ERR_PNPM_FROZEN_LOCKFILE_WITH_OUTDATED_LOCKFILE with github alias #6865

Closed
florian-lefebvre opened this issue Jul 26, 2023 · 11 comments · Fixed by #6877

@florian-lefebvre

We're using a github alias to use a fork (https://github.com/dumpus-app/dumpus-app/blob/main/package.json#L79). However, in our github action, running pnpm i --frozen-lockfile seems to fail with the following error:

Progress: resolved 1087, reused 0, downloaded 1082, added 1083
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install$ pnpm install
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: Scope: all 2 workspace projects
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install:  ERR_PNPM_FROZEN_LOCKFILE_WITH_OUTDATED_LOCKFILE  Cannot perform a frozen installation because the version of the lockfile is incompatible with this version of pnpm
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: Try either:
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: 1. Aligning the version of pnpm that generated the lockfile with the version that installs from it, or
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: 2. Migrating the lockfile so that it is compatible with the newer version of pnpm, or
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: 3. Using "pnpm install --no-frozen-lockfile".
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: Note that in CI environments, this setting is enabled by default.
...1799_6abfe4c3a828f98cdfa3edb7a31cf295 pnpm-install: Failed
 ERR_PNPM_PREPARE_PACKAGE  Failed to prepare git-hosted package fetched from "https://codeload.github.com/dumpus-app/satori/tar.gz/fd5341e9ff4e279183146d045ad0a19633a1d5f8": satori@0.0.0-development pnpm-install: `pnpm install`
Exit status 1
Error: Process completed with exit code 1.

pnpm version:

latest (8.6.10)

Code to reproduce the issue:

https://github.com/dumpus-app/dumpus-app/actions/runs/5666697381/job/15353968419

Expected behavior:

Should not fail

Actual behavior:

Fails

Additional information:

  • node -v prints: 16.20.1
  • Windows, macOS, or Linux?: Linux

@KSXGitHub
Contributor

Initial debugging result: Adding --ignore-scripts OR removing --frozen-lockfile fixes this problem. The lockfile doesn't change.

@florian-lefebvre
Author

  1. Didn't know about --ignore-scripts, but couldn't it cause some issues if deps need to set up things?
  2. I've done it temporarily but I guess this is not expected behavior. Or is it? I only have basic knowledge about pnpm so feel free to correct me

@KSXGitHub
Contributor

Further investigation leads me to suspect that there are build scripts in satori or its dependencies that call pnpm install.

@KSXGitHub
Contributor

> Further investigation leads me to suspect that there are build scripts in satori or its dependencies that call pnpm install.

After injecting a custom pnpm to PATH, my suspicion is confirmed.

@KSXGitHub
Contributor

After updating pnpm-lock.yaml in my copy of the satori repo, the lockfile error disappears; in its place is a GC error.


@zkochan
Member

zkochan commented Jul 26, 2023

When you install a git-hosted dependency, the dependency is built before it is added to node_modules. The git-hosted dependency is cloned to a temporary directory and its dependencies are installed with either pnpm, npm, or yarn (whichever lockfile is present).

The issue is probably the following. When pnpm runs pnpm install in a subprocess, the child process inherits all settings from the parent process. We use runLifecycleHook:

https://github.com/pnpm/pnpm/blob/dac59e63219dbf22d0e034bc57bcb08e70451403/exec/prepare-package/src/index.ts#L40C16-L40C16

Which creates npm_config_ env variables with all the current settings.

Maybe we should add an option to runLifecycleHook to disable the creation of the npm_config_ env variables.
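The inheritance described in the comment above, reproduced as an added example that is not part of the thread and is not pnpm's code. A child Node process stands in for the nested `pnpm install`; the helper names are hypothetical, the settings are constructed, and the variable naming assumes npm's `npm_config_<key>` convention with dashes mapped to underscores.

```javascript
const { spawnSync } = require('node:child_process');

// npm-style name for a setting: "frozen-lockfile" -> "npm_config_frozen_lockfile".
const envName = (key) => 'npm_config_' + key.replace(/[^a-zA-Z0-9_]/g, '_');

// Export every current setting as an npm_config_ variable (the behaviour described above).
function toNpmConfigEnv(settings) {
  return Object.fromEntries(
    Object.entries(settings).map(([key, value]) => [envName(key), String(value)]));
}

// Hypothetical helper: drop selected settings before spawning the nested install.
function withoutSettings(env, keys) {
  const drop = new Set(keys.map((key) => envName(key).toLowerCase()));
  return Object.fromEntries(
    Object.entries(env).filter(([name]) => !drop.has(name.toLowerCase())));
}

// Spawn a child Node process (stand-in for the nested `pnpm install`) and
// return the npm_config_ variables it actually receives.
function npmConfigSeenByChild(env) {
  const script =
    'const seen = {};' +
    'for (const [k, v] of Object.entries(process.env))' +
    '  if (/^npm_config_/i.test(k)) seen[k.toLowerCase()] = v;' +
    'process.stdout.write(JSON.stringify(seen));';
  const res = spawnSync(process.execPath, ['-e', script], { env, encoding: 'utf8' });
  if (res.status !== 0) throw new Error(res.stderr || String(res.error));
  return JSON.parse(res.stdout);
}

// Constructed settings of the outer `pnpm i --frozen-lockfile` run.
const parentSettings = { 'frozen-lockfile': true, registry: 'https://registry.npmjs.org/' };
// Minimal base environment so the demo does not depend on the caller's shell.
const baseEnv = { PATH: process.env.PATH || '' };
const inheritedEnv = { ...baseEnv, ...toNpmConfigEnv(parentSettings) };

console.log('inherited:', npmConfigSeenByChild(inheritedEnv));
console.log('scrubbed: ', npmConfigSeenByChild(withoutSettings(inheritedEnv, ['frozen-lockfile'])));
```

The same inheritance applies to any build script a git-hosted dependency runs during its prepare step, so the set of settings exported to that subprocess is worth reviewing as a whole.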

@KSXGitHub
Contributor

@zkochan I think what we should do instead is ignore the lock file that was found in the package.

@zkochan
Member

zkochan commented Jul 26, 2023

I don't think it is a good idea to ignore the lockfile. If the frozen-lockfile=true setting will not be passed to the child process, then the error will not happen.

@KSXGitHub
Contributor

> I don't think it is a good idea to ignore the lockfile. If the frozen-lockfile=true setting will not be passed to the child process, then the error will not happen.

So you want the lockfile inside the package to still have some effect?

I think git packages should work similarly to npm packages. Does pnpm completely ignore lockfiles found inside npm packages and only read from the root lockfile? Or do the lockfiles inside npm packages still have effects?

@zkochan
Member

zkochan commented Jul 26, 2023

No, git-hosted packages do not work similarly to packages from the registry. Git-hosted packages should be built. So their dependencies are installed including dev dependencies and preserving versions found in the lockfile.

@fr-haowen

Hi @zkochan, sorry, I'm a newbie to pnpm, so do you mean that if we use pnpm in our repo, we need to build all git-hosted dependencies manually and put these into node_modules?
