Skip to content

pnpm fetch fails with $ references in pnpm-workspace.yaml #12160

Description

@Rwwn

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

11.5.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver

Link to the code that reproduces this issue or a replay of the bug

See below for minimal code to reproduce

Reproduction steps

Create a directory with three files:

  1. pnpm-workspace.yaml, containing $ references in the overrides section like this:
overrides:
  react: $react
  react-dom: $react-dom
  1. A minimal package.json which contains only the packageManager field:
{"packageManager": "pnpm@11.5.0"}
  1. A valid pnpm-lock.yaml generated by pnpm i somewhere else previously.

Under these conditions, pnpm fetch fails with this error:  ERROR  Cannot resolve version $react in overrides. The direct dependencies don't have dependency "react".

Describe the Bug

We run into this situation in our Docker builds, which copy these three files in for the fetch to better take advantage of Docker layer caching, as advised by the pnpm fetch docs. We add the minimal package.json so that pnpm can automatically install the correct version for a given app, and that seems to be what causes the problem; the fetch works fine without the package.json there. But adding in the package.json with only a packageManager field causes the dependency resolution to break. The same happens with the devEngines.packageManager field in pnpm 11+.

Side note: as a workaround, I've used yaml anchors instead, since we wanted our overrides to match the versions in the catalog:

catalog:
  react: &react ^18.3.1
  react-dom: &react-dom ^18.3.1

overrides:
  react: *react
  react-dom: *react-dom

Expected Behavior

It seems like there is some validation happening when package.json is present, but I do not believe pnpm fetch needs to resolve these overrides at all; it should just be fetching the dependencies from the lock file and not re-resolving them. It can do that, as shown by the fact it works when package.json is not there.

If pnpm fetch needs to do some resolution based on the package.json, it should check for the existence of a dependencies key within it, not purely on the existence of a package.json

Which Node.js version are you using?

v24.12.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

Alpine Linux v3.22 (Docker image)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions