pnpm install with optional peer dependencies gives error when there is no lockfile

[dyantako]

pnpm version: 7.12.1

Code to reproduce the issue:

pnpm init
pnpm add @emotion/css@11.10.0
rm pnpm-lock.yaml
pnpm install

Expected behavior:

The pnpm add and pnpm install should show the same warning for the missing optional peer dependency

 WARN  Issues with peer dependencies found
.
└─┬ @emotion/css 11.10.0
├── ✕ missing peer @babel/core@^7.0.0
└─┬ @emotion/babel-plugin 11.10.2
├── ✕ missing peer @babel/core@^7.0.0
└─┬ @babel/plugin-syntax-jsx 7.18.6
└── ✕ missing peer @babel/core@^7.0.0-0
Peer dependencies that should be installed:
@babel/core@">=7.0.0 <8.0.0"

Actual behavior:

pnpm add shows the warning for the optional peer dependency (as above)
pnpm install shows an error for the optional peer dependency (as below)

Already up to date
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

.
└─┬ @emotion/css 11.10.0
├── ✕ missing peer @babel/core@^7.0.0
└─┬ @emotion/babel-plugin 11.10.2
├── ✕ missing peer @babel/core@^7.0.0
└─┬ @babel/plugin-syntax-jsx 7.18.6
└── ✕ missing peer @babel/core@^7.0.0-0
Peer dependencies that should be installed:
@babel/core@">=7.0.0 <8.0.0"

Additional information:

• node -v prints: 16.17.0
• Windows, macOS, or Linux?: Windows 11 running Ubuntu in WSL

We wouldn't normally be deleting the lockfile but it seems like it is part of the workflow of Renovate using pnpm. Renovate is failing for us due to missing this optional peer dependency.

[dyantako]

After investigating further, it looks like @emotion/css has a dependency on @emotion/babel-plugin which has a non-optional peer dependency on @babel/core. In which case, the error is probably correct but is it correct for the initial add to just warn?

[Canowyrms]

I'm running into a similar issue. I'll tack onto this instead of opening a separate issue.

pnpm version:

7.26.0

Code to reproduce the issue:

npx degit antfu/vitesse-webext my-webext
cd my-webext
rm pnpm-lock.yml
pnpm i

Expected behavior:

pnpm i should succeed.

Actual behavior:

pnpm i fails:

Click to expand

$ pnpm i
 WARN  deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
 WARN  deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
 WARN  deprecated fluent-syntax@0.14.0: Renamed to @fluent/syntax 0.14.0
 WARN  deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
 WARN  deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
 WARN  deprecated har-validator@5.1.5: this library is no longer supported
Packages: +858
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Packages are hard linked from the content-addressable store to the virtual store.
  Content-addressable store is at: F:\.pnpm-store\v3
  Virtual store is at:             node_modules/.pnpm
Progress: resolved 915, reused 858, downloaded 0, added 858, done
node_modules/.pnpm/esbuild@0.15.18/node_modules/esbuild: Running postinstall script, done in 356ms

devDependencies:
+ @antfu/eslint-config 0.31.1 (0.34.1 is available)
+ @ffflorian/jszip-cli 3.1.6
+ @iconify/json 2.2.12
+ @types/fs-extra 9.0.13 (11.0.1 is available)
+ @types/node 18.11.18
+ @types/webextension-polyfill 0.9.2 (0.10.0 is available)
+ @typescript-eslint/eslint-plugin 5.49.0
+ @unocss/reset 0.46.5 (0.49.0 is available)
+ @vitejs/plugin-vue 3.2.0 (4.0.0 is available)
+ @vue/compiler-sfc 3.2.45
+ @vue/test-utils 2.2.7
+ @vueuse/core 9.11.1
+ chokidar 3.5.3
+ cross-env 7.0.3
+ crx 5.0.1
+ eslint 8.32.0
+ esno 0.16.3
+ fs-extra 10.1.0 (11.1.0 is available)
+ jsdom 20.0.3 (21.1.0 is available)
+ kolorist 1.6.0
+ npm-run-all 4.1.5
+ rimraf 3.0.2 (4.1.2 is available)
+ typescript 4.9.4
+ unocss 0.46.5 (0.49.0 is available)
+ unplugin-auto-import 0.11.5 (0.12.2 is available)
+ unplugin-icons 0.14.15 (0.15.1 is available)
+ unplugin-vue-components 0.22.12
+ vite 3.2.5 (4.0.4 is available)
+ vitest 0.25.8 (0.28.2 is available)
+ vue 3.2.45
+ vue-demi 0.13.11
+ web-ext 7.5.0
+ webext-bridge 5.0.5
+ webextension-polyfill 0.10.0

 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

.
└─┬ web-ext
  └─┬ addons-linter
    └─┬ addons-scanner-utils
      └── ✕ unmet peer node-fetch@2.6.7: found 3.3.0 in web-ext

hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.

Additional information:

• node -v prints: v18.12.1
• Windows, macOS, or Linux?: Windows 10 (not in WSL in this issue)

.npmrc contents:

shamefully-hoist=true
auto-install-peers=true

I normally wouldn't delete the pnpm lockfile right off the bat, but there is a separate issue with one of the packages 404ing (see 'problem 1' here), and the solution suggested was to delete the lockfile and run pnpm i again. Well, I did that, and now pnpm i fails.

I don't think adding strict-peer-dependencies=false to .npmrc is a good idea - at least not in my case. I don't know enough about this stuff to feel confident adding that, and it feels like a bad idea allowing a different major version to satisfy a peer dep.

Link to antfu/vitesse-webext