fix: --lockfile-only and readPackage hook modifying workspace packages (#5678)

close #5670
2025-12-24 23:58:07 -05:00 · 2022-11-27 05:31:57 +11:00
parent c615856f37
commit 868f2fb163
4 changed files with 34 additions and 1 deletions
--- a/.changeset/proud-schools-jump.md
+++ b/.changeset/proud-schools-jump.md
@@ -0,0 +1,7 @@
+---
+"@pnpm/core": patch
+"@pnpm/plugin-commands-installation": patch
+"pnpm": patch
+---
+
+readPackage hooks should not modify the `package.json` files in a workspace [#5670](https://github.com/pnpm/pnpm/issues/5670).
--- a/pkg-manager/core/src/install/index.ts
+++ b/pkg-manager/core/src/install/index.ts
@@ -690,6 +690,7 @@ export type ImporterToUpdate = {
 } & DependenciesMutation

 export interface UpdatedProject {
+  originalManifest?: ProjectManifest
  manifest: ProjectManifest
  peerDependencyIssues?: PeerDependencyIssues
  rootDir: string
--- a/pkg-manager/plugin-commands-installation/src/recursive.ts
+++ b/pkg-manager/plugin-commands-installation/src/recursive.ts
@@ -257,7 +257,7 @@ export async function recursive (
    if (opts.save !== false) {
      await Promise.all(
        mutatedPkgs
-          .map(async ({ manifest }, index) => writeProjectManifests[index](manifest))
+          .map(async ({ originalManifest, manifest }, index) => writeProjectManifests[index](originalManifest ?? manifest))
      )
    }
    return true
--- a/pnpm/test/hooks.ts
+++ b/pnpm/test/hooks.ts
@@ -37,6 +37,18 @@ test('readPackage hook in single project doesn\'t modify manifest', async () =>
  pkg = await loadJsonFile(path.resolve('package.json'))
  expect(pkg.dependencies).toBeFalsy() // remove & readPackage hook work
  await project.hasNot('is-positive')
+
+  // Reset for --lockfile-only checks
+  await fs.unlink('pnpm-lock.yaml');
+
+  await execPnpm(['install', '--lockfile-only'])
+  pkg = await loadJsonFile(path.resolve('package.json'))
+  expect(pkg.dependencies).toBeFalsy() // install --lockfile-only & readPackage hook work, without pnpm-lock.yaml
+
+  // runs with pnpm-lock.yaml should not mutate local projects
+  await execPnpm(['install', '--lockfile-only'])
+  pkg = await loadJsonFile(path.resolve('package.json'))
+  expect(pkg.dependencies).toBeFalsy() // install --lockfile-only & readPackage hook work, with pnpm-lock.yaml
 })

 test('readPackage hook in monorepo doesn\'t modify manifest', async () => {
@@ -79,6 +91,19 @@ test('readPackage hook in monorepo doesn\'t modify manifest', async () => {
  await execPnpm(['remove', 'is-positive', '--filter', 'project-a'])
  pkg = await loadJsonFile(path.resolve('project-a/package.json'))
  expect(pkg.dependencies).toBeFalsy() // remove & readPackage hook work
+
+  // Reset for --lockfile-only checks
+  await fs.unlink('pnpm-lock.yaml');
+
+  await execPnpm(['install', '--lockfile-only'])
+  pkg = await loadJsonFile(path.resolve('project-a/package.json'))
+  expect(pkg.dependencies).toBeFalsy() // install --lockfile-only & readPackage hook work, without pnpm-lock.yaml
+
+  // runs with pnpm-lock.yaml should not mutate local projects
+  await execPnpm(['install', '--lockfile-only'])
+  pkg = await loadJsonFile(path.resolve('project-a/package.json'))
+  expect(pkg.dependencies).toBeFalsy() // install --lockfile-only & readPackage hook work, with pnpm-lock.yaml
+
 })

 test('filterLog hook filters peer dependency warning', async () => {