Configuration or environment variable to prevent lower pnpm versions from using compatible lockfile versions

[zllkjc]

Contribution

• I'd be willing to implement this feature (contributing guide)

Describe the user story

As a developer, I want to ensure that my project builds are reproducible and consistent across different environments.

Currently, when using pnpm with a lockfile created by a newer version, older pnpm versions can still use it if the lockfile version is compatible. This can sometimes lead to unexpected behaviors.

For example, if a user uses different versions of pnpm locally(pnpm 9) and on the build machine(pnpm 8.7.0), this can cause the lockfile to become invalid, resulting in different dependency versions being installed locally and on the build machine.

To avoid these issues, I would like a way to enforce the use of the exact pnpm version specified in the project configuration.

Or if such a configuration already exists and I missed it in the documentation hhh.

Describe the solution you'd like

I propose introducing a new configuration option or environment variable (e.g., PNPM_STRICT_LOCKFILE_VERSION) that, when enabled, will cause pnpm to throw an error if the current pnpm version does not match exactly the lockfile version specified in the pnpm-lock.yaml file.

This way, even if a compatible lockfile version exists, it will not be used unless the exact version requirement is met.

Describe the drawbacks of your solution

/

Describe alternatives you've considered

/

[zllkjc]

Of course, tools like corepack can be used to solve this problem, but this relies on certain local environments and developer behavior. I hope to have this safeguard by default.