Skip to content

fix(deps): unversion isomorphic-git pnpm patch key#1529

Merged
wesbillman merged 1 commit into
mainfrom
pinky/isomorphic-git-unversioned-patch
Jul 6, 2026
Merged

fix(deps): unversion isomorphic-git pnpm patch key#1529
wesbillman merged 1 commit into
mainfrom
pinky/isomorphic-git-unversioned-patch

Conversation

@wesbillman

Copy link
Copy Markdown
Collaborator

Why

Renovate PR #1163 fails the renovate/artifacts check with ERR_PNPM_UNUSED_PATCH for isomorphic-git: the pnpm patch key is version-pinned to 1.38.3, so any renovate bump (this round: 1.38.6) invalidates the patch and artifact regeneration aborts — the PR ships workflow bumps but silently drops all the npm bumps.

This is the second occurrence of the exact failure: #804 hit it, #807 fixed it by re-pinning 1.38.1→1.38.3. Re-pinning again just re-arms the trap for the next release.

What

Unversion the patch key so the patch follows version bumps:

  • pnpm-workspace.yaml: isomorphic-git@1.38.3: patches/isomorphic-git@1.38.3.patchisomorphic-git: patches/isomorphic-git.patch
  • patches/: renamed (content byte-identical)
  • pnpm-lock.yaml: patch key updated (hash unchanged)

The ^1.38.3 range in web/package.json is untouched — it remains the floor, so resolution can never drop below the patched baseline. Not a security pin: the only published isomorphic-git advisory (GHSA-fgxq-p49f-qw99) was patched in 1.8.2, and our patch is the ESM/CJS exports interop fix from #709.

Trade-off: with an unversioned key, pnpm emits a warning instead of hard-failing if a future upstream version diverges so the patch no longer applies. Given the patch is a 10-line package.json exports rewrite, that risk is small and worth un-breaking renovate.

Verification

  • pnpm install --frozen-lockfile passes on this branch; patched exports confirmed in web/node_modules/isomorphic-git/package.json
  • Simulated the future renovate bump: pnpm update --lockfile-only isomorphic-git → resolves 1.38.6, no ERR_PNPM_UNUSED_PATCH, patch hash retained in lockfile, patched exports present in installed 1.38.6
  • pnpm check green across workspaces

Follow-up

Once merged, tick the rebase box on #1163 — renovate regenerates the branch against the unversioned key and renovate/artifacts should go green.

Version-pinned patch keys break renovate's artifact update every time
isomorphic-git is bumped (ERR_PNPM_UNUSED_PATCH — hit in #804, re-pinned
in #807, hit again in #1163). Use the unversioned key so the patch
follows version bumps; the ^1.38.3 floor in web/package.json still
prevents downgrades below the patched baseline.

Gotcha: with an unversioned key pnpm warns instead of hard-failing if a
future version diverges enough that the patch no longer applies.

Co-authored-by: Pinky <44b8e82baa6e0e254e0208d68f335c283c94e7b78dd1fa10d5a49d3f13dd0435@sprout-oss.stage.blox.sqprod.co>
Signed-off-by: Wes <wesbillman@users.noreply.github.com>
@wesbillman wesbillman merged commit 2a24765 into main Jul 6, 2026
28 checks passed
@wesbillman wesbillman deleted the pinky/isomorphic-git-unversioned-patch branch July 6, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant