installing a dependency, by default, installs the lowest matching version of that dependency

[antony]

When installing a dependency, or working with a project without pnpm, without a lockfile, or from a template, unless that package.json has the exact latest version selector for that dependency, or has a static version of the dependency specified, an older, version of that dependency will be installed, meaning that buggy, stale, feature-lacking or security-compromised versions of a dependency are likely to be installed.

This means that maintaining a template becomes exceptionally arduous and maintenance intensive. It also means attempting to work with a project which has no pnpm lockfile (such as a project whose dependencies were previously managed with npm or yarn) is exceptionally prone to having outdated dependencies, which will cause the issues with outdated packages listed above.

The default behaviour should be the previous behaviour, with a configuration option to change that to the less desirable (imho) behaviour. It's hard to understand the reason for these new defaults, and a lot of quite serious problems (and spurious bug reports on OSS projects) are likely to arise as a result.

As a real world example, we encourage creation of a new svelte project with:

npx init svelte@latest 

which would result in getting the dependency @sveltejs/kit@1.5.0 due to the specifier "@sveltejs/kit": "^1.5.0". This version is quite old, has unresolved bugs, security issues, and lacks features we now document, but having this minimum pinned has been fine up until now, because pnpm <8 and other package managers will install the latest version by default.

Last pnpm version that worked:

v7.x.x

pnpm version:

v8.x.x

Code to reproduce the issue:

none

Expected behavior:

installing a dependency, by default, uses the latest matching version of that dependency.

Actual behavior:

installing a dependency, by default, uses the lowest matching version of that dependency.

Additional information:

This works as the docs describe, but this functionality feels like a regression because of the stark difference to how you would expect pnpm to manage dependencies, as well as how other equivalent tools manage dependencies.

Further to this, I couldn't fathom the reason for this change. Is there some missing context?

[lorenzodallavecchia]

Looks like the change is intentional:
https://github.com/pnpm/pnpm/releases/tag/v8.0.0

resolution-mode: set to lowest-direct by default.

[antony]

Looks like the change is intentional: https://github.com/pnpm/pnpm/releases/tag/v8.0.0

resolution-mode: set to lowest-direct by default.

Yes, that's why I've marked this as a regression. I've also mentioned the docs link under "Additional Information". I just don't think the change makes sense, and could have very bad consequences.

[zkochan]

is exceptionally prone to having outdated dependencies, which will cause the issues with outdated packages listed above.

Exactly, that is why you need to update you version specs. If you don't update the range then your package might get installed with a version of the dependency that you did not test. There is no guarantee that your package that has "@sveltejs/kit": "^1.5.0" in the dependencies, will be installed with the latest version of @sveltejs/kit matching ^1.5.0. 1.5.0 is also matching the range, so a package manager can decide to use it. For instance, if prefer-offline is enabled by the user and the latest version in the cache is 1.5.0. Or if there is already 1.5.0 in the lockfile and the package manager deduplicates.

[zkochan]

For templates we can come up with workarounds. Maybe when pnpm create is executed, we can install the latest versions matching the ranges and automatically update the ranges. Would that be fine?

[patak-cat]

For templates we can come up with workarounds. Maybe when pnpm create is executed, we can install the latest versions matching the ranges and automatically update the ranges. Would that be fine?

How would the fact that you run pnpm create be communicated to the next pnpm install? Right now pnpm create vite will create a folder with the template without a lock file, then the user cd into it and will pnpm install (or it could use a different pm). So resolving the deps in the templates is not part of pnpm create, no? If there is some way to mark this, I would prefer that the first pnpm install after a pnpm create will work as highest without modifying the ranges in package.json. But I think I'm missing some context here.

[Rich-Harris]

1.5.0 is also matching the range, so a package manager can decide to use it

But no other package manager does. ^1.5.0 is universally interpreted as 'the highest version compatible with 1.5.0'. To all intents and purposes pnpm now interprets it as 1.5.0, and if that's what the package author intended, they would have specified that. It means that pnpm is no longer a drop-in replacement for npm — up until this change I've recommended pnpm as an npm replacement without equivocation, but this change breaks expectations very substantially.

[dominikg]

Exactly, that is why you need to update you version specs. If you don't update the range then your package might get installed with a version of the dependency that you did not test.

If we didn't trust a dependency to adhere to semver, we would opt to "~1.1.0" or even "1.1.0" in package.json. with lowest-direct by default it takes away the usefulness of these semver selectors to get the most up2date versions upon first install.

fwiw in sveltekit we do test create-svelte without a lockfile present: https://github.com/sveltejs/kit/blob/master/packages/create-svelte/test/check.js . I don't expect everyone to go these lenghts and it's not perfect, but between that and user reports I think it's good enough to not have to expect users to remember to run pnpm update immediately after first pnpm install

[Conduitry]

The latest version of the create-svelte CLI now adds resolution-mode=highest to the .npmrc it creates, so users won't need to run pnpm update.

I don't think it should be the responsibility of a create-* CLI to have to prompt users for what package manager they want to use and then to run it for them - so pnpm install would continue to be a separate step from pnpm create anyway. I don't know how the pnpm create would be able to convey to pnpm install that it should grab the newest dependencies - other than by specifying resolution-mode=highest in .npmrc like it's now doing.

So there's a workaround in place now specifically for the SvelteKit template - but this still seems like very confusing behavior that is going to trip up a whole bunch of people using a whole bunch of starter templates for a whole bunch of things.

[zkochan]

If you want the old behaviour, you can change the resolution-mode setting to highest.

I understand your concern with the templates. We can think about it. If you create a .npmrc with resolution-mode=highest then I guess that is good enough? But I am open to other suggestions.

The reason we decided to change resolution-mode was to allow better caching in the future. I would actually want to change it to time-based but this is the first step in that direction. The current resolution-mode doesn't allow us to create an intermediate registry that would have a cache of the package metadata files and would do all the resolution on the server side instead of on the client side. This is something that stackblitz is doing currently but they don't always update the version to the latest one as they read the metadata from the cache. By changing the expectations of our users we will be able to make installations faster.

At the moment, package managers basically aren't using local metadata cache at all because of this expectation of "always resolving dependencies to the latest no matter what".

It means that pnpm is no longer a drop-in replacement for npm — up until this change I've recommended pnpm as an npm replacement without equivocation, but this change breaks expectations very substantially.

I don't agree with this statement because so far there weren't many complaints about this change. I have always reverted breaking changes when there was a backlash. For instance, this breaking change was reverted in pnpm v8 because there were many concerned users: "Direct dependencies are deduped. If a dependency is present in both a project and the workspace root, it will only be linked to the workspace root."

But there were no issues related to the resolution-mode change.

[Rich-Harris]

The reason we decided to change resolution-mode was to allow better caching in the future

With respect, I don't think this is the right trade-off. The old adage goes 'make it work, make it right, then make it fast' — in other words, correctness > performance. There's room for debate over what 'correct' means in this context, but I think most people would agree that the correct behaviour for a package manager is to install the most up-to-date packages allowed by the semver ranges that were specified by the package/template author.

there weren't many complaints about this change

It's a subtle change that will go unnoticed by many, and will make most people go 'huh, weird' when they encounter it, without connecting it to this change in behaviour. It's most visible to people maintaining templates, because we're the ones on the receiving end of bug reports.

I'd also argue that adding new non-standard fields to .npmrc is inherently problematic — this isn't npm runtime configuration, it's pnpm runtime configuration, and polluting the file limits npm's ability to make changes in future. At the very least, I think fields like resolution-mode should be namespaced.

[zkochan]

With respect, I don't think this is the right trade-off. The old adage goes 'make it work, make it right, then make it fast' — in other words, correctness > performance. There's room for debate over what 'correct' means in this context, but I think most people would agree that the correct behaviour for a package manager is to install the most up-to-date packages allowed by the semver ranges that were specified by the package/template author.

That is why it was only done for direct dependencies and for non-direct dependencies it will have to be discussed more.

the correct behaviour for a package manager is to install the most up-to-date packages allowed by the semver ranges that were specified by the package/template author.

This expectation is already broken with the introduction of lockfiles.

Also, performance is not the only reason. I have listed other issues above with the current resolution mode.

In my opinion even with templates this behaviour is good because users will get always a working template. But that is up to you. As far as I know, most of the init scripts run install as part of the initialization, so if that is the case, it should be enough just to run update instead of install and pnpm will update all the dependencies in package.json (respecting semver). If you want to just write the package.json without installing, then probably it makes sense to resolve the dependencies to their latest versions and write up-to-date ranges to package.json.

[benmccann]

For templates we can come up with workarounds. Maybe when pnpm create is executed, we can install the latest versions matching the ranges and automatically update the ranges. Would that be fine?

This would somewhat solve the issue, but I think there's a lot of cases where people use templates without using pnpm create. E.g. there's a large list of community-created templates on https://sveltesociety.dev/templates. Most of those are just GitHub repos where the user clones them and starts from there without running pnpm create. I fear that users will be getting outdated versions of their other dependencies by default. As a library author this is frustrating to me because I expect I'll get a lot more reports where I have to tell people to first update their dependencies and then try again. Of course template authors can setup a GitHub bot like rennovate to continuously bump their dependencies to the latest version. However, that's creating a much higher barrier to setting up any template and I expect it mostly won't happen - especially since it's only pnpm that has this behavior and not the two larger package managers. For templates that do it, it will create a huge amount of churn and the commit log will be filled with messages about updating to the latest dependency and it will be harder to see what actual code changes might have been made.

How would the fact that you run pnpm create be communicated to the next pnpm install?

I was going to say that perhaps if there's no pnpm-lock.yaml it could use the highest mode? But then I don't know when the lowest mode would ever be used as we have the lockfile the rest of the time...

The reason we decided to change resolution-mode was to allow better caching in the future.

Thanks for sharing this background! I would certainly say that one of the reasons I've loved pnpm is its speed and caching. Running npm install and then sitting there waiting is something I experience frequently, but with pnpm I don't really have that. At this point it's already fast enough that I don't think I'd really notice the difference. Of course opportunities to make things faster should always be considered, but I feel in this case that having updated dependencies by default is a larger win for the user experience than having a faster first install time.

In my opinion even with templates this behaviour is good because users will get always a working template.

I think that if templates had wanted this behavior they would have pinning their dependencies by omitting ^. The fact that they nearly universally have chosen to use ^ while knowing it will install the latest version means that they value that over installing a specific known version.