Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

COREPACK_ENABLE_AUTO_PIN should default to 0 #485

Open
benmccann opened this issue May 28, 2024 · 11 comments
Open

COREPACK_ENABLE_AUTO_PIN should default to 0 #485

benmccann opened this issue May 28, 2024 · 11 comments

Comments

@benmccann
Copy link

I don't want to use corepack. However, this setting means that every single contributor to my project will need to set COREPACK_ENABLE_AUTO_PIN=0 and be careful not to accidentally check in the packageManager field since corepack will automatically add that field to force itself upon any project you use. This is even more annoying since pnpm can't be used without corepack once the packageManager field is present: pnpm/pnpm#8087
@benmccann benmccann mentioned this issue May 28, 2024
Closed
@Lectem
Copy link

Lectem commented Jul 14, 2024
edited
Loading

Same thing here.
I have projects that use pnpm, some don't, some require pinning the version and others don't.

I think nobody wants their package.json to be automatically modified on any command one could do. And even less on packages you do not own.

I do NOT want to add this field on packages I do not own just because I contributed to it for a small fix or something.

Discoverability of such a feature is also bad, especially for juniors that will 100% fail to understand the implications of the new field and how to disable the feature (the env variable is not even part of the upgrade message). For sure we'll be getting PRs on many projects adding the field with random versions the others might have installed at the moment they made their fix, and it'll create unnecessary back and forth to ask to remove it.

This is even worse because in some of my use cases, the package.json happens to be readonly (for reasons out of my control), and so it will fail while all I asked was the equivalent of npm ci npm install -save=false, pnpm --frozen-lockfile or any such command that should not touch files. Which I explicitly use because I do not want to touch neither the package.json nor the lock file!

@Lectem
Copy link

Lectem commented Jul 14, 2024

Note that it can (and should) in my opinion be fixed before the next version of node is released or the problem will most likely blow up.

For reference this was added by #413 in version 0.26. Original issue was #399.

I think that a warning can be printed by default instead of directly modifying the package.json.

This was referenced Jul 14, 2024
Open
Open
@AprilNEA
Copy link

I also believe that this should be disabled by default.

If we have to synchronize this environment variable within the team to prevent everyone from enabling it, that would be terrible.

@KaelWD
Copy link

KaelWD commented Jul 26, 2024
edited
Loading

At least allow it to be set in npmrc instead of an environment variable so project managers can force it off for everyone.

@vtnorton
Copy link

For me its another use case. I create a lot or demos, samples and help students with their code. I don't know the environment of each person, and I deal with a lot of different repositories and companies.

Creating this packageManager by default, once I enabled corepack only on my machine, requires everyone to have the exact same package manager (including version) that I have on my computer. This leads to a awful developer experience for trying to running a demo, sample or a open source project for the first time.

Yes, having an option to disable on .npmrc or something would be nice, but in most cases this leads to having more files then I honest need on my repo, that in my use cases I prefer to KISS.

I did set COREPACK_ENABLE_AUTO_PIN to 0 so it doesn't botter me anymore, but I don't think this is the ideal solution.

@hardfist
Copy link

hardfist commented Aug 23, 2024
edited
Loading

there're other monorepo tools like Rush which support pin packageManager version without using corepack, when run pnpm commands in these tools, the auto pin behavior may make inconsistent version than the version specified by monorepo tools.

@Lectem Lectem mentioned this issue Aug 23, 2024
Open
@zacuke zacuke mentioned this issue Nov 29, 2024
Merged
@hyperknot
Copy link

I've run into the same issue. I've wrote about my case here, maybe someone also runs into this:
https://blog.hyperknot.com/p/corepacks-packagemanager-field

@ADTC
Copy link

ADTC commented Jan 16, 2025

Happy New Year! What is the response of maintainers on this?

Perhaps we could have an option of setting "packageManager": null which would effectively be equivalent of having COREPACK_ENABLE_AUTO_PIN = 0 but on a project level instead of user level.

Committing that should effectively prevent corepack from ever writing the packageManager into package.json field and simply treat it the same as COREPACK_ENABLE_AUTO_PIN = 0 in the project for every developer.

Unfortunately I suspect this won't be backwards compatible with older corepack versions which would just overwrite the current packageManager value (including null).

@bsunderhus bsunderhus mentioned this issue Jan 17, 2025
Merged
@MikeMcC399
Copy link
Contributor

MikeMcC399 commented Jan 24, 2025
edited
Loading

The default value of COREPACK_ENABLE_AUTO_PIN allowing Corepack to autopin is a barrier to adoption of Corepack in a mixed environment contributing to Yarn repos whilst still dealing with Yarn Classic repos which have not transitioned to Corepack.

If I execute yarn -v in a Yarn 1 Classic repo that I don't own and which has no packageManager field set in its package.json file, I don't want corepack to add one for me. As far as the repo is concerned, I would like yarn -v to be a read-only command. By default however, if corepack is enabled, it is not read-only.

I would like to have corepack permanently enabled for Yarn, however this situation means that I am enabling and disabling corepack instead as a workaround, which causes other difficulties, as the corepack enable / corepack disable sequence does not save and restore the links to any globally installed Yarn Classic version (see #112). Yarn Classic is still there in the node directory, however it is no longer linked and essentially needs to be re-installed to get the link back.

I would also like to see COREPACK_ENABLE_AUTO_PIN set to 0 by default, for the above reasons.

I wonder if it could simply be made a requirement for those packages which consciously want to opt-in to corepack, for them to add a desired packageManager version with corepack use? Automating it is causing issues with repos that are older or consciously have not opted in to corepack.

@styfle
Copy link
Member

styfle commented Jan 24, 2025

If I remember correctly, PR #413 was implemented at the request of the Node.js TSC after several meetings trying to figure out if corepack should be made stable as part of the node distribution.

I think if corepack is made stable, then it makes a lot of sense to keep it as-is.

But it seems we're not trending in that direction since others on the TSC want to remove corepack from the node distribution.

@ADTC
Copy link

ADTC commented Jan 25, 2025

Sidenote, just wondering why packageManager was not just a hint with ^ caret to indicate the minimum minor version instead of a pinned exact version?

And why the SHA of exact version is not in the lock file, since that's what the lock file is for?

Just like Node packages...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@styfle @benmccann @hyperknot @vtnorton @Lectem @ADTC @hardfist @KaelWD @AprilNEA @MikeMcC399