fix: install packages with incompatible libc#8569
Conversation
| cert: opts.cert, | ||
| fullMetadata, | ||
| filterMetadata: fullMetadata, | ||
| filterMetadata, |
There was a problem hiding this comment.
you should filter metadata always. Just update the code that filters to keep the libc field.
There was a problem hiding this comment.
It does mean that the bug won't immediately be fixed unless the user clears the old metadata cache.
There was a problem hiding this comment.
you can bump the version in FULL_FILTERED_META_DIR
| workspace?: boolean | ||
| includeOnlyPackageFiles?: boolean | ||
| prepareExecutionEnv: PrepareExecutionEnv | ||
| fetchFullMetadata?: boolean | null |
There was a problem hiding this comment.
why is null needed? This already support undefined.
| fetchFullMetadata?: boolean | null | |
| fetchFullMetadata?: boolean |
There was a problem hiding this comment.
I think ? true : null would be clearer than ?? true.
There was a problem hiding this comment.
why would you use ?? true? That wouldn't work correctly. You'd use ? true : undefined
There was a problem hiding this comment.
I'm sorry, I meant && true. (I got the symbol mixed up)
There was a problem hiding this comment.
ok, well use ? true : undefined. That is less confusing.
There was a problem hiding this comment.
I chose instead to explicitly specify the type as true | undefined (7cd1b89).
I think ? true : undefined would risk future me going back and do refactor or even somebody even change it to actual boolean due to misunderstanding underfined as false.
pnpm/pnpm#9654 (and the earlier pnpm/pnpm#7362, partially addressed by pnpm/pnpm#8569) leaves every optional native binding from the lockfile on disk when installing via --frozen-lockfile: pnpm honours `os` and `cpu` from the binding's package.json but ignores `libc`, so a glibc slim image ends up shipping both `@napi-rs/canvas-linux-x64-gnu` and `@napi-rs/canvas-linux-x64-musl` (and the same for @rollup/rollup, etc.). The lockfile pins the musl variants only as a side effect of the optional-dep declaration -- it never intended them to ship to a glibc target -- so we drop them by hand after pnpm finishes and the --frozen-lockfile reproducibility contract is unaffected. Peer-dep dribble (e.g. valibot@1.2.0's optional `typescript` peer that pnpm 8+'s default `auto-install-peers=true` baked into the lockfile) is intentionally NOT pruned here. pnpm pins `autoInstallPeers` in the lockfile and refuses --frozen-lockfile if it changes (ERR_PNPM_LOCKFILE_CONFIG_MISMATCH), so deleting those entries would quietly break the lockfile contract this slim build still claims.
Fixes #7362