pnpm install --frozen-lockfile does not throw an error when the lockfile is out of sync with pnpm-workspace.yaml's catalog

[azu]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

10.7.1

Which area(s) of pnpm are affected? (leave empty if unsure)

Lockfile

Link to the code that reproduces this issue or a replay of the bug

https://github.com/azu/pnpm--frozen-lockfile-bug

Reproduction steps

pnpm install --frozen-lockfile does not throw an error when the lockfile is out of sync with pnpm-workspace.yaml's catalog.

Reproduce Repository

• https://github.com/azu/pnpm--frozen-lockfile-bug

This repository's lockfile and catalog reference the package version as follows:

• lodash@4.0.0 in the pnpm-workspace.yaml(catalog)
• lodash@4.17.21 in the lockfile

pnpm-workspace.yaml

• refer lodash@4.0.0 in the workspace file

catalog:
  lodash: 4.0.0

pnpm-lock.yaml

• refer lodash@4.17.21 in the lockfile

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

catalogs:
  default:
    lodash:
      specifier: 4.17.21
      version: 4.17.21

importers:

  .:
    dependencies:
      lodash:
        specifier: 'catalog:'
        version: 4.17.21

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}

snapshots:

  lodash@4.17.21: {}

Reproduce Steps

1. Run pnpm install --frozen-lockfile in the workspace root directory

git clone https://github.com/azu/pnpm--frozen-lockfile-bug
cd pnpm--frozen-lockfile-bug
pnpm install --frozen-lockfile

Describe the Bug

I expect that running pnpm install --frozen-lockfile will throw an error when the lockfile is out of sync with the pnpm-workspace.yaml's catalog.
However, the command does not throw an error in pnpm@10.7.1.

Actual Behavior

The pnpm install --frozen-lockfile does not throw an error.
But, the command pnpm install updates the lockfile to match the pnpm-workspace.yaml.

pnpm install
git diff
diff --git i/pnpm-lock.yaml w/pnpm-lock.yaml
index 41fa5a5..7d83bb3 100644
--- i/pnpm-lock.yaml
+++ w/pnpm-lock.yaml
@@ -7,8 +7,8 @@ settings:
 catalogs:
   default:
     lodash:
-      specifier: 4.17.21
-      version: 4.17.21
+      specifier: 4.0.0
+      version: 4.0.0

 importers:

@@ -16,13 +16,13 @@ importers:
     dependencies:
       lodash:
         specifier: 'catalog:'
-        version: 4.17.21
+        version: 4.0.0

 packages:

-  lodash@4.17.21:
-    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
+  lodash@4.0.0:
+    resolution: {integrity: sha512-bWpSlBobTcHYK9eUzcBYHhSBGzvSzEsxocnW5+v7p6wCRlY1icneTe2ACam3mGdAu82+RLL32cmyl7TRlJHqZw==}

 snapshots:

-  lodash@4.17.21: {}
+  lodash@4.0.0: {}

Expected Behavior

The pnpm install --frozen-lockfile should throw an error indicating that the lockfile is out of sync with the pnpm-workspace.yaml.

Which Node.js version are you using?

v22.13.1

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No.

Context

I met this issue when dependabot created a PR to update the lockfile and the catalog was not updated. (This looks like a bug in dependabot. dependabot/dependabot-core#11953)

I expected that running pnpm install --frozen-lockfile would throw an error, but it did not.
This behavior is unexpected and could lead to confusion when working with pnpm catalogs.

Related Issue

Following issue is similar to this one, but I met this issue on pnpm catalogs.

• Changes when running pnpm install not reflected when running pnpm install --frozen-lockfile #5794

[azu]

📝 Workaround

I've implemented a CI check that detects mismatches between dependencies in pnpm-workspace.yaml and pnpm-lock.yaml. Since pnpm install --frozen-lockfile doesn't reliably error when there's a mismatch due to this bug, we use the following approach instead:

# Install dependencies without frozen lockfile flag
# This should be failed when catalog and lock is mismatch
# Workaround: https://github.com/pnpm/pnpm/issues/9369
- name: Install
  run: pnpm install --no-frozen-lockfile

# Then check if there are any unexpected diffs in the lockfile
# https://github.com/pnpm/pnpm/issues/9369
- name: Check pnpm lockfile diff
  run: |
    git diff --exit-code || {
      echo "pnpm-lock.yaml is not up to date with pnpm-workspace.yaml"
      echo "Please run pnpm install and commit the changes"
      echo "diff:"
      git diff
      exit 1
    }

[gluxon]

Thanks for reporting! I agree this is a bug and should be fixed.

[oscar8880]

Hi, I'm still facing this issue in version 10.17.1

[jom-sq]

We're experiencing this exact issue in our production monorepo (308 workspaces), causing multiple incidents:

The bug: pnpm install --frozen-lockfile doesn't fail when catalog definitions in pnpm-workspace.yaml don't match pnpm-lock.yaml

Real examples:

Scenario 1: Catalog version mismatch

• Changed pnpm-workspace.yaml catalog: zod: ^3.25.57 → zod: ^4.1.12
• Forgot to run pnpm install to update lockfile
• CI with --frozen-lockfile passed silently ❌
• Production build failed when lockfile was finally regenerated

Scenario 2: Merge conflict "resolved" incorrectly

• Developer used git checkout --theirs pnpm-lock.yaml during merge
• Lockfile no longer matched workspace catalog definitions
• pnpm install --frozen-lockfile in CI passed ❌
• Production broken

Expected behavior: pnpm install --frozen-lockfile should fail with an error when catalog definitions in workspace don't match what's in the lockfile.

Our workaround (same issue you described):

1. Include pnpm-workspace.yaml SHA in CI cache key
2. After pnpm install, compare lockfile SHA - fail if modified
3. Run pnpm install --lockfile-only to detect drift even with cache hits

This validation logic should be built into --frozen-lockfile. Would love to see this fixed upstream!