rules_js
[Bug]: running `pnpm` from `rules_js` has non-deterministic outcomes since `pnpm` relies on `npm` on the user path
What happened?
We found that if you use `bazel run -- @pnpm//:pnpm info <package> --verbose`, you will see what version of `node` and what version of `npm` is being used. The version of `npm` used is derived from the user's `PATH` instead of from the sandbox. `node`, however, is safe as it's part of `js_binary`. The reason this is problematic is that `npm` is what may or may not have a hand in determining the `integrity` field in the lockfile. If you have `npm` version drift you can end up in a state where users are getting different `integrity` SHAs in the lockfile based on the response from the registry.
To reproduce you can simply do the following:
- Install `nvm`: https://github.com/nvm-sh/nvm
- `nvm install 16 && nvm use 16`
- `bazel run -- @pnpm//:pnpm info react --verbose`
- `nvm install 18 && nvm use 18`
- `bazel run -- @pnpm//:pnpm info react --verbose`
Notice that between runs the path in this output will change. In my case, you can see I have `npm` from node 16 installed on my path when my monorepo uses node 18:
```
npm verb cli /private/var/tmp/_bazel_davidaghassi/30b12e6784b9304c95faa3f4506c5839/execroot/rh/bazel-out/darwin_arm64-fastbuild/bin/external/pnpm/pnpm.sh.runfiles/rh/../pnpm/pnpm_node_bin/node /Users/davidaghassi/.nvm/versions/node/v16.18.0/bin/npm
npm info using [email protected]
npm info using [email protected]
```
Thanks to @joeljeske for helping me pinpoint and debug this. This may be related to this issue we are seeing too: https://github.com/pnpm/pnpm/issues/7419#issuecomment-2026185020
Version
Development (host) and target OS/architectures:
Output of `bazel --version`: 6.4.0
Version of the Aspect rules, or other relevant rules from your `WORKSPACE` or `MODULE.bazel` file:
rules_js: 1.39.1
Language(s) and/or frameworks involved:
How to reproduce
See above
Any other information?
No response
Notes:
- See https://github.com/pnpm/pnpm/blob/442d97daad425c9bc923c12889d5b1ccee154992/pnpm/src/runNpm.ts#L6
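
A guard for the drift described in this issue, as an added example that is not part of the original report or of rules_js: it reads the `--verbose` output and fails when the `npm verb cli` line points at an `npm` outside a Bazel runfiles tree. The function names, the `.runfiles/` test for hermeticity and both sample lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: detect a host-PATH npm in `pnpm ... --verbose` output.
# Assumption: a path is treated as hermetic only when it lies inside a
# Bazel runfiles tree (contains ".runfiles/"). Paths with spaces are not handled.

# Print the npm entry point from the "npm verb cli <node> <npm>" line on stdin.
npm_cli_path() {
  awk '$1 == "npm" && $2 == "verb" && $3 == "cli" { print $5; exit }'
}

# Return 0 when the path is inside a runfiles tree, 1 otherwise.
is_hermetic_path() {
  case "$1" in
    *.runfiles/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read verbose output on stdin.
# Returns 0: npm from runfiles, 1: npm from the host, 2: no "npm verb cli" line.
check_npm_hermetic() {
  _npm_path="$(npm_cli_path)"
  if [ -z "$_npm_path" ]; then
    echo "no 'npm verb cli' line found; was --verbose passed?" >&2
    return 2
  fi
  if is_hermetic_path "$_npm_path"; then
    echo "ok: npm comes from runfiles: $_npm_path"
    return 0
  fi
  echo "drift risk: npm resolved from host PATH: $_npm_path" >&2
  return 1
}

# Constructed sample lines (user name, hash and workspace are placeholders).
SAMPLE_HOST='npm verb cli /private/var/tmp/_bazel_user/HASH/execroot/ws/bazel-out/darwin_arm64-fastbuild/bin/external/pnpm/pnpm.sh.runfiles/ws/../pnpm/pnpm_node_bin/node /Users/user/.nvm/versions/node/v16.18.0/bin/npm'
# Hypothetical line for a setup where npm is shipped in runfiles.
SAMPLE_HERMETIC='npm verb cli /out/pnpm.sh.runfiles/pnpm/pnpm_node_bin/node /out/pnpm.sh.runfiles/npm/bin/npm'

# Demo on the constructed host-PATH sample; reports the drift risk on stderr.
printf '%s\n' "$SAMPLE_HOST" | check_npm_hermetic || true
```

In CI this would be fed from the real command with stderr merged, since npm writes its log there: `bazel run -- @pnpm//:pnpm info react --verbose 2>&1 | check_npm_hermetic`.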