
Lockfile changed between 10.28.2 and 10.29.1 for some packages #10571

@gepbird

Description


Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

10.29.1

Which area(s) of pnpm are affected? (leave empty if unsure)

Lockfile

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

  1. pnpm config set manage-package-manager-versions false
  2. git clone git@github.com:CycloneDX/cdxgen && cd cdxgen
  3. npx pnpm@10.28.2 install --frozen-lockfile, install works
  4. npx pnpm@10.29.1 install --frozen-lockfile, install fails

Describe the Bug

Installing dependencies for some projects works with frozen lockfile on 10.28.2 but not on 10.29.1:

cdxgen ❯ npx pnpm@10.29.1 install --frozen-lockfile
Scope: all 10 workspace projects
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/test/data/package-json/v1/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

  Failure reason:
  specifiers in the lockfile don't match specifiers in package.json:
* 19 dependencies were added: @wordpress/babel-preset-default@^1.2.0, babel-core@^6.26.3, babel-eslint@^8.2.3, babel-loader@^7.1.4, classnames@^2.2.5, cross-env@^5.1.5, css-loader@^0.28.11, eslint@^4.19.1, extract-text-webpack-plugin@^3.0.2, node-sass@^4.9.0, postcss-loader@^2.1.5, raw-loader@^0.5.1, sass-loader@^6.0.7, style-loader@^0.19.1, webpack@^3.11.0, react@16.2.0, react-autosize-textarea@2.0.0, react-dom@16.2.0, react-sortable-hoc@^0.6.8

Without frozen lockfile it generates a 15k line diff.

Lockfile integrity is important to us at nixpkgs. When packaging applications with pnpm, we only keep the latest version of each major pnpm version. To keep our builds deterministic, we hash the output of pnpm install ... and expect to get the same hash for any pnpm 10.x.x version.

Expected Behavior

I expect the pnpm lockfile to be stable on the same major version, or at least be documented in the changelog as breaking.

Which Node.js version are you using?

v24.13.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux based, which one is it? (Include the version if relevant)

NixOS unstable
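The reproducibility invariant described in the report (a frozen-lockfile install must succeed under every pnpm 10.x release and leave pnpm-lock.yaml byte-identical) can be turned into a CI check. The script below is an added example, not code from the issue, from nixpkgs or from the pnpm project: it runs `pnpm install --frozen-lockfile` under each listed version in a scratch copy of the project, hashes the resulting lockfile, and reports "drift" or a failed install for any version that disagrees with the baseline. The function names, the npx-based invocation and the version list are assumptions of this example; the hashing and comparison helpers are kept separate so they can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the issue or the pnpm project): verify that a frozen-lockfile
# install leaves pnpm-lock.yaml byte-identical across several pnpm versions.
# Function names, the npx invocation and the version list are assumptions of this example.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, or BSD/macOS shasum as a fallback.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare two lockfile hashes. Prints "stable" or "drift" and returns 0 or 1 so callers can branch.
compare_lockfile_hashes() {
    if [ "$1" = "$2" ]; then
        echo "stable"
        return 0
    fi
    echo "drift"
    return 1
}

# Run a frozen-lockfile install with one pnpm version in a scratch copy of the project and
# print the hash of the lockfile afterwards. Needs network access; not exercised offline.
# A version that refuses the lockfile (ERR_PNPM_OUTDATED_LOCKFILE) is reported as a failure.
lockfile_hash_after_install() {
    version="$1"; project_dir="$2"
    work=$(mktemp -d)
    cp -R "$project_dir"/. "$work"/
    (cd "$work" && npx "pnpm@$version" install --frozen-lockfile >/dev/null 2>&1) || {
        echo "install failed under pnpm@$version" >&2
        rm -rf "$work"
        return 1
    }
    file_sha256 "$work/pnpm-lock.yaml"
    rm -rf "$work"
}

# Drive the check across versions; the first version given is the baseline.
# Exit status is non-zero if any version fails to install or changes the lockfile.
check_lockfile_stability() {
    project_dir="$1"; shift
    baseline_version="$1"
    baseline=$(lockfile_hash_after_install "$baseline_version" "$project_dir") || return 1
    rc=0
    for v in "$@"; do
        h=$(lockfile_hash_after_install "$v" "$project_dir") || { rc=1; continue; }
        # The assignment's exit status is that of compare_lockfile_hashes, so drift sets rc=1.
        result=$(compare_lockfile_hashes "$baseline" "$h") || rc=1
        printf '%s: %s\n' "pnpm@$v" "$result"
    done
    return $rc
}

# Usage (needs network, assumed local checkout path):
#   check_lockfile_stability /path/to/cdxgen 10.28.2 10.29.1
```

For a packaging pipeline such as the one the report describes, the same pattern extends naturally: hash the fetched dependency store as well as the lockfile, and run the check whenever a new pnpm minor release is adopted, so that a behaviour change like the one between 10.28.2 and 10.29.1 is caught before builds become non-reproducible.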
