status: active
timestamp: 2026-06-20
tags: [rule, pnpm, package-manager, tooling, no-duplication]
pnpm is the package manager for every JS repo in the family
pnpm mandatory across oriz family
pnpm is the package manager for every JS repo in the family
The rule
Every JavaScript / TypeScript repo in the chirag127/oriz* family
uses pnpm as its package manager. Not npm, not yarn, not bun. No
exceptions, no per-repo opt-out. All 11+ existing sites already use
pnpm — keep it that way.
If a new repo lands without a pnpm-lock.yaml, that’s a bug to fix
before merging.
Why pnpm specifically
The hard requirement is no duplication of packages on disk when 11+ sites share dependencies (Astro, Tailwind, Firebase SDK, oriz-kit, etc.). pnpm is the only manager that solves this cleanly.
| Manager | Disk model | Family fit |
|---|---|---|
| npm | Each node_modules/ is a full copy. 11 sites with Astro = 11 × Astro on disk. | Bad — duplicates everywhere. |
| yarn classic (v1) | Same as npm. Hoisted but per-project. | Bad — same duplication problem. |
| yarn berry (PnP) | Single .yarn/cache, no node_modules/. | Compatibility issues — Astro plugins, Firebase SDK, and many TS toolchains break under PnP. |
| bun | Fast install, but uses bun’s own store and runtime. | Bun runtime is fine for some things; Astro 6 + Cloudflare Workers compatibility is the open question and we don’t want to be the test case. |
| pnpm | One global content-addressable store at ~/.pnpm-store. Each node_modules/ is symlinks/hardlinks into the store. | Best fit. Standard node_modules/ shape (max compat), single on-disk copy of every package version (no duplication). |
How pnpm satisfies “no duplication”
pnpm stores every package version exactly once at
~/.pnpm-store/v3/files/... (content-addressable by hash). When a
site does pnpm install, pnpm builds a node_modules/ made of
hardlinks (or symlinks on Windows / non-CoW filesystems) pointing
into the store.
Mental model: it’s pip without venvs. A package version exists once on disk; every project that needs it gets a cheap reference, not a copy.
For the family this means: cloning all 11+ sites and running
pnpm install in each leaves ~/.pnpm-store roughly the size of a
single site’s deps, not 11×.
Cross-refs
always-latest-deps.md— install policy that pairs with this rulerepos-work-independently.md— each repo runspnpm installstandalone../runbooks/workflow/clean-install.md— bootstrap procedure../_okf.md— OKF conventions