# Package Managers (npm, yarn, pnpm)

Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-05-28
Generation: human_only

## TL;DR

JavaScript package managers install dependencies, run lifecycle scripts, and record the resolved dependency graph for a project. npm, Yarn, and pnpm share the same registry ecosystem but differ in lockfile format (package-lock.json, yarn.lock, pnpm-lock.yaml), installation strategy, workspace behavior, and performance tradeoffs.

## Core Explanation

package.json declares a package's metadata, its scripts, and dependency *ranges* (for example `^4.17.21`), not exact versions. The lockfile records the exact version, resolved tarball URL, and integrity hash chosen for every package in the graph, so a later install can reproduce the same tree instead of resolving the ranges again. pnpm keeps one copy of each package version in a content-addressable store and builds node_modules out of symlinks, which reduces duplication and, as a side effect, stops code from importing packages it never declared.

## Detailed Analysis

Package managers are part of the software supply chain: they fetch and execute third-party code on developer machines and CI runners. Practices that hold up in practice:

- Commit the lockfile and install from it without re-resolving (`npm ci`, `yarn install --frozen-lockfile` on Yarn 1 or `--immutable` on Yarn 2+, `pnpm install --frozen-lockfile`), so a drifted or tampered lockfile fails the build instead of being silently rewritten.
- Review dependency updates as code changes, including changes to `resolved` URLs and `integrity` hashes, not only version bumps.
- Run `npm audit` (or the Yarn/pnpm equivalents) where it is useful, while remembering that an audit only covers published advisories.
- Treat install-time lifecycle scripts (`preinstall`, `install`, `postinstall`) as arbitrary code execution; all three tools accept `--ignore-scripts` when those scripts are not needed.
- Do not treat a semver range as a security boundary: a `^` or `~` range accepts any future release published within it, by the maintainer or by whoever controls the maintainer's account, and only the lockfile determines what is actually installed.

## Further Reading

- npm package.json
- npm package-lock.json
- pnpm symlinked node_modules
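To make the points in Detailed Analysis concrete, the following is an added example written for this page; it is not npm's, Yarn's or pnpm's own code. It checks a package.json against an npm lockfile (the `packages` map of lockfileVersion 2 or 3, whose entries carry `version`, `resolved`, `integrity` and, for packages with install scripts, `hasInstallScript`) and reports direct dependencies whose locked version no longer satisfies the declared range, dependencies missing from the lockfile, packages resolved from somewhere other than the expected registry, entries without an integrity hash, and packages that run install scripts. The semver matching is a deliberately small subset (exact, `^` and `~` on x.y.z versions, pre-release tags ignored) so the script runs offline without the `semver` package, and the package.json and lockfile objects are constructed sample input, not taken from any real project; the package names are illustrative and the integrity strings are placeholders.

```javascript
// Added example, not npm's own code: consistency check between a package.json
// and an npm lockfile (lockfileVersion 2/3 "packages" map).
// Semver support is a subset (exact, ^ and ~ on x.y.z); pre-release and build
// suffixes are dropped. That is a simplification, not npm's full range grammar.

// "1.2.3", "v1.2.3", "1.2.3-beta.1" -> { nums: [1, 2, 3], specified: 3 }; null if unparseable.
function parseVersion(text) {
  const core = String(text).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length < 1 || parts.length > 3 || parts.some(Number.isNaN)) return null;
  return { nums: [parts[0], parts[1] ?? 0, parts[2] ?? 0], specified: parts.length };
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true/false when `version` lies inside `range`; null for syntax this subset
// does not model (||, >=, x-ranges, dist-tags, git/file URLs).
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = String(range).trim();
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = parseVersion(op ? r.slice(1) : r);
  if (v === null || base === null) return null;
  const [maj, min, pat] = base.nums;
  if (op === "") return compareVersions(v.nums, base.nums) === 0;
  let upper;
  if (op === "~") upper = base.specified >= 2 ? [maj, min + 1, 0] : [maj + 1, 0, 0];
  else if (maj > 0) upper = [maj + 1, 0, 0]; // ^1.2.3 -> <2.0.0
  else if (min > 0) upper = [0, min + 1, 0]; // ^0.2.3 -> <0.3.0
  else upper = [0, 0, pat + 1];              // ^0.0.3 -> <0.0.4
  return compareVersions(v.nums, base.nums) >= 0 && compareVersions(v.nums, upper) < 0;
}

// Every finding is { name, kind, detail }. Direct dependencies are checked against
// their declared ranges; every locked package (transitive ones included) is checked
// for registry origin, integrity hash and install scripts.
function auditLockfile(pkg, lock, options = {}) {
  const allowedRegistry = options.allowedRegistry ?? "https://registry.npmjs.org/";
  const packages = lock.packages ?? {};
  const findings = [];
  const declared = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };

  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, kind: "missing-from-lockfile", detail: range });
      continue;
    }
    const ok = satisfies(entry.version, range);
    if (ok === null) findings.push({ name, kind: "unsupported-range", detail: range });
    else if (!ok) findings.push({ name, kind: "range-mismatch", detail: `${entry.version} not in ${range}` });
  }

  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link === true) continue; // root project and workspace links
    const name = entry.name ?? path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (typeof entry.resolved === "string" && !entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, kind: "unexpected-registry", detail: entry.resolved });
    }
    if (!entry.inBundle && !entry.integrity) {
      findings.push({ name, kind: "missing-integrity", detail: entry.version });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, kind: "install-script", detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample input standing in for package.json and package-lock.json.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    "lodash": "^4.17.21",     // locked version satisfies the range: clean
    "left-pad": "~1.3.0",     // lockfile is behind the declared range
    "esbuild": "^0.18.0",     // runs an install script
    "internal-lib": "2.0.0",  // resolved from a non-registry host, no integrity
    "widget-util": "^1.0.0",  // declared but never locked
  },
};

const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-placeholder" },
    "node_modules/left-pad": { version: "1.2.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.2.0.tgz", integrity: "sha512-placeholder" },
    "node_modules/esbuild": { version: "0.18.20", resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.18.20.tgz", integrity: "sha512-placeholder", hasInstallScript: true },
    "node_modules/internal-lib": { version: "2.0.0", resolved: "https://mirror.example.invalid/internal-lib/-/internal-lib-2.0.0.tgz" },
  },
};

const REPORT = auditLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const f of REPORT) console.log(`${f.kind.padEnd(22)} ${f.name}: ${f.detail}`);
```

On a real project, load the two files with `fs.readFileSync` and `JSON.parse` in place of the constructed objects and fail CI on any finding you have not explicitly reviewed; the `unexpected-registry` and `missing-integrity` checks are the ones that catch a hand-edited or replaced lockfile, and `install-script` lists exactly the packages that will execute code at install time.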