# Roadmap (/docs/roadmap)



snpm is under active development. Most day-to-day workflows are covered; the rough edges are ecosystem-specific compatibility, performance tuning on very large repos, and a handful of diagnostics polish items.

Shipped [#shipped]

Core CLI [#core-cli]

* Full command surface: `install`, `add`, `remove`, `upgrade`, `outdated`, `list`, `run`, `exec`, `dlx`, `init`, `licenses`, `link`, `unlink`, `pack`, `publish`, `rebuild`, `patch`, `clean`, `audit`, `why`, `store`, `login`, `logout`, `config`, `node`, plus a `<script-name>` fallback.
* Global flags propagated into subcommands: `--frozen-lockfile`, `--no-frozen-lockfile`, `--prefer-frozen-lockfile`, `--verbose`.
* Multicall aliases: `spx`, `snpx`, `pnpx` (→ `snpm dlx`) and `snpr` (→ `snpm run`).
* Shell completions: `bash`, `zsh`, `fish`, `powershell`, `elvish`.

Resolution and install [#resolution-and-install]

* Lockfile-driven installs with `snpm-lock.yaml` (schema `v1`).
* Hot-path detection via `node_modules/.snpm-integrity` (sub-100 ms warm installs).
* Shared package store with `auto` / `hardlink` / `symlink` / `copy` link backends.
* Shared virtual-store entries keyed by version + dependency closure; project-local fallbacks for patched, script-allowed, directory-backed `file:`, and resolver-walk-up-sensitive packages.
* Configurable hoisting (`none`, `single-version`, `all`).
* Peer dependency resolution with optional strict mode.

Workspaces [#workspaces]

* Discovery from `snpm-workspace.yaml`, `pnpm-workspace.yaml`, and `package.json` `workspaces`.
* `-w <name>`, `-r/--recursive`, `--filter`, `--filter-prod` across `add`, `remove`, `run`, `exec`, `upgrade`, `outdated`, `list`, `why`, `publish`.
* Graph-aware filters: `pkg...`, `...pkg`, `^pkg...`, `[git-ref]`, glob, path, exact name, `!exclude`.
* Catalogs in `snpm-workspace.yaml` and standalone `snpm-catalog.yaml`.
* Overrides via `snpm-overrides.yaml`, `snpm.overrides`, and `pnpm.overrides`.

Lockfile interop [#lockfile-interop]

* Imports from `pnpm-lock.yaml` (including branch lockfiles like `pnpm-lock.feature!name.yaml`), `bun.lock`, `yarn.lock`, `npm-shrinkwrap.json`, and `package-lock.json` when `snpm-lock.yaml` is missing.

Security [#security]

* Install scripts blocked by default; allow-list via `SNPM_ALLOW_SCRIPTS` or workspace `onlyBuiltDependencies` / `ignoredBuiltDependencies`.
* `SNPM_MIN_PACKAGE_AGE_DAYS` zero-day protection.
* Tarball auth scoped to the announcing registry origin.
* `audit` with `--audit-level`, `--fix`, SARIF output, CVE/GHSA exclusions, unfixable suppression.

Publishing [#publishing]

* `pack` with `--dry-run`, `--list`, `--json`, and inspection findings.
* `publish` with `--tag`, `--access`, `--otp`, `--dry-run`, `--allow-risk`, plus workspace fan-out.

Local development [#local-development]

* `link` / `unlink` for global and project-local link flows.
* `patch edit` / `commit` / `remove` / `list`, compatible with `pnpm.patched_dependencies`.
* `rebuild` to apply script-policy changes to already-extracted packages.

Tooling [#tooling]

* `dlx` with `--offline` and `--prefer-offline`.
* `snpm node ...`: built-in nvm-style version manager with `.node-version`/`.nvmrc`/`engines.node` discovery and shell init script.
* `snpm-switch` launcher reads `packageManager` from `package.json` and pins per-project snpm versions.
* `snpm clean` interactive cache cleanup; `snpm store status/path/prune` for store maintenance.

In progress [#in-progress]

* Tighter performance on very large monorepos (5k+ projects, 100k+ resolved packages).
* Broader compatibility with unusual package layouts and lifecycle expectations.
* Improved diagnostics and migration messaging.
* More `compat-lab` coverage of real-world JavaScript/TypeScript repositories.

Future considerations [#future-considerations]

* Side-effect caches for install scripts.
* Pluggable lifecycle hooks.
* Interactive `upgrade` and `outdated` modes.
* First-class support for additional registries beyond npm/JSR.

The [GitHub issues](https://github.com/binbandit/snpm/issues) tracker is the most up-to-date source for in-flight work.