
pnpm dedupe is behaving nondeterministically #8155

Description

@glacius-mitchell

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

At minimum, this bug affects the following versions:

  • pnpm 9.1.1
  • pnpm 9.1.2
  • pnpm 9.1.3
  • pnpm 9.1.4
  • pnpm 9.2.0

At the time of writing, the latest version is pnpm 9.2.0.

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver, Lockfile

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

Create a package.json file containing the following, and ensure Corepack is enabled via corepack enable so you're using the specified version of pnpm.

{
  "dependencies": {
    "@aws-sdk/client-s3": "3.588.0"
  },
  "packageManager": "pnpm@9.1.4"
}

Then run pnpm dedupe repeatedly. Sometimes it will finish without any changes, and sometimes it will modify the lockfile.

The same behavior is observed with pnpm dedupe --check. Sometimes it will finish without suggesting any changes, and sometimes it will say changes are required.

Here's an example of two consecutive runs of pnpm dedupe --check yielding different results:

vscode ➜ /tmp/pnpm-dedupe-bug-reproduction $ pnpm dedupe --check
Progress: resolved 98, reused 97, downloaded 0, added 0, done
vscode ➜ /tmp/pnpm-dedupe-bug-reproduction $ pnpm dedupe --check
Progress: resolved 98, reused 97, downloaded 0, added 0, done
 ERR_PNPM_DEDUPE_CHECK_ISSUES  Dedupe --check found changes to the lockfile

Packages
@aws-sdk/client-s3@3.588.0
├── @aws-sdk/client-sso-oidc 3.588.0(@aws-sdk/client-sts@3.588.0) → 3.588.0
├── @aws-sdk/client-sts 3.588.0 → 3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
└── @aws-sdk/credential-provider-node 3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0) → 3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))

+ @aws-sdk/client-sso-oidc@3.588.0
+ @aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
+ @aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))
+ @aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)
+ @aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0)
- @aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/client-sts@3.588.0
- @aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))
- @aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0)
- @aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))

Run pnpm dedupe to apply the changes above.

Describe the Bug

pnpm dedupe and pnpm dedupe --check are behaving nondeterministically.

This means that if you include a pnpm dedupe --check step in your CI pipeline, it will fail roughly 50% of the time.

Expected Behavior

pnpm dedupe and pnpm dedupe --check should always yield the same output for the same input.

Which Node.js version are you using?

22.2.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

Debian 12.5
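An added example, not part of the original issue and not pnpm's own code: before accepting a lockfile change like the one reported above, a reviewer will want to know whether any resolved `name@version` actually changed or only the peer suffixes did. The sketch below parses the `+`/`-` entries copied from the output above, assuming the `name@version(peer)(peer)` shape visible there. The function names are hypothetical.

```javascript
// Added example: "+" and "-" entries copied from the pnpm dedupe --check output above.
const added = [
  "@aws-sdk/client-sso-oidc@3.588.0",
  "@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)",
  "@aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))",
  "@aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))",
  "@aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)(@aws-sdk/client-sts@3.588.0(@aws-sdk/client-sso-oidc@3.588.0))",
  "@aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0)",
  "@aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0)",
];
const removed = [
  "@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0)",
  "@aws-sdk/client-sts@3.588.0",
  "@aws-sdk/credential-provider-ini@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)",
  "@aws-sdk/credential-provider-node@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))(@aws-sdk/client-sts@3.588.0)",
  "@aws-sdk/credential-provider-sso@3.588.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))",
  "@aws-sdk/credential-provider-web-identity@3.587.0(@aws-sdk/client-sts@3.588.0)",
  "@aws-sdk/token-providers@3.587.0(@aws-sdk/client-sso-oidc@3.588.0(@aws-sdk/client-sts@3.588.0))",
];

// Split "name@version(peer)(peer)" into the base id and its top-level peer suffixes.
function parseDepPath(path) {
  const open = path.indexOf("(");
  const base = open === -1 ? path : path.slice(0, open);
  const peers = [];
  for (let i = 0, depth = 0, start = 0; i < path.length; i++) {
    if (path[i] === "(" && depth++ === 0) start = i + 1;
    else if (path[i] === ")" && --depth === 0) peers.push(path.slice(start, i));
  }
  return { base, peers };
}
// List name@version ids present on only one side; none means only peer suffixes moved.
function classifyDedupeDiff(plus, minus) {
  const bases = (list) => new Set(list.map((p) => parseDepPath(p).base));
  const a = bases(plus), r = bases(minus);
  const changed = [...a].filter((b) => !r.has(b)).concat([...r].filter((b) => !a.has(b)));
  return { changed, peerSuffixOnly: changed.length === 0 };
}
// Direct peer edges [package, peer] by base id.
const peerEdges = (list) => list.flatMap((p) =>
  parseDepPath(p).peers.map((peer) => [parseDepPath(p).base, parseDepPath(peer).base]));
// Edges in "plus" whose reverse exists in "minus": the same pair, suffixed the other way round.
function flippedEdges(plus, minus) {
  const reversed = new Set(peerEdges(minus).map(([from, to]) => `${to} -> ${from}`));
  const forward = new Set(peerEdges(plus).map(([from, to]) => `${from} -> ${to}`));
  return [...forward].filter((e) => reversed.has(e));
}

console.log(classifyDedupeDiff(added, removed), flippedEdges(added, removed));
```

For the entries above, no `name@version` differs between the two sides, and the only flipped edge is between `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`: each run attaches one of them as the other's suffix.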
