gluxon/pnpm-prerelease-dedupe-issue

Bug

This is a bug reproduction for pnpm. When resolving versions, pnpm prefers versions that already exist in the pnpm-lock.yaml file, even if a newer version has been published to the npm registry. This behavior makes builds more reproducible.

There's a bug with prerelease versions that unexpectedly causes newer versions of a dependency to be added to the pnpm-lock.yaml file instead.

Example

Suppose package a and package b both lock to beta versions of TypeScript:

importers:

  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta

  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta

packages:
  # ...

snapshots:

  typescript@5.7.0-beta: {}

  typescript@5.8.0-beta: {}

Expected

The expected behavior is that adding a new ^5.8.0-beta specifier to a third package (e.g. c) will resolve to the existing 5.8.0-beta version.

Actual

However, if a typescript stable version is published that satisfies the ^5.8.0-beta range, adding a new dependency on ^5.8.0-beta will instead pull in that newer version rather than the existing version.

diff --git a/packages/c/package.json b/packages/c/package.json
new file mode 100644
index 0000000..a619672
--- /dev/null
+++ b/packages/c/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "typescript": "^5.8.0-beta"
+  }
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 79a9f7e..ed14831 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,6 +20,12 @@ importers:
         specifier: ^5.8.0-beta
         version: 5.8.0-beta
 
+  packages/c:
+    dependencies:
+      typescript:
+        specifier: ^5.8.0-beta
+        version: 5.9.3
+
 packages:
 
   typescript@5.7.0-beta:
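
Review bot: in the added `packages/c` importer, `specifier: ^5.8.0-beta` is paired with `version: 5.9.3`, while `packages/b` in the context lines just above holds the same specifier at `version: 5.8.0-beta`. The same range resolving to two versions within one lockfile is the thing to stop on here; expect `version: 5.8.0-beta`, or pin `typescript` to the exact `5.8.0-beta` in packages/c/package.json while the resolver behaves this way.
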
@@ -32,8 +38,15 @@ packages:
     engines: {node: '>=14.17'}
     hasBin: true
 
+  typescript@5.9.3:
+    resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
+    engines: {node: '>=14.17'}
+    hasBin: true
+
 snapshots:
 
   typescript@5.7.0-beta: {}
 
   typescript@5.8.0-beta: {}
+
+  typescript@5.9.3: {}
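
Review bot: the new `typescript@5.9.3` entries under `packages:` (with their own `integrity` hash) and under `snapshots:` sit beside `typescript@5.7.0-beta` and `typescript@5.8.0-beta`, which are left in place, so the workspace now installs three TypeScript versions. Adding a dependent on a range that is already locked should add no `resolution` entry at all; treat this one as a new artifact entering the build and confirm it is wanted before accepting the lockfile.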

Dedupe

In addition to being surprising (and likely undesirable), this behavior is a problem for pnpm dedupe --check. A check that previously passed can suddenly start failing:

❯ pnpm dedupe --check
Progress: resolved 1, reused 0, downloaded 0, added 0, done
ERR_PNPM_DEDUPE_CHECK_ISSUES Dedupe --check found changes to the lockfile

Importers
packages/a
└── typescript 5.7.0-beta → 5.9.3

packages/b
└── typescript 5.8.0-beta → 5.9.3


Packages
- typescript@5.7.0-beta
- typescript@5.8.0-beta

Run pnpm dedupe to apply the changes above.
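
A lockfile check for the split shown under Actual, as an added example (not part of this reproduction repo or of pnpm): it reads the importers section and reports any dependency range that resolves to more than one version. The `LOCKFILE` sample is constructed from the snippets above, the layout is assumed to match them, and `readImporters` and `findSplitResolutions` are hypothetical names.

```javascript
// Constructed sample: importers section of the lockfile after the change shown above.
const LOCKFILE = `importers:
  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta
  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta
  packages/c:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.9.3
`;

// Line reader for the importers section only; assumes the fixed two-space nesting shown above.
function readImporters(text) {
  const rows = [];
  let inSection = false, importer, dep, specifier;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line)) { inSection = line.trim() === 'importers:'; continue; }
    const m = inSection && line.match(/^( *)(.+?):(?:\s+(.*))?$/);
    if (!m) continue;
    const [, pad, rawKey, value] = m, key = rawKey.replace(/^['"]|['"]$/g, '');
    if (pad.length === 2) importer = key;
    else if (pad.length === 6) { dep = key; specifier = undefined; }
    else if (pad.length === 8 && key === 'specifier') specifier = value;
    else if (pad.length === 8 && key === 'version') rows.push({ importer, dep, specifier, version: value });
  }
  return rows;
}

// One range resolving to more than one version is the split described on this page.
function findSplitResolutions(rows) {
  const groups = {};
  for (const { importer, dep, specifier, version } of rows) {
    const range = `${dep}@${specifier}`;
    groups[range] = groups[range] || {};
    (groups[range][version] = groups[range][version] || []).push(importer);
  }
  return Object.entries(groups)
    .filter(([, versions]) => Object.keys(versions).length > 1)
    .map(([range, versions]) => ({ range, versions }));
}
console.log(JSON.stringify(findSplitResolutions(readImporters(LOCKFILE)), null, 2));
```

Resolved versions are compared as plain strings, so a flagged range is a prompt to inspect the lockfile change rather than proof of this bug.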
