pnpm import completely ignores package-lock.json files #6233

Closed
kopertop opened this issue Mar 17, 2023 · 3 comments · Fixed by #6931
Comments

@kopertop
pnpm import says it should work with a package-lock.json; however, it seems to be completely ignoring it: there's no difference between doing a pnpm import and a pnpm i --lockfile-only.

Example:

package.json

{
  "name": "pnpmfail",
  "version": "0.0.0",
  "license": "UNLICENSED",
  "dependencies": {
    "@algolia/transporter": "^4.13.1"
  }
}

package-lock.json:

{
  "name": "pnpmfail",
  "version": "0.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pnpmfail",
      "version": "0.0.0",
      "license": "UNLICENSED",
      "dependencies": {
        "@algolia/transporter": "^4.13.1"
      }
    },
    "node_modules/@algolia/cache-common": {
      "version": "4.14.3",
      "resolved": "https://registry.npmjs.org/@algolia/cache-common/-/cache-common-4.14.3.tgz",
      "integrity": "sha512-oZJofOoD9FQOwiGTzyRnmzvh3ZP8WVTNPBLH5xU5JNF7drDbRT0ocVT0h/xB2rPHYzOeXRrLaQQBwRT/CKom0Q=="
    },
    "node_modules/@algolia/logger-common": {
      "version": "4.14.3",
      "resolved": "https://registry.npmjs.org/@algolia/logger-common/-/logger-common-4.14.3.tgz",
      "integrity": "sha512-kUEAZaBt/J3RjYi8MEBT2QEexJR2kAE2mtLmezsmqMQZTV502TkHCxYzTwY2dE7OKcUTxi4OFlMuS4GId9CWPw=="
    },
    "node_modules/@algolia/requester-common": {
      "version": "4.14.3",
      "resolved": "https://registry.npmjs.org/@algolia/requester-common/-/requester-common-4.14.3.tgz",
      "integrity": "sha512-RrRzqNyKFDP7IkTuV3XvYGF9cDPn9h6qEDl595lXva3YUk9YSS8+MGZnnkOMHvjkrSCKfoLeLbm/T4tmoIeclw=="
    },
    "node_modules/@algolia/transporter": {
      "version": "4.14.3",
      "resolved": "https://registry.npmjs.org/@algolia/transporter/-/transporter-4.14.3.tgz",
      "integrity": "sha512-2qlKlKsnGJ008exFRb5RTeTOqhLZj0bkMCMVskxoqWejs2Q2QtWmsiH98hDfpw0fmnyhzHEt0Z7lqxBYp8bW2w==",
      "dependencies": {
        "@algolia/cache-common": "4.14.3",
        "@algolia/logger-common": "4.14.3",
        "@algolia/requester-common": "4.14.3"
      }
    }
  }
}

I run the command: pnpm import

Generated pnpm-lock.yaml

lockfileVersion: 5.4

specifiers:
  '@algolia/transporter': ^4.13.1

dependencies:
  '@algolia/transporter': 4.15.0

packages:

  /@algolia/cache-common/4.15.0:
    resolution: {integrity: sha512-Me3PbI4QurAM+3D+htIE0l1xt6+bl/18SG6Wc7bPQEZAtN7DTGz22HqhKNyLF2lR/cOfpaH7umXZlZEhIHf7gQ==}
    dev: false

  /@algolia/logger-common/4.15.0:
    resolution: {integrity: sha512-D8OFwn/HpvQz66goIcjxOKsYBMuxiruxJ3cA/bnc0EiDvSA2P2z6bNQWgS5gbstuTZIJmbhr+53NyOxFkmMNAA==}
    dev: false

  /@algolia/requester-common/4.15.0:
    resolution: {integrity: sha512-w0UUzxElbo4hrKg4QP/jiXDNbIJuAthxdlkos9nS8KAPK2XI3R9BlUjLz/ZVs4F9TDGI0mhjrNHhZ12KXcoyhg==}
    dev: false

  /@algolia/transporter/4.15.0:
    resolution: {integrity: sha512-JoWR+ixG3EmA0UPntQFN/FV5TasYcYu93d5+oKzHFeZ6Z7rtW5Im9iy/Oh/ggk1AAN5fTdqKewtbBpdaYDbKsQ==}
    dependencies:
      '@algolia/cache-common': 4.15.0
      '@algolia/logger-common': 4.15.0
      '@algolia/requester-common': 4.15.0
    dev: false

As you can see, despite the package-lock stating the version installed should have been 4.14.3, the generated pnpm-lockfile suggests it should resolve to 4.15.0.

I've also tried specifying the package-lock.json file using pnpm import package-lock.json, but that had the same effect. It seems as though pnpm just totally ignores any package-lock file that's already there.

Is there something I'm missing?

@kopertop
Author

Digging further into this, it looks like the issue is that pnpm doesn't support the v3 package-lock format (which no longer has a "dependencies" section, which was essentially duplicate data from the "packages" section).

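The difference between the two lockfile layouts described above, and the drift it caused in this issue, can be checked mechanically. The following Node script is an added example (not pnpm's or npm's own code): it reads the pins from a package-lock.json in either layout (the v1 nested "dependencies" tree or the v2/v3 flat "packages" map keyed by node_modules path), extracts what pnpm import actually wrote into pnpm-lock.yaml, and reports every package whose version or integrity no longer matches. The pnpm-lock extractor is an assumption: it only understands the v5.x `packages:` layout shown in this issue (two-space-indented `/name/version:` keys followed by `resolution: {integrity: ...}`) and is not a YAML parser. The sample data is a trimmed, constructed copy of the two lockfiles posted above.

```javascript
// Added example, not pnpm's or npm's code: detect when "pnpm import" did not
// honour the versions pinned in package-lock.json. Run with: node check-import.js

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (innermost package)
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// "@scope/b@1.2.3" -> ["@scope/b", "1.2.3"] (last "@" separates the version)
function splitKey(key) {
  const at = key.lastIndexOf('@');
  return [key.slice(0, at), key.slice(at + 1)];
}

// Map<"name@version", integrity|undefined> from any npm lockfileVersion.
function pinnedFromPackageLock(lock) {
  const pins = new Map();
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by node_modules path, "" is the root project
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = path === '' ? null : nameFromPath(path);
      if (!name || entry.link || !entry.version) continue;
      pins.set(`${name}@${entry.version}`, entry.integrity);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        pins.set(`${name}@${entry.version}`, entry.integrity);
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return pins;
}

// Map<"name@version", integrity|null> from the "packages:" section of a
// pnpm-lock.yaml v5.x. Assumed layout: keys like "/@scope/name/1.2.3" (a peer
// suffix such as "_peer@2.0.0" is dropped), then "resolution: {integrity: ...}".
function pinnedFromPnpmLock(yamlText) {
  const pins = new Map();
  let current = null;
  for (const line of yamlText.split('\n')) {
    const pkg = /^  \/(.+)\/([^\/:]+):\s*$/.exec(line);
    if (pkg) {
      current = `${pkg[1]}@${pkg[2].split('_')[0]}`;
      pins.set(current, null);
      continue;
    }
    const res = /^    resolution: \{integrity: ([^}]+)\}/.exec(line);
    if (res && current) pins.set(current, res[1]);
  }
  return pins;
}

// Every imported package whose version or integrity is not what package-lock pinned.
function findDrift(expected, imported) {
  const drift = [];
  for (const [key, integrity] of imported) {
    const [name, version] = splitKey(key);
    if (!expected.has(key)) {
      const wanted = [...expected.keys()]
        .filter((k) => splitKey(k)[0] === name)
        .map((k) => splitKey(k)[1]);
      drift.push({ name, imported: version, expected: wanted,
                   reason: wanted.length ? 'version' : 'not-in-package-lock' });
    } else if (integrity && expected.get(key) && expected.get(key) !== integrity) {
      drift.push({ name, imported: version, expected: [version], reason: 'integrity' });
    }
  }
  return drift;
}

function checkImport(packageLock, pnpmLockText) {
  return findDrift(pinnedFromPackageLock(packageLock), pinnedFromPnpmLock(pnpmLockText));
}

// Constructed sample data: trimmed copies of the two lockfiles in this issue.
const SAMPLE_PACKAGE_LOCK = {
  name: 'pnpmfail', version: '0.0.0', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'pnpmfail', version: '0.0.0', dependencies: { '@algolia/transporter': '^4.13.1' } },
    'node_modules/@algolia/cache-common': { version: '4.14.3',
      integrity: 'sha512-oZJofOoD9FQOwiGTzyRnmzvh3ZP8WVTNPBLH5xU5JNF7drDbRT0ocVT0h/xB2rPHYzOeXRrLaQQBwRT/CKom0Q==' },
    'node_modules/@algolia/transporter': { version: '4.14.3',
      integrity: 'sha512-2qlKlKsnGJ008exFRb5RTeTOqhLZj0bkMCMVskxoqWejs2Q2QtWmsiH98hDfpw0fmnyhzHEt0Z7lqxBYp8bW2w==',
      dependencies: { '@algolia/cache-common': '4.14.3' } },
  },
};
const SAMPLE_PNPM_LOCK = `lockfileVersion: 5.4

specifiers:
  '@algolia/transporter': ^4.13.1

dependencies:
  '@algolia/transporter': 4.15.0

packages:

  /@algolia/cache-common/4.15.0:
    resolution: {integrity: sha512-Me3PbI4QurAM+3D+htIE0l1xt6+bl/18SG6Wc7bPQEZAtN7DTGz22HqhKNyLF2lR/cOfpaH7umXZlZEhIHf7gQ==}
    dev: false

  /@algolia/transporter/4.15.0:
    resolution: {integrity: sha512-JoWR+ixG3EmA0UPntQFN/FV5TasYcYu93d5+oKzHFeZ6Z7rtW5Im9iy/Oh/ggk1AAN5fTdqKewtbBpdaYDbKsQ==}
    dependencies:
      '@algolia/cache-common': 4.15.0
    dev: false
`;

const report = checkImport(SAMPLE_PACKAGE_LOCK, SAMPLE_PNPM_LOCK);
for (const d of report) {
  console.log(`${d.name}: imported ${d.imported}, package-lock pins ${d.expected.join(', ') || 'nothing'} (${d.reason})`);
}
```

On the sample data the script reports both @algolia packages as imported at 4.15.0 while package-lock pins 4.14.3, which is exactly the silent re-resolution described in the issue. In a build pipeline that still converts npm lockfiles with pnpm import, running a check like this right after the import and failing the build on any drift turns "random failures from newer versions" into a deterministic error, and the integrity comparison also catches a package that kept its version but resolved to a different tarball.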
@jfirebaugh
This seems like a serious issue. Is there anything I can do to help move it along?

@woppa684
woppa684 commented Jul 7, 2023

We recently stumbled on this issue, and this is also blocking for us. We have older projects that are not converted to PNPM yet, and our build server imports their NPM lock file so it can restore with PNPM. What happens now is that on the build server we get random failures because (possibly buggy) newer versions of dependencies might get installed.

zkochan added a commit that referenced this issue Aug 17, 2023
closes #6233

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>