@vercel/build-utils 8.3.7 → 8.3.8

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @vercel/build-utils
 
+## 8.3.8
+
+### Patch Changes
+
+- Limit `package.json#packageManager` parsing to concrete versions ([#12025](https://github.com/vercel/vercel/pull/12025))
+
+- Catch PNPM_UNSUPPORTED_ENGINE when corepack is enabled and throw a more helpful error ([#12017](https://github.com/vercel/vercel/pull/12017))
+
 ## 8.3.7
 
 ### Patch Changes

package/dist/fs/run-user-scripts.d.ts

@@ -82,7 +82,7 @@ export declare function runNpmInstall(destPath: string, args?: string[], spawnOp
  * Prepares the input environment based on the used package manager and lockfile
  * versions.
  */
-export declare function getEnvForPackageManager({ cliType, lockfileVersion, packageJsonPackageManager, nodeVersion, env, }: {
+export declare function getEnvForPackageManager({ cliType, lockfileVersion, packageJsonPackageManager, nodeVersion, env, packageJsonEngines, }: {
     cliType: CliType;
     lockfileVersion: number | undefined;
     packageJsonPackageManager?: string | undefined;
@@ -90,6 +90,7 @@ export declare function getEnvForPackageManager({ cliType, lockfileVersion, pack
     env: {
         [x: string]: string | undefined;
     };
+    packageJsonEngines?: PackageJson.Engines;
 }): {
     [x: string]: string | undefined;
 };
@@ -97,12 +98,13 @@ export declare function getEnvForPackageManager({ cliType, lockfileVersion, pack
  * Helper to get the binary paths that link to the used package manager.
  * Note: Make sure it doesn't contain any `console.log` calls.
  */
-export declare function getPathOverrideForPackageManager({ cliType, lockfileVersion, corepackPackageManager, corepackEnabled, }: {
+export declare function getPathOverrideForPackageManager({ cliType, lockfileVersion, corepackPackageManager, corepackEnabled, packageJsonEngines, }: {
     cliType: CliType;
     lockfileVersion: number | undefined;
     corepackPackageManager: string | undefined;
     nodeVersion: NodeVersion | undefined;
     corepackEnabled?: boolean;
+    packageJsonEngines?: PackageJson.Engines;
 }): {
     /**
      * Which lockfile was detected.

package/dist/fs/run-user-scripts.js

@@ -369,7 +369,8 @@ async function runNpmInstall(destPath, args = [], spawnOpts, meta, nodeVersion)
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion,
-      env
+      env,
+      packageJsonEngines: packageJson?.engines
     });
     let commandArgs;
     const isPotentiallyBrokenNpm = cliType === "npm" && (nodeVersion?.major === 16 || opts.env.PATH?.includes("/node16/bin-npm7")) && !args.includes("--legacy-peer-deps") && spawnOpts?.env?.ENABLE_EXPERIMENTAL_COREPACK !== "1";
@@ -421,7 +422,8 @@ function getEnvForPackageManager({
   lockfileVersion,
   packageJsonPackageManager,
   nodeVersion,
-  env
+  env,
+  packageJsonEngines
 }) {
   const corepackEnabled = usingCorepack(env, packageJsonPackageManager);
   const {
@@ -433,7 +435,8 @@ function getEnvForPackageManager({
     lockfileVersion,
     corepackPackageManager: packageJsonPackageManager,
     nodeVersion,
-    corepackEnabled
+    corepackEnabled,
+    packageJsonEngines
   });
   if (corepackEnabled) {
     (0, import_debug.default)(
@@ -516,7 +519,8 @@ function getPathOverrideForPackageManager({
   cliType,
   lockfileVersion,
   corepackPackageManager,
-  corepackEnabled = true
+  corepackEnabled = true,
+  packageJsonEngines
 }) {
   const detectedPackageManger = detectPackageManager(cliType, lockfileVersion);
   if (!corepackPackageManager || !corepackEnabled) {
@@ -525,7 +529,8 @@ function getPathOverrideForPackageManager({
   if (!validateCorepackPackageManager(
     cliType,
     lockfileVersion,
-    corepackPackageManager
+    corepackPackageManager,
+    packageJsonEngines?.pnpm
   )) {
     console.warn(
       `WARN [package-manager-warning-1] Detected lockfile "${lockfileVersion}" which is not compatible with the intended corepack package manager "${corepackPackageManager}". Update your lockfile or change to a compatible corepack version.`
@@ -533,7 +538,7 @@ function getPathOverrideForPackageManager({
   }
   return NO_OVERRIDE;
 }
-function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackageManager) {
+function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackageManager, enginesPnpmVersionRange) {
   const validatedCorepackPackageManager = validateVersionSpecifier(
     corepackPackageManager
   );
@@ -549,16 +554,22 @@ function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackag
     );
     return false;
   }
-  const corepackPackageManagerVersion = (0, import_semver.coerce)(
-    validatedCorepackPackageManager.packageVersionRange
-  );
-  if (corepackPackageManagerVersion === null) {
-    return true;
-  } else if (lockfileVersion) {
+  if (cliType === "pnpm" && enginesPnpmVersionRange) {
+    const pnpmWithinEngineRange = (0, import_semver.satisfies)(
+      validatedCorepackPackageManager.packageVersion,
+      enginesPnpmVersionRange
+    );
+    if (!pnpmWithinEngineRange) {
+      throw new Error(
+        `The version of pnpm specified in package.json#packageManager (${validatedCorepackPackageManager.packageVersion}) must satisfy the version range in package.json#engines.pnpm (${enginesPnpmVersionRange}).`
+      );
+    }
+  }
+  if (lockfileVersion) {
     return validLockfileForPackageManager(
       cliType,
       lockfileVersion,
-      corepackPackageManagerVersion
+      validatedCorepackPackageManager.packageVersion
     );
   } else {
     return true;
@@ -578,12 +589,13 @@ function validateVersionSpecifier(version) {
   if (!after) {
     return void 0;
   }
-  if (!(0, import_semver.validRange)(after)) {
+  const packageVersion = (0, import_semver.parse)(after);
+  if (!packageVersion) {
     return void 0;
   }
   return {
     packageName: before,
-    packageVersionRange: after
+    packageVersion
   };
 }
 function detectPackageManager(cliType, lockfileVersion) {
@@ -684,7 +696,8 @@ async function runCustomInstallCommand({
     lockfileVersion,
     packageJsonPackageManager: packageJson?.packageManager,
     nodeVersion,
-    env: spawnOpts?.env || {}
+    env: spawnOpts?.env || {},
+    packageJsonEngines: packageJson?.engines
   });
   (0, import_debug.default)(`Running with $PATH:`, env?.PATH || "");
   await execCommand(installCommand, {
@@ -715,7 +728,8 @@ async function runPackageJsonScript(destPath, scriptNames, spawnOpts) {
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion: void 0,
-      env: (0, import_clone_env.cloneEnv)(process.env, spawnOpts?.env)
+      env: (0, import_clone_env.cloneEnv)(process.env, spawnOpts?.env),
+      packageJsonEngines: packageJson?.engines
     })
   };
   if (cliType === "npm") {

package/dist/index.js

@@ -9994,9 +9994,9 @@ var require_minimatch = __commonJS({
         throw new TypeError("pattern is too long");
       }
     };
-    Minimatch.prototype.parse = parse2;
+    Minimatch.prototype.parse = parse3;
     var SUBPARSE = {};
-    function parse2(pattern, isSub) {
+    function parse3(pattern, isSub) {
       assertValidPattern(pattern);
       var options = this.options;
       if (pattern === "**") {
@@ -13197,8 +13197,8 @@ var require_semver = __commonJS({
       }
     }
     var i;
-    exports2.parse = parse2;
-    function parse2(version, options) {
+    exports2.parse = parse3;
+    function parse3(version, options) {
       if (!options || typeof options !== "object") {
         options = {
           loose: !!options,
@@ -13226,12 +13226,12 @@ var require_semver = __commonJS({
     }
     exports2.valid = valid;
     function valid(version, options) {
-      var v = parse2(version, options);
+      var v = parse3(version, options);
       return v ? v.version : null;
     }
     exports2.clean = clean;
     function clean(version, options) {
-      var s = parse2(version.trim().replace(/^[=v]+/, ""), options);
+      var s = parse3(version.trim().replace(/^[=v]+/, ""), options);
       return s ? s.version : null;
     }
     exports2.SemVer = SemVer2;
@@ -13441,8 +13441,8 @@ var require_semver = __commonJS({
       if (eq(version1, version2)) {
         return null;
       } else {
-        var v1 = parse2(version1);
-        var v2 = parse2(version2);
+        var v1 = parse3(version1);
+        var v2 = parse3(version2);
         var prefix = "";
         if (v1.prerelease.length || v2.prerelease.length) {
           prefix = "pre";
@@ -13639,10 +13639,10 @@ var require_semver = __commonJS({
       var rangeTmp;
       if (this.operator === "") {
         rangeTmp = new Range(comp.value, options);
-        return satisfies(this.value, rangeTmp, options);
+        return satisfies2(this.value, rangeTmp, options);
       } else if (comp.operator === "") {
         rangeTmp = new Range(this.value, options);
-        return satisfies(comp.semver, rangeTmp, options);
+        return satisfies2(comp.semver, rangeTmp, options);
       }
       var sameDirectionIncreasing = (this.operator === ">=" || this.operator === ">") && (comp.operator === ">=" || comp.operator === ">");
       var sameDirectionDecreasing = (this.operator === "<=" || this.operator === "<") && (comp.operator === "<=" || comp.operator === "<");
@@ -13951,8 +13951,8 @@ var require_semver = __commonJS({
       }
       return true;
     }
-    exports2.satisfies = satisfies;
-    function satisfies(version, range, options) {
+    exports2.satisfies = satisfies2;
+    function satisfies2(version, range, options) {
       try {
         range = new Range(range, options);
       } catch (er) {
@@ -14080,7 +14080,7 @@ var require_semver = __commonJS({
         default:
           throw new TypeError('Must provide a hilo val of "<" or ">"');
       }
-      if (satisfies(version, range, options)) {
+      if (satisfies2(version, range, options)) {
         return false;
       }
       for (var i2 = 0; i2 < range.set.length; ++i2) {
@@ -14112,7 +14112,7 @@ var require_semver = __commonJS({
     }
     exports2.prerelease = prerelease;
     function prerelease(version, options) {
-      var parsed = parse2(version, options);
+      var parsed = parse3(version, options);
       return parsed && parsed.prerelease.length ? parsed.prerelease : null;
     }
     exports2.intersects = intersects3;
@@ -14133,7 +14133,7 @@ var require_semver = __commonJS({
       if (match == null) {
         return null;
       }
-      return parse2(match[1] + "." + (match[2] || "0") + "." + (match[3] || "0"));
+      return parse3(match[1] + "." + (match[2] || "0") + "." + (match[3] || "0"));
     }
   }
 });
@@ -14201,7 +14201,7 @@ var require_parse = __commonJS({
       }
       return parsed;
     }
-    function parse2(command, args, options) {
+    function parse3(command, args, options) {
       if (args && !Array.isArray(args)) {
         options = args;
         args = null;
@@ -14220,7 +14220,7 @@ var require_parse = __commonJS({
       };
       return options.shell ? parseShell(parsed) : parseNonShell(parsed);
     }
-    module2.exports = parse2;
+    module2.exports = parse3;
   }
 });
 
@@ -14279,16 +14279,16 @@ var require_cross_spawn = __commonJS({
   "../../node_modules/.pnpm/cross-spawn@6.0.5/node_modules/cross-spawn/index.js"(exports2, module2) {
     "use strict";
     var cp = require("child_process");
-    var parse2 = require_parse();
+    var parse3 = require_parse();
     var enoent = require_enoent();
     function spawn2(command, args, options) {
-      const parsed = parse2(command, args, options);
+      const parsed = parse3(command, args, options);
       const spawned = cp.spawn(parsed.command, parsed.args, parsed.options);
       enoent.hookChildProcess(spawned, parsed);
       return spawned;
     }
     function spawnSync(command, args, options) {
-      const parsed = parse2(command, args, options);
+      const parsed = parse3(command, args, options);
       const result = cp.spawnSync(parsed.command, parsed.args, parsed.options);
       result.error = result.error || enoent.verifyENOENTSync(result.status, parsed);
       return result;
@@ -14296,7 +14296,7 @@ var require_cross_spawn = __commonJS({
     module2.exports = spawn2;
     module2.exports.spawn = spawn2;
     module2.exports.sync = spawnSync;
-    module2.exports._parse = parse2;
+    module2.exports._parse = parse3;
     module2.exports._enoent = enoent;
   }
 });
@@ -14438,8 +14438,8 @@ var require_semver2 = __commonJS({
       }
     }
     var i;
-    exports2.parse = parse2;
-    function parse2(version, options) {
+    exports2.parse = parse3;
+    function parse3(version, options) {
       if (!options || typeof options !== "object") {
         options = {
           loose: !!options,
@@ -14467,12 +14467,12 @@ var require_semver2 = __commonJS({
     }
     exports2.valid = valid;
     function valid(version, options) {
-      var v = parse2(version, options);
+      var v = parse3(version, options);
       return v ? v.version : null;
     }
     exports2.clean = clean;
     function clean(version, options) {
-      var s = parse2(version.trim().replace(/^[=v]+/, ""), options);
+      var s = parse3(version.trim().replace(/^[=v]+/, ""), options);
       return s ? s.version : null;
     }
     exports2.SemVer = SemVer2;
@@ -14704,8 +14704,8 @@ var require_semver2 = __commonJS({
       if (eq(version1, version2)) {
         return null;
       } else {
-        var v1 = parse2(version1);
-        var v2 = parse2(version2);
+        var v1 = parse3(version1);
+        var v2 = parse3(version2);
         var prefix = "";
         if (v1.prerelease.length || v2.prerelease.length) {
           prefix = "pre";
@@ -14915,13 +14915,13 @@ var require_semver2 = __commonJS({
           return true;
         }
         rangeTmp = new Range(comp.value, options);
-        return satisfies(this.value, rangeTmp, options);
+        return satisfies2(this.value, rangeTmp, options);
       } else if (comp.operator === "") {
         if (comp.value === "") {
           return true;
         }
         rangeTmp = new Range(this.value, options);
-        return satisfies(comp.semver, rangeTmp, options);
+        return satisfies2(comp.semver, rangeTmp, options);
       }
       var sameDirectionIncreasing = (this.operator === ">=" || this.operator === ">") && (comp.operator === ">=" || comp.operator === ">");
       var sameDirectionDecreasing = (this.operator === "<=" || this.operator === "<") && (comp.operator === "<=" || comp.operator === "<");
@@ -15248,8 +15248,8 @@ var require_semver2 = __commonJS({
       }
       return true;
     }
-    exports2.satisfies = satisfies;
-    function satisfies(version, range, options) {
+    exports2.satisfies = satisfies2;
+    function satisfies2(version, range, options) {
       try {
         range = new Range(range, options);
       } catch (er) {
@@ -15377,7 +15377,7 @@ var require_semver2 = __commonJS({
         default:
           throw new TypeError('Must provide a hilo val of "<" or ">"');
       }
-      if (satisfies(version, range, options)) {
+      if (satisfies2(version, range, options)) {
         return false;
       }
       for (var i2 = 0; i2 < range.set.length; ++i2) {
@@ -15409,7 +15409,7 @@ var require_semver2 = __commonJS({
     }
     exports2.prerelease = prerelease;
     function prerelease(version, options) {
-      var parsed = parse2(version, options);
+      var parsed = parse3(version, options);
       return parsed && parsed.prerelease.length ? parsed.prerelease : null;
     }
     exports2.intersects = intersects3;
@@ -15446,7 +15446,7 @@ var require_semver2 = __commonJS({
       if (match === null) {
         return null;
       }
-      return parse2(match[2] + "." + (match[3] || "0") + "." + (match[4] || "0"), options);
+      return parse3(match[2] + "." + (match[3] || "0") + "." + (match[4] || "0"), options);
     }
   }
 });
@@ -22090,7 +22090,8 @@ async function runNpmInstall(destPath, args = [], spawnOpts, meta, nodeVersion)
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion,
-      env
+      env,
+      packageJsonEngines: packageJson?.engines
     });
     let commandArgs;
     const isPotentiallyBrokenNpm = cliType === "npm" && (nodeVersion?.major === 16 || opts.env.PATH?.includes("/node16/bin-npm7")) && !args.includes("--legacy-peer-deps") && spawnOpts?.env?.ENABLE_EXPERIMENTAL_COREPACK !== "1";
@@ -22142,7 +22143,8 @@ function getEnvForPackageManager({
   lockfileVersion,
   packageJsonPackageManager,
   nodeVersion,
-  env
+  env,
+  packageJsonEngines
 }) {
   const corepackEnabled = usingCorepack(env, packageJsonPackageManager);
   const {
@@ -22154,7 +22156,8 @@ function getEnvForPackageManager({
     lockfileVersion,
     corepackPackageManager: packageJsonPackageManager,
     nodeVersion,
-    corepackEnabled
+    corepackEnabled,
+    packageJsonEngines
   });
   if (corepackEnabled) {
     debug(
@@ -22237,7 +22240,8 @@ function getPathOverrideForPackageManager({
   cliType,
   lockfileVersion,
   corepackPackageManager,
-  corepackEnabled = true
+  corepackEnabled = true,
+  packageJsonEngines
 }) {
   const detectedPackageManger = detectPackageManager(cliType, lockfileVersion);
   if (!corepackPackageManager || !corepackEnabled) {
@@ -22246,7 +22250,8 @@ function getPathOverrideForPackageManager({
   if (!validateCorepackPackageManager(
     cliType,
     lockfileVersion,
-    corepackPackageManager
+    corepackPackageManager,
+    packageJsonEngines?.pnpm
   )) {
     console.warn(
       `WARN [package-manager-warning-1] Detected lockfile "${lockfileVersion}" which is not compatible with the intended corepack package manager "${corepackPackageManager}". Update your lockfile or change to a compatible corepack version.`
@@ -22254,7 +22259,7 @@ function getPathOverrideForPackageManager({
   }
   return NO_OVERRIDE;
 }
-function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackageManager) {
+function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackageManager, enginesPnpmVersionRange) {
   const validatedCorepackPackageManager = validateVersionSpecifier(
     corepackPackageManager
   );
@@ -22270,16 +22275,22 @@ function validateCorepackPackageManager(cliType, lockfileVersion, corepackPackag
     );
     return false;
   }
-  const corepackPackageManagerVersion = (0, import_semver2.coerce)(
-    validatedCorepackPackageManager.packageVersionRange
-  );
-  if (corepackPackageManagerVersion === null) {
-    return true;
-  } else if (lockfileVersion) {
+  if (cliType === "pnpm" && enginesPnpmVersionRange) {
+    const pnpmWithinEngineRange = (0, import_semver2.satisfies)(
+      validatedCorepackPackageManager.packageVersion,
+      enginesPnpmVersionRange
+    );
+    if (!pnpmWithinEngineRange) {
+      throw new Error(
+        `The version of pnpm specified in package.json#packageManager (${validatedCorepackPackageManager.packageVersion}) must satisfy the version range in package.json#engines.pnpm (${enginesPnpmVersionRange}).`
+      );
+    }
+  }
+  if (lockfileVersion) {
     return validLockfileForPackageManager(
       cliType,
       lockfileVersion,
-      corepackPackageManagerVersion
+      validatedCorepackPackageManager.packageVersion
     );
   } else {
     return true;
@@ -22299,12 +22310,13 @@ function validateVersionSpecifier(version) {
   if (!after) {
     return void 0;
   }
-  if (!(0, import_semver2.validRange)(after)) {
+  const packageVersion = (0, import_semver2.parse)(after);
+  if (!packageVersion) {
     return void 0;
   }
   return {
     packageName: before,
-    packageVersionRange: after
+    packageVersion
   };
 }
 function detectPackageManager(cliType, lockfileVersion) {
@@ -22405,7 +22417,8 @@ async function runCustomInstallCommand({
     lockfileVersion,
     packageJsonPackageManager: packageJson?.packageManager,
     nodeVersion,
-    env: spawnOpts?.env || {}
+    env: spawnOpts?.env || {},
+    packageJsonEngines: packageJson?.engines
   });
   debug(`Running with $PATH:`, env?.PATH || "");
   await execCommand(installCommand, {
@@ -22436,7 +22449,8 @@ async function runPackageJsonScript(destPath, scriptNames, spawnOpts) {
       lockfileVersion,
       packageJsonPackageManager: packageJson?.packageManager,
       nodeVersion: void 0,
-      env: cloneEnv(process.env, spawnOpts?.env)
+      env: cloneEnv(process.env, spawnOpts?.env),
+      packageJsonEngines: packageJson?.engines
     })
   };
   if (cliType === "npm") {

package/dist/types.d.ts

@@ -236,6 +236,7 @@ export declare namespace PackageJson {
     interface Engines {
         node?: string;
         npm?: string;
+        pnpm?: string;
     }
     interface PublishConfig {
         registry?: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vercel/build-utils",
-  "version": "8.3.7",
+  "version": "8.3.8",
   "license": "Apache-2.0",
   "main": "./dist/index.js",
   "types": "./dist/index.d.js",