@vercel/build-utils 8.3.6 → 8.3.8

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @vercel/build-utils
 
+## 8.3.8
+
+### Patch Changes
+
+- Limit `package.json#packageManager` parsing to concrete versions ([#12025](https://github.com/vercel/vercel/pull/12025))
+
+- Catch PNPM_UNSUPPORTED_ENGINE when corepack is enabled and throw a more helpful error ([#12017](https://github.com/vercel/vercel/pull/12017))
+
+## 8.3.7
+
+### Patch Changes
+
+- Revert "Revert "warn on mismatched corepack and detected package managers"" ([#11887](https://github.com/vercel/vercel/pull/11887))
+
 ## 8.3.6
 
 ### Patch Changes

package/dist/fs/run-user-scripts.d.ts

@@ -82,7 +82,7 @@ export declare function runNpmInstall(destPath: string, args?: string[], spawnOp
  * Prepares the input environment based on the used package manager and lockfile
  * versions.
  */
-export declare function getEnvForPackageManager({ cliType, lockfileVersion, packageJsonPackageManager, nodeVersion, env, }: {
+export declare function getEnvForPackageManager({ cliType, lockfileVersion, packageJsonPackageManager, nodeVersion, env, packageJsonEngines, }: {
     cliType: CliType;
     lockfileVersion: number | undefined;
     packageJsonPackageManager?: string | undefined;
@@ -90,6 +90,7 @@ export declare function getEnvForPackageManager({ cliType, lockfileVersion, pack
     env: {
         [x: string]: string | undefined;
     };
+    packageJsonEngines?: PackageJson.Engines;
 }): {
     [x: string]: string | undefined;
 };
@@ -97,11 +98,13 @@ export declare function getEnvForPackageManager({ cliType, lockfileVersion, pack
  * Helper to get the binary paths that link to the used package manager.
  * Note: Make sure it doesn't contain any `console.log` calls.
  */
-export declare function getPathOverrideForPackageManager({ cliType, lockfileVersion, corepackEnabled, nodeVersion, }: {
+export declare function getPathOverrideForPackageManager({ cliType, lockfileVersion, corepackPackageManager, corepackEnabled, packageJsonEngines, }: {
     cliType: CliType;
     lockfileVersion: number | undefined;
-    corepackEnabled: boolean;
+    corepackPackageManager: string | undefined;
     nodeVersion: NodeVersion | undefined;
+    corepackEnabled?: boolean;
+    packageJsonEngines?: PackageJson.Engines;
 }): {
     /**
      * Which lockfile was detected.
@@ -117,6 +120,15 @@ export declare function getPathOverrideForPackageManager({ cliType, lockfileVers
      */
     path: string | undefined;
 };
+export declare function detectPackageManager(cliType: CliType, lockfileVersion: number | undefined): {
+    path: string;
+    detectedLockfile: string;
+    detectedPackageManager: string;
+} | {
+    path: undefined;
+    detectedLockfile: string;
+    detectedPackageManager: string;
+} | undefined;
 /**
  * Helper to get the binary paths that link to the used package manager.
  * Note: Make sure it doesn't contain any `console.log` calls.

package/dist/fs/run-user-scripts.js

@@ -28,6 +28,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var run_user_scripts_exports = {};
 __export(run_user_scripts_exports, {
+  detectPackageManager: () => detectPackageManager,
   execCommand: () => execCommand,
   getEnvForPackageManager: () => getEnvForPackageManager,
   getNodeBinPath: () => getNodeBinPath,
@@ -64,6 +65,11 @@ var import_node_version = require("./node-version");
 var import_read_config_file = require("./read-config-file");
 var import_clone_env = require("../clone-env");
 const runNpmInstallSema = new import_async_sema.default(1);
+const NO_OVERRIDE = {
+  detectedLockfile: void 0,
+  detectedPackageManager: void 0,
+  path: void 0
+};
 function spawnAsync(command, args, opts = {}) {
   return new Promise((resolve, reject) => {
     const stderrLogs = [];
@@ -363,7 +369,8 @@ async function runNpmInstall(destPath, args = [], spawnOpts, meta, nodeVersion)
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion,
-      env
+      env,
+      packageJsonEngines: packageJson?.engines
     });
     let commandArgs;
     const isPotentiallyBrokenNpm = cliType === "npm" && (nodeVersion?.major === 16 || opts.env.PATH?.includes("/node16/bin-npm7")) && !args.includes("--legacy-peer-deps") && spawnOpts?.env?.ENABLE_EXPERIMENTAL_COREPACK !== "1";
@@ -415,7 +422,8 @@ function getEnvForPackageManager({
   lockfileVersion,
   packageJsonPackageManager,
   nodeVersion,
-  env
+  env,
+  packageJsonEngines
 }) {
   const corepackEnabled = usingCorepack(env, packageJsonPackageManager);
   const {
@@ -425,8 +433,10 @@ function getEnvForPackageManager({
   } = getPathOverrideForPackageManager({
     cliType,
     lockfileVersion,
+    corepackPackageManager: packageJsonPackageManager,
+    nodeVersion,
     corepackEnabled,
-    nodeVersion
+    packageJsonEngines
   });
   if (corepackEnabled) {
     (0, import_debug.default)(
@@ -464,10 +474,8 @@ function getEnvForPackageManager({
   }
   return newEnv;
 }
-function detectPnpmVersion(lockfileVersion, corepackEnabled) {
+function detectPnpmVersion(lockfileVersion) {
   switch (true) {
-    case corepackEnabled:
-      return "corepack_enabled";
     case lockfileVersion === void 0:
       return "not found";
     case lockfileVersion === 5.3:
@@ -482,98 +490,161 @@ function detectPnpmVersion(lockfileVersion, corepackEnabled) {
       return "not found";
   }
 }
-function shouldUseNpm7(lockfileVersion, nodeVersion) {
-  if (lockfileVersion === void 0)
-    return false;
-  return lockfileVersion >= 2 && (nodeVersion?.major || 0) < 16;
+function validLockfileForPackageManager(cliType, lockfileVersion, packageManagerVersion) {
+  const packageManagerMajorVersion = packageManagerVersion.major;
+  switch (cliType) {
+    case "npm":
+    case "bun":
+    case "yarn":
+      return true;
+    case "pnpm":
+      switch (packageManagerMajorVersion) {
+        case 9:
+          if ("9.0.0" === packageManagerVersion.version && lockfileVersion === 6) {
+            return false;
+          }
+          return [6, 7, 9].includes(lockfileVersion);
+        case 8:
+          return [6, 6.1].includes(lockfileVersion);
+        case 7:
+          return [5.3, 5.4].includes(lockfileVersion);
+        case 6:
+          return [5.3, 5.4].includes(lockfileVersion);
+        default:
+          return true;
+      }
+  }
 }
 function getPathOverrideForPackageManager({
   cliType,
   lockfileVersion,
-  corepackEnabled,
-  nodeVersion
+  corepackPackageManager,
+  corepackEnabled = true,
+  packageJsonEngines
 }) {
-  const no_override = {
-    detectedLockfile: void 0,
-    detectedPackageManager: void 0,
-    path: void 0
+  const detectedPackageManger = detectPackageManager(cliType, lockfileVersion);
+  if (!corepackPackageManager || !corepackEnabled) {
+    return detectedPackageManger ?? NO_OVERRIDE;
+  }
+  if (!validateCorepackPackageManager(
+    cliType,
+    lockfileVersion,
+    corepackPackageManager,
+    packageJsonEngines?.pnpm
+  )) {
+    console.warn(
+      `WARN [package-manager-warning-1] Detected lockfile "${lockfileVersion}" which is not compatible with the intended corepack package manager "${corepackPackageManager}". Update your lockfile or change to a compatible corepack version.`
+    );
+  }
+  return NO_OVERRIDE;
+}
+function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackageManager, enginesPnpmVersionRange) {
+  const validatedCorepackPackageManager = validateVersionSpecifier(
+    corepackPackageManager
+  );
+  if (!validatedCorepackPackageManager) {
+    console.warn(
+      `WARN [package-manager-warning-2] Intended corepack defined package manager "${corepackPackageManager}" is not a valid semver value.`
+    );
+    return false;
+  }
+  if (cliType !== validatedCorepackPackageManager.packageName) {
+    console.warn(
+      `WARN [package-manager-warning-3] Detected package manager "${cliType}" does not match intended corepack defined package manager "${validatedCorepackPackageManager.packageName}". Change your lockfile or "package.json#packageManager" value to match.`
+    );
+    return false;
+  }
+  if (cliType === "pnpm" && enginesPnpmVersionRange) {
+    const pnpmWithinEngineRange = (0, import_semver.satisfies)(
+      validatedCorepackPackageManager.packageVersion,
+      enginesPnpmVersionRange
+    );
+    if (!pnpmWithinEngineRange) {
+      throw new Error(
+        `The version of pnpm specified in package.json#packageManager (${validatedCorepackPackageManager.packageVersion}) must satisfy the version range in package.json#engines.pnpm (${enginesPnpmVersionRange}).`
+      );
+    }
+  }
+  if (lockfileVersion) {
+    return validLockfileForPackageManager(
+      cliType,
+      lockfileVersion,
+      validatedCorepackPackageManager.packageVersion
+    );
+  } else {
+    return true;
+  }
+}
+function validateVersionSpecifier(version) {
+  if (!version) {
+    return void 0;
+  }
+  const [before, after, ...extra] = version.split("@");
+  if (extra.length) {
+    return void 0;
+  }
+  if (!before) {
+    return void 0;
+  }
+  if (!after) {
+    return void 0;
+  }
+  const packageVersion = (0, import_semver.parse)(after);
+  if (!packageVersion) {
+    return void 0;
+  }
+  return {
+    packageName: before,
+    packageVersion
   };
+}
+function detectPackageManager(cliType, lockfileVersion) {
   switch (cliType) {
     case "npm":
-      switch (true) {
-        case corepackEnabled:
-          return no_override;
-        case shouldUseNpm7(lockfileVersion, nodeVersion):
-          return {
-            path: "/node16/bin-npm7",
-            detectedLockfile: "package-lock.json",
-            detectedPackageManager: "npm 7+"
-          };
-        default:
-          return no_override;
-      }
+      return void 0;
     case "pnpm":
-      switch (detectPnpmVersion(lockfileVersion, corepackEnabled)) {
-        case "corepack_enabled":
-          return no_override;
+      switch (detectPnpmVersion(lockfileVersion)) {
         case "pnpm 7":
           return {
             path: "/pnpm7/node_modules/.bin",
             detectedLockfile: "pnpm-lock.yaml",
-            detectedPackageManager: "pnpm 7"
+            detectedPackageManager: "pnpm@7.x"
           };
         case "pnpm 8":
           return {
             path: "/pnpm8/node_modules/.bin",
             detectedLockfile: "pnpm-lock.yaml",
-            detectedPackageManager: "pnpm 8"
+            detectedPackageManager: "pnpm@8.x"
           };
         case "pnpm 9":
           return {
             path: "/pnpm9/node_modules/.bin",
             detectedLockfile: "pnpm-lock.yaml",
-            detectedPackageManager: "pnpm 9"
+            detectedPackageManager: "pnpm@9.x"
           };
         case "pnpm 6":
-        default:
-          return no_override;
-      }
-    case "bun":
-      switch (true) {
-        case corepackEnabled:
-          return no_override;
-        default:
           return {
-            path: "/bun1",
-            detectedLockfile: "bun.lockb",
-            detectedPackageManager: "Bun"
+            // undefined because pnpm@6 is the current default in the build container
+            path: void 0,
+            detectedLockfile: "pnpm-lock.yaml",
+            detectedPackageManager: "pnpm@6.x"
           };
+        default:
+          return void 0;
       }
+    case "bun":
+      return {
+        path: "/bun1",
+        detectedLockfile: "bun.lockb",
+        detectedPackageManager: "bun@1.x"
+      };
     case "yarn":
-      return no_override;
-  }
-}
-function validateVersionSpecifier(version) {
-  if (!version) {
-    return void 0;
-  }
-  const [before, after, ...extra] = version.split("@");
-  if (extra.length) {
-    return void 0;
-  }
-  if (!before) {
-    return void 0;
-  }
-  if (!after) {
-    return void 0;
-  }
-  if (!(0, import_semver.validRange)(after)) {
-    return void 0;
+      return {
+        path: void 0,
+        detectedLockfile: "yarn.lock",
+        detectedPackageManager: "yarn"
+      };
   }
-  return {
-    packageName: before,
-    packageVersionRange: after
-  };
 }
 function getPathForPackageManager({
   cliType,
@@ -582,12 +653,15 @@ function getPathForPackageManager({
   env
 }) {
   const corepackEnabled = env.ENABLE_EXPERIMENTAL_COREPACK === "1";
-  const overrides = getPathOverrideForPackageManager({
+  let overrides = getPathOverrideForPackageManager({
     cliType,
     lockfileVersion,
-    corepackEnabled,
+    corepackPackageManager: void 0,
     nodeVersion
   });
+  if (corepackEnabled) {
+    overrides = NO_OVERRIDE;
+  }
   const alreadyInPath = (newPath) => {
     const oldPath = env.PATH ?? "";
     return oldPath.split(import_path.default.delimiter).includes(newPath);
@@ -622,7 +696,8 @@ async function runCustomInstallCommand({
     lockfileVersion,
     packageJsonPackageManager: packageJson?.packageManager,
     nodeVersion,
-    env: spawnOpts?.env || {}
+    env: spawnOpts?.env || {},
+    packageJsonEngines: packageJson?.engines
   });
   (0, import_debug.default)(`Running with $PATH:`, env?.PATH || "");
   await execCommand(installCommand, {
@@ -653,7 +728,8 @@ async function runPackageJsonScript(destPath, scriptNames, spawnOpts) {
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion: void 0,
-      env: (0, import_clone_env.cloneEnv)(process.env, spawnOpts?.env)
+      env: (0, import_clone_env.cloneEnv)(process.env, spawnOpts?.env),
+      packageJsonEngines: packageJson?.engines
     })
   };
   if (cliType === "npm") {
@@ -708,6 +784,7 @@ const installDependencies = (0, import_util.deprecate)(
 );
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  detectPackageManager,
   execCommand,
   getEnvForPackageManager,
   getNodeBinPath,