mirror of https://github.com/pnpm/pnpm.git synced 2026-06-28 09:55:39 -04:00

Files

Abdullah Alaqeel 61969fbddf fix(deps-status): detect lockfile-only changes (#12106 )

## Summary

Fixes `pnpm install` with `optimisticRepeatInstall` incorrectly returning `Already up to date` when `pnpm-lock.yaml` changed but project manifests did not.

Fixes #12100.

## Root Cause

`checkDepsStatus` used modified manifest mtimes as the only signal for whether it needed to validate dependency status. If no manifest was newer than `workspaceState.lastValidatedTimestamp`, it returned `upToDate: true` before checking whether the wanted lockfile had changed.

That skipped lockfile validation for workflows like:

- `git checkout HEAD~1 -- pnpm-lock.yaml`
- restoring only `pnpm-lock.yaml` from a stash
- external tools rewriting the lockfile without touching manifests

## Changes

- Check wanted lockfile mtimes before taking the optimistic fast path.
- If any wanted lockfile is missing or newer than the workspace state timestamp, validate all projects instead of only modified manifests.
- Add a regression test proving a lockfile-only change does not skip wanted-lockfile validation.
- Add a patch changeset for `@pnpm/deps.status` and `pnpm`.

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>

2026-06-16 22:04:07 +00:00

src

fix(deps-status): detect lockfile-only changes (#12106 )

2026-06-16 22:04:07 +00:00

test

fix(deps-status): detect lockfile-only changes (#12106 )

2026-06-16 22:04:07 +00:00

CHANGELOG.md

chore(release): 11.7.0 (#12414 )

2026-06-15 08:37:08 +02:00

package.json

chore(release): 11.7.0 (#12414 )

2026-06-15 08:37:08 +02:00

README.md

refactor: rename lockfile-file to lockfile.fs

2024-07-28 01:15:20 +02:00

tsconfig.json

refactor: rename packages and consolidate runtime resolvers (#10999 )

2026-03-18 00:19:58 +01:00

tsconfig.lint.json

refactor: rename lockfile-file to lockfile.fs

2024-07-28 01:15:20 +02:00

README.md

@pnpm/lockfile.fs

Read/write pnpm-lock.yaml files

Reads and writes the wanted (pnpm-lock.yaml) and current (node_modules/.pnpm-lock.yaml) lockfile files of pnpm. Lockfile files are the state files of the node_modules installed via pnpm. They are like the package-lock.json of npm or the yarn.lock of Yarn.

Install

pnpm add @pnpm/lockfile.fs

API

`readWantedLockfile(pkgPath, opts) => Promise<Lockfile>`

Reads the pnpm-lock.yaml file from the root of the package.

Arguments

pkgPath - Path - the path to the project
opts.ignoreIncompatible - Boolean - false by default. If true, throws an error if the lockfile file format is not compatible with the current library.

`readCurrentLockfile(virtualStoreDir, opts) => Promise<Lockfile>`

Reads the lockfile file from <virtualStoreDir>/lock.yaml.

`existsNonEmptyWantedLockfile(pkgPath) => Promise<Boolean>`

Returns true if a pnpm-lock.yaml exists in the root of the package.

`writeLockfiles(opts) => Promise<void>`

Writes the wanted/current lockfile files. When they are empty, removes them.

Arguments

opts.wantedLockfile
opts.wantedLockfileDir
opts.currentLockfile
opts.currentLockfileDir
[opts.forceSharedFormat]

`writeWantedLockfile(pkgPath, wantedLockfile) => Promise<void>`

Writes the wanted lockfile file only. Sometimes it is needed just to update the wanted lockfile without touching node_modules.

`writeCurrentLockfile(virtualStoreDir, currentLockfile) => Promise<void>`

Writes the current lockfile file only.

License

MIT