Does pnpm still generate / use / recommend a "shrinkwrap.yaml" file?

[openjck]

NPM is capable of generating two different kinds of lockfiles: package-lock.json and npm-shrinkwrap.json. To my surprise, package-lock.json is not simply a newer version of npm-shrinkwrap.json; the two files serve different purposes, and there are good reasons to use one rather than the other. Personally, I find it pretty confusing, but that's how NPM works.

I know that pnpm generates a pnpm-lock.yaml file. I tried researching whether pnpm can also generate shrinkwrap files, perhaps because they're useful in different situations, like in NPM. I've found some old GitHub issues that mention a shrinkwrap.yaml file, and even one occurrence in what appears to be official documentation. Aside from those instances, it appears shrinkwrap.yaml is undocumented, leading me to believe it's not generated, used, or recommended any more.

Is shrinkwrap.yaml still generated? Should it be used? Should it be checked into source control? Should it be used in certain situations, like npm-shrinkwrap.json should?

[zkochan]

no, pnpm never generated a npm-shrinkwrap.json. In my opinion the whole idea of npm-shrinkwrap.json is not good because you have to basically promise to forever support this "lockfile" format that ships with the dependency. If you want to lock the dependencies of your package, then bundle your package with esbuild or use "bundledDependencies".

[zkochan]

shrinkwrap.yaml was just the old name of pnpm-lock.yaml but it never worked as npm-shrinkwrap.json, it worked as a regular lockfile.

[openjck]

Thank you very much. In that case, if someone is using pnpm, do you recommend checking in pnpm-lock.json in (almost) all cases, regardless of whether one is building a package or an application?

[zkochan]

yes, the lockfile should be committed to the repository.