Support `catalog:` protocol for `pnpm dlx`

[nyarthan]

Contribution

• I'd be willing to implement this feature (contributing guide)

Describe the user story

In a pnpm workspace I would like to pin certain dependencies e.g. rarely used CLIs etc. to a specific version.
I don't want to add them as normal devDependencies since they are not used often enough to justify always installing them.

The only solution currently is to inline the version in the command e.g. pnpm dlx large-cli@1.2.3 or write a wrapper script that reads the version from the catalog definition.

Especially in the current situation with lots of malicious npm packages, I think it is important to have an easy and scalable way of pinning the versions of packages, invoked via dlx.

Describe the solution you'd like

When running pnpm dlx inside a pnpm workspace, resolve package versions from the catalog when using the catalog: protocol.

pnpm-workspace.yaml

catalog:
  large-cli: '1.2.3'

pnpm dlx large-cli@catalog: -> should run large-cli with version 1.2.3, no the latest.

Describe the drawbacks of your solution

No response

Describe alternatives you've considered

• Inlining the pinned version: would loose support for tooling like renovate, dependabot etc.
• wrapper script, that manually reads the catalog: not very ergonomic / scalable

[zkochan]

How does this help with preventing malicious packages from being installed? All the subdependencies will be freshly installed.

[nyarthan]

How does this help with preventing malicious packages from being installed? All the subdependencies will be freshly installed.

You're right, I mistakenly thought, it would be added to the lockfile..
Maybe this is something that could be configurable?

[niklashigi]

I found this issue because I was facing the same core challenge as @nyarthan (I believe):

We have several development-only tools that only a small subset of our team uses, but that, in some cases, have quite heavy dependency trees - some tools that come to mind are e.g., the Netlify CLI, GritQL, or Lingo.dev

These increase global install times across the team, can spam the console with peer dep warnings and other noise that doesn't matter to most engineers, and their postinstall scripts (which might not even have security issues - those didn't matter as much for the initial idea) can cause trouble if even just one of the packages does some funky things

I was thinking of simply cutting these from our package.json and replacing them with a "example": "pnpm dlx example@1.2.3" kind of wrapper script (that would then allow pnpm example ...) until I realized that we would lose all locking for the dependencies, potentially creating more issues than this solves after all

My head also jumped to catalogs for this reason, but then I also don't fully understand in detail how they relate to locking, or whether they would really be the solution here

I've also thought about having a whole separate package (maybe one that doesn't even contribute to the workspace) for this reason, but that introduces complexity in other ways

Ideally - and I have no idea what this would look like - I would just have entirely separate, locked dependency trees for each of those, but then still install them on-demand using a mechanism like pnpm dlx (making this an even more niche idea, I do see this)

If anyone has any creative ideas/pointers for the root problem, I would appreciate them! 🙏

[Netail]

We would like this feature too, but not for security reasons, but to use the same version locally installed in the node_modules (through as regular pnpm) as in the CICD (through pnpx - as we do not prefer to install all dependenies, just 1). Having a single source of truth for the version

Ref #10298

[Netail]

I could perhaps look into implementing this, if you see the benefit @zkochan