pnpm / pnpm

Fast, disk space efficient package manager
https://pnpm.io
MIT License

--lockfile-only overrides --frozen-lockfile #6094

Open 35ujq435jq45 opened 1 year ago

35ujq435jq45 commented 1 year ago

pnpm version: 7.26.1

Code to reproduce the issue: pnpm install --frozen-lockfile --lockfile-only

Expected behavior: Lockfile is frozen and won't get modified.

Actual behavior: Lockfile is updated.

Additional information:

We want to verify our lockfile. That should include linting and verifying it against all package.json files in our repository. Since pnpm doesn't provide a --dry-run/--simulate option, we have to run pnpm install --frozen-lockfile. However, this will install all dependencies which we don't need/want. Hence, we added the --lockfile-only flag. However, it seems that this flag overrides the --frozen-lockfile flag which is undocumented behavior:

$ git status
...
nothing to commit, working tree clean

$ pnpm install --frozen-lockfile --lockfile-only
...

$ git status
...
    modified:   pnpm-lock.yaml

35ujq435jq45 commented 1 year ago

One easy fix would be to update the --help message and documentation for --lockfile-only and --frozen-lockfile.

zkochan commented 1 year ago

How would you do this with npm or Yarn?

35ujq435jq45 commented 1 year ago

@zkochan There's yarn check: link

npm directly uses package.json if I see correctly (src).

35ujq435jq45 commented 1 year ago

One workaround we want to try out is using the 'afterAllResolved' hook in .pnpmfile.cjs to kill pnpm.

zkochan commented 1 year ago

I think we can add something like pnpm install --check or pnpm check

35ujq435jq45 commented 1 year ago

That would be awesome. I think all we need to do for this is to exit after the resolution step (afterAllResolved).

SinimaWath commented 1 month ago

+1 Would be useful
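
A CI guard for the behaviour reported in this issue, as an added example that is not part of the thread or of pnpm: because `--lockfile-only` rewrites pnpm-lock.yaml even with `--frozen-lockfile`, the function below lets pnpm re-resolve, compares a hash of the lockfile before and after, restores the committed copy, and returns non-zero on drift. The names `check_lockfile_drift`, `lock_hash` and the `RESOLVE_CMD` override are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not pnpm's own code): detect lockfile drift without relying on
# --frozen-lockfile, which the issue reports is overridden by --lockfile-only.

# Assumption: RESOLVE_CMD is a hypothetical override so the check can be
# exercised without pnpm; by default it runs the resolve-only install.
RESOLVE_CMD="${RESOLVE_CMD:-pnpm install --lockfile-only}"

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
lock_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_lockfile_drift DIR
# Returns 0 if re-resolving leaves DIR/pnpm-lock.yaml byte-identical,
# 1 if the lockfile would change, 2 if the check itself could not run.
check_lockfile_drift() {
  local dir="${1:-.}" lock backup before after rc=0
  lock="$dir/pnpm-lock.yaml"
  [ -f "$lock" ] || { echo "no pnpm-lock.yaml in $dir" >&2; return 2; }

  backup="$(mktemp)" || return 2
  cp -p "$lock" "$backup" || { rm -f "$backup"; return 2; }
  before="$(lock_hash "$lock")"

  # Re-resolve only; dependencies are not installed.
  if ! (cd "$dir" && $RESOLVE_CMD) >/dev/null 2>&1; then
    echo "resolution failed" >&2
    rc=2
  else
    after="$(lock_hash "$lock")"
    if [ "$before" != "$after" ]; then
      echo "pnpm-lock.yaml is out of sync with package.json:" >&2
      diff -u "$backup" "$lock" >&2 || true
      rc=1
    fi
  fi

  # Always put the committed lockfile back so the working tree stays clean.
  cp -p "$backup" "$lock" && rm -f "$backup"
  return "$rc"
}
```

In a pipeline, call `check_lockfile_drift .` from the repository root and fail the job on any non-zero return.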