Pnpm Silently Drops OptionalDependencies: A Bug Report

This article delves into a peculiar bug encountered in pnpm, a popular package manager, where the minimumReleaseAge setting silently drops optionalDependencies that don't meet the specified age criteria. This behavior can lead to unexpected build failures and dependency issues, making it crucial to understand the problem and its potential solutions.

The Issue: Silent Dependency Drops

The core issue arises when pnpm's minimumReleaseAge feature, designed to prevent the use of recently released packages, interacts with optionalDependencies. In certain scenarios, pnpm might silently drop these optional dependencies without providing any warning or error message. This can be particularly problematic because these dependencies might be crucial for specific functionalities or environments, and their absence can lead to runtime errors or build failures.

The Scenario

Imagine a situation where you're using a framework like Next.js along with several optional dependencies. You've configured minimumReleaseAge to ensure stability by avoiding very recent package versions. Now, suppose you update Next.js, and some of its optional dependencies have been released more recently than your minimumReleaseAge threshold. Instead of throwing an error or warning, pnpm silently removes these optional dependencies from your pnpm.lock file. This means that subsequent installations, even with --frozen-lockfile, will fail because the lockfile is missing these dependencies.

Why This Matters

The silent dropping of dependencies can be a major headache for developers. Here's why:

• Unexpected Failures: Your application might suddenly break in production or CI/CD environments due to missing dependencies.
• Difficult Debugging: The lack of error messages makes it hard to pinpoint the root cause of the issue. You might spend hours trying to figure out why your build is failing before realizing that pnpm has silently removed dependencies.
• Inconsistent Environments: Different environments might end up with different sets of dependencies, leading to inconsistencies and unpredictable behavior.

A Real-World Example

Let's consider a real-world scenario to illustrate the problem. Suppose you're using Next.js and have the following configuration:

minimumReleaseAge: 20160
next_v15_current:
    '@next/bundle-analyzer': 15.5.2
    eslint-config-next: 15.5.2
    next: 15.5.2

Initially, your pnpm.lock file contains references to the optional dependencies of Next.js. Now, you decide to update Next.js to address a security vulnerability:

next_v15_current:
    '@next/bundle-analyzer': 15.5.7
    eslint-config-next: 15.5.7
    next: 15.5.7

minimumReleaseAgeExclude:
  - 'next@15.5.7'

After running pnpm install, you encounter an error related to a @next/something package being too recent. You add it to minimumReleaseAgeExclude. However, pnpm then silently drops a bunch of other @next/ packages from your pnpm.lock file. Subsequent installations with --frozen-lockfile fail because these packages are missing. Even a normal pnpm install or pnpm install --force doesn't re-add the missing packages due to the minimumReleaseAgeExclude setting.

The solution, in this case, is to add a blanket exclusion:

minimumReleaseAgeExclude:
  - '@next/*'
  - 'next@15.5.7'

This forces pnpm to re-add the missing packages to pnpm.lock. However, this workaround highlights the core issue: pnpm should not silently drop required packages. It should instead provide an error message and prompt the user to add the packages to minimumReleaseAgeExclude.

The Root Cause: Optional Dependencies and minimumReleaseAge

The issue seems to stem from the interaction between minimumReleaseAge and optionalDependencies. Specifically, when an optional dependency doesn't meet the minimumReleaseAge criteria, pnpm might be incorrectly treating it as completely unnecessary and removing it from the lockfile. This behavior is not ideal, as optional dependencies can still be crucial in certain scenarios.

In the example above, the dropped dependencies were @next/swc-* packages, which are transitively required by next -> @next/swc. These packages are used for compilation, and their absence can cause build failures.

Expected Behavior

The expected behavior is that pnpm should not silently drop required packages, even if they are optional dependencies. Instead, it should:

1. Error and Warn: Display an error message indicating that certain packages do not meet the minimumReleaseAge criteria.
2. Prompt for Exclusion: Suggest adding the problematic packages to minimumReleaseAgeExclude.
3. Avoid Silent Drops: Ensure that packages are not silently removed from the pnpm.lock file without explicit user intervention.

Workarounds and Solutions

While the bug persists, here are some workarounds and solutions you can use:

1. Blanket Exclusions: As demonstrated in the example, you can use blanket exclusions in minimumReleaseAgeExclude to include all packages from a specific scope (e.g., @next/*). This ensures that pnpm doesn't silently drop any packages from that scope.
2. Manual Inspection: After updating dependencies, carefully inspect your pnpm.lock file to ensure that all expected dependencies are present.
3. Remove minimumReleaseAge (Temporarily): If you're facing this issue, you might temporarily remove the minimumReleaseAge setting to allow pnpm to install all dependencies. Then, you can re-add it and selectively exclude specific packages.
4. Report the Issue: If you encounter this bug, consider reporting it to the pnpm team with a detailed reproduction case. This helps the maintainers understand the problem and develop a proper fix.

Steps to Reproduce

While a full reproduction case might be time-consuming to create, here are the general steps that can lead to this issue:

1. Set Up: Create a project with pnpm and install a framework like Next.js.
2. Configure minimumReleaseAge: Add the minimumReleaseAge setting to your package.json or .npmrc file.
3. Update Dependencies: Update a major dependency (e.g., Next.js) to a version with recently released optional dependencies.
4. Observe Silent Drops: Check your pnpm.lock file to see if any optional dependencies have been silently removed.

Conclusion

The silent dropping of optionalDependencies by pnpm's minimumReleaseAge feature is a significant bug that can lead to unexpected build failures and dependency issues. By understanding the problem and its workarounds, developers can mitigate the risks and ensure the stability of their projects. It's crucial for pnpm to address this issue by providing clearer error messages and avoiding silent dependency drops.

For more information on pnpm and its features, you can visit the official pnpm website (https://pnpm.io/).