Breaking changes with v8.6: Installing with older versions (e.g. 8.5.1) no longer works #6648
Comments
Noticing this too unfortunately
Update pnpm to v8.6. That is the only solution. Unfortunately there is a bug in pnpm v8.5: it thinks the lockfile v6.1 format is v5. I only noticed it after bumping the lockfile format to v6.1
I'm sorry, but this is bad and should not have happened. Imho this is a breaking change and should have been released as version 9. We have a lot of workspaces and pipelines, some with pinned pnpm versions. Now a developer using 8.6 changes the lock file without realizing it is breaking and boom, all pipelines are broken. Example:
And the only solution is to get all pipelines and developers to the same version, either >=8.6 or <=8.5?
"... closed this as not planned", so what you're saying is that you're aware of a breaking change, and are refusing to even consider fixing it? The correct solution would be something like
not
That is not an easy task. It will cause problems for people who have already updated. What will happen then? Their lockfile will be downgraded to the previous version, and they will need to update the CI and inform everyone on the team? The only solution might be to revert the lockfile format version, which I am considering. But it should be done in a way that will not affect users who have already upgraded.
Do you think I am happy with this situation? Please refrain from attacking a person who maintains an open source project in their free time.
Don’t you read the release notes before upgrading the version of
Let's not blame the users. I do acknowledge that this is an issue. I will change the lockfile version field to 6.0. It should fix the issue.
Okay, I will see if I need to make changes to my pnpm lock file parser to accommodate for that change.
It will still have this new field (lines 3 to 5 in 955d073); just the lockfileVersion field will be changed back to 6.0. It will work with older versions of pnpm, which just ignore the new field.
Yeah, I meant third-party tools that depend on it, e.g. Turborepo or vulnerability scanners etc.
You may want to consider deprecating v8.6.1. PS Unpublish is not recommended since v8.6.1 was published on June 5, 2023, which is more than 72 hours ago. (See https://docs.npmjs.com/unpublishing-packages-from-the-registry).
I'd like this approach. Maybe mark some vulnerabilities in this release.
This is an OPEN-SOURCE aka FREE-OF-CHARGE program. Some of you guys are acting as if you're one of the biggest sponsors of this project. You can't just ignore the release notes and blame the author after upgrading recklessly. I can only put one line of Chinese saying here: 要饭的还嫌饭馊。That is, a beggar who still complains that the food given to him is dirty.
This wasn't a security vulnerability.
@zkochan I've upgraded but as it was spotted early enough, no big deal and really appreciate the feature (attempt) BTW. Release notes are helpful and I tend to refer to them often. Might be nice to have some kind of links to "errors" a bit like what's done in nextjs: 'Lockfile 6.1 was deprecated, see how to solve https://pnpm.io/errors/pnpm-lockfile-6.1-deprecated'... Just an idea.
The changes to the lockfile were not reverted. There is a new field in the lockfile called "settings". It works with older versions of pnpm. Only the bump to the lockfile version was reverted.
You should really consider raising some money and hiring more full time staff. I think it's unfortunate how this falls on the shoulders of someone who maintains it 'in their spare time'. It's a wonderful project, and I hope you consider it.
* Related issue: pnpm/pnpm#6648
Why don't people just keep their stuff up to date?
Why don't people just keep silent, if they don't contribute anything useful? Thank you @zkochan, for the fast and simple fix.
I agree that it was the right choice to revert the version number bump. I will lock the issue now. v8.6.0, v8.6.1, v7.33.0 had the new lockfile version. If you created a lockfile with these versions and need to use the lockfile with older pnpm versions, you may manually edit the
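The manual workaround the maintainer describes above (set lockfileVersion back to 6.0 while keeping the new settings field) together with the preflight check a pipeline pinned to an older pnpm would want, as an added example written for this page, not code from pnpm or from anyone in the thread. The sample lockfile, the keys inside its settings block, and the rule that only pnpm 8.6.x and 7.33.0 can read a 6.1 lockfile are assumptions drawn from the discussion.

```javascript
// Added example for this thread, not pnpm's own code. Assumes pnpm 8 writes the
// format version as a quoted top-level line such as lockfileVersion: '6.1'.
const VERSION_LINE = /^lockfileVersion:[ \t]*'?([0-9]+(?:\.[0-9]+)?)'?[ \t]*$/m;

// Return the declared lockfile format version, or null if the line is missing.
function lockfileVersion(text) {
  const m = VERSION_LINE.exec(text);
  return m ? m[1] : null;
}

// Assumption taken from the thread: only pnpm 8.6.x and 7.33.0 understand a
// 6.1 lockfile; any other release (8.5.1 included) misreads it.
function canRead61(pnpmVersion) {
  const [major, minor] = pnpmVersion.split('.').map(Number);
  return (major === 8 && minor >= 6) || pnpmVersion === '7.33.0';
}

// CI preflight: fail early, with a readable reason, instead of letting a pinned
// older pnpm die on a lockfile it cannot parse.
function preflight(text, pnpmVersion) {
  const v = lockfileVersion(text);
  if (v === null) return { ok: false, reason: 'no lockfileVersion line found' };
  if (v === '6.1' && !canRead61(pnpmVersion)) {
    return { ok: false, reason: `lockfileVersion 6.1 cannot be read by pinned pnpm ${pnpmVersion}` };
  }
  return { ok: true, reason: `lockfileVersion ${v} accepted for pnpm ${pnpmVersion}` };
}

// The manual fix from the thread: set the version back to 6.0 and keep the
// `settings:` block, which older pnpm versions simply ignore.
function downgradeLockfileVersion(text) {
  if (lockfileVersion(text) !== '6.1') return text;
  return text.replace(VERSION_LINE, "lockfileVersion: '6.0'");
}

// Constructed sample of a lockfile as pnpm 8.6.1 would write it (the keys under
// settings are assumed for illustration).
const SAMPLE_6_1 = [
  "lockfileVersion: '6.1'",
  '',
  'settings:',
  '  autoInstallPeers: true',
  '  excludeLinksFromLockfile: false',
  '',
  'dependencies:',
  '  vite:',
  '    specifier: ^4.3.9',
  '    version: 4.3.9',
].join('\n') + '\n';
```

Run `preflight(fs.readFileSync('pnpm-lock.yaml', 'utf8'), '8.5.1')` as the first CI step and only fall back to `downgradeLockfileVersion` when nobody on the team still needs the 6.1 file.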
pnpm version: 8.6.1
Code to reproduce the issue:
pnpm install vite
pnpm install
Expected behavior:
packages are getting installed, lockfile version is maybe being downgraded
Actual behavior:
Following error message:
Running
pnpm install --prefer-offline --frozen-lockfile
yields the following error
Additional information:
node -v
prints: v19.3.0