devEngines.packageManager: packageManagerDependencies not written to lockfile without onFail, and not cleaned up when onFail is removed

[jiridanek]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

11.1.2

Which area(s) of pnpm are affected?

Lockfile, Package manager compatibility

Link to the code that reproduces this issue or a replay of the bug

(steps below are self-contained)

Reproduction steps

Part 1: packageManagerDependencies not written without onFail

mkdir /tmp/test-devengines && cd /tmp/test-devengines
cat > package.json << 'EOF'
{
  "private": true,
  "devEngines": {
    "packageManager": {
      "name": "pnpm",
      "version": ">=11.0.0"
    }
  },
  "dependencies": {
    "is-odd": "^3.0.1"
  }
}
EOF
cat > pnpm-workspace.yaml << 'EOF'
---
EOF
pnpm install
head -20 pnpm-lock.yaml
# Expected: packageManagerDependencies with resolved version
# Actual: no packageManagerDependencies at all

Part 2: Adding onFail: "download" triggers the write

cat > package.json << 'EOF'
{
  "private": true,
  "devEngines": {
    "packageManager": {
      "name": "pnpm",
      "version": ">=11.0.0",
      "onFail": "download"
    }
  },
  "dependencies": {
    "is-odd": "^3.0.1"
  }
}
EOF
rm -rf node_modules
pnpm install
head -20 pnpm-lock.yaml
# Now packageManagerDependencies appears with @pnpm/exe and platform-specific entries

Part 3: Removing onFail does NOT clean up

cat > package.json << 'EOF'
{
  "private": true,
  "devEngines": {
    "packageManager": {
      "name": "pnpm",
      "version": ">=11.0.0"
    }
  },
  "dependencies": {
    "is-odd": "^3.0.1"
  }
}
EOF
rm -rf node_modules
pnpm install
head -20 pnpm-lock.yaml
# Expected: packageManagerDependencies removed (onFail no longer set)
# Actual: packageManagerDependencies and all @pnpm/exe entries still present

---

Describe the Bug

Two related issues with devEngines.packageManager and lockfile behavior:

1. Without onFail: pnpm install does not write packageManagerDependencies to the lockfile at all, even though the docs say "The resolved version is stored in pnpm-lock.yaml" unconditionally. The user has to discover through trial-and-error that onFail: "download" is the trigger.

2. Removing onFail after it was set: The packageManagerDependencies entries (including ~7 @pnpm/* platform-specific binary packages) remain in the lockfile indefinitely. There's no way to clean them up short of deleting the lockfile and regenerating.

This creates a confusing experience: the feature appears broken without onFail, then once you add onFail to debug it, you get 200+ extra lines in your lockfile that you can't undo.

Expected Behavior

1. devEngines.packageManager should write packageManagerDependencies to the lockfile regardless of whether onFail is set. The onFail field controls runtime behavior (what to do on mismatch), not whether the resolution is recorded.

2. If onFail: "download" is removed, pnpm install should prune the @pnpm/exe entries from the lockfile since the download mechanism is no longer active and those entries serve no purpose.

Which Node.js version are you using?

v26.0.0

Which operating systems have you used?

• macOS
• Windows
• Linux

[jiridanek]

Source-level root cause analysis

Traced through the pnpm source at main (v11.1.2). The behavior comes from two separate code paths in pnpm/src/main.ts lines 106-127:

if (pm.onFail !== 'ignore') {
  if (pm.name === 'pnpm' && pm.onFail === 'download' && !isExecutedByCorepack()) {
    await switchCliVersion(config, context)   // PATH A
  } else {
    checkPackageManager(pm, ...)
    await syncEnvLockfile(config, context)     // PATH B
  }
}

Issue 1: packageManagerDependencies not written without onFail

Path A (onFail === "download") → switchCliVersion() (pnpm/src/switchCliVersion.ts line 39):

envLockfile = await resolvePackageManagerIntegrities(pm.version, {
  // ...
  save: persistLockfile,  // true for devEngines (shouldPersistLockfile.ts line 16)
})

This creates the packageManagerDependencies entry from scratch — it resolves the version range against the registry and writes it.

Path B (any other onFail, including the default) → syncEnvLockfile() (pnpm/src/syncEnvLockfile.ts lines 31-33):

const lockedVersion = envLockfile.importers['.'].packageManagerDependencies?.['pnpm']?.version
if (lockedVersion == null) return  // <-- EARLY RETURN: no existing entry → do nothing

This only updates an existing entry. If there's no packageManagerDependencies in the lockfile yet, it returns immediately. It never creates the initial entry.

So the initial resolution is gated behind onFail === "download" even though shouldPersistLockfile() returns true for all devEngines.packageManager declarations regardless of onFail.

Issue 2: Entries not cleaned up when onFail is removed

When onFail changes from "download" to the default:

1. Code takes Path B → syncEnvLockfile()
2. Finds existing lockedVersion (from the previous onFail: "download" run)
3. Checks semver.satisfies(lockedVersion, pm.version) → true (11.1.2 satisfies >=11.0.0)
4. Returns without doing anything

There is no code path that removes packageManagerDependencies or the associated @pnpm/exe platform-specific packages from the env lockfile. pruneEnvLockfile() (installing/env-installer/src/pruneEnvLockfile.ts line 17) treats packageManagerDependencies as a source of referenced packages:

dependencies: {
  ...envLockfile.importers['.'].configDependencies,
  ...(envLockfile.importers['.'].packageManagerDependencies ?? {}),  // always referenced
},

So the @pnpm/exe packages are considered "in use" and never pruned.

Suggested fix

For issue 1: syncEnvLockfile() should create the initial packageManagerDependencies entry when shouldPersistLockfile() returns true, not just update existing ones. The early return on lockedVersion == null should instead trigger the same resolvePackageManagerIntegrities(save: true) call that switchCliVersion does.

For issue 2: when onFail is not "download", the @pnpm/exe entries serve no purpose (pnpm won't download itself). Either syncEnvLockfile should strip @pnpm/exe from packageManagerDependencies when onFail !== "download", or pruneEnvLockfile should be aware that @pnpm/exe is only needed under the download flow.

Reproduction confirmed

All three steps from the issue description reproduced cleanly in a fresh /tmp project with pnpm 11.1.2 on macOS (Node v26.0.0).