docs(only-allow-pnpm): added option to enforce pnpm with package.json and .npmrc

[karthikappiah]

TLDR

I added a non-invasive update to a single page of the docs. Currently, the docs only tell you to add npx only-allow pnpm to the preinstall script inside package.json, the option—to set the .npmrc configuration variable engine-strict as true and specify PNPM as the enforced package manager in the package.json—is not in the docs, which is why I added this option to the docs and created a pull request.

How to Enforce PNPM as the Only Package Manager

For easier reference, here is one of many GitHub threads that describe the same issue:

As per the NPM docs, to prevent the use of an unspecified package manager, from Node v16.9.0 (backported to v14.19.0) onwards, you should:

1. Create a file, if it doesn't already exist, named .npmrc at the root of your project.
2. Set the following configuration variable in your .npmrc to true:

engine-strict=true

3. Specify the following fields in your package.json:

{
  "devEngines": {
    "runtime": {
      "name": "node",
      "onFail": "error"
    },
    "packageManager": {
      "name": "pnpm",
      "version": "10.13.1",
      "onFail": "error"
    }
  },
  "engines": {
    "node": ">=18.18.0",
    "pnpm": ">=10.0.0"
  },
}

• Now, when you run npm i or npm i -D, these commands return this error (before the preinstall script can run):

username@hostname nodejs-project % npm i -D package
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid name "pnpm" does not match "npm" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.2' },
npm error EBADDEVENGINES   required: { name: 'pnpm', onFail: 'error' }
npm error EBADDEVENGINES }
npm error A complete log of this run can be found in: /Users/username/.npm/_logs/2021-08-21T00_00_00_000Z-debug-0.log

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

@karthikappiah is attempting to deploy a commit to the pnpm Team on Vercel.

A member of the Team first needs to authorize it.

[karthikappiah]

I created a different pull request previously with the default branch name patch-4, so I renamed my branch more descriptively, hence another pull request.

We should consider a pull request template (like a form someone must fill out), similar to how the NextAuth documentation handles pull requests. I believe this will simplify merging pull requests.