Skip to content

fix(docker): pin pnpm version to honor package.json packageManager field#86

Merged
TortoiseWolfe merged 1 commit into
mainfrom
fix/docker-pin-pnpm
May 13, 2026
Merged

fix(docker): pin pnpm version to honor package.json packageManager field#86
TortoiseWolfe merged 1 commit into
mainfrom
fix/docker-pin-pnpm

Conversation

@TortoiseWolfe
Copy link
Copy Markdown
Owner

@TortoiseWolfe TortoiseWolfe commented May 12, 2026

Summary

  • corepack prepare pnpm@latest in docker/Dockerfile started failing 2026-05-12 when pnpm 11.1.1 shipped (released the same day) with a stricter PNPM_HOME/PATH check. Build broke wherever the image was rebuilt today.
  • Pin to pnpm@10.16.1 — the version package.json's packageManager field already declares as the single source of truth. Corepack honors that field automatically, so this is now the canonical pin.
  • Also add $PNPM_HOME/bin to PATH as belt-and-suspenders, so future intentional bumps to pnpm 11.x keep the build working without another Dockerfile edit.

Root cause

A floating @latest tag in infrastructure code is a time bomb. This is the first time it went off, but won't be the last unless pinned. The fix also removes the duplication where two files (Dockerfile and package.json) both claimed authority over the pnpm version.

Test plan

  • docker compose build --no-cache scripthammer succeeds
  • docker compose up -d reaches health: starting
  • Verified pnpm 10.16.1 activates inside built image (corepack pulls from package.json packageManager field)
  • Isolation test: 
    docker run --rm node:22-slim sh -c 'corepack enable &&
  corepack prepare pnpm@10.16.1 --activate &&
  export PNPM_HOME=/pnpm && export PATH=\$PNPM_HOME:\$PNPM_HOME/bin:\$PATH &&
  pnpm config set store-dir /pnpm/store --global && echo SUCCESS'
    SUCCESS
  • Pre-push hooks (lint, type-check, build) all green

🤖 Generated with Claude Code

@TurtleWolfe @claude
fix(docker): pin pnpm version to honor package.json packageManager field
0cba24c 
The Dockerfile called `corepack prepare pnpm@latest --activate`, which
silently follows whatever pnpm publishes as "latest" each time the image
is rebuilt. This broke the build on 2026-05-12 when pnpm 11.1.1 shipped
(released the same day) with a stricter interpretation of PNPM_HOME:

    [ERROR] The configured global bin directory "/pnpm/bin" is not in PATH

pnpm 10.x (which the repo's pnpm-lock.yaml requires) accepted
`PATH=$PNPM_HOME:$PATH` because it treated $PNPM_HOME itself as the bin
dir. pnpm 11.x splits PNPM_HOME and its bin subdirectory, so the same
PATH no longer satisfies `pnpm config set --global`.

Two changes:

1. Pin to pnpm@10.16.1, the version package.json's `packageManager` field
   already declared as the single source of truth. Corepack honors that
   field automatically when you don't pass an explicit override, so this
   is now the canonical pin. Future pnpm upgrades happen by editing
   package.json (and ideally regenerating pnpm-lock.yaml), not by
   whatever Docker Hub serves that day.

2. Add `$PNPM_HOME/bin` to PATH as well. Belt-and-suspenders — when the
   pin is intentionally bumped to pnpm 11.x in the future, the build
   keeps working without another Dockerfile edit.

Tested:
- docker compose build --no-cache scripthammer succeeds
- docker compose up -d → container reaches health: starting
- Verified pnpm 10.16.1 activates inside built image (corepack pulls
  from package.json packageManager field)
- Sanity test in isolation:
  docker run --rm node:22-slim sh -c 'corepack enable &&
    corepack prepare pnpm@10.16.1 --activate &&
    export PNPM_HOME=/pnpm && export PATH=\$PNPM_HOME:\$PNPM_HOME/bin:\$PATH &&
    pnpm config set store-dir /pnpm/store --global && echo SUCCESS'
  → SUCCESS

Root cause:
A floating `@latest` tag in infrastructure code is a time bomb; this is
the first time it went off but won't be the last unless pinned. The fix
also removes the duplication where two different files (Dockerfile and
package.json) both claimed authority over the pnpm version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@TortoiseWolfe TortoiseWolfe mentioned this pull request May 12, 2026
Closed
3 tasks
@TortoiseWolfe TortoiseWolfe merged commit 4708cd8 into main May 13, 2026
28 checks passed
@TortoiseWolfe TortoiseWolfe deleted the fix/docker-pin-pnpm branch May 13, 2026 00:14
This was referenced May 13, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TortoiseWolfe @TurtleWolfe