fix(env-installer): prune env lockfile when updating a config dep #11892

Merged: zkochan merged 1 commit into main from fix-config-lockfile on May 23, 2026
zkochan (Member) commented May 23, 2026

Summary

When updating a config dependency via pnpm add --config <pkg>, the optional subdependencies of the previously resolved version were left as orphan entries in pnpm-lock.env.yaml. The sibling resolveAndInstallConfigDeps path already prunes; this PR adds the same pruneEnvLockfile call to resolveConfigDeps before the write.

Test plan

  • New regression test in installing/env-installer/test/resolveConfigDeps.test.ts (orphan optional subdeps from a previous resolution are pruned) — pre-populates the env lockfile with an unreferenced parent + optional subdep, runs resolveConfigDeps, asserts the orphans are gone. Verified the test fails on main and passes with the fix.
  • All 6 tests in resolveConfigDeps.test.ts pass.

Pacquet parity

If pacquet has ported the config-deps install flow, this same pruning needs to land on the Rust side too — flagging for a maintainer to check before merge.


Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue where pnpm add --config left orphan entries in pnpm-lock.env.yaml for outdated configuration dependencies. The package manager now properly cleans up stale optional subdependencies when config dependencies are updated.

`pnpm add --config <pkg>` (via `resolveConfigDeps`) wrote the env
lockfile without pruning, so optional subdependencies from the
previously resolved version remained as orphans. Mirror the prune
call from `resolveAndInstallConfigDeps`.
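
An added example, not part of this PR or of pnpm's code: the pruning described above expressed as a reachability check, in plain JavaScript. The lockfile shape, the function names and the `baz` package are assumptions; `foo@99.0.0`, `bar@1.0.0` and `foo@100.0.0` mirror the regression test described in this conversation.

```javascript
// Added example. The lockfile shape below is a simplified assumption,
// not pnpm's real pnpm-lock.env.yaml schema or its pruneEnvLockfile code.
const depKey = (name, version) => `${name}@${version}`
// Keys reachable from the root config dependencies through
// optionalDependencies. The `seen` set also stops cyclic references.
function reachableKeys (lockfile) {
  const seen = new Set()
  const queue = Object.entries(lockfile.configDependencies).map(([n, v]) => depKey(n, v))
  while (queue.length > 0) {
    const current = queue.pop()
    if (seen.has(current)) continue
    seen.add(current)
    const snapshot = lockfile.snapshots[current] || {}
    for (const [n, v] of Object.entries(snapshot.optionalDependencies || {})) queue.push(depKey(n, v))
  }
  return seen
}

// Entries recorded in the file that no root reaches any more.
function findOrphans (lockfile) {
  const reachable = reachableKeys(lockfile)
  const recorded = new Set([...Object.keys(lockfile.packages), ...Object.keys(lockfile.snapshots)])
  return [...recorded].filter((k) => !reachable.has(k)).sort()
}

// Copy of the lockfile holding only reachable entries; the input is not mutated.
function pruneOrphans (lockfile) {
  const reachable = reachableKeys(lockfile)
  const keep = (entries) => Object.fromEntries(Object.entries(entries).filter(([k]) => reachable.has(k)))
  return { ...lockfile, packages: keep(lockfile.packages), snapshots: keep(lockfile.snapshots) }
}

// Constructed sample: the config dep moved from foo@99.0.0 to foo@100.0.0, but the
// old version and its optional subdep bar@1.0.0 were never removed. baz is invented.
const staleLockfile = {
  configDependencies: { foo: '100.0.0' },
  packages: {
    'foo@100.0.0': { integrity: 'sha512-PLACEHOLDER' },
    'baz@2.0.0': { integrity: 'sha512-PLACEHOLDER' },
    'foo@99.0.0': { integrity: 'sha512-PLACEHOLDER' },
    'bar@1.0.0': { integrity: 'sha512-PLACEHOLDER' },
  },
  snapshots: {
    'foo@100.0.0': { optionalDependencies: { baz: '2.0.0' } },
    'baz@2.0.0': {},
    'foo@99.0.0': { optionalDependencies: { bar: '1.0.0' } },
    'bar@1.0.0': {},
  },
}
```

Run as a CI check, a non-empty `findOrphans` result flags entries that stay pinned in the lockfile although no config dependency references them.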
coderabbitai Bot commented May 23, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e0bd879 and a8d5616.

📒 Files selected for processing (3)
  • .changeset/prune-env-lockfile-on-config-dep-update.md
  • installing/env-installer/src/resolveConfigDeps.ts
  • installing/env-installer/test/resolveConfigDeps.test.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: ubuntu-latest / Node.js 24 / Test
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use trailing commas in TypeScript code
Prefer functions over classes in TypeScript code
Declare functions after they are used, relying on function hoisting in TypeScript
Functions should have no more than two or three arguments; use a single options object instead for multiple parameters in TypeScript
Follow import order in TypeScript: 1) standard libraries, 2) external dependencies (alphabetically sorted), 3) relative imports
Write self-explanatory code in TypeScript; avoid comments that restate what the code already says. Use comments only for non-obvious reasons, hidden invariants, or workarounds
Use JSDoc for function contracts (preconditions, postconditions, edge cases), not for re-narrating the function body in TypeScript

Files:

  • installing/env-installer/src/resolveConfigDeps.ts
  • installing/env-installer/test/resolveConfigDeps.test.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use instanceof Error for error type checking in Jest tests; use util.types.isNativeError() instead in TypeScript

Files:

  • installing/env-installer/test/resolveConfigDeps.test.ts
🧠 Learnings (1)
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.

Applied to files:

  • installing/env-installer/src/resolveConfigDeps.ts
  • installing/env-installer/test/resolveConfigDeps.test.ts
🔇 Additional comments (3)
.changeset/prune-env-lockfile-on-config-dep-update.md (1)

1-6: LGTM!

installing/env-installer/src/resolveConfigDeps.ts (1)

18-19: LGTM!

Also applies to: 82-83

installing/env-installer/test/resolveConfigDeps.test.ts (1)

5-5: LGTM!

Also applies to: 143-181


Walkthrough

This PR fixes a lockfile pollution issue where updating a config dependency in pnpm add --config left orphan entries in pnpm-lock.env.yaml from the prior resolved version. The fix integrates pruneEnvLockfile into the config resolution pipeline, removes stale optional subdependencies, and includes test validation.

Changes

Env lockfile pruning for config dependency updates

Layer / File(s) | Summary
Pruning integration in resolveConfigDeps (installing/env-installer/src/resolveConfigDeps.ts) | resolveConfigDeps imports and calls pruneEnvLockfile after collecting all resolved config dependencies and snapshots, ensuring stale entries are removed before the lockfile is persisted.
Test coverage for orphan subdeps pruning (installing/env-installer/test/resolveConfigDeps.test.ts) | Test pre-populates an env lockfile with orphaned optional subdependencies from a prior config version (foo@99.0.0, bar@1.0.0), calls resolveConfigDeps with a newer config version (foo@100.0.0), and asserts that stale package and snapshot entries are pruned while current entries remain.
Release notes (.changeset/prune-env-lockfile-on-config-dep-update.md) | Changeset documents patch releases for pnpm and @pnpm/installing.env-installer, noting that pnpm add --config no longer leaves orphan entries in pnpm-lock.env.yaml when a config dependency is updated.

Possibly related PRs

  • pnpm/pnpm#11725: Complements this PR by recording optional subdependencies into envLockfile during config-dep resolution; this PR ensures those entries are pruned when dependencies are updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 When configs get old, the stale entries stay,
But pruning our lockfiles makes clutter away!
From ninety-nine down to the newest version bright,
Our lock files now clean, dependencies quite right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'fix(env-installer): prune env lockfile when updating a config dep' directly and clearly describes the main change: pruning the env lockfile when a config dependency is updated.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


@zkochan zkochan marked this pull request as ready for review May 23, 2026 23:34
@qodo-code-review

Qodo reviews are paused for this user.

@zkochan zkochan merged commit 155af87 into main May 23, 2026
12 checks passed
@zkochan zkochan deleted the fix-config-lockfile branch May 23, 2026 23:49