Conversation
…orkspace packages When link-workspace-packages=true, the fallback resolution paths (registry 404 and no matching registry version) pass update: Boolean(opts.update) to tryResolveFromWorkspacePackages. On fresh installs without a lockfile entry, opts.update is 'compatible' (truthy), which overrides the version spec to '*' and matches any workspace package regardless of version. Change both fallback call sites to pass update: false so version constraints are always respected for non-workspace-protocol dependencies. The workspace: protocol path returns before these blocks and correctly continues to use opts.update. Closes pnpm#10173
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a regression in @pnpm/npm-resolver where, with link-workspace-packages=true, fallback-to-workspace resolution could incorrectly ignore the requested version range during fresh installs (when opts.update is truthy), causing mismatched workspace packages to be linked.
Changes:
- Pass
update: falsetotryResolveFromWorkspacePackagesin both non-workspace fallback paths so workspace fallback always respects the requested version constraint. - Add regression tests covering 404 and no-matching-registry-version scenarios to ensure mismatched workspace versions are not linked.
- Add a changeset for the patch release.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
resolving/npm-resolver/src/index.ts |
Ensures fallback-to-workspace resolution does not override dependency version constraints via update. |
resolving/npm-resolver/test/index.ts |
Adds tests that fail if a mismatching workspace version is incorrectly linked during fallback resolution. |
.changeset/legal-ways-accept.md |
Declares a patch release and documents the fix for link-workspace-packages=true. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
zkochan
approved these changes
Feb 28, 2026
|
Congrats on merging your first pull request! 🎉🎉🎉 |
zkochan
added a commit
that referenced
this pull request
Mar 7, 2026
…orkspace packages (#10704) * fix(npm-resolver): respect version constraints when falling back to workspace packages When link-workspace-packages=true, the fallback resolution paths (registry 404 and no matching registry version) pass update: Boolean(opts.update) to tryResolveFromWorkspacePackages. On fresh installs without a lockfile entry, opts.update is 'compatible' (truthy), which overrides the version spec to '*' and matches any workspace package regardless of version. Change both fallback call sites to pass update: false so version constraints are always respected for non-workspace-protocol dependencies. The workspace: protocol path returns before these blocks and correctly continues to use opts.update. Close #10173 * test: clarify npm-resolver test names for workspace version mismatch scenarios --------- Co-authored-by: Zoltan Kochan <z@kochan.io>
zkochan
added a commit
that referenced
this pull request
Mar 7, 2026
…orkspace packages (#10704) * fix(npm-resolver): respect version constraints when falling back to workspace packages When link-workspace-packages=true, the fallback resolution paths (registry 404 and no matching registry version) pass update: Boolean(opts.update) to tryResolveFromWorkspacePackages. On fresh installs without a lockfile entry, opts.update is 'compatible' (truthy), which overrides the version spec to '*' and matches any workspace package regardless of version. Change both fallback call sites to pass update: false so version constraints are always respected for non-workspace-protocol dependencies. The workspace: protocol path returns before these blocks and correctly continues to use opts.update. Close #10173 * test: clarify npm-resolver test names for workspace version mismatch scenarios --------- Co-authored-by: Zoltan Kochan <z@kochan.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix regression introduced in 81f441c.
When link-workspace-packages=true, the fallback resolution paths (registry 404
and no matching registry version) pass update: Boolean(opts.update) to
tryResolveFromWorkspacePackages. On fresh installs without a lockfile entry,
opts.update is 'compatible' (truthy), which overrides the version spec to '*'
and matches any workspace package regardless of version.
Change both fallback call sites to pass update: false so version constraints
are always respected for non-workspace-protocol dependencies. The workspace:
protocol path returns before these blocks and correctly continues to use
opts.update.
Closes #10173