fix(deps): unversion isomorphic-git pnpm patch key#1529
Merged
Conversation
Version-pinned patch keys break renovate's artifact update every time isomorphic-git is bumped (ERR_PNPM_UNUSED_PATCH — hit in #804, re-pinned in #807, hit again in #1163). Use the unversioned key so the patch follows version bumps; the ^1.38.3 floor in web/package.json still prevents downgrades below the patched baseline. Gotcha: with an unversioned key pnpm warns instead of hard-failing if a future version diverges enough that the patch no longer applies. Co-authored-by: Pinky <44b8e82baa6e0e254e0208d68f335c283c94e7b78dd1fa10d5a49d3f13dd0435@sprout-oss.stage.blox.sqprod.co> Signed-off-by: Wes <wesbillman@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Renovate PR #1163 fails the
renovate/artifactscheck withERR_PNPM_UNUSED_PATCHforisomorphic-git: the pnpm patch key is version-pinned to1.38.3, so any renovate bump (this round: 1.38.6) invalidates the patch and artifact regeneration aborts — the PR ships workflow bumps but silently drops all the npm bumps.This is the second occurrence of the exact failure: #804 hit it, #807 fixed it by re-pinning 1.38.1→1.38.3. Re-pinning again just re-arms the trap for the next release.
What
Unversion the patch key so the patch follows version bumps:
pnpm-workspace.yaml:isomorphic-git@1.38.3: patches/isomorphic-git@1.38.3.patch→isomorphic-git: patches/isomorphic-git.patchpatches/: renamed (content byte-identical)pnpm-lock.yaml: patch key updated (hash unchanged)The
^1.38.3range inweb/package.jsonis untouched — it remains the floor, so resolution can never drop below the patched baseline. Not a security pin: the only published isomorphic-git advisory (GHSA-fgxq-p49f-qw99) was patched in 1.8.2, and our patch is the ESM/CJSexportsinterop fix from #709.Trade-off: with an unversioned key, pnpm emits a warning instead of hard-failing if a future upstream version diverges so the patch no longer applies. Given the patch is a 10-line
package.jsonexports rewrite, that risk is small and worth un-breaking renovate.Verification
pnpm install --frozen-lockfilepasses on this branch; patched exports confirmed inweb/node_modules/isomorphic-git/package.jsonpnpm update --lockfile-only isomorphic-git→ resolves 1.38.6, noERR_PNPM_UNUSED_PATCH, patch hash retained in lockfile, patched exports present in installed 1.38.6pnpm checkgreen across workspacesFollow-up
Once merged, tick the rebase box on #1163 — renovate regenerates the branch against the unversioned key and
renovate/artifactsshould go green.