🐛 Fixed production builds using unpinned dependencies

[9larsons]

Summary

• preserved root pnpm-workspace.yaml overrides and packageExtensions in the Ghost deploy archive
• kept the pnpm 11 lockfile regeneration flow so frozen production installs remain valid
• added validation that packaged archives include root overrides

Why

The pnpm 11 archive flow was writing a trimmed deploy workspace that dropped root overrides. That let production archives resolve a different dependency graph from the source workspace, including changed versions for packages such as @tryghost/errors, moment-timezone, juice, and other transitive dependencies.

Testing

• CI=true pnpm --filter ghost archive
• extracted ghost/core/ghost-6.42.1-rc.0.tgz and confirmed pnpm-workspace.yaml contains catalog, catalogs, overrides, packageExtensions, and minimumReleaseAge: 0
• from the extracted package: CI=true pnpm install --prod --frozen-lockfile --ignore-scripts
• confirmed the install output resolves pinned packages including @tryghost/errors 1.3.13, moment-timezone 0.5.45, and juice 9.1.0

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0a025e30-06eb-4cba-a05d-c4509b0d5732

📥 Commits

Reviewing files that changed from the base of the PR and between 2c6439e and de107d0.

📒 Files selected for processing (1)

• ghost/core/scripts/pack.js

---

Walkthrough

ghost/core/scripts/pack.js is updated to include pnpm root overrides and packageExtensions when generating the trimmed pnpm-workspace.yaml for the deploy directory. The script expands the key list when populating deployWorkspace to preserve these fields alongside existing catalog and build-related policies. A new validation step ensures the packaged workspace YAML contains non-empty root overrides. Documentation, comments, and console output are updated to reflect this new behavior of retaining (rather than removing) these fields.

Possibly related PRs

• TryGhost/Ghost#27969: Adds pnpm.packageExtensions and lodash catalog entries that will be carried forward by the updated packing mechanism.
• TryGhost/Ghost#28205: Also modifies ghost/core/scripts/pack.js to change how the deploy-local pnpm-workspace.yaml is generated and validated around root overrides.
• TryGhost/Ghost#28197: Adds root overrides and packageExtensions to the root workspace YAML that this PR's script now preserves and validates.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title references fixing production builds with unpinned dependencies, which directly relates to the core change of preserving pnpm overrides in the deploy archive to ensure consistent dependency resolution.
Description check	✅ Passed	The description clearly relates to the changeset, explaining why overrides must be preserved, what problem it solves, and how it was tested with concrete verification steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-pack-preserve-pnpm-overrides

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0