Description
Contribution
- I'd be willing to implement this feature (contributing guide)
Describe the user story
As a developer, I'd like to be able to easily check if specific packages are part of the dependency tree described by pnpm-lock.yaml, and if they would be installed when running pnpm install --frozen-lockfile, even if those packages are not currently installed (for example before running pnpm install or after changing branches).
Currently pnpm list seems to only list currently installed packages under node_modules. If you remove node_modules/ then pnpm list <packages...> will not find anything even if those packages are referenced in package.json or pnpm-lock.yaml.
This is especially relevant now due to the recent npm supply-chain attacks. Having this new option would make it easier and faster to check if your lockfile contains malicious packages.
Describe the solution you'd like
npm has the option --package-lock-only for npm list. I want a similar option for pnpm, but the naming should probably be --lockfile-only as that is already available for pnpm install (https://pnpm.io/cli/install#--lockfile-only)
Describe the drawbacks of your solution
No response
Describe alternatives you've considered
Currently when I want to check for example if my pnpm-lock.yaml in some branch/commit includes some known malicious packages I need to do something like this:
# switch to commit where I want to check the lockfile
git switch --detach <ref>
# remove all node_modules directories under my repo to get a clean state before pnpm install
pnpm dlx rimraf -g '**/node_modules/' -I
# run pnpm install so I can use pnpm list
pnpm install --frozen-lockfile --ignore-scripts
pnpm list -r --depth Infinity <packages...>

But this can be very slow depending on the number of dependencies in your project.
If pnpm list had this feature similar to npm list --package-lock-only then I could just do this instead:
# switch to commit where I want to check the lockfile
git switch --detach <ref>
pnpm list -r --depth Infinity --lockfile-only <packages...>

There might be other ways to parse pnpm-lock.yaml directly but the pnpm CLI should have an easy way to do this without external scripts/tools.
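As an added example (not part of this issue and not pnpm's own code), here is a dependency-free Python script that performs the lockfile-only check the request describes by reading the `packages:` section of pnpm-lock.yaml directly, so no `pnpm install` and no node_modules are needed. It assumes the key shapes used by lockfileVersion 6 and 9 (`name@version`, an optional leading `/`, and an optional `(peer@x)` suffix); the embedded lockfile is constructed sample data and `sha512-PLACEHOLDER` stands in for real integrity hashes.

```python
"""Check whether given packages are resolved in a pnpm-lock.yaml without installing.

Added example; assumes lockfileVersion 6/9 key shapes. The sample lockfile below
is constructed for illustration and does not come from a real project.
"""
import re
import sys

SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true

importers:

  .:
    dependencies:
      chalk:
        specifier: ^5.3.0
        version: 5.3.0

packages:

  '@scope/thing@1.2.3':
    resolution: {integrity: sha512-PLACEHOLDER}

  chalk@5.3.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=16'}

  debug@4.3.4:
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      supports-color: '*'

snapshots:

  chalk@5.3.0: {}
"""

# A top-level YAML section header such as `packages:` (column 0, no value).
_TOP_SECTION = re.compile(r"^([A-Za-z]+):\s*$")
# A package key at exactly two-space indent, optionally quoted (scoped names are).
_PKG_KEY = re.compile(r"^  (['\"]?)(\S+?)\1:")


def normalize_key(key):
    """Reduce a lockfile package key to plain `name@version`."""
    key = key.lstrip("/")            # lockfileVersion 6 keys carry a leading slash
    return key.split("(", 1)[0]      # drop the peer-dependency suffix "(peer@x)"


def lockfile_package_keys(text):
    """Return every normalized key under the top-level `packages:` section."""
    keys = []
    in_packages = False
    for line in text.splitlines():
        section = _TOP_SECTION.match(line)
        if section:
            in_packages = section.group(1) == "packages"
            continue
        if not in_packages:
            continue
        m = _PKG_KEY.match(line)
        if m:
            keys.append(normalize_key(m.group(2)))
    return keys


def split_spec(spec):
    """'name@1.0.0' -> ('name', '1.0.0'); 'name' -> ('name', None); scoped names kept whole."""
    at = spec.rfind("@")
    if at <= 0:                      # no '@', or only the scope marker at index 0
        return spec, None
    return spec[:at], spec[at + 1:]


def find_packages(lock_text, queries):
    """Map each query (`name` or `name@version`) to the sorted versions resolved in the lockfile."""
    resolved = {}
    for key in lockfile_package_keys(lock_text):
        name, version = split_spec(key)
        resolved.setdefault(name, set()).add(version)
    found = {}
    for query in queries:
        name, version = split_spec(query)
        versions = resolved.get(name, set())
        if version is not None:
            versions = {v for v in versions if v == version}
        found[query] = sorted(versions)
    return found


if __name__ == "__main__":
    # Usage: python check_lock.py pnpm-lock.yaml <name[@version]>...
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        queries = sys.argv[2:]
    else:
        text, queries = SAMPLE_LOCKFILE, ["chalk", "@scope/thing@1.2.3", "left-pad"]
    for query, versions in find_packages(text, queries).items():
        print(f"{query}: {', '.join(versions) if versions else 'not in lockfile'}")
```

The script answers the narrower question "is this package at this version resolved anywhere in the lockfile", which is what a quick malicious-package sweep needs; it does not walk `importers:` to tell you which workspace project pulls the package in, and it does not evaluate `--frozen-lockfile` consistency with package.json.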