Resolutions/overrides suddenly changed behavior

[buzinas]

Last pnpm version that worked

8.8.0

pnpm version

8.9.0

Code to reproduce the issue

We recently migrated a Yarn project to pnpm successfully but since the latest pnpm update today, our CI installs started throwing the following error when running pnpm i --prefer-offline --prod=false --frozen-lockfile:

ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "overrides"
configuration doesn't match the value found in the lockfile

If I remove --frozen-lockfile, pnpm installs but completely remove my overrides configuration.

Our package.json contains the following resolutions field:

  "resolutions": {
    "ansi-regex": "5.0.1",
    "async": ">= 3.2.2",
    "axios": ">= 0.18.1",
    "backbone": "1.3.3",
    "braces": ">= 2.3.1",
    "browserslist": ">= 4.16.5",
    "brotli-size": ">= 4.0.0",
    "csv-parse": ">= 4.4.6",
    "d3": ">= 7.0.0",
    "es-abstract": ">= 1.19.1",
    "glob-parent": "^5.1.2",
    "handlebars": ">= 4.5.3",
    "json-schema": "0.4.0",
    "jquery": "3.5.1",
    "lodash": ">= 4.17.12",
    "mem": ">= 4.0.0",
    "minimist": "^1.2.6",
    "node-fetch": "^2.6.7",
    "node-notifier": "^8.0.1",
    "prismjs": ">= 1.25.0",
    "prompts": ">= 2.4.2",
    "qs": ">= 6.10.3",
    "set-value": "^4.0.1",
    "serialize-javascript": "^3.1.0",
    "ssri": "^8.0.1",
    "renderkid": "^3.0.0",
    "trim": "^0.0.3",
    "ua-parser-js": "1.0.33",
    "package-json": "^8.1.0",
    "headers-polyfill": "~3.0.10",
    "unset-value": ">= 2.0.1"
  }

Which generated in our lockfile:

overrides:
  ansi-regex: 5.0.1
  async: '>= 3.2.2'
  axios: '>= 0.18.1'
  backbone: 1.3.3
  braces: '>= 2.3.1'
  browserslist: '>= 4.16.5'
  brotli-size: '>= 4.0.0'
  csv-parse: '>= 4.4.6'
  d3: '>= 7.0.0'
  es-abstract: '>= 1.19.1'
  glob-parent: ^5.1.2
  handlebars: '>= 4.5.3'
  json-schema: 0.4.0
  jquery: 3.5.1
  lodash: '>= 4.17.12'
  mem: '>= 4.0.0'
  minimist: ^1.2.6
  node-fetch: ^2.6.7
  node-notifier: ^8.0.1
  prismjs: '>= 1.25.0'
  prompts: '>= 2.4.2'
  qs: '>= 6.10.3'
  set-value: ^4.0.1
  serialize-javascript: ^3.1.0
  ssri: ^8.0.1
  renderkid: ^3.0.0
  trim: ^0.0.3
  ua-parser-js: 1.0.33
  package-json: ^8.1.0
  headers-polyfill: ~3.0.10
  unset-value: '>= 2.0.1'

If it helps: this repo is part of a monorepo that uses a .npmrc file with shared-workspace-lockfile=false. If I extract the repo from the monorepo, installing with --frozen-lockfile still works.

Until v8.8.0 this configuration worked well inside or outside the monorepo, but now in v8.9.0 it's broken when inside.

I also tried to replace "resolutions" with "pnpm": { "overrides":, but the same happens: works when alone, breaks inside monorepo.

Expected behavior

A patch change (as described in the Release Notes) shouldn't break current workflows, so this a bug or a breaking change.

Expected behavior is that pnpm i --prefer-offline --prod=false --frozen-lockfile should just work as before, when inside a monorepo with a .npmrc file with shared-workspace-lockfile=false.

Actual behavior

When using resolutions on package.json, pnpm i --prefer-offline --prod=false --frozen-lockfile doesn't work when inside a monorepo with a .npmrc file with shared-workspace-lockfile=false.

Additional information

No response

Node.js version

18.16.1

Operating System

macOS

[zkochan]

This line was added:

pnpm/pkg-manager/plugin-commands-installation/src/installDeps.ts

Line 191 in 8605ffa

...getOptionsFromRootManifest(opts.rootProjectManifestDir!, opts.rootProjectManifest ?? {}),

Maybe it caused the issue?

[SiNONiMiTY]

Also experiencing this issue, have the same setup as OP being inside a monorepo with shared-workspace set to false

Left: pnpm 8.7.6
Right: pnpm 8.9.0

I reverted to 8.8.0 and this setup still works.

[SiNONiMiTY]

This line was added:

pnpm/pkg-manager/plugin-commands-installation/src/installDeps.ts

Line 191 in 8605ffa

...getOptionsFromRootManifest(opts.rootProjectManifestDir!, opts.rootProjectManifest ?? {}),

Maybe it caused the issue?

By the looks of this one, this might be the cause, If the options are only written on the sub-project manifest, and there are no options on the root manifest, all options will be overwritten with an empty object.

Maybe we should take into consideration in here the value for shared-workspace-lockfile

[zkochan]

@SiNONiMiTY can you check if removing that line fixes your issue?

[SiNONiMiTY]

@zkochan

I modified that line then recompiled, and tried to used the result, sadly the options are still removed.

Reverted to the original files for 8.8.0 and it worked as expected again. Aside from this line, there might be other changes that triggered this issue.

Looking at the changes from #7141 as the issue might have been introduced there.

[zkochan]

Some changes from #7141 were reverted, so the changes should be reviewed between 8.8.0 and 8.9.0

https://github.com/pnpm/pnpm/compare/v8.8.0...v8.9.0?diff=unified