependencies, where most optional packages can be safely skipped.

pnpm.packageExtensions

这个 packageExtension 字段提供了一种用额外信息扩展现有package定义的方法。 例如,如果react-redux 本应该在它的 peerDependencies 中包含 react-dom ,但却没有,则可以用 packageExtensions 来填补上react-redux

{
"pnpm": {
"packageExtensions": {
"react-redux": {
"peerDependencies": {
"react-dom": "*"
}
}
}
}
}

packageExtensions 中的键是package名称或 semver 的package名称,因此可以只修改package的某些版本:

{
"pnpm": {
"packageExtensions": {
"react-redux@1": {
"peerDependencies": {
"react-dom": "*"
}
}
}
}
}

以下字段可以使用 packageExtensions 被扩展:dependencies optionalDependencies peerDependenciespeerDependenciesMeta

一个更大的例子:

{
"pnpm": {
"packageExtensions": {
"express@1": {
"optionalDependencies": {
"typescript": "2"
}
},
"fork-ts-checker-webpack-plugin": {
"dependencies": {
"@babel/core": "1"
},
"peerDependencies": {
"eslint": ">= 6"
},
"peerDependenciesMeta": {
"eslint": {
"optional": true
}
}
}
}
}
}
提示

我们与 Yarn 一起维护一个 packageExtensions 的数据库,以便修补在生态系统中损坏的包。 如果您使用了 packageExtensions,请考虑向上游发送 PR 并将您的该扩展贡献给 @yarnpkg/extensions 数据库。

pnpm.peerDependencyRules

pnpm.peerDependencyRules.ignoreMissing

pnpm 不会打印有关依赖列表中缺少对 peerDependency 的警告。

例如,使用以下配置,如果依赖项需要 react 但未安装 react,pnpm 不会打印相应警告。

{
"pnpm": {
"peerDependencyRules": {
"ignoreMissing": ["react"]
}
}
}

包名也可以使用模式匹配

{
"pnpm": {
"peerDependencyRules": {
"ignoreMissing": ["@babel/*", "@eslint/*"]
}
}
}

pnpm.peerDependencyRules.allowedVersions

对于指定版本范围的 peerDependency,将不会打印未满足版本范围的警告。

例如,如果您有一些依赖项需要 react@16 但您知道它们可以与 react@17 一同正常工作,那么您可以使用以下配置:

{
"pnpm": {
"peerDependencyRules": {
"allowedVersions": {
"react": "17"
}
}
}
}

这将告诉 pnpm 任何在其 peerDependency 中含有 react 的依赖项都应该允许安装 react v17。

这还可以用来抑制指定包的对等依赖项引发的警告。 例如,使用以下配置时,仅当 React v17 位于 Button v2 包的对等依赖项中或在任何 Card 包的依赖项中时才允许:

{
"pnpm": {
"peerDependencyRules": {
"allowedVersions": {
"button@2>react": "17",
"card>react": "17"
}
}
}
}

pnpm.peerDependencyRules.allowAny

allowAny 是一个匹配包名的数组,任何匹配该模式的peerDependencies将可被解析为任意版本,与 peerDependencies里指定的范围无关。 例如:

{
"pnpm": {
"peerDependencyRules": {
"allowAny": ["@babel/*", "eslint"]
}
}
}

上述设置将禁用任何与 @babel/eslint 有关的 peer dependency版本不匹配的警告。

pnpm.neverBuiltDependencies

该字段允许忽略特定依赖项的构建。 安装期间不会执行所列包的 “preinstall”、“install” 和 “postinstall” 脚本。

关于 "pnpm"."neverBuiltDependencies" 字段的一个例子:

{
"pnpm": {
"neverBuiltDependencies": ["fsevents", "level"]
}
}

pnpm.onlyBuiltDependencies

允许在安装期间执行安装的包名列表。 如果此字段存在,那么只有列出的软件包可以运行安装脚本。

示例:

{
"pnpm": {
"onlyBuiltDependencies": ["fsevents"]
}
}

pnpm.onlyBuiltDependenciesFile

此配置选项允许用户指定一个 JSON 文件,该文件列出了在 pnpm 安装过程中允许运行安装脚本的唯一包。 通过使用它,您可以增强安全性或确保在安装过程中只有特定的依赖项执行脚本。

示例:

{
"dependencies": {
"@my-org/policy": "1.0.0"
},
"pnpm": {
"onlyBuiltDependenciesFile": "node_modules/@my-org/policy/onlyBuiltDependencies.json"
}
}

JSON 文件本身应包含一组包名称:

node_modules/@my-org/policy/onlyBuiltDependencies.json
[
"fsevents"
]

pnpm.allowedDeprecatedVersions

这个设置允许忽略特定包的弃用警告。

示例:

{
"pnpm": {
"allowedDeprecatedVersions": {
"express": "1",
"request": "*"
}
}
}

使用上述配置,pnpm 将不会打印任何版本的request 和v1版本的express的弃用警告。

pnpm.patchedDependencies

当您运行 pnpm patch-commit时,会自动添加/更新此字段。 它是一个字典dictionary,其中key是包名+准确的版本号。 值value应该是一个指向patch文件的相对路径

示例:

{
"pnpm": {
"patchedDependencies": {
"express@4.18.1": "patches/express@4.18.1.patch"
}
}
}

pnpm.allowNonAppliedPatches

当设置为 true时,如果 patchedDependencies 字段中的某些补丁未被应用,安装不会失败。

{
"pnpm": {
"patchedDependencies": {
"express@4.18.1": "patches/express@4.18.1.patch"
},
"allowNonAppliedPatches": true
}

pnpm.updateConfig

pnpm.updateConfig.ignoreDependencies

有时您无法更新依赖项。 例如,最新版本的依赖项开始使用 ESM,但您的项目尚未采用 ESM。 恼人的是,这样的包将始终被 pnpm outdated 命令打印出来,并在运行 pnpm update --latest时更新。 这样的话,您可以在 ignoreDependencies 字段中列出您不想更新的包:

{
"pnpm": {
"updateConfig": {
"ignoreDependencies": ["load-json-file"]
}
}
}

还支持使用模式匹配,因此您可以忽略任何在范围内的包: @babel/*

pnpm.auditConfig

pnpm.auditConfig.ignoreCves

pnpm audit 命令将忽略列表中的CVE ID

{
"pnpm": {
"auditConfig": {
"ignoreCves": [
"CVE-2022-36313"
]
}
}
}

pnpm.auditConfig.ignoreGhsas

Added in: v9.10.0

A list of GHSA Codes that will be ignored by the pnpm audit command.

{
"pnpm": {
"auditConfig": {
"ignoreGhsas": [
"GHSA-42xw-2xvc-qx8m",
"GHSA-4w2v-q235-vp99",
"GHSA-cph5-m8f7-6c5x",
"GHSA-vh95-rmgr-6w4m"
]
}
}
}

pnpm.requiredScripts

工作区的每个项目,都必须含有此数组中的所有脚本。 否则, pnpm -r run <script name> 将失败。

{
"pnpm": {
"requiredScripts": ["build"]
}
}

pnpm.supportedArchitectures

您可以指定要安装的可选依赖项的架构,即使它们与运行安装的系统的架构不匹配。

例如,以下配置指示安装 Windows x64 的可选依赖项:

{
"pnpm": {
"supportedArchitectures": {
"os": ["win32"],
"cpu": ["x64"]
}
}
}

而此配置将为 Windows、macOS 以及当前正在运行安装的系统架构安装可选依赖项。 它包括 x64 和 arm64 CPU 的工件:

{
"pnpm": {
"supportedArchitectures": {
"os": ["win32", "darwin", "current"],
"cpu": ["x64", "arm64"]
}
}
}

另外, supportedArchitectures 还支持指定系统的 libc

pnpm.ignoredOptionalDependencies

If an optional dependency has its name included in this array, it will be skipped. 示例:

{
"pnpm": {
"ignoredOptionalDependencies": ["fsevents", "@esbuild/*"]
}
}

pnpm.executionEnv.nodeVersion

Added in: v9.6.0

指定应用于项目运行时的确切 Node.js 版本。 pnpm 将自动安装指定版本的 Node.js 并将其用于执行 pnpm run 命令或 pnpm node 命令。

示例:

{
"pnpm": {
"executionEnv": {
"nodeVersion": "16.16.0"
}
}
}

resolutions

该字段的功能与 pnpm.overrides相同,旨在使从 Yarn 迁移变得更容易。

resolutionspnpm.overrides 在包解析之前合并( pnpm.overrides 优先),这在您从 Yarn 迁移并且需要仅为 pnpm 调整一些包时非常有用。