turbo prune produces a broken pnpm-lock.yaml lockfile with injected dependencies

[grigorii-zander]

What version of Turborepo are you using?

1.5.4

What package manager are you using / does the bug impact?

pnpm

What operating system are you using?

Mac

Describe the Bug

prune command produces a broken pnpm lockfile if some dependency is marked as injected. If dependency is marked as injected, pnpm creates special lockfile entry with file: protocol. But these entries are missing in turbo prune result.

Expected Behavior

The lock file should be valid.

To Reproduce

pnpm version: v7.12.2

Clone the issue example repository and install dependencies via pnpm

$ git clone git@github.com:grigorii-zander/turborepo-pnpm-injected-bug.git
$ cd turborepo-pnpm-injected-bug
$ pnpm i

This repository contains one shared package:

• internal-package just a dummy dependency
  And two apps that depend on it:
• with-regular-dep with packages/internal-package added as a regular dependency
• with-injected-dep with packages/internal-package added as "injected" dependency. Here you can find the injection directive for @monorepo/internal-package

Next, call the prune command on with-regular-dep app, and try to install the dependencies:

$ pnpm turbo prune --scope=with-regular-dep
$ cd out
$ pnpm i

The dependencies will be installed, and everything will work as expected.

Now try to do the same with with-injected-dep app:

$ cd ..
$ rm -fr ./out
$ pnpm turbo prune --scope=with-injected-dep
$ cd out
$ pnpm i

The installation will fail with the following error:

Lockfile is up to date, resolution step is skipped
 WARN  Broken lockfile: no entry for 'file:packages/internal-package' in pnpm-lock.yaml
 ERR_PNPM_ERR_PNPM_LOCKFILE_MISSING_DEPENDENCY  The lockfile is broken! Resolution step will be performed to fix it.
apps/with-injected-dep                   |  WARN  Moving date-fns that was installed by a different package manager to "node_modules/.ignored
apps/with-injected-dep                   |  WARN  Could not find preferred package file:packages/internal-package in lockfile

If we look at the original ./pnpm-lock.yaml in the root of the repository, we can find the special file:packages/internal-package entry pointing to the "injected" package. But it's missing in ./out/pnpm-lock.yaml

[chris-olszewski]

I think #2121 should fix this. Thank you so much for providing a repro, it helped a lot!

[grigorii-zander]

That was fast! Thank you!

[grigorii-zander]

I just tried to run prune with your updated implementation on my project, and now it fails with the error

 ERROR  Failed creating pruned lockfile: Unable to find package entry for  in original lockfile

It couldn't find the resolution value here. My first guess it could't find injected dev dependency, but I don't check it yet.
I'll create an example project with the issue.

[grigorii-zander]

I created an additional example with-injected-dev-dep in the same repository.

Steps to reproduce:

# pull the repository
$ git pull

$ pnpm turbo prune --scope=with-injected-dev-dep

It'll fail with the following error

 ERROR  Failed creating pruned lockfile: Unable to find package entry for  in original lockfile

I think here we can also lookup DevDependencies and it will fix the issue:

resolution, ok := importer.Dependencies[dependency]
if !ok {
    resolution, ok = importer.DevDependencies[dependency]
}

[chris-olszewski]

Thanks so much for testing out my fix and finding that issue. I updated the PR to now have better error messaging and it should handle injected dev and optional dependencies now.

[grigorii-zander]

You’re welcome, I’m glad to help.