snpm v2026.5.16

Roadmap

What works today and what is still in flight

snpm is under active development. Most day-to-day workflows are covered; the rough edges are ecosystem-specific compatibility, performance tuning on very large repos, and a handful of diagnostics polish items.

Shipped

Core CLI

  • Full command surface: install, add, remove, upgrade, outdated, list, run, exec, dlx, init, licenses, link, unlink, pack, publish, rebuild, patch, clean, audit, why, store, login, logout, config, node, plus a <script-name> fallback.
  • Global flags propagated into subcommands: --frozen-lockfile, --no-frozen-lockfile, --prefer-frozen-lockfile, --verbose.
  • Multicall aliases: spx, snpx, pnpx (→ snpm dlx) and snpr (→ snpm run).
  • Shell completions: bash, zsh, fish, powershell, elvish.

Resolution and install

  • Lockfile-driven installs with snpm-lock.yaml (schema v1).
  • Hot-path detection via node_modules/.snpm-integrity (sub-100 ms warm installs).
  • Shared package store with auto / hardlink / symlink / copy link backends.
  • Shared virtual-store entries keyed by version + dependency closure; project-local fallbacks for patched, script-allowed, directory-backed file:, and resolver-walk-up-sensitive packages.
  • Configurable hoisting (none, single-version, all).
  • Peer dependency resolution with optional strict mode.

Workspaces

  • Discovery from snpm-workspace.yaml, pnpm-workspace.yaml, and package.json workspaces.
  • -w <name>, -r/--recursive, --filter, --filter-prod across add, remove, run, exec, upgrade, outdated, list, why, publish.
  • Graph-aware filters: pkg..., ...pkg, ^pkg..., [git-ref], glob, path, exact name, !exclude.
  • Catalogs in snpm-workspace.yaml and standalone snpm-catalog.yaml.
  • Overrides via snpm-overrides.yaml, snpm.overrides, and pnpm.overrides.

Lockfile interop

  • Imports from pnpm-lock.yaml (including branch lockfiles like pnpm-lock.feature!name.yaml), bun.lock, yarn.lock, npm-shrinkwrap.json, and package-lock.json when snpm-lock.yaml is missing.

Security

  • Install scripts blocked by default; allow-list via SNPM_ALLOW_SCRIPTS or workspace onlyBuiltDependencies / ignoredBuiltDependencies.
  • SNPM_MIN_PACKAGE_AGE_DAYS zero-day protection.
  • Tarball auth scoped to the announcing registry origin.
  • audit with --audit-level, --fix, SARIF output, CVE/GHSA exclusions, unfixable suppression.
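The "tarball auth scoped to the announcing registry origin" item is the one on this list most worth spelling out: a registry's bearer token must only travel to the same scheme, host and port that served the package metadata, so a packument whose `dist.tarball` points at another host gets an unauthenticated fetch. The function below is an added illustration written for this page, not snpm's own code; the registry and CDN hostnames in the sample packument are constructed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Default ports so "https://host/" and "https://host:443/" compare as the same origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def tarball_headers(registry_url: str, tarball_url: str, token: str) -> Dict[str, str]:
    """Attach the registry token only when the tarball lives on the announcing origin.

    A mismatch in scheme (https -> http downgrade), host, or port yields no
    Authorization header at all, so the credential never leaks to a third party.
    """
    reg = origin(registry_url)
    tar = origin(tarball_url)
    if reg is None or tar is None or reg != tar:
        return {}
    return {"Authorization": f"Bearer {token}"}


def plan_fetches(registry_url: str, packument: dict, token: str) -> Dict[str, Dict[str, str]]:
    """Map each version's tarball URL to the headers a fetcher should send for it."""
    plan = {}
    for version, meta in packument.get("versions", {}).items():
        url = meta["dist"]["tarball"]
        plan[version] = tarball_headers(registry_url, url, token)
    return plan


# Constructed sample packument: 1.0.0 is served by the registry itself,
# 1.0.1 redirects the tarball to an unrelated host, 1.0.2 downgrades to http.
SAMPLE_REGISTRY = "https://registry.example.test/"
SAMPLE_PACKUMENT = {
    "name": "left-pad-ish",
    "versions": {
        "1.0.0": {"dist": {"tarball": "https://registry.example.test:443/left-pad-ish/-/left-pad-ish-1.0.0.tgz"}},
        "1.0.1": {"dist": {"tarball": "https://cdn.other.test/left-pad-ish-1.0.1.tgz"}},
        "1.0.2": {"dist": {"tarball": "http://registry.example.test/left-pad-ish/-/left-pad-ish-1.0.2.tgz"}},
    },
}

if __name__ == "__main__":
    for version, headers in plan_fetches(SAMPLE_REGISTRY, SAMPLE_PACKUMENT, "s3cret").items():
        print(version, "authenticated" if headers else "anonymous")
```

Only 1.0.0 gets the header; the cross-host and the http-downgraded tarballs are fetched anonymously, which is the behaviour a client needs so that a hostile or misconfigured packument cannot redirect a private-registry token elsewhere.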

Publishing

  • pack with --dry-run, --list, --json, and inspection findings.
  • publish with --tag, --access, --otp, --dry-run, --allow-risk, plus workspace fan-out.

Local development

  • link / unlink for global and project-local link flows.
  • patch edit / commit / remove / list, compatible with pnpm.patched_dependencies.
  • rebuild to apply script-policy changes to already-extracted packages.

Tooling

  • dlx with --offline and --prefer-offline.
  • snpm node ...: built-in nvm-style version manager with .node-version/.nvmrc/engines.node discovery and shell init script.
  • snpm-switch launcher reads packageManager from package.json and pins per-project snpm versions.
  • snpm clean interactive cache cleanup; snpm store status/path/prune for store maintenance.

In progress

  • Tighter performance on very large monorepos (5k+ projects, 100k+ resolved packages).
  • Broader compatibility with unusual package layouts and lifecycle expectations.
  • Improved diagnostics and migration messaging.
  • More compat-lab coverage of real-world JavaScript/TypeScript repositories.

Future considerations

  • Side-effect caches for install scripts.
  • Pluggable lifecycle hooks.
  • Interactive upgrade and outdated modes.
  • First-class support for additional registries beyond npm/JSR.

The GitHub issues tracker is the most up-to-date source for in-flight work.
