fix(deps): skip pnpm frozen-lockfile on Netlify to dodge catalog mismatch bug#9471
Merged
Conversation
…atch bug Workaround for pnpm/pnpm#10258: pnpm >=10.24 (including 11.x) spuriously throws ERR_PNPM_LOCKFILE_CONFIG_MISMATCH on Netlify under --frozen-lockfile even when the workspace catalog and lockfile snapshot are identical. The bump to pnpm 11.1.2 in #9447 removed the prior pin from #9364 and re-exposed it. Setting NPM_CONFIG_FROZEN_LOCKFILE=false in docs/netlify.toml drops Netlify out of frozen mode so the buggy `allCatalogsAreUpToDate` check is skipped. CI elsewhere still runs frozen, so lockfile drift is still caught. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
✅ Deploy Preview for rolldown-rs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
pnpm 11 stopped reading NPM_CONFIG_* env vars for general settings — the v11 migration renamed the prefix to PNPM_CONFIG_*. The previous commit's NPM_CONFIG_FROZEN_LOCKFILE was silently ignored, so Netlify still ran under the default CI-implied frozen-lockfile and hit the catalog bug. See pnpm/config/reader/src/env.ts: getEnvKeySuffix only accepts pnpm_config_/PNPM_CONFIG_ prefixes for settings lookup. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
PNPM_CONFIG_FROZEN_LOCKFILE=false got past the frozen-mode catalog check, but the next deploy revealed the deeper symptom: [ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC] No catalog entry '@oxc-node/core' was found for catalog 'default'. Catalogs is empty because pnpm 11 on Netlify's sandbox isn't resolving the workspace root via findUp — pnpmConfig.workspaceDir is null, so readWorkspaceManifest is never called and `catalog:` definitions never load. (Locally with the same node + pnpm versions this works.) NPM_CONFIG_WORKSPACE_DIR is the explicit override for that lookup (pnpm/workspace/root-finder/src/index.ts:7). It is still keyed under the NPM_CONFIG_* prefix even after the v11 migration — see comment in the same file. Pointing it at /opt/build/repo (Netlify's NETLIFY_REPO_DIR) forces pnpm to load pnpm-workspace.yaml directly. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
The previous deploy (NPM_CONFIG_WORKSPACE_DIR alone) was masked: frozen
mode still fired the buggy LOCKFILE_CONFIG_MISMATCH check before we
could observe whether catalog resolution worked. Layer both vars so:
- NPM_CONFIG_WORKSPACE_DIR forces pnpm to load pnpm-workspace.yaml
from /opt/build/repo (the Netlify checkout path), bypassing the
broken auto-discovery.
- PNPM_CONFIG_FROZEN_LOCKFILE=false skips the false-positive
catalog-mismatch guard so we reach actual resolution.
If catalogs now load, resolution succeeds. If they still don't, we'll
see CATALOG_ENTRY_NOT_FOUND_FOR_SPEC and know the workspace-dir
override didn't take effect.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
shulaoda
approved these changes
May 20, 2026
V1OL3TF0X
pushed a commit
to V1OL3TF0X/rolldown
that referenced
this pull request
May 25, 2026
…atch bug (rolldown#9471) ## Summary - Adds `PNPM_FLAGS = "--no-frozen-lockfile"` to `docs/netlify.toml` `[build.environment]`. - Works around [pnpm/pnpm#10258](pnpm/pnpm#10258) — pnpm >=10.24 (incl. 11.x) spuriously throws `ERR_PNPM_LOCKFILE_CONFIG_MISMATCH` on Netlify under `--frozen-lockfile`, even when the workspace catalog and lockfile snapshot are byte-for-byte equivalent. ## Context rolldown#9447 bumped `packageManager` from `[email protected]` → `[email protected]` and removed the pin from rolldown#9364. pnpm 11.x carries the same buggy `allCatalogsAreUpToDate` check introduced in pnpm 10.24.0 ([pnpm/pnpm#10231](pnpm/pnpm#10231)), so Netlify deploys started failing again with the same false-positive catalog mismatch. I confirmed locally that `pnpm install --frozen-lockfile` on this commit with pnpm 11.1.2 + Node 24.12.0 succeeds clean — the bug only fires inside Netlify's build sandbox. The upstream issue is still open with no maintainer activity and this repo as the reproduction. ## Approach The failure occurs in Netlify's **pre-install stage** (before the project's build `command` runs), so any flag we put inside the build command is too late. Netlify forwards `PNPM_FLAGS` directly to that pre-install `pnpm install` invocation, so setting `PNPM_FLAGS = "--no-frozen-lockfile"` is enough to skip the buggy guard at the right step. Earlier attempts to disable frozen mode via `NPM_CONFIG_FROZEN_LOCKFILE` / `PNPM_CONFIG_FROZEN_LOCKFILE` and to pin the workspace root via `NPM_CONFIG_WORKSPACE_DIR` were dropped — they either weren't honored by pnpm 11 (the v11 migration changed which prefixes settings are read from) or didn't address the pre-install stage at all. `PNPM_FLAGS` is Netlify's intended hook for this and turns out to be the minimal fix. Scope is intentionally narrow: - Only the Netlify env gets the flag (via `docs/netlify.toml`, not `.npmrc`). - GitHub Actions CI keeps frozen-lockfile, so genuine drift is still caught upstream. - `packageManager` stays on pnpm 11.1.2 — no rollback of rolldown#9447. - The docs build `command` is unchanged; Netlify's own pre-install handles dependencies and the `--no-frozen-lockfile` flag rides along through `PNPM_FLAGS`. --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]> Co-authored-by: shulaoda <[email protected]>
Merged
shulaoda
added a commit
that referenced
this pull request
May 27, 2026
## [1.0.3] - 2026-05-27 ### 🚀 Features - transform: respect decorator strictNullChecks option (#9580) by @kylecannon - drop `defer` keyword (#9503) by @TheAlexLichter ### 🐛 Bug Fixes - ci: create target dir before cargo release-oxc update (#9584) by @shulaoda - ci: reorder prepare-release steps to avoid dirty git check failure (#9583) by @shulaoda - testing: canonicalize temp dir early and use platform-specific separator in test262 (#9582) by @shulaoda - testing: resolve symlinked temp dir in test262 snapshot normalization (#9581) by @shulaoda - testing: canonicalize temp dir path in test262 snapshot normalization (#9579) by @shulaoda - dev: `onOutput` called twice when initial build fails (#9552) by @hyf0 - dev: make `ensureCurrentBuildFinish` not returning error when engine closes (#9564) by @h-a-n-a - oxc-runtime: route require() to CJS helper variant (#9263) (#9526) by @IWANABETHATGUY - generator: use exporter chunk's export mode for CJS default re-exports (#9299) (#9529) by @IWANABETHATGUY - rolldown: always run reduced-atom static cycle check (#9441) (#9514) by @IWANABETHATGUY - apply transform.dropLabels before scanning (#9521) (#9522) by @IWANABETHATGUY - rolldown_watcher: take `rolldown` dep through the workspace (#9510) by @Boshen - cache: keep the scan-stage cache consistent when a build fails (#9495) by @h-a-n-a - skip JSON default-import namespace optimization for write targets (#9484) (#9489) by @IWANABETHATGUY - deps: skip pnpm frozen-lockfile on Netlify to dodge catalog mismatch bug (#9471) by @Boshen ### 🚜 Refactor - oxc-runtime: use Cow for helper path construction (#9538) by @IWANABETHATGUY - fold import defer phase drop into PreProcessor (#9524) by @IWANABETHATGUY - distinguish `map: null` vs `map: undefined` in transform hook output (#9497) by @sapphi-red ### 📚 Documentation - explain the policy for Rust crates (#9547) by @sapphi-red - cache: add design doc for cache (#9544) by @h-a-n-a - guide/troubleshooting: add TDZ error section (#9537) by @sapphi-red - dev-engine: add design doc for dev-engine (#9479) by @h-a-n-a - lazy-barrel: tweak some words (#9483) by @shulaoda - lazy-barrel: expand reasoning behind LARGE_BARREL_MODULES advice (#9477) by @shulaoda ### ⚡ Performance - generate: thread ast_table by value into codegen consumer (#9555) by @Boshen - finalizers: replace `_reExport` construction with a direct call to avoid calling `clone_in` (#9501) by @Dunqing - reorder hot-path boolean checks to short-circuit on cheap predicates first (#9523) by @Boshen ### 🧪 Testing - rolldown: regression fixture for #9401 (#9418) by @IWANABETHATGUY - failing test for #9441 (#9504) by @TheAlexLichter ### ⚙️ Miscellaneous Tasks - deps: upgrade oxc to 0.133.0 (#9563) by @Dunqing - deps: update crate-ci/typos action to v1.46.3 (#9576) by @renovate[bot] - deps: update mimalloc-safe to 0.1.62 (#9577) by @shulaoda - mimalloc-safe: update to a bug-fix branch for verification (#9569) by @shulaoda - deps: update test262 submodule for tests (#9551) by @rolldown-guard[bot] - point published crates' readme to root README.md (#9553) by @Boshen - replace actions-cool/issues-helper with gh CLI (#9543) by @Boshen - deps: update cargo-shear to 1.12.4 (#9541) by @Boshen - deps: update taiki-e/install-action action to v2.79.4 (#9535) by @renovate[bot] - deps: update github actions (#9532) by @renovate[bot] - deps: update rust crates (#9534) by @renovate[bot] - deps: update npm packages (#9533) by @renovate[bot] - gate experimental/testing-only items to silence dead_code in publish builds (#9517) by @Boshen - docs: deploy to Void (#9509) by @Boshen - release: set up cargo-release-oxc for publishing crates (#9476) by @Boshen - rolldown_plugin_lazy_compilation: add missing description (#9507) by @Boshen - mimalloc-safe: update to a bug-fix branch for verification (#9506) by @shulaoda - deps: update crate-ci/typos action to v1.46.2 (#9468) by @renovate[bot] ### ❤️ New Contributors * @kylecannon made their first contribution in [#9580](#9580)
shulaoda
pushed a commit
that referenced
this pull request
May 27, 2026
## [1.0.3] - 2026-05-27 ### 🚀 Features - transform: respect decorator strictNullChecks option (#9580) by @kylecannon - drop `defer` keyword (#9503) by @TheAlexLichter ### 🐛 Bug Fixes - ci: create target dir before cargo release-oxc update (#9584) by @shulaoda - ci: reorder prepare-release steps to avoid dirty git check failure (#9583) by @shulaoda - testing: canonicalize temp dir early and use platform-specific separator in test262 (#9582) by @shulaoda - testing: resolve symlinked temp dir in test262 snapshot normalization (#9581) by @shulaoda - testing: canonicalize temp dir path in test262 snapshot normalization (#9579) by @shulaoda - dev: `onOutput` called twice when initial build fails (#9552) by @hyf0 - dev: make `ensureCurrentBuildFinish` not returning error when engine closes (#9564) by @h-a-n-a - oxc-runtime: route require() to CJS helper variant (#9263) (#9526) by @IWANABETHATGUY - generator: use exporter chunk's export mode for CJS default re-exports (#9299) (#9529) by @IWANABETHATGUY - rolldown: always run reduced-atom static cycle check (#9441) (#9514) by @IWANABETHATGUY - apply transform.dropLabels before scanning (#9521) (#9522) by @IWANABETHATGUY - rolldown_watcher: take `rolldown` dep through the workspace (#9510) by @Boshen - cache: keep the scan-stage cache consistent when a build fails (#9495) by @h-a-n-a - skip JSON default-import namespace optimization for write targets (#9484) (#9489) by @IWANABETHATGUY - deps: skip pnpm frozen-lockfile on Netlify to dodge catalog mismatch bug (#9471) by @Boshen ### 🚜 Refactor - oxc-runtime: use Cow for helper path construction (#9538) by @IWANABETHATGUY - fold import defer phase drop into PreProcessor (#9524) by @IWANABETHATGUY - distinguish `map: null` vs `map: undefined` in transform hook output (#9497) by @sapphi-red ### 📚 Documentation - explain the policy for Rust crates (#9547) by @sapphi-red - cache: add design doc for cache (#9544) by @h-a-n-a - guide/troubleshooting: add TDZ error section (#9537) by @sapphi-red - dev-engine: add design doc for dev-engine (#9479) by @h-a-n-a - lazy-barrel: tweak some words (#9483) by @shulaoda - lazy-barrel: expand reasoning behind LARGE_BARREL_MODULES advice (#9477) by @shulaoda ### ⚡ Performance - generate: thread ast_table by value into codegen consumer (#9555) by @Boshen - finalizers: replace `_reExport` construction with a direct call to avoid calling `clone_in` (#9501) by @Dunqing - reorder hot-path boolean checks to short-circuit on cheap predicates first (#9523) by @Boshen ### 🧪 Testing - rolldown: regression fixture for #9401 (#9418) by @IWANABETHATGUY - failing test for #9441 (#9504) by @TheAlexLichter ### ⚙️ Miscellaneous Tasks - deps: upgrade oxc to 0.133.0 (#9563) by @Dunqing - deps: update crate-ci/typos action to v1.46.3 (#9576) by @renovate[bot] - deps: update mimalloc-safe to 0.1.62 (#9577) by @shulaoda - mimalloc-safe: update to a bug-fix branch for verification (#9569) by @shulaoda - deps: update test262 submodule for tests (#9551) by @rolldown-guard[bot] - point published crates' readme to root README.md (#9553) by @Boshen - replace actions-cool/issues-helper with gh CLI (#9543) by @Boshen - deps: update cargo-shear to 1.12.4 (#9541) by @Boshen - deps: update taiki-e/install-action action to v2.79.4 (#9535) by @renovate[bot] - deps: update github actions (#9532) by @renovate[bot] - deps: update rust crates (#9534) by @renovate[bot] - deps: update npm packages (#9533) by @renovate[bot] - gate experimental/testing-only items to silence dead_code in publish builds (#9517) by @Boshen - docs: deploy to Void (#9509) by @Boshen - release: set up cargo-release-oxc for publishing crates (#9476) by @Boshen - rolldown_plugin_lazy_compilation: add missing description (#9507) by @Boshen - mimalloc-safe: update to a bug-fix branch for verification (#9506) by @shulaoda - deps: update crate-ci/typos action to v1.46.2 (#9468) by @renovate[bot] ### ❤️ New Contributors * @kylecannon made their first contribution in [#9580](#9580)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PNPM_FLAGS = "--no-frozen-lockfile"todocs/netlify.toml[build.environment].ERR_PNPM_LOCKFILE_CONFIG_MISMATCHon Netlify under--frozen-lockfile, even when the workspace catalog and lockfile snapshot are byte-for-byte equivalent.Context
#9447 bumped
packageManagerfrom[email protected]→[email protected]and removed the pin from #9364. pnpm 11.x carries the same buggyallCatalogsAreUpToDatecheck introduced in pnpm 10.24.0 (pnpm/pnpm#10231), so Netlify deploys started failing again with the same false-positive catalog mismatch.I confirmed locally that
pnpm install --frozen-lockfileon this commit with pnpm 11.1.2 + Node 24.12.0 succeeds clean — the bug only fires inside Netlify's build sandbox. The upstream issue is still open with no maintainer activity and this repo as the reproduction.Approach
The failure occurs in Netlify's pre-install stage (before the project's build
commandruns), so any flag we put inside the build command is too late. Netlify forwardsPNPM_FLAGSdirectly to that pre-installpnpm installinvocation, so settingPNPM_FLAGS = "--no-frozen-lockfile"is enough to skip the buggy guard at the right step.Earlier attempts to disable frozen mode via
NPM_CONFIG_FROZEN_LOCKFILE/PNPM_CONFIG_FROZEN_LOCKFILEand to pin the workspace root viaNPM_CONFIG_WORKSPACE_DIRwere dropped — they either weren't honored by pnpm 11 (the v11 migration changed which prefixes settings are read from) or didn't address the pre-install stage at all.PNPM_FLAGSis Netlify's intended hook for this and turns out to be the minimal fix.Scope is intentionally narrow:
docs/netlify.toml, not.npmrc).packageManagerstays on pnpm 11.1.2 — no rollback of chore: bump pnpm to v11.1.2 #9447.commandis unchanged; Netlify's own pre-install handles dependencies and the--no-frozen-lockfileflag rides along throughPNPM_FLAGS.