`pnpm update` in `pnpm@10.31` breaks JSR packages

[hyunbinseo]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

Lockfile

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

hyunbinseo/hyunbin@16b8ef2

Describe the Bug

After running these commands:

corepack use pnpm@latest
# Done in 1.1s using pnpm v10.31.0

pnpm update

the tarball section is stripped from pnpm-lock.yaml:

  '@jsr/std__collections@1.1.6':
-    resolution: {integrity: sha512-hmuIU7r/xepXLXIBiK9gmq1BnSalyySnfdJ1mqvT39hU2g4Pz0DJDx6z1CMWVGbUQhpxBHuVQH9diqwMoN6/pw==, tarball: https://npm.jsr.io/~/11/@jsr/std__collections/1.1.6.tgz}
+    resolution: {integrity: sha512-hmuIU7r/xepXLXIBiK9gmq1BnSalyySnfdJ1mqvT39hU2g4Pz0DJDx6z1CMWVGbUQhpxBHuVQH9diqwMoN6/pw==}

causing this installation issue:

16:05:52.926 | ERR_PNPM_FETCH_404  GET https://npm.jsr.io/@jsr/std__front-matter/-/std__front-matter-1.0.9.tgz: Not Found - 404
-- | --
16:05:52.926 |  
16:05:52.927 | No authorization header was set for the request.

Expected Behavior

Lockfile installation should work.

Which Node.js version are you using?

v24.14.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

[hyunbinseo]

Workaround:

corepack use pnpm@10.30
# Done in 1.3s using pnpm v10.30.3

pnpm update

[Jisagi]

The new version v10.31.0 now strips any tarball urls from the lockfile sadly (see #6667). I had the same issue on the weekend when it released. Took a bit to finally pinpoint the actual issue. Was probably not the best idea to release this under a MINOR version imho.

My current soltuion is to always and everywhere (local & cicd) use lockfile-include-tarball-url=true to add them again. This adds them for all dependencies though, not just the ones that are "non-npmjs".

For reference why this is an issue for me: pnpm auth for private npm packages (in combi with gitlab) have been rather buggy (#7807) when it comes to propagating auth header outside their scope. Having the direct tarball url in the lockfile allowed it to work at all, so without it, my workflow breaks 😉

[hyunbinseo]

@Jisagi Thanks for the insight. I'll just stick to pnpm@10.30 until this is resolved.

[eMerzh]

Yeah i got the same kind of issue with Github's repository ... and renovate that uses the latest version

[Jisagi]

Yeah i got the same kind of issue with Github's repository ... and renovate that uses the latest version

Had the same problem with selfhosted renovate. I gave it the config I mentioned above lockfile-include-tarball-url=true now. It was the initial culprit after automerging some minor eslint versions and nuking my internal dependency tarball urls in the process. Not sure how this is done when using hte publicly hosted version of renovate on github though, but should be possible somehow. In the selhosted version I put it into the npmrc in the runenr config where internal dep npm auths are.

[alumni]

Not just with JSR, but also with http links when using a private registry, e.g.:
"ssf": "https://cdn.sheetjs.com/ssf-0.11.3/ssf-0.11.3.tgz" will cause pnpm to resolve ssf in the private registry, instead of using the url. tarball is being removed from the lockfile.

[kristof-mattei]

The new version v10.31.0 now strips any tarball urls from the lockfile sadly (see #6667). I had the same issue on the weekend when it released. Took a bit to finally pinpoint the actual issue. Was probably not the best idea to release this under a MINOR version imho.

My current soltuion is to always and everywhere (local & cicd) use lockfile-include-tarball-url=true to add them again. This adds them for all dependencies though, not just the ones that are "non-npmjs".

For reference why this is an issue for me: pnpm auth for private npm packages (in combi with gitlab) have been rather buggy (#7807) when it comes to propagating auth header outside their scope. Having the direct tarball url in the lockfile allowed it to work at all, so without it, my workflow breaks 😉

I have the same issue, but with GitHub, which makes me wonder, is this is a GitHub issue? Why does the standard install not work? Because a url is tried, but not the right one.

[noahw3]

Seeing this same issue exactly as described by @Jisagi: can no longer install gitlab-hosted private npm registry packages.

[MattIPv4]

👋 We're also seeing this with Dependabot PRs alveusgg/alveusgg@9d5a6a3

[zkochan]

I will revert that change in v10.

[zkochan]

Reverted the change that caused the issue: 09ad114