pnpm/pnpm

Why this case study matters

pnpm IS the canonical pnpm-workspace monorepo: 169 packages spread across ~50 functional root directories (cache/, cli/, store/, engine/pm/, installing/dedupe/, deps/compliance/, etc.) rather than the usual packages/* flat layout. Whatever convention pnpm enforces on itself becomes the reference shape for the hundreds of downstream TS/JS monorepos that copy it. The pnpm package itself ships ~16M weekly downloads at the time of capture; showing alint configures cleanly against the pnpm reference itself gives instant credibility with the JS/TS audience, and makes examples/pnpm-pnpm/.alint.yml a literal copy-paste starter for any downstream pnpm-workspace user.

Headline catch

pnpm keeps its 169 packages in lock-step through .meta-updater/, a 470-line in-tree TypeScript plugin (@pnpm-private/updater) backed by @pnpm/meta-updater. The plugin enforces 13 distinct cross-package field invariants on every install: license, funding, bugs, engines.node, type, homepage, repository, keywords, dependencies sort order, the catalog: remap, the workspace:* remap, the scripts.lint/scripts.test/scripts.compile shape, and a per-package tsconfig.json#references tree derived from pnpm-lock.yaml.

Alint covers 11 of those 13 invariants today by asserting against the expected literal value, close enough that catching drift on a new package is a one-line PR for alint vs. requiring contributors to install + run the meta-updater plugin locally. The remaining two (catalog-completeness, internal/external dep remap) close once cross_file_value_equals ships in v0.10.

This is the “hand-rolled cross-package field-sync plugin” data point: alongside microsoft/typescript (frozen, meticulously curated) and apache/airflow (109-hook pre-commit pipeline). pnpm pushed cross_file_value_equals past saturation: the 8th of 10 confirmed sources (airflow, tokio, clap, uv, react, pnpm, nodejs/node, pytorch, vscode, istio).

Where alint earns its keep here

• The meta-updater story: alint replicates the structural floor declaratively. No plugin, no install step, runs the same on every contributor machine. For any downstream pnpm-workspace user who looks at meta-updater and thinks “I’d like the discipline but not the plugin,” this is the answer.
• Agent-guardrail rules: pnpm is the only P2a repo so far that has explicitly chosen to refuse certain agent operations in-tree. The prepare-commit-msg-blocks-claude-amend and pre-commit-blocks-claude-on-main-branch hooks are a multi-hook agent-aware setup unlike anything else in the inventory; they’re a strong data point for the agent-hygiene ruleset positioning.
• Per-package field shape rules run against 169 manifests in tens of milliseconds. Sequential jq on 169 files with shell would be ~5-10 s. The cross-cutting structural floor pays back the most when the repo size is dominated by many small homogeneous package directories, exactly pnpm’s shape.
• Polyrepo layout coverage: pnpm’s ~50 functional root directories are the off-the-beaten-path case the bundled monorepo/pnpm-workspace@v1 overlay was designed not to over-fire on; the case-study config layers pnpm-specific rules using brace-alternation globs over the 33 functional root dirs.

Future story angles

• Fourth tile candidate: position as the canonical “hand-rolled cross-package field-sync plugin” tile alongside kubernetes (verify-script sprawl), airflow (109-hook pre-commit), microsoft/typescript (frozen TS toolchain).
• Downstream pnpm-workspace adoption pitch: every TS/JS monorepo that copies the pnpm-workspace shape is a candidate for the same .alint.yml. The starter config is reusable as-is across the ecosystem.
• Agent-hygiene narrative pairing: pair pnpm’s multi-hook Claude-Code refusal pattern with kubernetes’ agent-context coverage for a launch-post on the agent-hygiene ruleset positioning.
• cross_file_value_equals v0.10 ship-target post: pnpm’s meta-updater is the most concrete reference of the saturated demand (catalog completeness sub-shape adds a variant worth scoping into the design).