Verify latest release
pnpm version
No response
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
- install a tarball dependency using
pnpm add [package]@https://...
(in my case I used pnpm add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz)
- remove pnpm-lock.yaml and node_modules
- run
pnpm install (works)
- run
pnpm update (works, but removes integrity field from lock file for xlsx)
- almost no pnpm command works afterwards due to missing integrity field
Additional info: for whatever reason sheetjs (maintainer of xlsx) decided to build their own cdn instead of using npm (only the vulnerable version 0.18.5 can be found on npm).
Describe the Bug
Running pnpm update with a tarball decency removes the integrity field from the lock file for that depency making pnpm unusable for any follow up commands.
Expected Behavior
The integrity field is not removed and pnpm continues to work after pnpm update
Which Node.js version are you using?
24.15.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response
Verify latest release
pnpm version
No response
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
pnpm add [package]@https://...(in my case I used
pnpm add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz)pnpm install(works)pnpm update(works, but removes integrity field from lock file for xlsx)Additional info: for whatever reason sheetjs (maintainer of xlsx) decided to build their own cdn instead of using npm (only the vulnerable version 0.18.5 can be found on npm).
Describe the Bug
Running
pnpm updatewith a tarball decency removes the integrity field from the lock file for that depency making pnpm unusable for any follow up commands.Expected Behavior
The integrity field is not removed and pnpm continues to work after
pnpm updateWhich Node.js version are you using?
24.15.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response