Why pnpm?

pnpm is a package manager — the tool that installs libraries your app depends on. It does the same job as npm (which comes with Node.js) but does it better in two ways that matter.

Faster installs

pnpm keeps a single copy of each package on your machine and links to it from every project that uses it. npm copies files into each project separately. If you have 10 projects that all use React, npm stores 10 copies. pnpm stores one and shares it.

This means pnpm install is faster — especially after your first project — because most packages are already on your disk.

Strict by default

npm lets your code import packages you didn't explicitly list in package.json. This happens because npm hoists everything into a flat node_modules folder. Your code works until someone removes the hidden dependency, then it breaks mysteriously.

pnpm doesn't hoist by default. If a package isn't listed in package.json, your code can't import it. This catches mistakes early instead of in production.

Safer against supply chain attacks

npm packages can run scripts during installation (postinstall). Attackers exploit this — if a package or any of its dependencies gets compromised, a malicious install script can silently run code on your machine. In March 2026, this happened to axios (83M+ weekly downloads): a compromised maintainer account pushed versions that dropped malware via a hidden dependency's postinstall script.

pnpm lets you block this. The onlyBuiltDependencies setting in package.json restricts which packages are allowed to run install scripts. Everything else is silently blocked:

"pnpm": {
  "onlyBuiltDependencies": ["sharp", "better-sqlite3"]
}

Only the packages you explicitly list can execute postinstall scripts. If a compromised dependency tries to run one, pnpm ignores it. Gista.js has this configured out of the box.

Monorepo support

pnpm has built-in support for monorepos — projects with multiple packages in one repository. Gista.js uses this: the main app and the docs site live in the same repo and share dependencies efficiently. With npm, you'd need extra tooling to make this work.

Easy to switch

pnpm uses the same package.json format as npm. The commands are nearly identical — pnpm install, pnpm dev, pnpm build. If you know npm, you already know pnpm.