Prerelease versions in the lockfile may not be reused, causing pnpm dedupe --check to fail on external factors #10626

Description

@gluxon

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

10.29.3

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver

Link to the code that reproduces this issue or a replay of the bug

https://github.com/gluxon/pnpm-prerelease-dedupe-issue

Reproduction steps

Start with the following lockfile:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .: {}

  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta

  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta

packages:

  typescript@5.7.0-beta:
    resolution: {integrity: sha512-opDlmEnzKdl082N5piLS43lsyugg0aORdv+XnNzMv5yP5VtBWuZhFDxU8lizmhW+PEFa/fZiShYRBxKsrkTDMQ==}
    engines: {node: '>=14.17'}
    hasBin: true

  typescript@5.8.0-beta:
    resolution: {integrity: sha512-7VGUiBOGi+BYhiuy3iITIgu6m2wVW2Vb4CW+OJsW6OJS/TgvezKbAN3WBfiSErE8QOLdce0ilm6VANMkzNWW1A==}
    engines: {node: '>=14.17'}
    hasBin: true

snapshots:

  typescript@5.7.0-beta: {}

  typescript@5.8.0-beta: {}

From there:

  1. Add packages/c/package.json with a dependency on typescript for ^5.8.0-beta
  2. Run pnpm install
  3. Observe that a brand new version (e.g. 5.9.2 at the time of writing) is added instead of reusing the existing 5.8.0-beta version already in the lockfile.

Describe the Bug

When resolving versions, pnpm usually prefers existing versions in the pnpm-lock.yaml file, even if there's a newer version published to the NPM registry. This behavior is good and makes builds more reproducible.

There's a bug with prerelease versions that unexpectedly causes newer versions of a dependency to be added to the pnpm-lock.yaml file instead.

Expected Behavior

Adding a new ^5.8.0-beta specifier to a third package (e.g. c) should resolve to the existing 5.8.0-beta version.

Which Node.js version are you using?

v25.6.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

No response
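
Added example, not part of the original issue and not pnpm's own code: a check that flags the symptom described above, where the same dependency specifier resolves to different versions across importers in pnpm-lock.yaml. The function name `findSpecifierDrift`, the line-based reading of the lockfile layout shown in the report, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Constructed sample: importers after the reproduction steps, with packages/c
// resolved to 5.9.2 as the report describes. Not output copied from the page.
const SAMPLE = `importers:
  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta
  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta
  packages/c:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.9.2
packages:
  typescript@5.8.0-beta: {}
`;

const unquote = (s) => s.replace(/^['"]|['"]$/g, '');

// Hypothetical helper: minimal line-based reader for the importers section
// (indent 2 = importer, 6 = dependency name, 8 = specifier/version).
function findSpecifierDrift(lockfileText) {
  const seen = new Map(); // "name@specifier" -> Map(version -> importers)
  let inImporters = false, importer = null, dep = null, specifier = null;
  for (const line of lockfileText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inImporters = line.startsWith('importers:'); continue; }
    if (!inImporters || !line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    const [key, ...rest] = line.trim().split(':');
    const value = unquote(rest.join(':').trim());
    if (indent === 2) importer = unquote(key);
    else if (indent === 6) dep = unquote(key);
    else if (indent === 8 && key === 'specifier') specifier = value;
    else if (indent === 8 && key === 'version') {
      const id = `${dep}@${specifier}`;
      if (!seen.has(id)) seen.set(id, new Map());
      const versions = seen.get(id);
      versions.set(value, [...(versions.get(value) || []), importer]);
    }
  }
  return [...seen].filter(([, v]) => v.size > 1)
    .map(([id, v]) => ({ id, versions: Object.fromEntries(v) }));
}

console.log(JSON.stringify(findSpecifierDrift(SAMPLE), null, 2));
```

Run against a real pnpm-lock.yaml in CI, a non-empty result points at importers whose resolution was not reused from the lockfile.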
