syncEnvLockfile skipped when running via corepack, leaving packageManagerDependencies stale

[tim-gq]

First, thanks for the incredibly quick turnaround on #11387 — shipping the fix in 11.0.1 the same day was impressive!

Description

The fix in #11392 for syncing stale packageManagerDependencies entries works correctly, but is bypassed when pnpm is executed via corepack. Since devEngines.packageManager typically implies corepack usage, the fix is effectively unreachable for the primary use case.

Root Cause

In pnpm/src/main.ts, the package manager handling block (including syncEnvLockfile) is wrapped in:

if (!isExecutedByCorepack() && cmd !== 'setup' && ...) {
  // ...
  checkPackageManager(pm)
  await syncEnvLockfile(config, context)
}

When corepack invokes pnpm, COREPACK_ROOT is set, causing isExecutedByCorepack() to return true and skip the entire block.

Steps to Reproduce

1. Use devEngines.packageManager in package.json:

   {
     "devEngines": {
       "packageManager": {
         "name": "pnpm",
         "version": "11.0.1"
       }
     }
   }

2. Have a stale lockfile with old version in packageManagerDependencies:

   packageManagerDependencies:
     pnpm:
       specifier: 11.0.0-rc.5
       version: 11.0.0-rc.5

3. Run pnpm install (which goes through corepack due to devEngines)

4. Observe that packageManagerDependencies remains at rc.5 despite running pnpm 11.0.1

Expected Behavior

The packageManagerDependencies section should be updated to 11.0.1, matching the running pnpm version.

Actual Behavior

The stale rc.5 entry persists because syncEnvLockfile is never called when COREPACK_ROOT is set.

The Gap

• Corepack: Manages which pnpm version runs, but doesn't touch the lockfile
• pnpm: Has code to update the lockfile (syncEnvLockfile), but skips it when corepack is involved

This creates a situation where neither tool updates the packageManagerDependencies section.

Suggested Fix

Consider running syncEnvLockfile even when executed by corepack, at least for the case where devEngines.packageManager is declared. The lockfile integrity record is still valuable even when corepack handles version selection.

Environment

• pnpm version: 11.0.1
• Node.js version: 24.x
• corepack version: (bundled with Node)
• OS: macOS

Related

• No validation error when devEngines.packageManager version mismatches lockfile packageManagerDependencies #11387 (fix that introduced syncEnvLockfile)
• fix: sync env lockfile when devEngines.packageManager version is stale #11392 (PR implementing the fix)

[tim-gq]

Workaround confirmed

We were able to work around this by running pnpm directly (not via corepack) to trigger the lockfile sync:

# Install standalone pnpm (not managed by corepack)
curl -fsSL https://get.pnpm.io/install.sh | env PNPM_VERSION=11.0.1 bash

# Run install using the standalone pnpm binary
~/.local/share/pnpm/pnpm install

Because COREPACK_ROOT isn't set when running the standalone binary, syncEnvLockfile executes and updates the packageManagerDependencies section correctly.

After this one-time fix, we can continue using corepack normally — the lockfile is now in sync.

This confirms the fix in #11392 works correctly; it's just the corepack bypass that prevents it from running in the typical devEngines.packageManager workflow.

[tim-gq]

Additional data point confirming the corepack bypass:

Without corepack (standalone pnpm 11.0.0):

ERROR  This project is configured to use 11.0.1 of pnpm. Your current pnpm is v11.0.0

✅ Correctly errors about the version mismatch.

With corepack (corepack pnpm@11.0.0):

Already up to date
Done in 119ms using pnpm v11.0.0

❌ No warning, no error — runs silently despite devEngines.packageManager specifying 11.0.1.

This confirms the validation logic works correctly; it's specifically the !isExecutedByCorepack() guard that bypasses it.

[zkochan]

Why do you want to use the devEngines field at all if you use corepack? The integrities in the lockfile will never be checked by corepack.

[tim-gq]

Apologies, I'm not familiar with Corepack, have just been using it in the team's dev environment. We were also seeing noisy lockfile header diffs from our CI pnpm dedupe job, which installs pnpm via pnpm/action-setup rather than Corepack.

After looking into this more, I think I was conflating two separate workflows:

• Corepack-managed pnpm version pinning via packageManager
• pnpm-managed package-manager resolution via devEngines.packageManager

For our use case, we want Corepack-compatible exact pinning, so packageManager is the better source of truth. The packageManagerDependencies entries in the lockfile are not useful for Corepack enforcement, since Corepack won't check them.

So I don't think this is a pnpm bug in the way I originally framed it. The practical fix on our side is to keep using packageManager and remove the stale env-lockfile header, rather than migrating to devEngines.packageManager just to get lockfile metadata.

Thanks for the clarification. I'll close this.

[tim-gq]

Closing based on the clarification above.

[zkochan]

If you want to prevent pnpm from managing its own versions, you can set pmOnFail: ignore in pnpm-workspace.yaml.