
Local-only, gitignored dependency overrides for pnpm (lockfile-safe)

dev tool • weekend hack • multiple requests

Devs who want to point a dependency at a local checkout on their own machine have to either keep editing package.json and reinstalling, or commit a pnpm `overrides` entry that poisons the lockfile with local paths and breaks CI/prod installs. They want a gitignored local-overrides file that hard-links the override on their machine but builds the lockfile exactly as if it weren't there.

builder note

Build it as a pnpm plugin using the pnpmfile resolution hook: read a gitignored package-local.json, hard-link the override, and skip it during lockfile generation. The make-or-break detail is guaranteeing the lockfile is byte-identical with and without the override present, or `--frozen-lockfile` in CI will revolt.
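
A CI-side check for the lockfile-neutrality requirement above, as an added example (not code from pnpm or from the linked issue). It assumes the lockfile has a top-level `overrides:` map and `specifier:` lines under `importers:`; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: guard against local paths leaking into pnpm-lock.yaml.
// Assumed layout: top-level `overrides:` map, `specifier:` lines per dependency.
const LOCAL_PROTOCOL = /^['"]?(link|file):/;

// Return every lockfile line that records a local path, either as an
// override value or as a dependency specifier.
function findLocalPathEntries(lockfileText) {
  const findings = [];
  let inOverrides = false;
  lockfileText.split(/\r?\n/).forEach((raw, i) => {
    // An unindented line starts a new top-level key and ends any overrides block.
    if (/^\S/.test(raw)) inOverrides = /^overrides:\s*$/.test(raw);
    const m = raw.match(/^\s+(.+?):\s+(\S.*)$/);
    if (!m) return;
    const [, key, value] = m;
    if ((inOverrides || key === 'specifier') && LOCAL_PROTOCOL.test(value)) {
      findings.push({ line: i + 1, key, value });
    }
  });
  return findings;
}

// Compare the lockfile text generated with the local override file present
// against the text generated without it. null means the two are identical.
function firstDifference(withOverride, withoutOverride) {
  if (withOverride === withoutOverride) return null;
  const a = withOverride.split('\n');
  const b = withoutOverride.split('\n');
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) {
      return { line: i + 1, withOverride: a[i] ?? null, withoutOverride: b[i] ?? null };
    }
  }
  return null; // not reached: unequal strings always differ on some line
}

// Constructed sample lockfiles (not taken from a real project).
const CLEAN = ["lockfileVersion: '9.0'", '', 'importers:', '', '  .:', '    dependencies:',
  '      left-pad:', '        specifier: ^1.3.0', '        version: 1.3.0', ''].join('\n');
const POISONED = ["lockfileVersion: '9.0'", '', 'overrides:', '  left-pad: link:../left-pad', '',
  'importers:', '', '  .:', '    dependencies:', '      left-pad:',
  '        specifier: link:../left-pad', '        version: link:../left-pad', ''].join('\n');

console.log(findLocalPathEntries(POISONED));
console.log(firstDifference(POISONED, CLEAN));
```

In CI the two inputs would be the committed lockfile and one regenerated on a machine that has the local override file; any finding or any difference should fail the job before `--frozen-lockfile` does.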

landscape (3 existing solutions)

No tool does gitignored, lockfile-neutral local overrides today, and pnpm itself has left the request open for a year. pnpm's pnpmfile / config-dependency hook means a third party could ship this as a plugin rather than waiting on core.

pnpm overrides (committed): Lives in package.json and must be committed; pins the lockfile to local paths, which breaks CI and production installs.
pnpm link: The documented alternative, but users in the thread report it fails to resolve dependencies properly and creates duplicate package instances.
pnpm patch / patchedDependencies: Applies a diff to a published package, not a swap to a local working checkout, so it solves a different problem.

sources (1)

other https://github.com/pnpm/pnpm/issues/9527 "I am facing the same situation after switch to pnpm11" 2025-05-13
pnpm • node • monorepo • dependencies • lockfile