`package-manager-strict` enforcement in pnpm 9 is a massive headache

[benmccann]

Last pnpm version that worked

8

pnpm version

9

Code to reproduce the issue

pnpm install with packageManager set to a different minor or patch version than you have installed

Expected behavior

I would expect to use the engines field to manage restrictions on what versions of package managers.

The packageManager field is used by platforms like Vercel and Netlify to choose what exact version of pnpm to use to run your project, which has been helpful for ensuring they're using a compatible major version.

However, I do not want to have to sync all of my various projects and locally installed version to always be using the same exact version of pnpm - especially with how frequently pnpm updates are released. Now I will have to constantly be updating the packageManager field in all my projects to match whatever the latest pnpm version is causing needless churn and a ton of annoying work that provides close to zero value. If I wanted to do that I already had the ability via engines.

Other users have been frustrated by this new enforcement as well. E.g. see #7956 (comment)

Actual behavior

 ERR_PNPM_BAD_PM_VERSION  This project is configured to use v9.1.1 of pnpm. Your current pnpm is v9.1.0

Additional information

Support for semver ranges is the number two issue in corepack nodejs/corepack#95. Setting package-manager-strict could make more sense after that is available. Though it would still seem to unnecessarily duplicate the engines field, so even then it wouldn't be my preference

Node.js version

20.10.0

Operating System

Linux

[zkochan]

The corepack repo is the right place to discuss this. We did not come up with this field. We just try to adhere it. In the meantime, you can disable this strictness by the setting.

[benmccann]

But pnpm 8 didn't adhere to it. Why start enforcing it now without regard for user impact?

[zkochan]

It is a breaking change, so it couldn't be done in v8.

The users have a choice to not use the field. The users also have a choice to make it less strict with the setting. So, I don't see the issue.

[benmccann]

We really don't have a choice not to use the field. Many hosting providers like Netlifly and Vercel require it to specify what version of pnpm is used. But I really just want to specify what version is used on the hosting provider and not locally. I can do this by updating all of my projects to package-manager-strict=false to get the desired behavior, but it'd be nice if that were the default.

We did not come up with this field. We just try to adhere it.

The point of the field as far as I understand is so that corepack can choose which version of a package manager to use. If a tool wants to adhere to the field by copying corepack's behavior it should automatically download and execute that version instead of bombing out. But why should it affect non-corepack users?

[trevorpfiz]

I just ran into this issue on Vercel after I had been deploying for days without issue? postinstall:  ERR_PNPM_BAD_PM_VERSION  This project is configured to use v9.1.0 of pnpm. Your current pnpm is v9.0.4. Did Vercel all of a sudden stop respecting "packageManager": "pnpm@9.1.0"? Curious if anyone else started running into this.

[dominikg]

If a tool wants to adhere to the field by copying corepack's behavior it should automatically download and execute that version instead of bombing out. But why should it affect non-corepack users?

i second this. There are many environments where corepack is not enabled by default and other tools might not use it. As long as pnpm itself is not able to run with the exact specified version on demand, this setting should not be the default.

another example: dependabot/dependabot-core#9522 (looks like dependabot uses pnpm 9.0.6 at the time of writing)

And i might be wrong but didn't corepack not download the exact patch version all the time but looked for a compatible local one first? So even corepack users might be bitten by this

[exiguus]

I just ran into this issue on Vercel after I had been deploying for days without issue? postinstall:  ERR_PNPM_BAD_PM_VERSION  This project is configured to use v9.1.0 of pnpm. Your current pnpm is v9.0.4. Did Vercel all of a sudden stop respecting "packageManager": "pnpm@9.1.0"? Curious if anyone else started running into this.

I have the same issue.
Currently we use in CI

corepack use pnpm@`pnpm -v`

as a work around.

Edit: This will set whatever pnpm version is installed on the system as "packageManager" in the package.json file and prevent the ERR_PNPM_BAD_PM_VERSION error.

[wadehammes]

corepack use pnpm@`pnpm -v`

This worked for me

corepack use pnpm@`pnpm -v` && pnpm i

Thanks @exiguus

[benmccann]

Most deployments using pnpm 9 on Vercel are failing as a result of this issue because they use pnpm 9.0.4 on their platform, so you need to set exactly "packageManager": "pnpm@9.0.4" or the deployment will fail. Thanks to @EndangeredMassa for providing these details. See vercel/vercel#11607 for more info

I think there are a few potential issues here:

• Vercel isn't following the packageManager field by default. I think it's not completely unreasonable for them to say they're going to use a specific version of pnpm, but I'm not sure they should reuse corepack's field for this if they're not also using corepack.
• By default, pnpm is enforcing that projects using the packageManager field can only be run using that specific version and basically disallowing you from running the project without corepack. I don't see why pnpm should have to enforce that you use corepack. I think it'd be nicer if pnpm knew nothing about corepack and corepack were a tool that sat on top of the various package managers
• Corepack doesn't provide a way to say you want pnpm 9 without caring about the exact version. Though I think that specifying an exact version is good practice, so I wouldn't necessarily suggest they change that. That's why we use lockfiles after all. But it does add an extra layer of annoyance to the two issues above

[EndangeredMassa]

Just dropping in to add some clarity/context to Vercel-specific support.

Many hosting providers like ... Vercel require it to specify what version of pnpm is used.

Vercel does not require this value. If you don't provide it, we'll detect the appropriate version of package manger to use based on the lockfile version. We have the most detailed mapping for pnpm, specifically.

There were some edge cases with this recently, but if you try again without the packageManager value, it should pick up the right major version of pnpm to use.

I just ran into this issue on Vercel

We did notice a lot of users started seeing this after we rolled out more complete pnpm@9 support. There are workarounds on the user end, which I described here: vercel/vercel#11607 (comment)

Vercel isn't following the packageManager field by default.

This is correct. Users can opt in to corepack support if they want, but by default, we do not use the package.json#packageManager value.

[benmccann]

Vercel does not require this value. If you don't provide it, we'll detect the appropriate version of package manger to use based on the lockfile version. We have the most detailed mapping for pnpm, specifically.

Ah, thanks! That's helpful to know. I tested it out and probably won't go that route because pnpm/action-setup also uses that field, so if I were to remove it then I'd have to duplicate the version in half a dozen different places in our GitHub workflows. Plus, with Netlify and other providers using that field still it's simpler just to have a standard solution of disabling package-manager-strict. I'll probably end up adding an .npmrc to the SvelteKit templates with package-manager-strict=false if the default isn't changed in pnpm

[kirso]

Just dropping in to add some clarity/context to Vercel-specific support.

Many hosting providers like ... Vercel require it to specify what version of pnpm is used.

Vercel does not require this value. If you don't provide it, we'll detect the appropriate version of package manger to use based on the lockfile version. We have the most detailed mapping for pnpm, specifically.

There were some edge cases with this recently, but if you try again without the packageManager value, it should pick up the right major version of pnpm to use.

I just ran into this issue on Vercel

We did notice a lot of users started seeing this after we rolled out more complete pnpm@9 support. There are workarounds on the user end, which I described here: vercel/vercel#11607 (comment)

Vercel isn't following the packageManager field by default.

This is correct. Users can opt in to corepack support if they want, but by default, we do not use the package.json#packageManager value.

Just wanted to com here and say that after a long time setting the corepack ENV variable worked for me and build finally did not fail. Thank you.