pnpm.fetchDeps: ensure consistent permissions, add versioning

[gepbird]

Fixes #422889
Closes #350063

Feedback is welcome about the versioning interface :)

This is very WIP as I have to go now, haven't even tested and may need to do changes for the configHook too

cc @jfraudeau

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• Nixpkgs 25.11 Release Notes (or backporting 25.05 Nixpkgs Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
• NixOS 25.11 Release Notes (or backporting 25.05 NixOS Release notes)
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

---

Add a 👍 reaction to pull requests you find important.

[gepbird]

Do we need to also version configHook? From the original issue I heard this is working fine for people. I'm just afraid in the future the configHook will only be compatible with a fetcherVersion <= x fetchDeps and we'd need a new version of configHook. And that that point it would be easier to keep them on the same version, what do you think @Scrumplex ?

(I'm still a bit short on time to do proper research)

[Scrumplex]

What if we store fetcherVersion in $out (if greater than 1) so that we can apply logic in config hook for different fetcher versions

[gepbird]

What if we store fetcherVersion in $out (if greater than 1) so that we can apply logic in config hook for different fetcher versions

Great idea, much better than having to duplicate the fetcher version and doing something like this:

nativeBuildInputs = [
  (pnpm_10.configHook { fetcherVersion = 2; })
];

# or this:
PNPM_FETCHER_VERSION = 2;

[Scrumplex]

Currently, the first commit causes every pnpm package to fail evaluating. Perhaps we should first add the arg and default it to 1, then do the treewide change and then enforce setting the arg

[obreitwi]

Looks good from my side 👍

❓ Out of curiosity: Did you already evaluate how many hashes would actually change if fetcherVersion was set to 2, already? I would not expect a lot.

Since the original issue seemed OS-dependent and only occurred under specific circumstances, I would have expected Hydra builds to have failed if wrong hashes were submitted in PRs.

[Scrumplex]

I think this should be backported to 25.05. Because of the release notes change, this will have to be done manually.

[SuperSandro2000]

This is probably related to the sandbox. What installed was used? The cachix one with the sanbox or another one? I think I've hit the same problem before, see NuschtOS/search@2ab7909

[gepbird]

In #350063 nix-quick-install was used and the pnpm.fetchDeps generated result had 555 permissions on a ubuntu-24.04 runner and 444 permissions on ubuntu-22.04 runner (and their local env)

I'm not sure which runner was used in #422889, cc @jfraudeau @jmoggr

[SuperSandro2000]

Yep, when we tried it with nix-quick-install we also got the issue. cachix/install-nix works. I think the major difference is the sandbox.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/86