This is a bug reproduction for pnpm. When resolving versions, pnpm prefers versions that already exist in the pnpm-lock.yaml file, even if a newer version has been published to the npm registry. This behavior makes builds more reproducible.
With prerelease versions, however, there is a bug: pnpm unexpectedly adds a newer version of the dependency to pnpm-lock.yaml instead of reusing the version that is already locked.
Suppose package a and package b both lock to beta versions of TypeScript:
```yaml
importers:
  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta
  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta

packages:
  # ...

snapshots:
  typescript@5.7.0-beta: {}
  typescript@5.8.0-beta: {}
```

The expected behavior is that adding a new ^5.8.0-beta specifier to a third package (e.g. c) will resolve to the existing 5.8.0-beta version.
However, if a typescript stable version is published that satisfies the ^5.8.0-beta range, adding a new dependency on ^5.8.0-beta will instead pull in that newer version rather than the existing version.
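To make the two outcomes concrete, here is an added JavaScript example. It is not pnpm's code and does not show how pnpm's resolver is implemented; it models node-semver's caret-range rules for prerelease tags, a resolver that prefers whatever the lockfile already holds (the behavior this report expects), and a resolver that ignores the lockfile (the behavior observed), and it derives the same per-importer drift that `pnpm dedupe --check` reports further below. The registry contents (apart from 5.9.3, which comes from this report) and the choice to reuse the highest matching locked version are assumptions.

```javascript
// Added example, not pnpm's code: a small model of caret-range matching with
// prerelease tags (node-semver's default rules) and of "prefer what the
// lockfile already has" resolution, so the expected and observed outcomes can
// be compared side by side.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease precedence: numeric ids compare numerically and rank below
// alphanumeric ids; a longer list wins when the shared prefix is equal; and
// no prerelease at all ranks above any prerelease of the same x.y.z.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) { if (+a[i] !== +b[i]) return +a[i] < +b[i] ? -1 : 1; }
    else if (an !== bn) return an ? -1 : 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

function cmpTuple(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  return cmpTuple([a.major, a.minor, a.patch], [b.major, b.minor, b.patch]) || comparePre(a.pre, b.pre);
}

// ^x.y.z[-pre] admits >= x.y.z[-pre] and < the next breaking boundary. A
// prerelease candidate is admitted only when the range's own lower bound is a
// prerelease on the same x.y.z (node-semver's default, no includePrerelease),
// which is why ^5.8.0-beta admits 5.8.0-beta and 5.9.3 but not 5.9.0-beta.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are modelled: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(version, range.slice(1)) < 0) return false;
  const upper = lower.major > 0 ? [lower.major + 1, 0, 0]
    : lower.minor > 0 ? [0, lower.minor + 1, 0] : [0, 0, lower.patch + 1];
  if (cmpTuple([v.major, v.minor, v.patch], upper) >= 0) return false;
  if (v.pre.length === 0) return true;
  return lower.pre.length > 0
    && cmpTuple([v.major, v.minor, v.patch], [lower.major, lower.minor, lower.patch]) === 0;
}

function highest(versions) {
  return versions.length ? [...versions].sort(compareVersions)[versions.length - 1] : null;
}

// Expected behaviour: reuse a version the lockfile already has when one
// satisfies the specifier; consult the registry only when none does.
// (Picking the highest locked match is an assumption of this model.)
function resolvePreferringLocked(range, locked, registry) {
  const fromLock = highest(locked.filter(v => satisfiesCaret(v, range)));
  if (fromLock !== null) return fromLock;
  const fromRegistry = highest(registry.filter(v => satisfiesCaret(v, range)));
  if (fromRegistry === null) throw new Error(`nothing satisfies ${range}`);
  return fromRegistry;
}

// Observed behaviour: the highest published version, ignoring the lockfile.
function resolveHighestPublished(range, registry) {
  return highest(registry.filter(v => satisfiesCaret(v, range)));
}

// Why `pnpm dedupe --check` starts failing: for every importer, compare the
// locked version with what a lockfile-ignoring resolution would pick and
// report the drift in the same "from → to" shape the command prints.
function lockfileDrift(importers, registry) {
  const lines = [];
  for (const [name, { specifier, version }] of Object.entries(importers)) {
    const fresh = resolveHighestPublished(specifier, registry);
    if (fresh !== version) lines.push(`${name} typescript ${version} → ${fresh}`);
  }
  return lines;
}

// Constructed sample registry state; 5.9.3 is the stable version from the report.
const REGISTRY = ['5.7.0-beta', '5.7.2', '5.8.0-beta', '5.8.3', '5.9.0-beta', '5.9.3', '6.0.0-alpha'];
const LOCKED = ['5.7.0-beta', '5.8.0-beta'];
const IMPORTERS = {
  'packages/a': { specifier: '^5.7.0-beta', version: '5.7.0-beta' },
  'packages/b': { specifier: '^5.8.0-beta', version: '5.8.0-beta' },
};

console.log('expected :', resolvePreferringLocked('^5.8.0-beta', LOCKED, REGISTRY)); // 5.8.0-beta
console.log('observed :', resolveHighestPublished('^5.8.0-beta', REGISTRY));         // 5.9.3
console.log(lockfileDrift(IMPORTERS, REGISTRY).join('\n'));
```

Running it with `node` prints `5.8.0-beta` for the lockfile-preferring resolver, `5.9.3` for the lockfile-ignoring one, and the two drift lines for packages/a and packages/b that match the dedupe output later in this report. The model also makes the prerelease rule visible: once a stable release inside the caret range exists, every prerelease specifier in the workspace resolves to it unless the locked version is honoured.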
diff --git a/packages/c/package.json b/packages/c/package.json
new file mode 100644
index 0000000..a619672
--- /dev/null
+++ b/packages/c/package.json
@@ -0,0 +1,5 @@
+{
+ "dependencies": {
+ "typescript": "^5.8.0-beta"
+ }
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 79a9f7e..ed14831 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,6 +20,12 @@ importers:
specifier: ^5.8.0-beta
version: 5.8.0-beta
+ packages/c:
+ dependencies:
+ typescript:
+ specifier: ^5.8.0-beta
+ version: 5.9.3
+
packages:
typescript@5.7.0-beta:
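Review bot: the report should state which pnpm version produced this hunk and that 5.9.3 was the newest stable release satisfying ^5.8.0-beta at the time, because the result depends on registry state and a reader reproducing it later may see a different version in `version: 5.9.3`. The hunk itself makes the defect plain: the unchanged context lines directly above show `specifier: ^5.8.0-beta` already resolved to `version: 5.8.0-beta` for packages/b, yet the new packages/c importer with the identical specifier gets `version: 5.9.3`, so the lockfile preference described at the top of the report was not applied.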
@@ -32,8 +38,15 @@ packages:
engines: {node: '>=14.17'}
hasBin: true
+ typescript@5.9.3:
+ resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
+ engines: {node: '>=14.17'}
+ hasBin: true
+
snapshots:
typescript@5.7.0-beta: {}
typescript@5.8.0-beta: {}
+
+ typescript@5.9.3: {}

In addition to being surprising (and likely undesirable), this is a problem for pnpm dedupe --check. The check may have previously passed, but it can suddenly start failing once such a stable version is published:
```text
❯ pnpm dedupe --check
Progress: resolved 1, reused 0, downloaded 0, added 0, done
 ERR_PNPM_DEDUPE_CHECK_ISSUES  Dedupe --check found changes to the lockfile

Importers
  packages/a
    └── typescript 5.7.0-beta → 5.9.3
  packages/b
    └── typescript 5.8.0-beta → 5.9.3

Packages
  - typescript@5.7.0-beta
  - typescript@5.8.0-beta

Run pnpm dedupe to apply the changes above.
```