fix(ci): pin pnpm@9.15.9 and refresh lockfile with security overrides#564

Merged
isaquebock merged 4 commits into main from fix-ci-and-bump-theme on May 21, 2026
Conversation

@isaquebock
Collaborator

Summary

Fixes ERR_PNPM_LOCKFILE_CONFIG_MISMATCH in the Publish @aziontech/theme to NPM workflow (and any other CI job running pnpm install --frozen-lockfile).

Root cause

  • CI uses pnpm 9 (pnpm/action-setup@v4 with version: 9), which reads pnpm.overrides from package.json.
  • Local dev has been on pnpm 10/11, which silently ignores pnpm.overrides (it only reads overrides from pnpm-workspace.yaml).
  • The lockfile was last regenerated with a newer pnpm, so it had no overrides: section. CI's pnpm 9 saw 13 overrides in package.json vs 0 in the lockfile → frozen install rejected the divergence.
  • Side effect: the security overrides added in fix: audit packages #532 / fix: dep minimatch 9.0.0 added to overriders #544 were not actually being applied to transitive resolutions on local pnpm 11 installs.

Changes

  • package.json
    • Add "packageManager": "pnpm@9.15.9" so Corepack pins every environment (CI + local) to the same pnpm version.
    • Remove the duplicate top-level "overrides" block. pnpm doesn't read it — only pnpm.overrides matters on pnpm 9. The npm-style top-level field was noise and made the mismatch harder to diagnose.
  • pnpm-lock.yaml
    • Regenerated with pnpm 9.15.9. Now includes the overrides: section at the top (13 entries, matching pnpm.overrides) and applies them to transitive resolutions for the first time. Lockfile shrunk ~140 lines from deduping that overrides made possible.
  • packages/theme/README.md
    • Tiny copy fix in the Features bullet.

Test plan

  • pnpm install --frozen-lockfile with pnpm 9.15.9 → Lockfile is up to date (simulates the CI step that was failing).
  • Confirmed overrides: block is present in pnpm-lock.yaml (line 7).
  • CI green on this PR (Publish @aziontech/theme to NPM workflow won't run here — it's paths: packages/theme/** on main — but governance and package-webkit install paths exercise the same pnpm install --frozen-lockfile).
  • After merge, verify the next push to main touching packages/theme/** completes the theme publish job.

Notes for reviewers

  • Future-proofing: if/when the team wants to move to pnpm 10+, the migration is to relocate pnpm.overrides from package.json into pnpm-workspace.yaml and bump packageManager accordingly. Out of scope for this PR.

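As an added illustration (not code from this repository), a small Node.js check that reproduces the mismatch described above before CI does: it compares `pnpm.overrides` in `package.json` with the top-level `overrides:` block of `pnpm-lock.yaml`, so a lockfile regenerated by a pnpm that ignores `pnpm.overrides` is flagged locally instead of failing the frozen install. The helper names and the two sample lockfiles are constructed; the YAML handling covers only the flat `key: value` form pnpm writes for that block.

```javascript
// Hypothetical helper (not part of the repository): detect the divergence that
// pnpm 9 rejects with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH under --frozen-lockfile.

// Parse the top-level `overrides:` mapping of a pnpm lockfile. Only the flat
// `  key: value` form is handled; keys and values may be single- or double-quoted.
function parseLockfileOverrides(lockfileText) {
  const overrides = {};
  let inBlock = false;
  for (const line of lockfileText.split('\n')) {
    if (!inBlock) {
      if (line.trim() === 'overrides:') inBlock = true;
      continue;
    }
    if (!/^\s/.test(line)) break; // first unindented line closes the block
    const m = line.match(/^\s+(?:'([^']+)'|"([^"]+)"|([^:\s][^:]*)):\s*(.+?)\s*$/);
    if (!m) continue;
    const key = m[1] ?? m[2] ?? m[3];
    overrides[key] = m[4].replace(/^['"]|['"]$/g, '');
  }
  return overrides;
}

// Compare what package.json declares with what the lockfile actually recorded.
function compareOverrides(packageJsonText, lockfileText) {
  const pkg = JSON.parse(packageJsonText);
  const declared = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const locked = parseLockfileOverrides(lockfileText);
  const missing = Object.keys(declared).filter((k) => !(k in locked));
  const extra = Object.keys(locked).filter((k) => !(k in declared));
  const changed = Object.keys(declared).filter((k) => k in locked && locked[k] !== declared[k]);
  return { missing, extra, changed, ok: !missing.length && !extra.length && !changed.length };
}

// Constructed sample inputs (not the repository's real files).
const samplePackageJson = JSON.stringify({
  name: 'sample-monorepo',
  packageManager: 'pnpm@9.15.9',
  pnpm: { overrides: { minimatch: '^9.0.0', 'braces@<3.0.3': '>=3.0.3' } },
});
// Lockfile as a pnpm that ignores pnpm.overrides would write it: no overrides: block.
const lockfileWithoutOverrides =
  "lockfileVersion: '9.0'\n\nsettings:\n  autoInstallPeers: true\n\nimporters:\n  .:\n    dependencies: {}\n";
// Lockfile regenerated by pnpm 9 with the overrides recorded.
const lockfileWithOverrides =
  "lockfileVersion: '9.0'\n\nsettings:\n  autoInstallPeers: true\n\noverrides:\n" +
  "  minimatch: ^9.0.0\n  'braces@<3.0.3': '>=3.0.3'\n\nimporters:\n  .:\n    dependencies: {}\n";

const stale = compareOverrides(samplePackageJson, lockfileWithoutOverrides);
console.log(stale.ok ? 'lockfile in sync' : `lockfile missing overrides: ${stale.missing.join(', ')}`);
console.log(compareOverrides(samplePackageJson, lockfileWithOverrides).ok ? 'lockfile in sync' : 'mismatch');
```

Running it against a real checkout means reading the two files with `fs.readFileSync` and exiting non-zero when `ok` is false, which makes it usable as a pre-push hook.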
@isaquebock isaquebock requested a review from a team as a code owner May 20, 2026 21:22
@isaquebock isaquebock merged commit 6ac7f5e into main May 21, 2026
10 checks passed
@robsongajunior
Collaborator

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
