pnpm v10 patched dependency hash downgraded from SHA256 to MD5 #11838

@Silic0nS0ldier

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

pnpm 10

Language version

No response

Manifest location and content before the Dependabot update

dependabot.yml content

Updated dependency

rollup from 4.34.8 to 4.34.9.
@types/node from 22.13.7 to 22.13.8 (issue observed in 2 PRs; the merge commit for this applied the downgrade to the main branch. Note that this particular change is also affected by #11837).

What you expected to see, versus what you actually saw

Hash for patched dependency watcher@2.3.1 to be untouched.

Native package manager behavior

Untouched SHA256 hash for watcher@2.3.1 (prior to pnpm v9 this was an MD5 hash).

Images of the diff or a link to the PR, issue, or logs

Silic0nS0ldier/vscode-git-monolithic-extension#90
Silic0nS0ldier/vscode-git-monolithic-extension#89 (downgrade merged here)

Smallest manifest that reproduces the issue

// package.json
{
    "dependencies": {
        "watcher": "2.3.1"
    },
    "pnpm": {
        "patchedDependencies": {
            "watcher@2.3.1": "patches/watcher@2.3.1.patch"
        }
    }
}

patches/watcher@2.3.1.patch
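
A lockfile check for the downgrade reported above, added here as an example and not part of the original issue, pnpm or Dependabot: it compares the `patchedDependencies` hashes in two versions of `pnpm-lock.yaml` and flags any entry whose digest size shrinks. The lockfile layout, the hex/base32 encodings, the sample hashes and all function names are assumptions constructed for illustration.

```javascript
// Digest size in bits implied by an encoded hash, or null if unrecognised.
// Assumption: hex or unpadded base32 encoding of MD5 (128-bit) or SHA-256 (256-bit).
function digestBits(hash) {
  if (/^[0-9a-f]+$/i.test(hash) && (hash.length === 32 || hash.length === 64)) return hash.length * 4;
  if (/^[a-z2-7]+$/i.test(hash) && (hash.length === 26 || hash.length === 52)) return hash.length === 26 ? 128 : 256;
  return null;
}

// Extract { "name@version": hash } from the top-level patchedDependencies block.
function parsePatchedHashes(lockText) {
  const hashes = {};
  let inBlock = false, current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // any top-level key opens or closes the block
      inBlock = /^patchedDependencies:\s*$/.test(line);
      current = null;
      continue;
    }
    if (!inBlock) continue;
    const key = line.match(/^ {2}(\S.*):\s*$/);
    if (key) { current = key[1].replace(/^['"]|['"]$/g, ""); continue; }
    const hash = line.match(/^ {4}hash:\s*(\S+)\s*$/);
    if (hash && current) hashes[current] = hash[1].replace(/^['"]|['"]$/g, "");
  }
  return hashes;
}

// Report patched dependencies whose hash changed to a smaller or unrecognised digest.
function findDowngrades(beforeText, afterText) {
  const before = parsePatchedHashes(beforeText);
  const after = parsePatchedHashes(afterText);
  const findings = [];
  for (const [name, oldHash] of Object.entries(before)) {
    const newHash = after[name];
    if (newHash === undefined || newHash === oldHash) continue;
    const from = digestBits(oldHash), to = digestBits(newHash);
    if (from !== null && (to === null || to < from)) findings.push({ name, from, to });
  }
  return findings;
}

// Constructed sample lockfiles (hash values are made up, not taken from the linked PRs).
const lock = (hash) => [
  "lockfileVersion: '9.0'", "",
  "patchedDependencies:", "  watcher@2.3.1:", `    hash: ${hash}`,
  "    path: patches/watcher@2.3.1.patch", "", "importers:", "  .: {}", "",
].join("\n");
const SHA256_SIZED = "ab".repeat(32), MD5_SIZED = "a2".repeat(13);
console.log(findDowngrades(lock(SHA256_SIZED), lock(MD5_SIZED)));
```

Run against the base and head versions of the lockfile in CI, a non-empty result is a reason to block an automated dependency PR until the lockfile is regenerated with the native package manager.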
