Verify latest release
pnpm version
At minimum, this bug affects the following versions:
- pnpm 9.1.1
- pnpm 9.1.2
- pnpm 9.1.3
- pnpm 9.1.4
- pnpm 9.2.0
At the time of writing, the latest version is pnpm 9.2.0.
Which area(s) of pnpm are affected? (leave empty if unsure)
Dependencies resolver, Lockfile
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
Create a package.json file containing the following, and ensure Corepack is enabled via corepack enable so you're using the specified version of pnpm.
{
  "dependencies": {
    "@aws-sdk/client-s3": "3.588.0"
  },
  "packageManager": "pnpm@9.1.4"
}
Then run pnpm dedupe repeatedly. Sometimes it will finish without any changes, and sometimes it will modify the lockfile.
The same behavior is observed with pnpm dedupe --check. Sometimes it will finish without suggesting any changes, and sometimes it will say changes are required.
Here's an example of two consecutive runs of pnpm dedupe --check yielding different results:
vscode ➜ /tmp/pnpm-dedupe-bug-reproduction $ pnpm dedupe --check
Progress: resolved 98, reused 97, downloaded 0, added 0, done
vscode ➜ /tmp/pnpm-dedupe-bug-reproduction $ pnpm dedupe --check
Progress: resolved 98, reused 97, downloaded 0, added 0, done
ERR_PNPM_DEDUPE_CHECK_ISSUES Dedupe --check found changes to the lockfile
Packages
@aws-sdk/client-s3@3.588.0
├── @aws-sdk/client-sso-oidc 3.588.0(@aws-sdk/client-sts@3.588.0) → 3.588.0
├── @aws-sdk/client-sts 3.588.0 → 3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
└── @aws-sdk/credential-provider-node 3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0) → 3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/client-sso-oidc@3.588.0
+ @aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
+ @aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
+ @aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0)
- @aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/client-sts@3.588.0
- @aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))
- @aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))
Run pnpm dedupe to apply the changes above.
Describe the Bug
pnpm dedupe and pnpm dedupe --check are behaving nondeterministically.
This means that if you include a pnpm dedupe --check step in your CI pipeline, it will fail roughly 50% of the time.
Expected Behavior
pnpm dedupe and pnpm dedupe --check should always yield the same output for the same input.
Which Node.js version are you using?
22.2.0
Which operating systems have you used?
If your OS is Linux-based, which one is it? (Include the version if relevant)
Debian 12.5
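
The repeated-run check from the reproduction steps can be scripted so the flakiness is measured rather than observed by hand. The following is an added example, not part of the original report or of pnpm: the helper names `distinct_outcomes` and `is_deterministic` are hypothetical, and the lockfile name `pnpm-lock.yaml` in the usage comment is an assumption about the project layout.

```shell
#!/bin/sh
# Added example: detect a nondeterministic lockfile-rewriting command by
# running it several times from the same starting lockfile and comparing
# the SHA-256 of the result after each run.
#
# Usage in the reproduction directory (assumed lockfile name):
#   distinct_outcomes 10 pnpm-lock.yaml pnpm dedupe
#   is_deterministic  10 pnpm-lock.yaml pnpm dedupe || echo "dedupe is flaky"

# distinct_outcomes RUNS LOCKFILE CMD [ARGS...]
# Prints how many different lockfile contents were produced across RUNS runs.
# The body is a subshell, so its variables do not leak into the caller.
distinct_outcomes() (
  runs=$1
  lockfile=$2
  shift 2
  baseline=$(mktemp) || return 2
  hashes=$(mktemp) || return 2
  cp -- "$lockfile" "$baseline" || return 2
  i=0
  while [ "$i" -lt "$runs" ]; do
    cp -- "$baseline" "$lockfile"      # every run starts from identical input
    "$@" >/dev/null 2>&1 || true       # exit status ignored; only the file matters
    sha256sum < "$lockfile" | cut -d' ' -f1 >> "$hashes"
    i=$((i + 1))
  done
  cp -- "$baseline" "$lockfile"        # leave the working tree as it was found
  sort -u "$hashes" | wc -l | tr -d ' '
  rm -f -- "$baseline" "$hashes"
)

# is_deterministic RUNS LOCKFILE CMD [ARGS...]
# Succeeds only when every run produced byte-identical lockfile content.
is_deterministic() {
  [ "$(distinct_outcomes "$@")" -eq 1 ]
}
```

A result greater than 1 means the same input produced different lockfiles, which is the behavior described above; the original lockfile is restored after the runs.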