Tarball package fails after pnpm update (removes integrity field) #12067

Description

@petrhora

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

  1. install a tarball dependency using pnpm add [package]@https://...
    (in my case I used pnpm add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz)
  2. remove pnpm-lock.yaml and node_modules
  3. run pnpm install (works)
  4. run pnpm update (works, but removes integrity field from lock file for xlsx)
  5. almost no pnpm command works afterwards due to missing integrity field

Additional info: for whatever reason sheetjs (maintainer of xlsx) decided to build their own cdn instead of using npm (only the vulnerable version 0.18.5 can be found on npm).

Describe the Bug

Running pnpm update with a tarball dependency removes the integrity field from the lock file for that dependency, making pnpm unusable for any follow-up commands.

Expected Behavior

The integrity field is not removed and pnpm continues to work after pnpm update

Which Node.js version are you using?

24.15.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

No response
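
A lockfile check for the condition this report describes, added here as an example (not pnpm's code and not from the reporter): it lists `packages` entries in `pnpm-lock.yaml` text whose `resolution` has a `tarball` but no `integrity`. The lockfile layout, the `demo` entry and the `sha512-` values are constructed assumptions.

```javascript
// Added example. Assumed layout: a top-level "packages:" map whose entries carry
// "resolution:" either inline ({integrity: ..., tarball: ...}) or as a nested block.
function findTarballsMissingIntegrity(lockText) {
  const missing = [];
  let inPackages = false, inResolution = false, current = null;
  const flush = () => {
    if (current && current.tarball && !current.integrity) missing.push(current.key);
    current = null;
  };
  for (const raw of lockText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {                        // top-level section header
      flush();
      inPackages = line === 'packages:';
      continue;
    }
    if (!inPackages) continue;
    if (indent === 2 && line.endsWith(':')) {  // start of a package entry
      flush();
      inResolution = false;
      const key = line.slice(0, -1).replace(/^['"]|['"]$/g, '');
      current = { key, tarball: false, integrity: false };
      continue;
    }
    if (!current) continue;
    if (indent === 4) {
      inResolution = line === 'resolution:';           // block form follows
      if (!line.startsWith('resolution:')) continue;   // some other entry field
    } else if (!(indent === 6 && inResolution)) {
      continue;                                        // not part of a resolution
    }
    if (/\btarball:\s*\S/.test(line)) current.tarball = true;
    if (/\bintegrity:\s*\S/.test(line)) current.integrity = true;
  }
  flush();
  return missing;
}

// Constructed sample lockfile text (hash values are placeholders, not real digests).
const SAMPLE = ['packages:', '', '  left-pad@1.3.0:',
  '    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}', '',
  '  xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz:',
  '    resolution: {tarball: https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz}',
  '    version: 0.20.3', '', '  demo@https://example.invalid/demo-1.0.0.tgz:',
  '    resolution:', '      integrity: sha512-CONSTRUCTED-PLACEHOLDER',
  '      tarball: https://example.invalid/demo-1.0.0.tgz', '    version: 1.0.0', '',
  'snapshots:', '', '  xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz: {}'].join('\n');
console.log(findTarballsMissingIntegrity(SAMPLE));
```

Passing the contents of `pnpm-lock.yaml` to the function after `pnpm update` and failing the build on a non-empty result surfaces the dropped field before later commands hit it.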
