Stop the wrong package manager sneaking into your project

pm-guard

We have four Node package managers now. npm, Yarn, pnpm, Bun - all alive, all producing their own lock files. On any given project, exactly one of them is right.

I watched someone run npm install in a project that relies on pnpm. A package-lock.json turned up in the PR. Not a catastrophe, but a mess - and the kind of thing that quietly erodes trust in a repo’s tooling over time.

I built pm-guard to catch it. Drop it in CI and it’ll exit 1 if a foreign lock file is detected:

npx pm-guard

It infers the intended package manager from the packageManager field in package.json, or from whichever lock file is already present. If you want to be explicit:

npx pm-guard --expect bun
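
The inference described above, written out as an added example (this is not pm-guard's own source). The function names, the precedence order and the sample inputs are assumptions; the caller passes in the parsed package.json and the file names found in the project root.

```javascript
// Added illustration, not pm-guard's code. Lock file names are each manager's defaults.
const LOCK_FILES = {
  npm: ["package-lock.json", "npm-shrinkwrap.json"],
  yarn: ["yarn.lock"],
  pnpm: ["pnpm-lock.yaml"],
  bun: ["bun.lock", "bun.lockb"],
};

// Which manager owns a lock file name, or null if it is not a lock file.
function ownerOf(file) {
  for (const [pm, names] of Object.entries(LOCK_FILES)) {
    if (names.includes(file)) return pm;
  }
  return null;
}

// packageManager looks like "pnpm@9.1.0", optionally followed by "+sha512.<hash>".
function fromPackageManagerField(pkg) {
  const m = /^(npm|yarn|pnpm|bun)@/.exec(String(pkg.packageManager || ""));
  return m ? m[1] : null;
}

// Hypothetical helper: returns { ok, expected, foreign } for one project root.
function checkLockFiles(pkg, files, expect = null) {
  if (expect !== null && !Object.hasOwn(LOCK_FILES, expect)) {
    throw new Error(`unknown package manager: ${expect}`);
  }
  const present = files.filter((f) => ownerOf(f) !== null);
  const owners = [...new Set(present.map(ownerOf))];
  // Assumed precedence: explicit value, then package.json, then a sole lock file owner.
  const expected =
    expect || fromPackageManagerField(pkg) || (owners.length === 1 ? owners[0] : null);
  if (!expected) {
    // Nothing declared: fine with no lock files, a failure when several managers' files coexist.
    return { ok: owners.length === 0, expected: null, foreign: present };
  }
  const foreign = present.filter((f) => ownerOf(f) !== expected);
  return { ok: foreign.length === 0, expected, foreign };
}

// Constructed sample: a pnpm project after someone ran `npm install`.
const SAMPLE_PKG = { name: "demo", packageManager: "pnpm@9.1.0" };
const SAMPLE_FILES = ["package.json", "pnpm-lock.yaml", "package-lock.json", "src"];
console.log(checkLockFiles(SAMPLE_PKG, SAMPLE_FILES));
```

In a CI step, a result with ok set to false would map to a non-zero exit code.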

There’s also a clean command if you’ve already got conflicting lock files and want to sort it out interactively.

npx pm-guard clean

That’s it. One less thing to catch in review.

written by
Liam Hammett
Copyright © 2026 Liam Hammett and all that kind of stuff