pindeps
v0.7.1
A CLI tool to pin dependency versions in JavaScript package managers
pindeps is a CLI tool to pin dependency versions in JavaScript package managers.
It parses lockfiles and pins versions in dependency files such as package.json and pnpm-workspace.yaml.
{
"dependencies": {
"enogu": "0.7.0",
- "pindeps": "^0.2.0"
+ "pindeps": "0.6.2"
},
"devDependencies": {
- "typescript": "~5.9.0"
+ "typescript": "5.9.3"
}
}

Usage
You can pin dependencies in your package.json, pnpm-workspace.yaml, and deno.json(c) by using the following command:
npx pindeps@latest
# Other package managers
yarn dlx pindeps
pnpm dlx pindeps
bunx pindeps@latest
# Secure usage with Deno (v2.6.0 or higher):
dx -rWR="." pindeps

--dev flag
If you want to pin only devDependencies, you can use the --dev flag:
npx pindeps@latest --dev

--check flag
If you want to check whether all dependencies are pinned without modifying files, you can use the --check flag:
npx pindeps@latest --check

This command:
- Exits with code 0 if all dependencies are pinned
- Exits with code 1 if any dependencies are not pinned
- Useful for CI/CD pipelines to ensure dependencies are pinned
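The pinned/unpinned decision behind a check of this kind, as an added example that is not pindeps' own code: a specifier counts as pinned only when it is a single exact version. The function names, the treatment of workspace:/file: specifiers as local, and the restriction to dependencies and devDependencies are assumptions of this example.

```javascript
// Added example, not pindeps' implementation: a simplified pinned-version check.
// A spec counts as pinned only if it is one exact semver version.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one dependency specifier from a manifest.
function classify(spec) {
  const s = String(spec).trim();
  // npm alias form "npm:<name>@<version>": judge the part after the last "@".
  if (s.startsWith("npm:")) {
    const at = s.lastIndexOf("@");
    return at > 4 ? classify(s.slice(at + 1)) : "unpinned";
  }
  // Assumption: local and workspace references are out of scope for pinning.
  if (/^(workspace|file|link|portal):/.test(s)) return "local";
  // Everything else (^, ~, *, x-ranges, dist-tags, URLs) is reported as unpinned.
  return EXACT.test(s) ? "pinned" : "unpinned";
}

// Return [{ field, name, spec }] for each unpinned entry; devOnly mirrors --dev.
function findUnpinned(manifest, { devOnly = false } = {}) {
  const fields = devOnly
    ? ["devDependencies"]
    : ["dependencies", "devDependencies"];
  const out = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      if (classify(spec) === "unpinned") out.push({ field, name, spec });
    }
  }
  return out;
}

// Exit status in the style described for --check: 0 = all pinned, 1 = not.
function checkExitCode(manifest, opts) {
  return findUnpinned(manifest, opts).length === 0 ? 0 : 1;
}

// Constructed sample manifests, modelled on the before/after snippet in this README.
const before = {
  dependencies: { enogu: "0.7.0", pindeps: "^0.2.0" },
  devDependencies: { typescript: "~5.9.0" },
};
const after = {
  dependencies: { enogu: "0.7.0", pindeps: "0.6.2" },
  devDependencies: { typescript: "5.9.3" },
};
for (const [label, m] of [["before", before], ["after", after]]) {
  console.log(label, "exit", checkExitCode(m), findUnpinned(m));
}
```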
You can also combine --check with --dev to check only devDependencies:
npx pindeps@latest --check --dev

Supported Package Managers
| Name | Manifest | Lockfile |
| -------- | --------------------------------------------------------------------------------------------- | ------------------- |
| npm | package.json | package-lock.json |
| Yarn | package.json | yarn.lock |
| pnpm | package.json, pnpm-workspace.yaml | pnpm-lock.yaml |
| Bun | package.json (with comments) | bun.lock |
| Deno | package.json, deno.json, deno.jsonc | deno.lock |
Feedback
Found a bug or have an idea for a new feature? Please file an issue.
Related
Should you Pin your JavaScript Dependencies? - Renovate Docs provides a comprehensive explanation of dependency pinning.
pinact by Shunsuke Suzuki - A CLI tool to pin versions of GitHub Actions and Reusable Workflows.
