Verify latest release
pnpm version
11.0.0-rc.1
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
Update your .npmrc to pnpm install with at least 1 package from a (private) github registry.
.npmrc
@mycompany:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${github-classic-PAT}
Run these steps
- go to repository with .npmrc
- pnpm install
- Remove the central store
- go back to repository
- pnpm install --frozen-lockfile
You'll be greeted with the error:
WARN 2 other warnings
ERR_PNPM_FETCH_404 GET https://npm.pkg.github.com/@mycompany/my-repository/-/my-package-1.2.0.tgz: Not Found - 404B/19.44 MB
An authorization header was used: Bearer ghp_[hidden]
Progress: resolved 661, reused 0, downloaded 636, added 636
Believe me, the bearer token works because this is not an issue in pnpm 10.x and npm.
What's interesting is that pnpm install is not the issue, that one works! We get this specific error in our pipeline since it runs the pnpm install --frozen-lockfile command.
My research and resourceful pseudocolleague (claude) explained to me that potentially the issue could be:
When --frozen-lockfile skips the resolution step, pnpm constructs tarball URLs using the standard npm convention
(/@scope/name/-/name-version.tgz), but GitHub Packages serves tarballs at a
non-standard path (/download/@scope/name/version/<sha>). Without resolution,
pnpm never fetches the registry metadata that contains the correct tarball URL —
it seems to guess wrong.
Big chance that this is just hallucinations, but might be worth a look.
I also tried to add the lockfile-include-tarball-url=true flag but no luck. Does anyone have an idea?
Describe the Bug
As previously explained, potentially, the pnpm install --frozen-lockfile generates the wrong URL for the SHA check of internal private packages fetched from GitHub.com
Expected Behavior
no 404 errors.
Which Node.js version are you using?
v24.11.1
Which operating systems have you used?
If your OS is Linux-based, which one is it? (Include the version if relevant)
Mint
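
One way to test the hypothesis quoted in the report, as an added example that is not part of the original issue and not pnpm's code: compare the dist.tarball URL the registry advertises for each version with the npm-convention URL seen in the 404, and note whether the advertised URL stays on the host the .npmrc token is scoped to. The function names are hypothetical, the metadata is constructed sample data, and PLACEHOLDER_SHA stands in for the <sha> segment the report mentions.

```javascript
// Constructed sample data (not real registry output).
const SAMPLE_REGISTRY = 'https://npm.pkg.github.com/';
const SAMPLE_PACKUMENT = {
  name: '@mycompany/my-package',
  versions: {
    '1.2.0': { dist: { tarball:
      'https://npm.pkg.github.com/download/@mycompany/my-package/1.2.0/PLACEHOLDER_SHA' } },
    '1.1.0': { dist: { tarball:
      'https://npm.pkg.github.com/@mycompany/my-package/-/my-package-1.1.0.tgz' } },
  },
};

// npm convention: <registry>/<name>/-/<unscoped-name>-<version>.tgz
function conventionalTarballUrl(registry, name, version) {
  const base = registry.replace(/\/+$/, '');
  const unscoped = name.startsWith('@') ? name.split('/')[1] : name;
  return `${base}/${name}/-/${unscoped}-${version}.tgz`;
}

// Normalise so that "@scope%2fname" and "@scope/name" compare equal.
function normalize(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}${decodeURIComponent(u.pathname)}`;
}

// Return every version whose advertised tarball URL is missing or differs
// from the conventional one. sameHostAsRegistry matters because the
// "//host/:_authToken" line in .npmrc scopes the token to that host.
function findNonConventionalTarballs(registry, packument) {
  const registryHost = new URL(registry).host;
  const mismatches = [];
  for (const [version, manifest] of Object.entries(packument.versions || {})) {
    const advertised = (manifest.dist && manifest.dist.tarball) || null;
    const guessed = conventionalTarballUrl(registry, packument.name, version);
    if (advertised && normalize(advertised) === normalize(guessed)) continue;
    mismatches.push({
      version,
      advertised,
      guessed,
      sameHostAsRegistry: advertised ? new URL(advertised).host === registryHost : null,
    });
  }
  return mismatches;
}

console.log(findNonConventionalTarballs(SAMPLE_REGISTRY, SAMPLE_PACKUMENT));
```

A non-empty result for a real package would mean that an install which skips metadata resolution cannot rely on the conventional URL for that version; an empty result would point away from the hypothesis.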