Skip to content

Pin pnpm to 11.11.0 via packageManager field#212

Merged
yzx9 merged 2 commits into
mainfrom
pin-pnpm-packagemanager
Jul 14, 2026
Merged

Pin pnpm to 11.11.0 via packageManager field#212
yzx9 merged 2 commits into
mainfrom
pin-pnpm-packagemanager

Conversation

@yzx9

@yzx9 yzx9 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Problem

CI's pnpm/action-setup@v6 step used a floating version: 11, which today resolved to the newly released pnpm 11.12.0. That release's self-installer crashes during its own headless install:

Switching pnpm from v11.7.0 to v11.12.0...
[ERROR] Cannot use 'in' operator to search for 'integrity' in undefined
    at createFullPkgId (.../pnpm.mjs:154891:19)
    at lockfileToDepGraph → headlessInstall → installFromLockfile
##[error] Something went wrong, self-installer exits with code 1

This fails the frontend Lint job (and would fail any frontend-using workflow) before linting runs. It is not caused by the dependency bumps — the crash happens while pnpm installs itself from its own bundled lockfile.

Fix

Make web/package.json the single source of truth for the pnpm version:

  • Add "packageManager": "pnpm@11.11.0" to web/package.json.
  • In lint.yml and deploy-pages.yml, replace the floating version: 11 with package_json_file: web/package.json, omitting version so action-setup@v6 reads the field (documented behavior).

CI and local corepack now share one pinned version, so a bad future pnpm release can no longer break CI.

Scope

  • Fixes the Lint (pnpm self-install) failures on the currently-failing Dependabot PRs (after re-run once this lands on main).
  • Does not fix the Maven-group PR's CI / Run tests failures — those are a separate issue: Dependabot bumped Jackson to 2.22, which is not yet resolvable from Maven Central / scijava (Could not find artifact ...jackson-core:jar:2.22) alongside some checksum mismatches.

Only lint.yml and deploy-pages.yml install pnpm (verified by grep across .github/workflows/).

yzx9 added 2 commits July 14, 2026 11:44
CI's pnpm/action-setup step used a floating `version: 11`, which today
resolved to the newly released pnpm 11.12.0. That release's self-installer
crashes ("Cannot use 'in' operator to search for 'integrity' in undefined"
in lockfileToDepGraph/createFullPkgId), failing the frontend Lint job
(and any frontend-using workflow) before linting ever runs.

Add a `packageManager: pnpm@11.11.0` field to web/package.json and point
action-setup at it via `package_json_file: web/package.json`, omitting the
floating version. CI and local corepack now share one pinned pnpm version,
so a bad future pnpm release can no longer break CI.

Assisted-by: Claude-Code:GLM-5.2
The Lint workflow ran `pnpm dlx vue-tsc -b`, which fetches the latest
vue-tsc and resolves its typescript peer dependency to the newest
typescript published on npm. typescript 7.0.2 removed `./lib/tsc` from
its `exports` map, so vue-tsc 3.3.7 crashes with
ERR_PACKAGE_PATH_NOT_EXPORTED — breaking the type check regardless of
the repo's own typescript pin.

vue-tsc is already a devDependency (and the project pins typescript
~5.9.3), so run `pnpm exec vue-tsc -b` to type-check against the
installed typescript, matching how `pnpm run build` already invokes it.

Assisted-by: Claude-Code:GLM-5.2
@yzx9
yzx9 merged commit 7e08d3c into main Jul 14, 2026
7 checks passed
@yzx9
yzx9 deleted the pin-pnpm-packagemanager branch July 15, 2026 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant