Skip to content

ci: pin pnpm via packageManager to fix auto-update lockfile mismatch#465

Closed
mandarini wants to merge 1 commit into
masterfrom
fix/pin-pnpm-version-via-package-manager
Closed

ci: pin pnpm via packageManager to fix auto-update lockfile mismatch#465
mandarini wants to merge 1 commit into
masterfrom
fix/pin-pnpm-version-via-package-manager

Conversation

@mandarini
Copy link
Copy Markdown
Contributor

@mandarini mandarini commented May 11, 2026

Summary

  • Auto-update PRs for @supabase/supabase-js (chore: update @supabase/supabase-js to v2.105.4 #460, do not merge #464) have been failing CI since 2026-05-08 with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH.
  • Root cause: update-supabase-js.yml regenerates the lockfile with pnpm 9 while website-tests.yaml runs --frozen-lockfile with pnpm latest (now 11.x). The two versions produce/expect different overrides lockfile shapes.
  • Fix: pin pnpm to a single version via the packageManager field in website/package.json. pnpm/action-setup@v6 reads it when no version: input is set, so both workflows always agree.
  • Bumps website/pnpm-lock.yaml to the pnpm-11 format (drops top-level overrides: block, adds libc: on platform deps).
  • Adds website/pnpm-workspace.yaml with allowBuilds: entries for sharp, esbuild, unrs-resolver — pnpm 11 errors on unapproved build scripts. Generated by pnpm approve-builds --all.

Why pin via packageManager rather than version: latest everywhere

version: latest is what caused this regression — pnpm shipped a new major and CI silently moved with it. Pinning makes pnpm upgrades a deliberate PR rather than a surprise breakage.

Verification

  • cd website && CI=true pnpm install --frozen-lockfile ✓ exits 0 locally on pnpm 11.0.8 (previously failed with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH)
  • pnpm run test:run ✓ passes in TZ=UTC (CI default). One pre-existing test in __tests__/search.integration.test.tsx:87 is timezone-dependent and only passes in UTC — unrelated to this change.
  • Test & Coverage on this PR will be the canonical check.

Follow-up

Once this lands, open auto-update PRs #460 and #464 will need to be rebased on master to pick up the new workflow + lockfile shape.

Test plan

  • Test & Coverage passes on this PR
  • After merge, manually re-trigger update-supabase-js workflow_dispatch (any current version) and confirm the produced PR is green

🤖 Generated with Claude Code

@vercel
Copy link
Copy Markdown

vercel Bot commented May 11, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dbdev Error Error May 11, 2026 3:13pm

Request Review

@supabase
Copy link
Copy Markdown

supabase Bot commented May 11, 2026

This pull request has been ignored for the connected project xmuptpplfviifrbwmmtv because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@mandarini mandarini force-pushed the fix/pin-pnpm-version-via-package-manager branch from 8cd4028 to 1bc1b7c Compare May 11, 2026 15:05
@coveralls
Copy link
Copy Markdown

coveralls commented May 11, 2026
edited
Loading

Coverage Report for CI Build 25678894493

Warning

No base build found for commit 01e651d on master.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 50.963%

Details

  • Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →

Coverage Stats

Coverage Status
Relevant Lines: 495
Covered Lines: 265
Line Coverage: 53.54%
Relevant Branches: 180
Covered Branches: 79
Branch Coverage: 43.89%
Branches in Coverage %: Yes
Coverage Strength: 4.39 hits per line
💛 - Coveralls

@mandarini @claude
ci: pin pnpm via packageManager to fix auto-update lockfile mismatch
b27045f 
Auto-update PRs for @supabase/supabase-js have been failing since 2026-05-08
with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. The update-supabase-js workflow
regenerates the lockfile with pnpm 9, but website-tests uses pnpm "latest"
(now 11.x), which writes a different overrides format and rejects the
pnpm-9 lockfile under --frozen-lockfile.

Pin both workflows to the same pnpm via the packageManager field in
website/package.json. pnpm/action-setup reads it when no version: is set,
so both jobs always agree on the pnpm version. Bump the lockfile to the
pnpm-11 format and add pnpm-workspace.yaml allowBuilds entries for sharp,
esbuild, and unrs-resolver — pnpm 11 errors on unapproved build scripts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mandarini mandarini force-pushed the fix/pin-pnpm-version-via-package-manager branch from 1bc1b7c to b27045f Compare May 11, 2026 15:12
@mandarini mandarini closed this May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mandarini @coveralls