pnpm update --filter --latest leads to the lockfile changing for unrelated project and dependencies, when dedupe-peer-dependents is false #8877

@fpapado

Last pnpm version that worked

9.4.0

pnpm version

9.15.0

Code to reproduce the issue

More specifically, this stopped working as expected in 9.5.0. Version 10 rc0 also does not work as expected.

I have a full reproduction at https://github.com/fpapado/pnpm-filtered-updated-changes-other-packages, so please refer to that for the full details / a cloneable set of code.

In prose:
You will need a workspace with two packages: a and b. Each of them depends (pure dependencies) on react@18.3.0.

Run pnpm --filter a update --latest react, to update react only for package a, resolving react@19.0.0. Optionally run pnpm install (the observed behaviour seems the same regardless).

Observe the lockfile diff, see that react@19.0.0 is resolved also for b. The package.json of b is unaffected.

diff --git a/packages/a/package.json b/packages/a/package.json
index 64bd07f..1dfb9e1 100644
--- a/packages/a/package.json
+++ b/packages/a/package.json
@@ -10,6 +10,6 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "react": "18.3.0"
+    "react": "19.0.0"
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index b3fe1d8..0cbf890 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -11,36 +11,21 @@ importers:
   packages/a:
     dependencies:
       react:
-        specifier: 18.3.0
-        version: 18.3.0
+        specifier: 19.0.0
+        version: 19.0.0

   packages/b:
     dependencies:
       react:
         specifier: 18.3.0
-        version: 18.3.0
+        version: 19.0.0

 packages:

-  js-tokens@4.0.0:
-    resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
-
-  loose-envify@1.4.0:
-    resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
-    hasBin: true
-
-  react@18.3.0:
-    resolution: {integrity: sha512-RPutkJftSAldDibyrjuku7q11d3oy6wKOyPe5K1HA/HwwrXcEqBdHsLypkC2FFYjP7bPUa6gbzSBhw4sY2JcDg==}
+  react@19.0.0:
+    resolution: {integrity: sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==}
     engines: {node: '>=0.10.0'}

 snapshots:

-  js-tokens@4.0.0: {}
-
-  loose-envify@1.4.0:
-    dependencies:
-      js-tokens: 4.0.0
-
-  react@18.3.0:
-    dependencies:
-      loose-envify: 1.4.0
+  react@19.0.0: {}
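
Review bot: In the importers block, packages/b keeps "specifier: 18.3.0" while its "version" line changes to 19.0.0, so the resolved version no longer satisfies the exact pin, and the diff contains no manifest change for b to justify it. The same hunk removes react@18.3.0, loose-envify@1.4.0 and js-tokens@4.0.0 from both the packages and snapshots sections, so nothing left in the lockfile can satisfy b's pin. I would restore "version: 18.3.0" for packages/b together with the removed entries, and gate lockfile changes on a check that fails when an importer's exact specifier and its resolved version differ.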

pnpm ls -r react shows similar output:

pnpm ls -r react
Legend: production dependency, optional only, dev only

a@1.0.0 /Users/fotis/pnpm-filtered-updated-changes-other-packages/packages/a

dependencies:
react 19.0.0

b@1.0.0 /Users/fotis/pnpm-filtered-updated-changes-other-packages/packages/b

dependencies:
react 19.0.0

Expected behavior

That a resolves react@19.0.0 and b resolves react@18.3.0

Actual behavior

Now a resolves react@19.0.0 and b also resolves react@19.0.0

Additional information

While debugging and after reading the changelog for 9.5.0, I decided to set dedupe-peer-dependents=false in .npmrc, kind of on a whim. This actually fixes the issue, but I am confused, because we are not dealing with packages that are peer dependents.

It also seems odd to me that react@19.0.0 would be able to deduplicate react@18.3.0, since the major versions differ.

Please let me know if there is any other information I can provide; I might have missed something 😌

Node.js version

v22.12.0

Operating System

macOS
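
A check for the inconsistency visible in the lockfile diff above, where an importer's exact specifier and its resolved version disagree. This is an added example, not code from the issue author or the pnpm project; the helper name `findPinMismatches`, the indentation-based parsing and the sample text (constructed from the diff) are assumptions, and only exact pins are checked.

```javascript
// Constructed sample: the importers section as it looks after the update in this issue.
const SAMPLE_LOCKFILE = `importers:

  packages/a:
    dependencies:
      react:
        specifier: 19.0.0
        version: 19.0.0

  packages/b:
    dependencies:
      react:
        specifier: 18.3.0
        version: 19.0.0

packages:
`;

// An exact pin such as "18.3.0"; ranges, tags and workspace: specifiers are skipped.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const unquote = (s) => s.replace(/^['"]|['"]$/g, '');

// Hypothetical helper: returns every importer dependency whose exact specifier
// differs from the version the lockfile resolves for it.
// Assumes the 2-space layout shown in the diff (importer 2, name 6, fields 8).
function findPinMismatches(lockfileText) {
  const findings = [];
  let inImporters = false, importer = null, dep = null, specifier = null;
  for (const raw of lockfileText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inImporters = line === 'importers:'; continue; }
    const m = inImporters && /^(.+?):\s*(.*)$/.exec(line);
    if (!m) continue;
    const key = unquote(m[1]), value = unquote(m[2]);
    if (indent === 2) importer = key;
    else if (indent === 6) { dep = key; specifier = null; }
    else if (indent === 8 && key === 'specifier') specifier = value;
    else if (indent === 8 && key === 'version') {
      const resolved = value.replace(/\(.*$/, ''); // drop any "(peer@x)" suffix
      if (specifier !== null && EXACT.test(specifier) && resolved !== specifier)
        findings.push({ importer, dep, specifier, resolved });
    }
  }
  return findings;
}

console.log(findPinMismatches(SAMPLE_LOCKFILE));
```

Run against the real pnpm-lock.yaml text in CI, a non-empty result is the signal to block the change for review.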
