fix: pnpm self-update binary shadowed by bootstrap on PATH#230
Merged
zkochan merged 3 commits intopnpm:masterfrom Apr 18, 2026
Merged
fix: pnpm self-update binary shadowed by bootstrap on PATH#230zkochan merged 3 commits intopnpm:masterfrom
zkochan merged 3 commits intopnpm:masterfrom
Conversation
The bootstrap pnpm binary at PNPM_HOME shadows the self-updated binary at PNPM_HOME/bin because addPath(pnpmHome) was called after addPath(pnpmHome/bin), giving the bootstrap higher PATH precedence. Swap the addPath order so the self-updated binary takes priority. The bootstrap is invoked via absolute path, so this doesn't affect the bootstrap step. Also extract the version from the packageManager field and pass it to self-update explicitly, instead of returning undefined and relying on the bootstrap's auto-switching which can modify the lockfile. Fixes pnpm#225, fixes pnpm#227, fixes pnpm#228
1 task
|
Please address this asap 🙏 |
1 task
This was referenced Apr 17, 2026
There was a problem hiding this comment.
Pull request overview
This PR fixes pnpm/action-setup v6 using the bootstrap pnpm binary instead of the requested pnpm version, ensuring pnpm self-update results are honored (including when the requested version comes from packageManager in package.json).
Changes:
- Adjust PATH setup ordering so the self-updated pnpm binary location takes precedence over the bootstrap binary location.
- Parse
packageManager: "pnpm@<version>"to extract an explicit target version forpnpm self-update.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
126
to
128
| if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) { | ||
| return undefined | ||
| return packageManager.replace('pnpm@', '').split('+')[0] | ||
| } |
There was a problem hiding this comment.
readTargetVersion() now derives the version via packageManager.replace('pnpm@', '').split('+')[0]. For malformed values like "pnpm@" or "pnpm@+sha512...", this returns an empty string, which then causes runSelfInstaller() to skip self-update (because if (targetVersion) is falsey) and succeed using the bootstrap pnpm. Consider validating the extracted version (e.g., match ^pnpm@([^+]+) and ensure it’s non-empty after trimming) and throwing a clear error when the packageManager field is present but doesn’t contain a usable version.
Keep only the PATH ordering fix from the previous commit. The packageManager field handling is a separate concern and needs more discussion before being bundled with this fix.
Member
|
I will merge the fix related to PATH. I am not convinced the other change is needed. pnpm should be able to automatically switch versions. |
The previous commit's dist/index.js was built with a stale node_modules and didn't match a reproducible build, breaking the check-dist CI job.
zkochan
added a commit
that referenced
this pull request
Apr 18, 2026
The existing version tests only check output format via regex, which is why the PATH-shadowing bug (#230) slipped through — the bootstrap pnpm's version string matched the regex just as well as the requested version. - test_version_respects_request: runs the action with `version: 9.15.5` and `version: 10.33.0` (both differ from the bootstrap) and asserts that `pnpm --version` matches exactly. Regression test for #225/#230. - test_package_manager_field: writes a `packageManager: pnpm@<v>` entry into package.json, runs the action with no `version:` input, and asserts exact match. Reproduces #227; currently expected to fail since `packageManager` extraction was intentionally not added.
6 tasks
steebchen
added a commit
to theopenco/llmgateway
that referenced
this pull request
Apr 25, 2026
v6.0.1 had a PATH bug (pnpm/action-setup#225) that caused the bootstrap pnpm v11 to shadow the self-updated v10. Fixed in v6.0.3 (pnpm/action-setup#230), so the version: 10.28.1 input is honored again and pnpm-11 compat workarounds are no longer needed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
iskhakovt
added a commit
to iskhakovt/spreadsheet
that referenced
this pull request
Apr 25, 2026
Fixes the pnpm version input being ignored (v6.0.2 included the PATH precedence fix from pnpm/action-setup#230). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 task
iskhakovt
added a commit
to iskhakovt/spreadsheet
that referenced
this pull request
Apr 25, 2026
* chore(deps): bump pnpm/action-setup from v5 to v6 v6 adds pnpm v11 support and runs on Node.js 24. Replaces Dependabot's confusing SHA-to-SHA PR (#15) with a clean version bump. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore(deps): bump pnpm/action-setup from v6.0.0 to v6.0.3 Fixes the pnpm version input being ignored (v6.0.2 included the PATH precedence fix from pnpm/action-setup#230). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore(ci): pin action version comments to exact patch versions Dependabot and Renovate can track and auto-update SHA pins when the comment contains the exact semantic version (e.g. # v6.0.3 instead of # v6). Updated all action comments in ci.yml and publish.yml. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Timur Iskhakov <ti@timur.is> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #229
Problem
pnpm self-updateinstalls the target version toPNPM_HOME/bin/pnpm, but the bootstrap binary atPNPM_HOME/pnpmhas higher PATH precedence becauseaddPath(pnpmHome)was called afteraddPath(pnpmHome/bin).@actions/core'saddPathprepends, so the later call wins — the bootstrap version shadows the self-updated binary.Fix
Swap the
addPathcall order soPNPM_HOME/bin(whereself-updateputs the target binary) has higher PATH precedence. The bootstrap pnpm is invoked via absolute path, so this doesn't affect the bootstrap step.Verification
Reproduced locally by simulating the action flow:
version: 10