pnpm install fails for cdxgen #10909

@gepbird

Description

Last pnpm version that worked

10.30.3

pnpm version

10.31.0

Code to reproduce the issue

  1. pnpm config set manage-package-manager-versions false
  2. git clone git@github.com:CycloneDX/cdxgen && cd cdxgen
  3. npx pnpm@10.30.3 install, install works, lockfile doesn't change
  4. npx pnpm@10.31.0 install, install fails, lockfile changes.

Expected behavior

I expect the install command to work after a minor release bump, or at least be documented in the changelog as breaking.
I also expect that the existing lockfiles work for future pnpm releases with the same major version with --frozen-lockfile.

Actual behavior

It fails to install.

Sometimes it tells me that many packages were added and updates the lockfile before exiting:

cdxgen ❯ npx pnpm@10.31.0 install
Need to install the following packages:
pnpm@10.31.0
Ok to proceed? (y) y

Scope: all 10 workspace projects
test/data/package-json/v1                |  WARN  deprecated react-dom@16.2.0
test/data/package-json/v1                |  WARN  deprecated extract-text-webpack-plugin@3.0.2
test/data/package-json/v1                |  WARN  deprecated node-sass@4.14.1
test/data/package-json/v1                |  WARN  deprecated babel-eslint@8.2.6
test/data/package-json/v1                |  WARN  deprecated eslint@4.19.1
test/data/package-json/v2-workspace      |  WARN  deprecated eslint@8.57.1
 WARN  28 deprecated subdependencies found: @humanwhocodes/config-array@0.13.0, @humanwhocodes/object-schema@2.0.3, @mui/base@5.0.0-beta.40-1, acorn-dynamic-import@2.0.2, are-we-there-yet@1.1.7, boolean@3.2.0, browserslist@1.7.7, circular-json@0.3.3, core-js@1.2.7, core-js@2.6.12, flatten@1.0.3, fsevents@1.2.13, gauge@2.7.4, har-validator@5.1.5, node-domexception@1.0.0, npmlog@4.1.2, q@1.5.1, request@2.88.2, resolve-url@0.2.1, rimraf@2.6.3, rimraf@3.0.2, rollup-plugin-inject@3.0.2, source-map-resolve@0.5.3, source-map-url@0.4.1, sourcemap-codec@1.4.8, svgo@0.7.2, urix@0.1.0, whatwg-encoding@3.1.1
Packages: +1263 -1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
Progress: resolved 1691, reused 1540, downloaded 31, added 1263, done
test/data/package-json/v2-workspace postinstall$ husky install && node ./scripts/postinstall.js
│ husky - .git can't be found (see https://typicode.github.io/husky/#/?id=custom-directory)
└─ Failed in 57ms at /home/gep/forks/cdxgen/test/data/package-json/v2-workspace
 ELIFECYCLE  Command failed with exit code 1.

Sometimes it says "Already up to date", then fails:

cdxgen ❯ npx pnpm@10.31.0 install
Scope: all 10 workspace projects
test/data/package-json/v1                |  WARN  deprecated babel-eslint@8.2.6
test/data/package-json/v1                |  WARN  deprecated extract-text-webpack-plugin@3.0.2
test/data/package-json/v1                |  WARN  deprecated node-sass@4.14.1
test/data/package-json/v1                |  WARN  deprecated eslint@4.19.1
test/data/package-json/v1                |  WARN  deprecated react-dom@16.2.0
test/data/package-json/v2-workspace      |  WARN  deprecated eslint@8.57.1
 WARN  28 deprecated subdependencies found: @humanwhocodes/config-array@0.13.0, @humanwhocodes/object-schema@2.0.3, @mui/base@5.0.0-beta.40-1, acorn-dynamic-import@2.0.2, are-we-there-yet@1.1.7, boolean@3.2.0, browserslist@1.7.7, circular-json@0.3.3, core-js@1.2.7, core-js@2.6.12, flatten@1.0.3, fsevents@1.2.13, gauge@2.7.4, har-validator@5.1.5, node-domexception@1.0.0, npmlog@4.1.2, q@1.5.1, request@2.88.2, resolve-url@0.2.1, rimraf@2.6.3, rimraf@3.0.2, rollup-plugin-inject@3.0.2, source-map-resolve@0.5.3, source-map-url@0.4.1, sourcemap-codec@1.4.8, svgo@0.7.2, urix@0.1.0, whatwg-encoding@3.1.1
Already up to date
Progress: resolved 1691, reused 1571, downloaded 0, added 0, done
test/data/package-json/v2-workspace postinstall$ husky install && node ./scripts/postinstall.js
│ husky - .git can't be found (see https://typicode.github.io/husky/#/?id=custom-directory)
└─ Failed in 52ms at /home/gep/forks/cdxgen/test/data/package-json/v2-workspace
 ELIFECYCLE  Command failed with exit code 1.

Additional information

There was a similar issue that I noticed with the same package in the past: #10571.

Node.js version

v24.13.0

Operating System

Linux
