Zoltan Kochan da65e62625 fix: pacquet install --frozen-lockfile works against pnpm v11 repos (#525)
* fix(lockfile): skip env document in pnpm v11 combined lockfiles

Pnpm v11 writes `pnpm-lock.yaml` as a stream of up to two YAML
documents: an optional first document carries the package-manager
bootstrap (`packageManagerDependencies` and the snapshots that back
it) and the second document is the regular project lockfile. Pacquet
hands the file straight to `serde_saphyr::from_str`, which rejects a
multi-document stream with "multiple YAML documents detected" — so
every install against a v11 repo that has a `packageManager` /
`devEngines.packageManager` declaration fails before staleness
checking even runs.

Port upstream's `extractMainDocument` to a new `yaml_documents`
module: if the file starts with `---\n`, return the slice after the
next `\n---\n` separator; if there is no second separator, the file
is env-only and the loader returns `Ok(None)`. `load_from_path`
threads the lockfile content through the filter before deserializing,
matching pnpm's `_read` call site at
https://github.com/pnpm/pnpm/blob/31858c544b/lockfile/fs/src/read.ts#L103-L110.

Three unit tests in `yaml_documents/tests` mirror upstream's
`extractMainDocument` test cases, and two integration tests in
`load_lockfile/tests.rs` cover the combined-document and env-only
paths end-to-end.

---
Written by an agent (Claude Code, claude-opus-4-7).

* fix(package-manifest): reify devEngines.runtime into devDependencies

With #511 / #512 pacquet recognises `runtime:` specifiers in the
lockfile, so a frozen install against a v11 repo gets past the YAML
parse but then trips the staleness check: the lockfile lists
`node@runtime:24.6.0` under the root importer's `devDependencies`,
while the on-disk `package.json` only declares the runtime through
`devEngines.runtime`. The flat-record diff then surfaces a spurious
"node@runtime:24.6.0 was removed" mismatch.

Port upstream's `convertEnginesRuntimeToDependencies` to a new free
function in `crates/package-manifest`. For each of `node`, `deno`,
`bun`, if `devEngines.runtime` (or `engines.runtime`) declares the
runtime with `onFail: "download"` and an explicit version, and the
target dependencies bucket has no explicit entry yet, insert
`<name>: "runtime:<version>"`. Array and single-object runtime shapes
are both accepted. Skip when `onFail` is anything other than
`"download"` or when the version is absent — upstream warns on the
missing-version path; pacquet skips silently and the staleness check
still surfaces the gap if it matters downstream. WebContainer's
"no runtime download" branch is intentionally omitted since pacquet
does not run there.

`PackageManifest::read_from_file` calls the function for both
`(devEngines, devDependencies)` and `(engines, dependencies)`,
mirroring upstream's `convertManifestAfterRead` at
https://github.com/pnpm/pnpm/blob/9cad8274fd/workspace/project-manifest-reader/src/index.ts#L227-L231.

Six unit tests in `tests.rs` cover the happy path, the
no-version skip, the non-`download` `onFail` skip, preservation of
an explicit user-declared entry, the array-of-runtimes form, and the
`engines` → `dependencies` variant. A seventh test exercises the
hook through `PackageManifest::from_path` end-to-end.

Upstream reference:
https://github.com/pnpm/pnpm/blob/9cad8274fd/pkg-manifest/utils/src/convertEnginesRuntimeToDependencies.ts#L10-L45.

---
Written by an agent (Claude Code, claude-opus-4-7).
2026-05-14 15:53:59 +02:00
Description
No description provided
MIT 280 MiB
Languages
Rust 56.5%
TypeScript 43%
JavaScript 0.4%