For npm users
scpm can install directly from npm lockfiles. You do not need to delete
package-lock.json or remove node_modules before trying scpm.
Try the npm lockfile
scpm install
Run this once when you specifically want to verify that scpm can read and
write the existing npm lockfile. For normal local work, run the command you
wanted instead: scpmr build, scpm test, and scpm exec <bin> auto-install
first when dependencies are stale; scpmx <pkg> handles one-off tools.
scpm reads:
- package-lock.json
- npm-shrinkwrap.json
It updates whichever of those two files the project already has on disk and
installs packages into node_modules/.scpm/.
Keep npm working during rollout
Commit the updated package-lock.json (or npm-shrinkwrap.json) so both
npm and scpm users see the same resolved versions. You do not need
scpm import for a normal rollout; scpm install keeps the npm lockfile as
the shared source of truth.
Use scpm import only if the team intentionally wants to convert the project
to scpm-lock.yaml. After import succeeds, remove the npm lockfile so future
installs keep writing scpm-lock.yaml.
Differences from npm
- scpm's default node_modules layout is isolated, not flat.
- Only declared direct dependencies appear at the project top level,
  unless you opt into nodeLinker: hoisted.
- Dependency lifecycle scripts (preinstall, install, postinstall) do not
  run by default. npm runs them for every dependency; scpm runs them only
  for packages approved in allowBuilds; legacy pnpm.onlyBuiltDependencies
  entries are still honored. This follows the pnpm v11 model. Approved
  dependency builds can also run in a jail with package-specific env, path,
  and network permissions.
- Global installs live under scpm's global package directory instead of
  npm's shared global node_modules.
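An added example, not part of scpm or its documentation: since npm runs dependency lifecycle scripts for every package and scpm runs them only for approved ones, this Node.js script reads the hasInstallScript flag that npm records in lockfileVersion 2 and 3 lockfiles and lists which packages still need a review decision. The sample lockfile is constructed, the function names are hypothetical, and the approved list is a plain array of names rather than scpm's own allowBuilds format.

```javascript
// Constructed sample in the package-lock.json v2/v3 shape (not a real project).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "native-db": "^1.0.0" } },
    "node_modules/native-db": { version: "1.2.0", hasInstallScript: true },
    "node_modules/left-util": { version: "2.0.1" },
    "node_modules/@scope/img-tool": { version: "0.4.0", dev: true, hasInstallScript: true },
    "node_modules/native-db/node_modules/gyp-helper": { version: "3.1.0", hasInstallScript: true },
  },
};

// The package name is whatever follows the last "node_modules/" in the key.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// approvedNames: hypothetical plain list of package names a reviewer has approved.
function auditInstallScripts(lock, approvedNames = []) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("no 'packages' map: expected lockfileVersion 2 or 3");
  }
  const approved = new Set(approvedNames);
  const report = { approved: [], unapproved: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Skip the root project, workspace links, and packages without scripts.
    if (path === "" || entry.link || !entry.hasInstallScript) continue;
    const name = packageNameFromPath(path);
    if (name === null) continue; // local workspace folder, not a dependency
    const item = { name, version: entry.version, path, dev: Boolean(entry.dev) };
    (approved.has(name) ? report.approved : report.unapproved).push(item);
  }
  const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
  report.approved.sort(byName);
  report.unapproved.sort(byName);
  return report;
}

const demo = auditInstallScripts(sampleLock, ["native-db"]);
console.log("approved:", demo.approved.map((p) => `${p.name}@${p.version}`));
console.log("need review:", demo.unapproved.map((p) => `${p.name}@${p.version}`));
```

For a real project, pass the parsed contents of package-lock.json or npm-shrinkwrap.json as the first argument.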
Reference: npm install
