Skip to content

fix: restore pnpm frozen installs#470

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-d618
Draft

fix: restore pnpm frozen installs#470
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-d618

Conversation

@cursor

@cursor cursor Bot commented Jul 16, 2026

Copy link
Copy Markdown

Bug and impact

Recent pnpm 11 dependency config drift made clean/frozen installs fail before the app could build or deploy. The first hard failure was ERR_PNPM_LOCKFILE_CONFIG_MISMATCH because the lockfile recorded overrides from package.json#pnpm.overrides, but pnpm 11 ignores that field and reads active overrides from pnpm-workspace.yaml. After that was corrected, clean installs also failed on strict build approvals: optional node-liblzma attempted a native build on hosts without system liblzma headers, while sharp/core-js/core-js-pure were left as unreviewed build scripts.

Root cause

The pnpm 11 migration was incomplete: override pins were split between an ignored package.json field and the workspace file, and allowBuilds still allowed a nonessential optional native package while missing explicit decisions for newly surfaced build-script packages.

Fix

  • Moved the ignored override pins into pnpm-workspace.yaml and regenerated lockfile override metadata.
  • Removed the ignored package.json#pnpm.overrides block.
  • Updated allowBuilds to allow required native sharp, explicitly deny nonessential core-js/core-js-pure scripts, and deny optional node-liblzma to avoid requiring system liblzma during install.

Validation

  • corepack pnpm install --frozen-lockfile --prefer-offline from a clean node_modules state passes.
  • npx tsx scripts/test-global-error-reload-guard.ts passes.
  • npx tsx scripts/test-pdf-download-page-edits.ts passes.
Open in Web View Automation 

spent a lot of water and tokens to review your slop

Greptile Summary

This PR restores frozen pnpm installs after dependency configuration drift. The main changes are:

  • Moved active override pins from package.json into pnpm-workspace.yaml.
  • Updated pnpm-lock.yaml override metadata to match the workspace configuration.
  • Adjusted allowBuilds to allow sharp and deny core-js, core-js-pure, and node-liblzma build scripts.

Confidence Score: 5/5

Safe to merge with minimal risk.

The changes are limited to pnpm configuration and lockfile metadata, and the workspace overrides match the lockfile overrides.

No files require special attention.

T-Rex T-Rex Logs

What T-Rex did

  • Captured the initial package versions and pre-clean node_modules state in pnpm-clean-install-01-before.log.
  • Performed a clean, frozen install by moving node_modules aside and running the install, with outputs and exit code 0 captured in pnpm-clean-install-02-after.log.
  • Validated the global error reload guard script passed, as shown in global-error-reload-guard.log.
  • Validated the PDF download page edits script passed, as shown in pdf-download-page-edits.log.
  • The generated shell harness run-clean-frozen-install.sh was created to perform and capture the clean install validation.

View all artifacts

T-Rex Ran code and verified through T-Rex

Important Files Changed

Filename Overview
package.json Removed the stale pnpm.overrides block so pnpm 11 reads override policy from the workspace file instead.
pnpm-workspace.yaml Centralized dependency overrides and updated build-script approvals and denials for frozen pnpm installs.
pnpm-lock.yaml Updated lockfile override metadata to match the active workspace configuration.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Dev as Clean install
participant PNPM as pnpm 11
participant Workspace as pnpm-workspace.yaml
participant Lock as pnpm-lock.yaml
participant Scripts as Package build scripts

Dev->>PNPM: pnpm install --frozen-lockfile
PNPM->>Workspace: Read active overrides and allowBuilds
PNPM->>Lock: Compare recorded overrides
Lock-->>PNPM: Matching override metadata
PNPM->>Scripts: Apply build approvals
Scripts-->>PNPM: Allow sharp, deny core-js/core-js-pure/node-liblzma
PNPM-->>Dev: Frozen install succeeds
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Dev as Clean install
participant PNPM as pnpm 11
participant Workspace as pnpm-workspace.yaml
participant Lock as pnpm-lock.yaml
participant Scripts as Package build scripts

Dev->>PNPM: pnpm install --frozen-lockfile
PNPM->>Workspace: Read active overrides and allowBuilds
PNPM->>Lock: Compare recorded overrides
Lock-->>PNPM: Matching override metadata
PNPM->>Scripts: Apply build approvals
Scripts-->>PNPM: Allow sharp, deny core-js/core-js-pure/node-liblzma
PNPM-->>Dev: Frozen install succeeds
Loading

Reviews (1): Last reviewed commit: "fix: approve pnpm install builds" | Re-trigger Greptile

cursoragent and others added 2 commits July 16, 2026 11:04
Co-authored-by: theg1239 <theg1239@users.noreply.github.com>
Co-authored-by: theg1239 <theg1239@users.noreply.github.com>
@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
examcooker-dev Error Error Jul 16, 2026 11:07am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant