pnpm: 9.12.1 -> 9.12.2

[gepbird]

Release: https://github.com/pnpm/pnpm/releases/tag/v9.12.2

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[gepbird]

Most packages fail with  ERR_PNPM_NO_OFFLINE_TARBALL  A package is missing from the store but cannot download it in offline mode. The missing package may be downloaded from https://registry.npmjs.org/xxx/-/xxx.tgz.
I'll investigate this on the weekend when I'll have time.

Result of nixpkgs-review pr 349093 run on x86_64-linux 1

42 packages failed to build:

• astro-language-server
• authelia
• autoprefixer
• cdxgen
• clash-verge-rev
• en-croissant
• follow
• gitbutler
• goofcord
• heroic
• heroic-unwrapped
• homebox
• legcord
• lemmy-ui
• metacubexd
• misskey
• n8n
• overlayed
• pgrok
• pgrok.server
• postcss-cli
• renovate
• rsshub
• siyuan
• sketchybar-app-font
• stylelint-lsp
• surrealist
• syncyomi
• taler-challenger
• taler-merchant
• taler-sync
• taler-wallet-core
• teleport (teleport_16)
• teleport.client (teleport_16.client)
• vencord
• vencord-web-extension
• vesktop
• vikunja
• webcord-vencord
• wrangler
• youtube-music
• zenn-cli

2 packages built:

• pnpm
• pot

[NyCodeGHG]

Looks like upstream changed their store format, which broke most of our FOD hashes :/

[gepbird]

Looks like upstream changed their store format, which broke most of our FOD hashes :/

Running a diff for example on the old and new astro-language-server.pnpmDeps, shows only a file name change, file content is the same:

Only in /nix/store/mbawgip8msszvjkqhsjnhv0bwxj89cqv-astro-language-server-pnpm-deps/v3/files/8a: 4e547ef22ddf054acadfe74ec7e8a083af03d7fdfe918fcf0b41d155f0e3163c58f94097e4fffeffa628ded2de364f9620d0208bbe7e5ac9c01073c374aa26
Only in /nix/store/kn62rkbq14mkah57sadr3kzc58hn8dm4-astro-language-server-pnpm-deps/v3/files/8a: 4e547ef22ddf054acadfe74ec7e8a083af03d7fdfe918fcf0b41d155f0e3163c58f94097e4fffeffa628ded2de364f9620d0208bbe7e5ac9c01073c374aa26-exec

I'll update all the pnpm hashes soon.

[gepbird]

teleport failure is unrelated: https://hydra.nixos.org/build/274984883

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 349093

---

x86_64-linux

❌ 2 packages failed to build:

• teleport (teleport_16)
• teleport.client (teleport_16.client)

✅ 42 packages built:

• astro-language-server
• authelia
• autoprefixer
• cdxgen
• clash-verge-rev
• en-croissant
• follow
• gitbutler
• goofcord
• heroic
• heroic-unwrapped
• homebox
• legcord
• lemmy-ui
• metacubexd
• misskey
• n8n
• overlayed
• pgrok
• pgrok.server
• pnpm
• postcss-cli
• pot
• renovate
• rsshub
• siyuan
• sketchybar-app-font
• stylelint-lsp
• surrealist
• syncyomi
• taler-challenger
• taler-merchant
• taler-sync
• taler-wallet-core
• vencord
• vencord-web-extension
• vesktop
• vikunja
• webcord-vencord
• wrangler
• youtube-music
• zenn-cli

[Scrumplex]

podman-desktop from #343648 needs to be updated

[Scrumplex]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 349093

---

x86_64-linux

❌ 3 packages failed to build:

• podman-desktop
• teleport (teleport_16)
• teleport.client (teleport_16.client)

✅ 42 packages built:

• astro-language-server
• authelia
• autoprefixer
• cdxgen
• clash-verge-rev
• en-croissant
• follow
• gitbutler
• goofcord
• heroic
• heroic-unwrapped
• homebox
• legcord
• lemmy-ui
• metacubexd
• misskey
• n8n
• overlayed
• pgrok
• pgrok.server
• pnpm (pnpm_9)
• postcss-cli
• pot
• renovate
• rsshub
• siyuan
• sketchybar-app-font
• stylelint-lsp
• surrealist
• syncyomi
• taler-challenger
• taler-merchant
• taler-sync
• taler-wallet-core
• vencord
• vencord-web-extension
• vesktop
• vikunja
• webcord-vencord
• wrangler
• youtube-music
• zenn-cli

[gepbird]

Updated podman-desktop and metacubexd hashes

[Scrumplex]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 349093

---

x86_64-linux

❌ 4 packages failed to build:

• metacubexd
• podman-desktop
• teleport (teleport_16)
• teleport.client (teleport_16.client)

✅ 41 packages built:

• astro-language-server
• authelia
• autoprefixer
• cdxgen
• clash-verge-rev
• en-croissant
• follow
• gitbutler
• goofcord
• heroic
• heroic-unwrapped
• homebox
• legcord
• lemmy-ui
• misskey
• n8n
• overlayed
• pgrok
• pgrok.server
• pnpm
• postcss-cli
• pot
• renovate
• rsshub
• siyuan
• sketchybar-app-font
• stylelint-lsp
• surrealist
• syncyomi
• taler-challenger
• taler-merchant
• taler-sync
• taler-wallet-core
• vencord
• vencord-web-extension
• vesktop
• vikunja
• webcord-vencord
• wrangler
• youtube-music
• zenn-cli

[Scrumplex]

LGTM. We should notify open PRs about this change so that they can update their hashes.

[gepbird]

LGTM. We should notify open PRs about this change so that they can update their hashes.

I'll do that after this is merged, also they should get a merge conflict for the hashes too.

[gepbird]

Thanks for notifying them about the hash changes!

I also checked which PR got broken by this and found the same ones as you did, except for dorion.

Edit: nevermind, dorion was just quickly fixed
Edit2: turns out GitHub search is not as good as I thought and we missed some, I'll check for all packages this PR touched later

[Aleksanaa]

Is this hash change unavoidable? This type of behavior should be kept to a minimum.

[dotlambda]

Looks like upstream changed their store format, which broke most of our FOD hashes :/

This is why pnpm.fetchDeps should never have been merged. Imagine thousands of packages using it and a change like this quickly becomes unsustainable.
Somebody urgently needs to write a different FOD fetcher, simiilar to the one for npm, whose hash doesn't change upon version bumps.

[dotlambda]

Alternatively, can we ask upstream to commit to not breaking the hashes outside of major version bumps? And write a CI test for upstream that ensures this?

[Aleksanaa]

Running a diff for example on the old and new astro-language-server.pnpmDeps, shows only a file name change, file content is the same:

Only in /nix/store/mbawgip8msszvjkqhsjnhv0bwxj89cqv-astro-language-server-pnpm-deps/v3/files/8a: 4e547ef22ddf054acadfe74ec7e8a083af03d7fdfe918fcf0b41d155f0e3163c58f94097e4fffeffa628ded2de364f9620d0208bbe7e5ac9c01073c374aa26
Only in /nix/store/kn62rkbq14mkah57sadr3kzc58hn8dm4-astro-language-server-pnpm-deps/v3/files/8a: 4e547ef22ddf054acadfe74ec7e8a083af03d7fdfe918fcf0b41d155f0e3163c58f94097e4fffeffa628ded2de364f9620d0208bbe7e5ac9c01073c374aa26-exec

But is it possible for us to at least "fixup" them to something simpler, so it doesn't matter?

Or is this completely happening in upstream servers and we don't have any control of it?

[Scrumplex]

But is it possible for us to at least "fixup" them to something simpler, so it doesn't matter?

If we had renamed these files back to what pnpm < 9.12.2 used, the configure hook would fail installing dependencies as pnpm 9.12.2 wouldn't find the expected files in its store.

Maybe we could have fixed them up and then unfixed them during configuration. But I think that wouldn't be very maintainable in the long run.

Alternatively, can we ask upstream to commit to not breaking the hashes outside of major version bumps? And write a CI test for upstream that ensures this?

I think this is a good way to go. If upstream agrees that a change to the store is a breaking change, they might just bump to a new major version every time the store format changes. In those cases, we can just release a new pnpm_<major> package and update all references in Nixpkgs to the previous version until packages update.

[Scrumplex]

I created an issue upstream to discuss this: pnpm/pnpm#8713

[Aleksanaa]

One more thing: we may need a release note for this, as it's somehow breaking.

[gepbird]

This is why pnpm.fetchDeps should never have been merged. Imagine thousands of packages using it and a change like this quickly becomes unsustainable.
Somebody urgently needs to write a different FOD fetcher, simiilar to the one for npm, whose hash doesn't change upon version bumps.

Until we don't have that many pnpm packages (currently there are about 50), mass hash changes are not the end of the world if it only happens 1 or 2 times in a year.

Package update PRs that use pnpm.fetchDeps get a merge conflict, so most likely the PR author will regenerate the hash. From what I've seen it didn't cause that big of an issue and was dealt with by active PR authors.

Hovewer package init PRs won't get merge conflicts and we need to hunt these down and notify the author, this is where we could've done better. Searching for pnpm.fetchDeps or even pnpm in nixpkgs/pulls is not sufficient. With a tool that could properly search in PR diffs, this could've been mitigated (at least in nixpkgs and not in nur or other projects relying on this). Do we have anything like that for searching PR diffs?

Alternatively, can we ask upstream to commit to not breaking the hashes outside of major version bumps? And write a CI test for upstream that ensures this?

Exactly, this should've been only released in the next major version.

One more thing: we may need a release note for this, as it's somehow breaking.

Mostly for people using pnpm.fetchDeps outside of nixpkgs, this will be very helpful. Can someone make a PR? I won't have the time for that in the near future.