Verify latest release
pnpm version
10.29.3
Which area(s) of pnpm are affected? (leave empty if unsure)
Dependencies resolver
Link to the code that reproduces this issue or a replay of the bug
https://github.com/gluxon/pnpm-prerelease-dedupe-issue
Reproduction steps
Start with the following lockfile:
```yaml
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .: {}

  packages/a:
    dependencies:
      typescript:
        specifier: ^5.7.0-beta
        version: 5.7.0-beta

  packages/b:
    dependencies:
      typescript:
        specifier: ^5.8.0-beta
        version: 5.8.0-beta

packages:

  typescript@5.7.0-beta:
    resolution: {integrity: sha512-opDlmEnzKdl082N5piLS43lsyugg0aORdv+XnNzMv5yP5VtBWuZhFDxU8lizmhW+PEFa/fZiShYRBxKsrkTDMQ==}
    engines: {node: '>=14.17'}
    hasBin: true

  typescript@5.8.0-beta:
    resolution: {integrity: sha512-7VGUiBOGi+BYhiuy3iITIgu6m2wVW2Vb4CW+OJsW6OJS/TgvezKbAN3WBfiSErE8QOLdce0ilm6VANMkzNWW1A==}
    engines: {node: '>=14.17'}
    hasBin: true

snapshots:

  typescript@5.7.0-beta: {}

  typescript@5.8.0-beta: {}
```
From there:
- Add packages/c/package.json with a dependency on typescript for ^5.8.0-beta
- Run pnpm install
- Observe that a brand new version (e.g. 5.9.2 at the time of writing) is added instead of reusing the existing 5.8.0-beta version already in the lockfile.
Describe the Bug
When resolving versions, pnpm usually prefers existing versions in the pnpm-lock.yaml file, even if there's a newer version published to the NPM registry. This behavior is good and makes builds more reproducible.
There's a bug with prerelease versions that unexpectedly causes newer versions of a dependency to be added to the pnpm-lock.yaml file instead.
Expected Behavior
Adding a new ^5.8.0-beta specifier to a third package (e.g. c) should resolve to the existing 5.8.0-beta version.
Which Node.js version are you using?
v25.6.0
Which operating systems have you used?
If your OS is Linux-based, which one is it? (Include the version if relevant)
No response
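The check below is an added example, not code from this issue or from pnpm: it flags any dependency whose identical specifier resolves to different versions across importers, which is the lockfile symptom described in this report. The `importers` object is a constructed sample modeled on the lockfile above after the reproduction steps (5.9.2 is the version named in the report); the function name and the peer-suffix handling are assumptions.

```javascript
// Constructed sample: the importers section of pnpm-lock.yaml, already parsed,
// as it would look after the reproduction steps in this report.
const importersAfterInstall = {
  '.': {},
  'packages/a': { dependencies: { typescript: { specifier: '^5.7.0-beta', version: '5.7.0-beta' } } },
  'packages/b': { dependencies: { typescript: { specifier: '^5.8.0-beta', version: '5.8.0-beta' } } },
  'packages/c': { dependencies: { typescript: { specifier: '^5.8.0-beta', version: '5.9.2' } } },
};

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Assumption: a peer suffix such as "1.2.3(react@18.0.0)" is not part of the
// package version itself, so it is dropped before comparing.
const baseVersion = (v) => v.replace(/\(.*$/, '');

// Hypothetical helper: returns one finding per "name@specifier" that is
// locked to more than one version somewhere in the workspace.
function findDivergentResolutions(importers) {
  const seen = new Map(); // "name@specifier" -> Map(version -> [importer paths])
  for (const [path, importer] of Object.entries(importers)) {
    for (const field of DEP_FIELDS) {
      for (const [name, dep] of Object.entries(importer[field] ?? {})) {
        // Local links are not registry resolutions; skip them.
        if (/^(link:|file:)/.test(dep.version)) continue;
        const key = `${name}@${dep.specifier}`;
        const versions = seen.get(key) ?? new Map();
        const v = baseVersion(dep.version);
        versions.set(v, [...(versions.get(v) ?? []), path]);
        seen.set(key, versions);
      }
    }
  }
  const findings = [];
  for (const [key, versions] of seen) {
    if (versions.size > 1) {
      findings.push({ key, versions: Object.fromEntries(versions) });
    }
  }
  return findings;
}

for (const f of findDivergentResolutions(importersAfterInstall)) {
  console.log(`divergent resolution for ${f.key}:`, f.versions);
}
```

Run against a lockfile diff in CI, a finding like this marks a pull request where a new version entered the lockfile even though an already-locked version was recorded for the same specifier.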