package-manager-strict enforcement in pnpm 9 is a massive headache
#8087
Comments
|
The corepack repo is the right place to discuss this. We did not come up with this field. We just try to adhere it. In the meantime, you can disable this strictness by the setting. |
|
But pnpm 8 didn't adhere to it. Why start enforcing it now without regard for user impact? |
|
It is a breaking change, so it couldn't be done in v8. The users have a choice to not use the field. The users also have a choice to make it less strict with the setting. So, I don't see the issue. |
|
We really don't have a choice not to use the field. Many hosting providers like Netlifly and Vercel require it to specify what version of pnpm is used. But I really just want to specify what version is used on the hosting provider and not locally. I can do this by updating all of my projects to
The point of the field as far as I understand is so that corepack can choose which version of a package manager to use. If a tool wants to adhere to the field by copying corepack's behavior it should automatically download and execute that version instead of bombing out. But why should it affect non-corepack users? |
|
I just ran into this issue on Vercel after I had been deploying for days without issue? |
i second this. There are many environments where corepack is not enabled by default and other tools might not use it. As long as pnpm itself is not able to run with the exact specified version on demand, this setting should not be the default. another example: dependabot/dependabot-core#9522 (looks like dependabot uses pnpm 9.0.6 at the time of writing) And i might be wrong but didn't corepack not download the exact patch version all the time but looked for a compatible local one first? So even corepack users might be bitten by this |
I have the same issue. corepack use pnpm@`pnpm -v`as a work around.
Edit: This will set whatever pnpm version is installed on the system as "packageManager" in the |
This worked for me Thanks @exiguus |
|
Most deployments using pnpm 9 on Vercel are failing as a result of this issue because they use pnpm 9.0.4 on their platform, so you need to set exactly I think there are a few potential issues here:
|
|
Just dropping in to add some clarity/context to Vercel-specific support.
Vercel does not require this value. If you don't provide it, we'll detect the appropriate version of package manger to use based on the lockfile version. We have the most detailed mapping for There were some edge cases with this recently, but if you try again without the
We did notice a lot of users started seeing this after we rolled out more complete
This is correct. Users can opt in to corepack support if they want, but by default, we do not use the |
Ah, thanks! That's helpful to know. I tested it out and probably won't go that route because |
Just wanted to com here and say that after a long time setting the corepack ENV variable worked for me and build finally did not fail. Thank you. |
|
I have made a poll: https://x.com/pnpmjs/status/1793795772921573544 |
|
The Perhaps pnpm could instead implement the |
Just Overriding this with the above-given command in the install command step on Vercel deployment settings for my application really helped me. Thanks. |
|
I solved this problem by doing this: |
|
I filed pnpm/action-setup#124 and netlify/build#5663, which would reduce the need for changing this |
|
I sent pnpm/action-setup#126 to help with avoiding using the |
|
Sigh. I've just been told by a corepack user that I can't simply omit the I've set |
|
i'm not on twitter so i'd like to vote here for "don't crash". corepacks behavior does not work for me so i don't have it enabled. The new default in pnpm9 would cause a massive headache for me when switching between multiple open source projects i work with. my workaround for now is to put package-manager-strict=falsein my What's the reasoning behind this default? different patch releases of pnpm@9 should still resolve to the same outcome given a lockfile. Breaking changes in resolving would require a major release, so why is pinning to the patch default? And why do it in a way that requires you to use corepack? |
|
Also what would happen if you release an important bugfix in pnpm@9.1.5 and i installed that locally, but a project i want to send a fix to still has Am i supposed to send a PR to update that first ? |
|
The Twitter poll seems to be broken. It appears to be permanently stuck at 586 votes in recent days despite sooo many people having told me they've voted "don't crash" since then. I will note that while "don't crash" is currently behind by a mere 6 votes or so, nearly all the tweets in reply to the poll are write-ins for "don't crash", which means a sizable portion of the "other (comment)" vote should be registered towards "don't crash". |
|
Look, I don't like it either, that is why I don't use the "packageManager" field in my repos. According to the results of the poll most people are fine with how it works now. The comments are mostly about making it accept ranges, which is up to corepack to decide. I was fine with any solution that is why I created the poll. |
|
To me, the strictness makes total sense. It's like you lock every package to its exact patch version in the lockfile, so you should lock the package manager version to make the state of the commit ~100% reproducible. It's weird to say I specified the exact version of I guess maybe in the error message, pnpm could say "Consider using corepack(link) to switching to the correct version automatically"? I see probably the majority of the user confusing about this is because they don't aware corepack exists, but happend to come by to the project that enforce |
|
The poll might be broken indeed. I have retweeted the poll and posted to more channels but the number of votes is still 586 |
|
8 hours left. Now the results are different: 
|
|
lol. wtf. even if all 25 new votes were for "don't crash" it wouldn't result in an extra 11-12% for that option. i'm not complaining as that's my preference, but I have no idea how twitter does its math |
Yeah, I think now the poll is not correct the other way around |
|
pnpm is welcome to implement the
So in "devEngines": {
"packageManager": {
"name": "pnpm",
"version": ">= 9.0.0",
"onFail": "warn"
}
}So in other words, pnpm wouldn’t need to decide between warning or exiting; the user defining the version in If you read down that thread, the npm team is interested in supporting this field, so pnpm doing so as well would improve interoperability between projects. |
|
@GeoffreyBooth the new field that you suggest is not related to this. Regardless of your new field, the |
|
According to the final results, 58.8% of pnpm users would prefer pnpm to not fail in this case. Hence, I agree to change the behaviour. What if pnpm will only fail if the version is a different major version than the one specified in To solve the issue on Vercel we should allow older versions from the same major? |
I would prefer to use |
|
Thank you Changing the default of package-manager-strict to false ( projects can still opt in to strict behavior by adding an .npmrc to their repo with Only failing on a different (older?) major in
would be nice. In monorepos this can be achieved today with the |
|
Hi, if this is now done in the .npmrc files how does this work? Is there documentation about this? Does it work on Windows too? |
|
https://pnpm.io/npmrc and yes it works on windows too. example from this repo https://github.com/pnpm/pnpm/blob/main/.npmrc |
|
Default not to fail (or only check major) + warning on version misalignment sounds reasonable to me giving the current situation that However, I want to mention that in the case of Vercel et al, they should either ignore Really wish |
+1 thank you for all your hard work on pnpm, Zoltan!
Great point, Dominik.
+1
Agree that they should strictly follow the exact version. Ignoring it would cause lots of existing projects to break though
This is the one part I'm not sure I agree with. I think specifying an exact version to deploy to production with makes sense. Just like lockfiles specify exact versions I want to specify the exact version of the package manager to use in production. I just don't want usage of this field to stop me from running the project locally when I'm not using corepack just like pnpm won't stop me from running the project locally with pnpm if there's a |
|
I guess we could make it fail only when the package manager differs. When the version differs we can either print a warning or just don't do anything. |
Last pnpm version that worked
8
pnpm version
9
Code to reproduce the issue
pnpm installwithpackageManagerset to a different minor or patch version than you have installedExpected behavior
I would expect to use the
enginesfield to manage restrictions on what versions of package managers.The
packageManagerfield is used by platforms like Vercel and Netlify to choose what exact version of pnpm to use to run your project, which has been helpful for ensuring they're using a compatible major version.However, I do not want to have to sync all of my various projects and locally installed version to always be using the same exact version of pnpm - especially with how frequently pnpm updates are released. Now I will have to constantly be updating the
packageManagerfield in all my projects to match whatever the latest pnpm version is causing needless churn and a ton of annoying work that provides close to zero value. If I wanted to do that I already had the ability viaengines.Other users have been frustrated by this new enforcement as well. E.g. see #7956 (comment)
Actual behavior
Additional information
Support for semver ranges is the number two issue in corepack nodejs/corepack#95. Setting
package-manager-strictcould make more sense after that is available. Though it would still seem to unnecessarily duplicate theenginesfield, so even then it wouldn't be my preferenceNode.js version
20.10.0
Operating System
Linux
The text was updated successfully, but these errors were encountered: