pnpm does not warn about issues with peer dependencies if the lockfile is up to date #7087

@SystemParadox

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

7.33.6, 8.7.5

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

pnpm i react@17.0.0
pnpm i react-dom@18.0.0
rm -rf node_modules
pnpm i

Describe the Bug

After installing/removing/changing packages, pnpm will print peer dependency warnings:

$ pnpm i react-dom@18.0.0
Packages: +2
++
Progress: resolved 6, reused 4, downloaded 2, added 2, done

dependencies:
+ react-dom 18.0.0 (18.2.0 is available)

 WARN  Issues with peer dependencies found
.
└─┬ react-dom 18.0.0
  └── ✕ unmet peer react@^18.0.0: found 17.0.0

Done in 2.5s

However, after this pnpm never prints these warnings again until you actually install/remove/change a package or delete the lockfile:

$ pnpm i
Lockfile is up to date, resolution step is skipped
Already up to date
Done in 660ms

Even if you delete node_modules and pnpm reinstalls the packages it doesn't show it:

$ rm -rf node_modules; pnpm i
Lockfile is up to date, resolution step is skipped
Packages: +6
++++++
Progress: resolved 6, reused 6, downloaded 0, added 6, done

dependencies:
+ react 17.0.0
+ react-dom 18.0.0

Done in 710ms

Even with strict-peer-dependencies=true, if the lockfile is up to date then pnpm will happily install these packages without even printing any warnings.

pnpm list doesn't mention it either:

$ pnpm list
Legend: production dependency, optional only, dev only

foo@1.0.0 /home/simon/dc/foo

dependencies:
react 17.0.0
react-dom 18.0.0

Aside from the fact that there appears to be no way to check peer state once the lockfile is up to date, a massive issue with this is that if somebody else installs a package and pushes the lockfile with an invalid peer state (via git), pnpm will happily install this bad state for me and I will never have been warned about it, since it will only have printed the warning when the other dev installed it.

We've wasted hours trying to track down bugs that were already fixed but didn't realise that the peer hadn't been updated because pnpm wouldn't tell us.

Expected Behavior

pnpm i and pnpm list should always print peer dependencies warnings, regardless of whether anything is being updated or not. Or at the very least, there should be some sort of pnpm check command that can be used to check this.

NOTE: npm i always prints peer dependency warnings. pnpm should do the same.

Which Node.js version are you using?

16.20.1

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

Debian 11
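
The check requested above can be approximated outside pnpm by comparing each installed package's declared peer ranges against the versions actually present. The following is an added example, not part of the original issue and not pnpm's code. The function names are hypothetical, the input is assumed to be a flat list of installed manifests (one version per package name), and the range matcher is a simplified stand-in for full semver that ignores prerelease ordering and reports any range it cannot parse as unmet.

```javascript
// Added example: peer check over installed manifests, independent of the lockfile.
// Range support is simplified (exact, ^, ~, >=, *, "||"); not the full semver grammar.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.+-]*)?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version or range: ${v}`);
  return m.slice(1).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  const v = parse(version);
  return range.split('||').some((alt) => {
    const r = alt.trim();
    if (r === '*' || r === '') return true;
    if (r.startsWith('>=')) return cmp(v, parse(r.slice(2))) >= 0;
    if (r[0] !== '^' && r[0] !== '~') return cmp(v, parse(r)) === 0;
    const lo = parse(r.slice(1));
    if (cmp(v, lo) < 0) return false;
    if (r[0] === '^' && lo[0] > 0) return v[0] === lo[0]; // ^1.2.3: same major
    if (r[0] === '^' && lo[1] === 0) return cmp(v, lo) === 0; // ^0.0.3: exact
    return v[0] === lo[0] && v[1] === lo[1]; // ~1.2.3 and ^0.2.3: same minor
  });
}
function findUnmetPeers(installed) {
  const byName = new Map(installed.map((p) => [p.name, p.version]));
  const issues = [];
  for (const pkg of installed) {
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      const found = byName.get(peer);
      const optional = pkg.peerDependenciesMeta?.[peer]?.optional === true;
      if (found === undefined && optional) continue; // absent optional peer is fine
      let ok = false;
      try { ok = found !== undefined && satisfies(found, range); } catch { /* fail closed */ }
      if (!ok) issues.push({ pkg: `${pkg.name}@${pkg.version}`, peer, range, found: found ?? 'missing' });
    }
  }
  return issues;
}
// Constructed sample mirroring the issue: react 17.0.0 beside react-dom 18.0.0.
const sample = [
  { name: 'react', version: '17.0.0' },
  { name: 'react-dom', version: '18.0.0', peerDependencies: { react: '^18.0.0' } },
];
for (const i of findUnmetPeers(sample)) {
  console.log(`unmet peer ${i.peer}@${i.range}: found ${i.found} (required by ${i.pkg})`);
}
```

Run as a CI step after install and fail the job when the returned array is non-empty, so a lockfile pushed with an invalid peer state is caught on every checkout rather than only on the machine that changed it.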
