pnpm 11 packageManager downgrade path fails with ERR_PNPM_BROKEN_LOCKFILE since v11.0.0-alpha.15

[mkusaka]

Verify latest release

• I verified that the issue exists in the latest pnpm release (11.0.0-rc.0).

pnpm version

11.0.0-rc.0

Which area(s) of pnpm are affected? (leave empty if unsure)

• CLI
• Lockfile
• Package manager compatibility
• Operating System (Windows, MacOS, Linux)

Link to the code that reproduces this issue or a replay of the bug

Public repo used for reproduction:

• https://github.com/mkusaka/localeja

Commit used in the repro:

• mkusaka/localeja@ea44a82

If needed, I can also provide a smaller dedicated reproduction repository, but the commands below already reproduce the issue from a clean export of that commit.

Reproduction steps

1. Start from a clean export of a repo whose package.json contains:

{
  "packageManager": "pnpm@10.32.1"
}

2. Run the following commands in Linux:

tmprepo=$(mktemp -d /tmp/localeja-repro.XXXXXX)
git clone --depth 1 https://github.com/mkusaka/localeja.git "$tmprepo"
cd "$tmprepo"
git checkout ea44a8208a3e91a084e0e344557264d7a9df5600

docker run --rm -e CI=true -v "$tmprepo":/repo -w /repo node:24.14.1 bash -lc '
set -euo pipefail
echo "packageManager:"
grep packageManager package.json

echo
echo "Case A: direct pnpm 10.32.1"
npx -y pnpm@10.32.1 --version
npx -y pnpm@10.32.1 install --frozen-lockfile --ignore-scripts

echo
echo "Case B: direct pnpm 10.32.0"
npx -y pnpm@10.32.0 --version
npx -y pnpm@10.32.0 install --frozen-lockfile --ignore-scripts

echo
echo "Case C: direct pnpm 11 rc"
npx -y pnpm@11.0.0-rc.0 --version
npx -y pnpm@11.0.0-rc.0 install --frozen-lockfile --ignore-scripts
'

3. Observe the results:

• Case A succeeds
• Case B also succeeds, and --version reports 10.32.1
• Case C reports 10.32.1 for --version, but install fails with ERR_PNPM_BROKEN_LOCKFILE

4. Optional debug run:

docker run --rm -e CI=true -v "$tmprepo":/repo -w /repo node:24.14.1 bash -lc '
set -euo pipefail
npx -y pnpm@11.0.0-rc.0 install --frozen-lockfile --ignore-scripts --reporter ndjson --loglevel debug > /tmp/pnpm11-debug.log 2>&1 || true
tail -n 20 /tmp/pnpm11-debug.log
'

Relevant output from the debug log:

{"name":"pnpm:package-manifest","initial":{"packageManager":"pnpm@10.32.1", ...}}
{"level":"error","code":"ERR_PNPM_BROKEN_LOCKFILE","message":"The lockfile at \"/repo/pnpm-lock.yaml\" is broken: expected a single document in the stream, but found more"}

The stack in the failing case points to a path like:

/repo/.pnpm-store/v11/links/@/pnpm/10.32.1/.../node_modules/pnpm/dist/pnpm.cjs

By contrast, the successful npx pnpm@10.32.0 case uses the normal npx cache path and succeeds.

Additional version-boundary data:

10.32.1                           pass
10.33.0                           pass
11.0.0-alpha.0                    pass
11.0.0-alpha.1                    pass
11.0.0-alpha.2                    pass
11.0.0-alpha.3                    pass
11.0.0-alpha.4                    pass
11.0.0-alpha.5                    pass
11.0.0-alpha.6                    pass
11.0.0-alpha.7                    pass
11.0.0-alpha.8                    pass
11.0.0-alpha.9                    pass
11.0.0-alpha.10                   pass
11.0.0-alpha.11                   pass
11.0.0-alpha.12                   pass
11.0.0-alpha.13                   pass
11.0.0-alpha.14                   pass
11.0.0-alpha.15                   fail  ERR_PNPM_BROKEN_LOCKFILE
11.0.0-alpha.16                   fail  ERR_PNPM_BROKEN_LOCKFILE
11.0.0-beta.0                     fail  ERR_PNPM_BROKEN_LOCKFILE
11.0.0-beta.4                     fail  ERR_PNPM_BROKEN_LOCKFILE
11.0.0-beta.8                     fail  ERR_PNPM_BROKEN_LOCKFILE
11.0.0-rc.0                       fail  ERR_PNPM_BROKEN_LOCKFILE

Describe the Bug

When a project declares packageManager: pnpm@10.32.1, running pnpm@11.0.0-rc.0 install --frozen-lockfile resolves to the requested 10.32.1 version at the --version level, but the actual install path still fails with:

ERR_PNPM_BROKEN_LOCKFILE
The lockfile at "/repo/pnpm-lock.yaml" is broken: expected a single document in the stream, but found more

The same project and lockfile succeed when run with:

• pnpm@10.32.1 install --frozen-lockfile
• pnpm@10.32.0 install --frozen-lockfile

The failing launcher tested here is pnpm@11.0.0-rc.0, while the project's packageManager is pnpm@10.32.1.

So this does not look like a plain lockfile corruption issue. It looks specific to the pnpm@11 -> packageManager pinned 10.x downgrade execution path.

This is also not simply “pnpm 11 ignores packageManager”. In the failing case:

• npx pnpm@11.0.0-rc.0 --version prints 10.32.1
• but npx pnpm@11.0.0-rc.0 install --frozen-lockfile still fails

So the version selection appears to happen, but the install path still behaves differently from direct pnpm@10.x.

The failure begins at v11.0.0-alpha.15.

The compare between v11.0.0-alpha.14 and v11.0.0-alpha.15 includes this lockfile-related change:

• 31858c5 fix: merge env lockfile into pnpm-lock.yaml (#10964)

Release notes for v11.0.0-alpha.15 also mention that the env lockfile is now stored as the first YAML document in pnpm-lock.yaml.

I also verified this directly against the pnpm/pnpm source code:

1. checked out v11.0.0-alpha.15
2. reverted commit 31858c5
3. rebuilt the CLI bundle from source
4. ran the rebuilt CLI against the same exported localeja reproduction

Result:

• rebuilt/reverted alpha.15 bundle reports 10.32.1
• node dist/pnpm.mjs install --frozen-lockfile --ignore-scripts passes

So reverting 31858c5 from v11.0.0-alpha.15 is sufficient to make the reproduction pass again in my environment.

Possibly related issues:

• pnpm/action-setup#225: action-setup@v6 does not take the requested pnpm version into account action-setup#225
• pnpm/action-setup#227: action-setup@v6 does not install pnpm version specified in package_json_file action-setup#227
• pnpm/action-setup#228: action-setup v6 renders invalid YAML file action-setup#228

Expected Behavior

If pnpm@11 detects packageManager: pnpm@10.32.1, then either:

• it should execute installs exactly as pnpm@10.32.1 would, or
• it should fail with a clear version-management error

It should not report the lockfile as broken when the same lockfile succeeds under direct pnpm@10.x.

Which Node.js version are you using?

v24.14.1

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

node:24.14.1 Docker image

[zkochan]

This will not happen again. pnpm v11 will not write two yaml documents to pnpm-lock.yaml if pnpm v10 is declared via the packageManager field in package.json.

[mkusaka]

Thanks for the fix, @zkochan. I confirmed on my side that the original issue is fixed with pnpm 11.0.0-rc.2.

Some GitHub Actions users still seem to be affected via pnpm/action-setup v6, so I opened a follow-up PR there as well:
pnpm/action-setup#232

Closing this issue since the original pnpm issue is fixed.