About npm / yarn / pnpm Cheatsheet

Install, run, audit across all three package managers. Part of the DevTools Surf developer suite. Browse more tools in the Cheatsheets collection.

Use Cases

• Comparing install commands when switching between package managers
• Looking up audit commands to scan for vulnerable dependencies
• Finding the right workspace command for monorepo package linking
• Referencing publish commands when releasing packages to the registry

Tips

• Compare equivalent commands across npm, yarn, and pnpm
• Check the audit section for security vulnerability scanning
• Review the workspace commands for monorepo management

Fun Facts

• npm was created by Isaac Schlueter in 2010 and is now the world's largest software registry with over 2.5 million packages.
• Yarn was released by Facebook in October 2016 to address npm's speed and security issues — it introduced lockfiles, which npm later adopted as package-lock.json.
• pnpm (performant npm) saves disk space by using a content-addressable store and hard links, reducing node_modules duplication by up to 70%.

FAQ

All three package managers?

Yes — npm, yarn (classic and berry), and pnpm. Common commands shown in all three for easy translation.

Does it cover workspaces?

Yes — monorepo workspaces in all three managers. The syntax differs slightly; the cheatsheet shows equivalents.

What about security auditing?

Yes — npm audit, yarn audit, pnpm audit, and how to interpret results. Plus when to ignore non-exploitable warnings.

Which one should I pick?

pnpm for monorepos and disk space (uses hard links). yarn berry for strict dependency resolution. npm for simplicity — it's the default and widely supported.