"globalDependencies": ["node_modules/.pnpm/lock.yaml"] doesn't work

[aaronadamsCA]

Summary

I've noticed "globalDependencies": ["node_modules/.pnpm/lock.yaml"] isn't actually working. Worse, it's a silent failure; you think you're cache-busting, but you're not.

Our dev and CI environments share a remote cache, so we need to be careful against invalid data getting in there. Without it, AFAIK a developer could:

1. Pull latest main branch
2. Forget to run pnpm install
3. Make changes and run checks

And now the cache would contain entries with keys using the new lockfile, but values using the old dependencies. We seemed to see this happening at times, so we tried to put a stop to it.

Since pnpm stores a lockfile in node_modules/.pnpm/lock.yaml that always reflects the current install, it seems perfect to use for cache busting. But Turborepo seems to quietly ignore it.

I'm hoping someone can tell me if this should be a feature request, a bug report, or if this isn't something we should be doing with recent versions of Turborepo. For instance, maybe this is a feature request for Turborepo to automatically use node_modules/.pnpm/lock.yaml instead of pnpm-lock.yaml, and/or to give an error if you try to reference node_modules/ in your globalDependencies. Really anything that would help guard against false negatives and silent failures.

Thanks!

Additional information

No response

Example

No response