Local `package.json` are altered when `--lockfile-only` and `readPackage` are used together

[Silic0nS0ldier]

pnpm version: 7.16.0

Code to reproduce the issue:

foo/package.json

{
  "name": "foo"
}

.pnpmfile.cjs

module.exports = {
  hooks: {
    readPackage(pkg, ctx) {
      pkg.dependencies = {
        lodash: "*"
      };
      return pkg;
    }
  }
}

pnpm-workspace.yaml

packages:
  - foo

1. pnpm i --lockfile-only to generate pnpm-lock.yaml
2. pnpm i --lockfile-only to trigger package.json mutation bug

Expected behavior:

pnpm-lock.yaml and package.json which have invalid state are updated.

Actual behavior:

pnpm-lock.yaml and all package.json modified in readPackage hook are updated with changes from readPackage.

Note that this behavioural difference is different from running pnpm install alone.

Additional information:

• node -v prints: v16.18.0
• Windows, macOS, or Linux?: macOS
• Similar issues: Hooks modify package.json inside a monorepo #2164

[Silic0nS0ldier]

I'm still not sure why pnpm-lock.yaml is required for the bug to manifest, but I did manage to fix the issue. I'll have a PR up later today.