Rust Roadmap

[zkochan]

Stage 0

• Implement a job for publishing pacquet
• Adding pacquet to the benchmarks at pnpm.io Adding pacquet to the pnpm benchmarks page pacquet#100
• Mentioning pacquet on the pnpm website and/or in the readme.

Stage 1 — Headless installer

Make pacquet install --frozen-lockfile feature-complete with pnpm install --frozen-lockfile.

Pacquet does not resolve dependencies in this stage. The user runs pnpm install (or pnpm install --lockfile-only) to produce pnpm-lock.yaml, then pacquet install --frozen-lockfile materializes node_modules from it. The lockfile is the contract between the two tools.

This mirrors pnpm's internal @pnpm/headless boundary, so the seam is natural.

Completed

• Link dependency binaries pacquet#330 (link dependency binaries)
• Support building dependencies (pnpm won't worked with node-newrelic. #397)
• .modules.yaml write and verify pacquet#331 (.modules.yaml write and verify)
• Support patchedDependencies
• Support side-effects cache
• Reporting engine + NDJSON in pnpm's @pnpm/core-loggers schema (Run post install scripts after all dependencies were installed #345). Visual parity via @pnpm/cli.default-reporter is tracked under Tier 4 below (EACCESS error on runas #344).

TODO

Ordered by implementation dependency — items lower in the list generally build on items above.

Tier 1 — Foundations. Correct snapshot filtering and lockfile loading; nothing downstream is sound until these are in place.

• Proper optionalDependencies support — umbrella pacquet#434 — Proper optionalDependencies support (umbrella). Without correct os / cpu / libc filtering, every install over-fetches and may break on platforms other than the build host. Subsumes Install respects every snapshot — no os/cpu/libc filter for optional deps pacquet#266.
• Lockfile loader v11 completeness. crates/lockfile/src/resolution.rs uses #[serde(deny_unknown_fields)] and is missing TarballResolution.gitHosted, BinaryResolution, and VariationsResolution. A real v11 pnpm-lock.yaml containing a github-tarball, a git-hosted package, or a runtime entry fails serde before the install dispatcher runs. Types covered piecemeal in Install git-hosted packages from pnpm-lock.yaml (frozen-lockfile) pacquet#436 and Install runtime dependencies (node@runtime:, deno@runtime:, bun@runtime:) from pnpm-lock.yaml pacquet#437; land them as a single unblocker so loading is correct before the install logic for each shape ships.
• Frozen-lockfile freshness check (Update ts-node to version 1.6.1 🚀 #447). Error when package.json dependencies don't match the lockfile importer entries, mirroring upstream's allProjectsAreUpToDate. Today pacquet installs regardless of staleness, which silently masks lockfile/manifest drift in CI.

Tier 2 — Real-world install enablers. Each unlocks a large slice of real pnpm repos and is largely independent of the others.

• Add workspace support to pacquet install --frozen-lockfile pacquet#431 — Support workspaces. Most real pnpm repos are workspaces; until this lands, pacquet can't install them at all.
• Partial install with --frozen-lockfile: read+write node_modules/.pnpm/lock.yaml and skip unchanged snapshots pacquet#433 — Partial install with --frozen-lockfile: read+write node_modules/.pnpm/lock.yaml and skip unchanged snapshots. Closes the warm-install perf gap.
• Add hoisting support: hoistPattern and publicHoistPattern pacquet#435 — Hoisting (hoistPattern, publicHoistPattern). Needed for ecosystem packages that rely on phantom dependencies and for editor tooling (eslint/prettier).

Tier 3 — New resolution types and layout modes. Each is a self-contained extension to the install pipeline; the ordering inside this tier is mostly arbitrary.

• Add global virtual store support to pacquet install --frozen-lockfile pacquet#432 — Support the global virtual store dir (Stage 1: frozen-lockfile install + per-importer registry). Follow-ups: Implement pacquet store prune for the global virtual store (#432 follow-up) pacquet#458 (prune sweep), Engine-agnostic GVS hash gating via allowBuilds-driven built_dep_paths (#432 follow-up) pacquet#459 (engine-agnostic hash gating); CI auto-detect / CONFIG_CONFLICT validation / e2e globalVirtualStore.ts port remain as bullets on Add global virtual store support to pacquet install --frozen-lockfile pacquet#432.
• Install git-hosted packages from pnpm-lock.yaml (frozen-lockfile) pacquet#436 — Install git-hosted packages from pnpm-lock.yaml (frozen-lockfile).
• Install runtime dependencies (node@runtime:, deno@runtime:, bun@runtime:) from pnpm-lock.yaml pacquet#437 — Install runtime dependencies (node@runtime:, deno@runtime:, bun@runtime:).
• Support nodeLinker: 'hoisted' — umbrella pacquet#438 — Support nodeLinker: 'hoisted' (umbrella). Alternative installer; orthogonal to Add hoisting support: hoistPattern and publicHoistPattern pacquet#435.
• Support named registries (will be published in v11.1).

Tier 4 — Consistency, polish, auxiliary. Quality-of-life fixes that close the parity gap once the structural work is in place.

• Surplus virtual-store cleanup. Remove packages from .pnpm/ that no longer appear in the lockfile (upstream's pruneVirtualStore). Sister to Partial install with --frozen-lockfile: read+write node_modules/.pnpm/lock.yaml and skip unchanged snapshots pacquet#433 — partial install decides what to add; this decides what to remove.
• .modules.yaml validation triggering re-install on layout change. Upstream's validateModules forces a full re-import when nodeLinker / hoistPattern / publicHoistPattern / etc. differ between runs. Pacquet writes .modules.yaml (feat(install): install from local packages #331) but does not compare on the read side, so layout-affecting setting changes are silently ignored.
• Support proper auth pacquet#336 — Support proper auth.
• Use pnpm's @pnpm/cli.default-reporter for terminal output (via NDJSON) pacquet#344 — Use pnpm's @pnpm/cli.default-reporter for terminal output (via NDJSON). Brings visual parity with pnpm install on top of the reporting engine landed in feat(reporter): implement the reporting engine (NDJSON + Reporter trait) pacquet#345.
• Support proxy setting of pnpm - feat: proxy support (.npmrc + env-var cascade, HTTP/HTTPS/SOCKS) pacquet#476.
• Hoisted-bin precedence and lifecycle-script-created bins (deferred from #333) pacquet#342 — Hoisted-bin precedence and lifecycle-script-created bins.
• chore(reporter): backfill missing log events in already-ported code pacquet#347 — Backfill missing log events in already-ported code.

Integration milestone (between Stage 1 and Stage 2)

Once the headless installer is solid, integrate pacquet as an opt-in install backend for pnpm itself — for example via an install-backend=pacquet setting, or a Node N-API addon hooked at the @pnpm/headless seam. This ships Stage 1 value to every pnpm user, not just those who install pacquet directly, and provides a feedback firehose for parity validation before Stage 2 is built.

Stage 2 — Implementing resolution

Make pacquet install feature-complete with pnpm install (no --frozen-lockfile). Pacquet reads package.json + pnpm-workspace.yaml, resolves the dependency graph, writes a pnpm-lock.yaml that round-trips byte-identically with pnpm's, and materializes node_modules. This unlocks the install subcommands that today only work via pnpm: install (default), install --lockfile-only, add, update, remove, outdated, why.

Pacquet already has scaffolding from Stage 1: crates/registry, crates/resolving-npm-resolver (metadata fetch + cache, named registries, mirroring, trust checks), crates/resolving-resolver-base, and a full lockfile writer (crates/lockfile/save_lockfile). Stage 2 fills in the parts that turn a manifest into a resolved graph.

TODO

Ordered by implementation dependency — items lower in the list generally build on items above.

Tier 1 — Foundations. Nothing downstream is sound until these land.

• Bare-specifier parser & wanted-dependency model. Port @pnpm/resolving.parse-wanted-dependency (npm alias pnpm:foo@npm:bar, scoped names, tag vs. semver) and the protocol-routing dispatcher at the top of resolving/default-resolver/src/index.ts. Slots into the existing resolving-resolver-base crate.
• Resolution graph & recursion engine. Port installing/deps-resolver/src/resolveDependencyTree.ts and resolveDependencies.ts (~2.3k LoC combined). Owns dedupe by name (pkgIdsByName), preferredVersions, direct-vs-transitive context, resolutionsByDepPath cache, pendingNodes, linked-workspace tracking. Heart of this stage.
• Verify lockfile writer parity for newly-resolved entries. Pacquet's save_lockfile round-trips Stage 1 inputs; confirm it serializes new packages / snapshots / importers / catalogs / overrides / patchedDependencies byte-identically with pnpm so pnpm install after pacquet install produces no diff.

Tier 2 — Per-protocol resolvers. Each unlocks a class of spec. Largely independent.

• npm resolver — version picking. Port pickPackage.ts / pickPackageFromMeta.ts: semver matching, tag handling, allowedDeprecatedVersions, minimumReleaseAge. Metadata fetch already exists in resolving-npm-resolver.
• Git resolver. Port resolving/git-resolver: git+ssh, github:owner/repo#ref, #semver:^1 selectors, GitHub-tarball preference. Pairs with the Stage-1 git-fetcher crate.
• Tarball resolver. Port resolving/tarball-resolver: direct https://…/foo.tgz resolution + integrity verify.
• Local-path / link / file resolver. Port resolving/local-resolver: file:../foo, link:../foo, injected deps. The Stage-1 directory-fetcher crate handles the fetch side.
• JSR specifier parser. Port resolving/jsr-specifier-parser; wires into the JSR path already drafted in resolving-npm-resolver.
• Runtime resolver. Pick versions for node@runtime: / deno@runtime: / bun@runtime:. Stage 1 already loads them from the lockfile; resolution still has to choose a version and emit the entry.
• Catalog protocol. Resolve catalog:default / catalog:react18 through pnpm-workspace.yaml's catalog(s):, then dispatch to npm. Snapshot the selections into the lockfile's catalogs: block.
• Workspace protocol. workspace:* / workspace:^ / workspace:~ / workspace:1.2.3 → link: lockfile entry + publish-time spec rewrite. Pacquet already loads workspaces (Add workspace support to pacquet install --frozen-lockfile pacquet#431).

Tier 3 — Resolution policies & constraints. Behaviors layered on top of the recursion that change which version wins or whether the install proceeds.

• Peer dependency resolution. Port resolvePeers.ts (~1k LoC). Produces dep paths with peer hashes (foo@1.0.0(react@18.0.0)). Heaviest single port in this stage.
• Overrides. pnpm.overrides from pnpm-workspace.yaml. Apply at parseWantedDependency time; record in the lockfile's overrides: block.
• allowedDeprecatedVersions + deprecation warning emission. Wire to the same NDJSON deprecation channel pnpm uses so @pnpm/cli.default-reporter formats them identically.
• blockExoticSubdeps. Reject git/tarball/file specs in transitive deps.
• patchedDependencies resolution-side. Hash the patch and attach pkgIdWithPatchHash to dep paths so the installer picks the patched store entry. crates/lockfile/pkg_id_with_patch_hash.rs already exists.
• allowNonAppliedPatches + verifyPatches.
• minimumReleaseAge at resolve time. Today it gates global installs only; extend it so new transitive versions are also rejected, mirroring upstream's resolve-path enforcement.

Tier 4 — Hooks & custom resolution. Both require running user JavaScript inside pacquet — design call needed.

• .pnpmfile.cjs / pnpmfile.cjs execution. Port the readPackage, afterAllResolved, preResolution, filterLog hook surface from hooks/pnpmfile. Implementation choice — embed a JS runtime (rquickjs / deno_core / boa) or shell out to node — has its own parity, perf, and dependency-footprint trade-offs and is worth its own design issue before code lands.
• Custom resolvers (hooks.types.CustomResolver). Same JS-execution concern as pnpmfile.

Tier 5 — Commands unlocked by resolution. Stage 1 only delivers pacquet install --frozen-lockfile. Once resolution lands, each of these is a CLI surface port that follows the underlying capability.

• pacquet install (default, non-frozen).
• pacquet install --lockfile-only.
• pacquet add (incl. -D, --save-peer, --save-exact, --save-prefix).
• pacquet update (incl. --latest, updateMatching, -i).
• pacquet remove.
• pacquet outdated.
• pacquet why.

Tier 6 — Consistency, polish, auxiliary. Close the parity gap once the structural work is in place.

• Round-trip stability. A re-resolve that picks the same versions must produce a byte-identical pnpm-lock.yaml (key ordering, anchor reuse, no spurious churn).
• Project-manifest update on add / remove / update. Port updateProjectManifest.ts: respect save-prefix, save-exact, save-workspace-protocol.
• afterAllResolved / preResolution log-event parity so @pnpm/cli.default-reporter formats them identically.
• Backfill missing log emissions in newly-ported resolution code (sister to chore(reporter): backfill missing log events in already-ported code pacquet#347).
• E2E port. Mirror pnpm/test/install.ts, add.ts, update.ts, remove.ts, outdated.ts into pacquet's test layout as each capability lands.

Integration milestone (between Stage 2 and Stage 3)

Once resolution is solid, extend the Stage-1 → Stage-2 opt-in seam (install-backend=pacquet / N-API) to route everyday pnpm install calls through pacquet end-to-end — not just --frozen-lockfile. Stage 3 then targets the non-install command surface (publish, audit, dlx, exec, run, store).

Stage 3 — TBD

---

Stage 2 plan drafted by an agent (Claude Code, claude-opus-4-7).

[anthonyshew]

@zkochan How would you feel about a Test-Driven Development (TDD) approach to the TODOs?

I imagine you have test coverage over most/many of these features in the TypeScript code, covering basic and edge case behavior. I'm figuring we could leverage that code for our purposes here.

My rough proposal would be:

1. Pick a TODO and find all (or a batch of N?) tests related to it.
2. Port to Rust and mark all the added tests as expected failures.
3. Make a PR just for the tests.

We could choose to port ~all of the tests related to the full list of TODOs up front, or we could do

1. PR(s) for a specific TODOs tests
2. PR(s) for implementation of that TODO

I'm a TDD enjoyer, especially with porting work and doubly so with coding agents in hand. I have memories of the Go → Rust port for Turborepo where TDD really helped us. It seems like the same pattern(s) that we used for that would apply well here.

I can do whatever variant of this that we think would serve us best. Also happy to do implementations and tests in one motion, too, if that's preferred. Just let me know!

[zkochan]

@KSXGitHub suggested something similar. I have no objections. If you have experience doing such things you could show the way. Maybe even write some instructions for the agents.

[anthonyshew]

I've done a few language ports, with and without agents. I'll put together a first PR for the approach I'd take now.

[KSXGitHub]

Make sure to tell the AI agents to "test the tests" before porting the tests: After porting the tests, tell the AI to temporary modify some code paths to see whether the ported tests would fail as expected.

I suspect many existing tests in pnpm don't fail when you want them to fail.

[anthonyshew]

Take a look at pnpm/pacquet#309. For now, I'm just letting us create the test code with known_failure, and leaving stubs for implementation. The TEST_PORTING.md mentions what you're saying, as well.

[KSXGitHub]

@zkochan What do you think about a unified global dependency injection pattern?

It would help with unit tests that currently require modifying the environment (such as env::set_env (unsafe) and various I/O operations).

It would help with some of the missing CodeCov Code Coverage by allowing us to write more tests.

References

I have a repo called parallel-disk-usage that makes limited use of dependency injection:

https://github.com/KSXGitHub/parallel-disk-usage/blob/2aa39917f98384d6b27f4c2030ea146acb5b4273/src/app.rs#L147

https://github.com/KSXGitHub/parallel-disk-usage/blob/2aa39917f98384d6b27f4c2030ea146acb5b4273/src/app/hdd.rs#L15-L23

https://github.com/KSXGitHub/parallel-disk-usage/blob/2aa39917f98384d6b27f4c2030ea146acb5b4273/src/app/hdd/test.rs#L28-L40

https://github.com/KSXGitHub/parallel-disk-usage/blob/2aa39917f98384d6b27f4c2030ea146acb5b4273/src/app/hdd/test.rs#L50-L64

https://github.com/KSXGitHub/parallel-disk-usage/blob/2aa39917f98384d6b27f4c2030ea146acb5b4273/src/app/hdd/test_linux.rs#L64-L83

Injected values that act in place of environment differences can be emulated with local statics

[zkochan]

Code coverage is already at 90%, which is more than in pnpm, in a language that is stricter than typescript. I think you are trying to solve issues that are not important at the moment.

I'd suggest you to create a separate issue about this and maybe someone with more experience in the area can step in.

IMO, we should just proceed with the migration.