Verify latest release
pnpm version
11.5.0
Which area(s) of pnpm are affected? (leave empty if unsure)
Dependencies resolver
Link to the code that reproduces this issue or a replay of the bug
See below for minimal code to reproduce
Reproduction steps
Create a directory with three files:
pnpm-workspace.yaml, containing $ references in the overrides section like this:
overrides:
react: $react
react-dom: $react-dom
- A minimal
package.json which contains only the packageManager field:
{"packageManager": "pnpm@11.5.0"}
- A valid
pnpm-lock.yaml generated by pnpm i somewhere else previously.
Under these conditions, pnpm fetch fails with this error: ERROR Cannot resolve version $react in overrides. The direct dependencies don't have dependency "react".
Describe the Bug
We run into this situation in our Docker builds, which copy these three files in for the fetch to better take advantage of Docker layer caching, as advised by the pnpm fetch docs. We add the minimal package.json so that pnpm can automatically install the correct version for a given app, and that seems to be what causes the problem; the fetch works fine without the package.json there. But adding in the package.json with only a packageManager field causes the dependency resolution to break. The same happens with the devEngines.packageManager field in pnpm 11+.
Side note: as a workaround, I've used yaml anchors instead, since we wanted our overrides to match the versions in the catalog:
catalog:
react: &react ^18.3.1
react-dom: &react-dom ^18.3.1
overrides:
react: *react
react-dom: *react-dom
Expected Behavior
It seems like there is some validation happening when package.json is present, but I do not believe pnpm fetch needs to resolve these overrides at all; it should just be fetching the dependencies from the lock file and not re-resolving them. It can do that, as shown by the fact it works when package.json is not there.
If pnpm fetch needs to do some resolution based on the package.json, it should check for the existence of a dependencies key within it, not purely on the existence of a package.json
Which Node.js version are you using?
v24.12.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
Alpine Linux v3.22 (Docker image)
Verify latest release
pnpm version
11.5.0
Which area(s) of pnpm are affected? (leave empty if unsure)
Dependencies resolver
Link to the code that reproduces this issue or a replay of the bug
See below for minimal code to reproduce
Reproduction steps
Create a directory with three files:
pnpm-workspace.yaml, containing$references in the overrides section like this:package.jsonwhich contains only thepackageManager field:{"packageManager": "pnpm@11.5.0"}pnpm-lock.yamlgenerated bypnpm isomewhere else previously.Under these conditions,
pnpm fetchfails with this error:ERROR Cannot resolve version $react in overrides. The direct dependencies don't have dependency "react".Describe the Bug
We run into this situation in our Docker builds, which copy these three files in for the fetch to better take advantage of Docker layer caching, as advised by the pnpm fetch docs. We add the minimal
package.jsonso that pnpm can automatically install the correct version for a given app, and that seems to be what causes the problem; the fetch works fine without thepackage.jsonthere. But adding in thepackage.jsonwith only apackageManagerfield causes the dependency resolution to break. The same happens with thedevEngines.packageManagerfield in pnpm 11+.Side note: as a workaround, I've used yaml anchors instead, since we wanted our overrides to match the versions in the catalog:
Expected Behavior
It seems like there is some validation happening when
package.jsonis present, but I do not believepnpm fetchneeds to resolve these overrides at all; it should just be fetching the dependencies from the lock file and not re-resolving them. It can do that, as shown by the fact it works whenpackage.jsonis not there.If
pnpm fetchneeds to do some resolution based on thepackage.json, it should check for the existence of adependencieskey within it, not purely on the existence of apackage.jsonWhich Node.js version are you using?
v24.12.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
Alpine Linux v3.22 (Docker image)