corepack icon indicating copy to clipboard operation
corepack copied to clipboard
verified publisher icon nodejs

Prompt before applying `AUTO_PIN` to `package.json`

Open MikeMcC399 opened this issue 8 months ago • 1 comments

What would you like?

Corepack AUTO_PIN should prompt before adding a packageManager field to an existing package.json file. It may not be a desired change.

Why is this needed?

~~By default, and if the environment variable COREPACK_ENABLE_AUTO_PIN is not set to 0~~ If COREPACK_ENABLE_AUTO_PIN is set to 1, then Corepack adds a packageManager field to an existing package.json file if the field is not present.

Especially when working in a hybrid environment using package managers npm and Yarn in a mixture of projects, some of which are set up to work with Corepack and others are not, then some actions can lead to a packageManager field being added to an existing package.json file where this is not desired.

Consider the following scenario:

  • Project-npm is configured for npm without Corepack (no packageManager field)
  • Project-yarn-v1-corepack is configured for Yarn Classic with Corepack (packageManager field contains [email protected]+sha512...)

If my working directory cwd is in Project-npm and I execute yarn -v overlooking what project I am in, then my npm project becomes corrupted with the unwanted Yarn packageManager field. There is no prompt to allow me to recognize my mistake and prevent the package.json from being updated.

$ yarn -v
! The local project doesn't define a 'packageManager' field. Corepack will now add one referencing [email protected]+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e.
! For more details about this field, consult the documentation at https://nodejs.org/api/packages.html#packagemanager

Other

  • https://github.com/nodejs/corepack/issues/485 proposes to disable AUTO_PIN by default. This is a related suggestion and it contains descriptions of scenarios where AUTO_PIN is not wanted.
  • AUTO_PIN was added in [email protected] March 2024

MikeMcC399 avatar Mar 30 '25 08:03 MikeMcC399

This is now less critical due to [email protected] changing the default for to COREPACK_ENABLE_AUTO_PIN. This is now only active if explicitly set to 1.

MikeMcC399 avatar Jun 04 '25 10:06 MikeMcC399