Verify latest release
pnpm version
No response
Which area(s) of pnpm are affected? (leave empty if unsure)
Lockfile, CLI
Link to the code that reproduces this issue or a replay of the bug
https://github.com/fpapado/pnpm-catalog-lockfile-deletion-dedupe-peer-dependents-false
Reproduction steps
- Have a workspace with at least two projects
- Have dedupe-peer-dependents=false in .npmrc
- Declare a catalog (default or named) with a given dependency
- A subset of the projects references said dependency via the catalog: protocol
- Make a filtered pnpm add for another project, which does not reference said dependency
- Observe that the catalog entry gets removed from the lockfile
Describe the Bug
Taking the reproduction repository, and running:
pnpm -F pkg-b add -D is-positive
Observe that the lockfile changes in an unexpected way, with catalogs being removed:
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 918fc17..99522bb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,12 +4,6 @@ settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
-catalogs:
- default:
- storybook:
- specifier: 8.5.5
- version: 8.5.5
-
importers:
.: {}
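Review bot: The deletion of the whole catalogs block (default catalog, storybook at specifier and version 8.5.5) at the top of this hunk does not follow from adding is-positive to pkg-b and should not be in this change. Nothing in the command touches storybook, so the block should be kept as it was.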
@@ -20,7 +14,11 @@ importers:
specifier: 'catalog:'
version: 8.5.5
- pkg-b: {}
+ pkg-b:
+ devDependencies:
+ is-positive:
+ specifier: ^3.1.0
+ version: 3.1.0
packages:
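Review bot: The unchanged context at the top of this hunk still records specifier 'catalog:' with version 8.5.5, so after the first hunk the lockfile has an importer pointing at a catalog that is no longer defined anywhere in the file. The pkg-b devDependencies entry for is-positive is the only change in this hunk that follows from the command; the catalog entry should be retained as long as any importer still carries a 'catalog:' specifier.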
@@ -314,6 +312,10 @@ packages:
resolution: {integrity: sha512-nPUB5km40q9e8UfN/Zc24eLlzdSf9OfKByBw9CIdw4H1giPMeA0OIJvbchsCu4npfI2QcMVBsGEBHKZ7wLTWmQ==}
engines: {node: '>= 0.4'}
+ [email protected]:
+ resolution: {integrity: sha512-8ND1j3y9/HP94TOvGzr69/FgbkX2ruOldhLEsTWwcJVfo4oRjwemJmJxt7RJkKYH8tz7vYBP9JcKQY8CLuJ90Q==}
+ engines: {node: '>=0.10.0'}
+
[email protected]:
resolution: {integrity: sha512-MjYsKHO5O7mCsmRGxWcLWheFqN9DJ/2TmngvjKXihe6efViPqc274+Fx/4fYj/r03+ESvBdTXK0V6tA3rgez1g==}
engines: {node: '>= 0.4'}
@@ -659,6 +661,8 @@ snapshots:
has-tostringtag: 1.0.2
safe-regex-test: 1.1.0
+ [email protected]: {}
+
[email protected]:
dependencies:
call-bound: 1.0.3
Expected Behavior
I would expect only the given package to be added for the specified project, and catalogs to remain untouched. By comparison, manually editing package.json to add a dependency, then running pnpm install works as expected, with no collateral lockfile changes.
This likely happens with dedupe-peer-dependents=false, because there is no installation for the whole module graph when running this command, and pnpm cleans up unused catalog references. By comparison dedupe-peer-dependents=true (the default) runs an installation for the whole graph, so I imagine the catalogs are marked as used somewhere. We use dedupe-peer-dependents=false to have more isolation between projects, and this kind of removal is unexpected, since it causes collateral lockfile changes.
I am more than happy to work on fixing this, as I've interacted with these codepaths before. For example, we could try to omit the catalog cleanup if there is only a subset of the workspace being manipulated, or do a second pass for catalog cleanup, considering the whole workspace. I am open to ideas 🗒
cc @gluxon for catalog tracking; I believe I have seen a similar issue filed before, but my search skills failed me today 😅
Which Node.js version are you using?
22.13.1
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response
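A check for the inconsistency reported above, as an added example (not pnpm's code and not part of the original report): it scans a pnpm-lock.yaml for importers whose specifier uses the catalog: protocol without a matching entry under catalogs:, which is what a CI step could use to catch this collateral change. The sample lockfiles are constructed from the diff above; the importer name pkg-a and its devDependencies section are assumptions.

```javascript
// Added example: flag importers whose `catalog:` specifier has no matching
// entry under `catalogs:`. Line-based scan of those two sections only;
// assumes pnpm's two-space indented lockfile layout.
const unquote = (s) => s.replace(/^(['"])(.*)\1$/, '$2');

function findDanglingCatalogRefs(lockfileText) {
  const defined = new Set(); // "catalogName\0dependencyName"
  const refs = [];
  const path = []; // keys from the top level down to the current line
  for (const raw of lockfileText.split(/\r?\n/)) {
    const m = /^( *)('[^']*'|"[^"]*"|[^\s:#][^:]*):(?:\s+(.*))?$/.exec(raw);
    if (!m) continue; // blank line or something that is not `key: value`
    const depth = m[1].length >> 1;
    path.length = depth;
    path[depth] = unquote(m[2]);
    const value = unquote((m[3] || '').trim());
    if (path[0] === 'catalogs' && depth === 2) {
      defined.add(`${path[1]}\0${path[2]}`);
    } else if (path[0] === 'importers' && depth === 4 &&
               path[4] === 'specifier' && value.startsWith('catalog:')) {
      // A bare `catalog:` refers to the default catalog.
      const catalog = value.slice('catalog:'.length) || 'default';
      refs.push({ importer: path[1], dependency: path[3], catalog });
    }
  }
  return refs.filter((r) => !defined.has(`${r.catalog}\0${r.dependency}`));
}

// Constructed samples modelled on the diff above (pkg-a is an assumption).
const importers = [
  'importers:', '  .: {}', '  pkg-a:', '    devDependencies:',
  '      storybook:', "        specifier: 'catalog:'",
  '        version: 8.5.5', '  pkg-b: {}',
].join('\n');
const catalogs = ['catalogs:', '  default:', '    storybook:',
  '      specifier: 8.5.5', '      version: 8.5.5', ''].join('\n');
const before = `lockfileVersion: '9.0'\n\n${catalogs}\n${importers}\n`;
const after = `lockfileVersion: '9.0'\n\n${importers}\n`;

console.log(findDanglingCatalogRefs(before)); // no dangling references
console.log(findDanglingCatalogRefs(after));  // pkg-a -> storybook (default)
```
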