Description
What would you like?
Corepack AUTO_PIN should prompt before adding a packageManager field to an existing package.json file. It may not be a desired change.
Why is this needed?
By default, and if the environment variable COREPACK_ENABLE_AUTO_PIN is not set to 0, then Corepack adds a packageManager field to an existing package.json file if the field is not present.
Especially when working in a hybrid environment using package managers npm and Yarn in a mixture of projects, some of which are set up to work with Corepack and others are not, then some actions can lead to a packageManager field being added to an existing package.json file where this is not desired.
Consider the following scenario:
- Project-npm is configured for npm without Corepack (no packageManager field)
- Project-yarn-v1-corepack is configured for Yarn Classic with Corepack (packageManager field contains yarn@1.22.22+sha512...)
If my working directory cwd is in Project-npm and I execute yarn -v overlooking what project I am in, then my npm project becomes corrupted with the unwanted Yarn packageManager field. There is no prompt to allow me to recognize my mistake and prevent the package.json from being updated.
$ yarn -v
! The local project doesn't define a 'packageManager' field. Corepack will now add one referencing yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e.
! For more details about this field, consult the documentation at https://nodejs.org/api/packages.html#packagemanager
Other
- COREPACK_ENABLE_AUTO_PIN should default to 0 (#485) proposes to disable AUTO_PIN by default. This is a related suggestion and it contains descriptions of scenarios where AUTO_PIN is not wanted.
- AUTO_PIN was added in corepack@0.26.0 (March 2024)
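
A check that catches the scenario described above after the fact, as an added example that is not part of the original issue and not Corepack's own code: it reports when a project's packageManager field names a different package manager than the lockfile already in the directory. The function names, the lockfile-to-manager mapping and the sample project are assumptions constructed for illustration.

```javascript
// Added example, not Corepack code: flag a packageManager pin that
// disagrees with the lockfile already present in a project directory.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumption: each manager's default lockfile name identifies the project.
const LOCKFILES = {
  "package-lock.json": "npm",
  "yarn.lock": "yarn",
  "pnpm-lock.yaml": "pnpm",
};

// packageManager has the form <name>@<version>[+<hash>]; return <name>.
function pinnedManager(pkg) {
  if (typeof pkg.packageManager !== "string") return null;
  const match = /^([^@]+)@/.exec(pkg.packageManager);
  return match ? match[1] : null;
}

function checkPin(dir) {
  const raw = fs.readFileSync(path.join(dir, "package.json"), "utf8");
  const pinned = pinnedManager(JSON.parse(raw));
  const expected = Object.keys(LOCKFILES)
    .filter((file) => fs.existsSync(path.join(dir, file)))
    .map((file) => LOCKFILES[file]);
  if (pinned === null) return { status: "unpinned", pinned, expected };
  if (expected.length > 0 && !expected.includes(pinned)) {
    return { status: "mismatch", pinned, expected };
  }
  return { status: "ok", pinned, expected };
}

// Constructed sample: an npm project, optionally with a pin written into it.
function demo(packageManager) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "pin-check-"));
  const pkg = { name: "project-npm", version: "1.0.0" };
  if (packageManager) pkg.packageManager = packageManager;
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(pkg, null, 2));
  fs.writeFileSync(path.join(dir, "package-lock.json"), "{}");
  const result = checkPin(dir);
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());                // untouched npm project
console.log(demo("yarn@1.22.22"));  // same project after an unwanted Yarn pin
```

Run against a working tree before committing, a "mismatch" result points at a pin that was likely written by accident; a project with no lockfile cannot be classified this way.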