Pnpm lockfile migration (#283)

arcanis · web-flow · commit 1e0dd051514c · 2026-04-19T23:03:56.000+02:00
This PR adds a way to migrate a repository from pnpm to Yarn. I have an older repository I need to migrate so this will be handy.  --- > [!NOTE] > **Medium Risk** > Modifies lockfile generation by shelling out to `pnpm` and interpreting its tree, including optional-dependency and path handling; incorrect parsing could produce wrong resolutions during migrations. CI/e2e coverage is added, but behavior depends on pnpm version differences. > > **Overview** > Adds a pnpm-to-Yarn migration path that builds a Yarn `Lockfile` from `node_modules` by invoking `pnpm list -r --json`, selecting `--depth=Infinity` on newer pnpm versions (fallback `--depth=3`), normalizing relative paths, and skipping missing optional dependencies. > > Updates the e2e sandbox image to install `pnpm`, and introduces a new `tests/e2e/pnpm-migration.sh` that asserts the migration largely preserves pnpm-resolved package versions after switching to `yarn install`. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 1d9b669. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
diff --git a/.github/actions/run-e2e-sandbox/Dockerfile b/.github/actions/run-e2e-sandbox/Dockerfile
@@ -13,7 +13,8 @@ RUN apt-get update \
     npm \
     python3 \
     python-is-python3 \
-  && rm -rf /var/lib/apt/lists/*
+  && rm -rf /var/lib/apt/lists/* \
+  && npm install -g pnpm
 
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
diff --git a/.gitignore b/.gitignore
@@ -21,4 +21,7 @@ profile.json.gz
 /.yarn/cache
 /.yarn/unplugged
 
+/.claude
+/.superset
+
 /bench-*.json
diff --git a/packages/zpm-primitives/src/reference.rs b/packages/zpm-primitives/src/reference.rs
@@ -33,7 +33,6 @@ fn format_pypi_registry(ident: &Ident, version: &crate::PypiVersion, url: Option
         None => format!("pypi:{}@{}", ident.to_file_string(), version.to_file_string()),
     }
 }
-
 fn format_workspace_path(path: &Path) -> String {
     if path.is_empty() {
         "workspace:.".to_string()
diff --git a/packages/zpm/src/lockfile.rs b/packages/zpm/src/lockfile.rs
@@ -408,7 +408,8 @@ struct PnpmListDependency {
 /// Builds a lockfile from pnpm's installed packages using `pnpm list --json`.
 ///
 /// The approach:
-/// 1. Run `pnpm list --json --depth=3` to get most of the full dependency tree
+/// 1. Run `pnpm list --json` to get the full dependency tree
+///    (uses `--depth=Infinity` on pnpm >= 10.29.3, `--depth=3` on older versions)
 /// 2. Recursively walk the tree to collect all packages with their resolved URLs
 /// 3. For each package, read its package.json to get the original dependency ranges
 /// 4. Build descriptor -> locator mappings
@@ -438,9 +439,17 @@ pub fn from_pnpm_node_modules(project_cwd: &Path) -> Result<Lockfile, Error> {
         return Ok(Lockfile::new());
     }
 
-    // Run pnpm list --json --depth=Infinity
+    let depth_flag = std::process::Command::new("pnpm")
+        .arg("--version")
+        .output()
+        .ok()
+        .and_then(|o| String::from_utf8(o.stdout).ok())
+        .and_then(|v| zpm_semver::Version::from_file_string(v.trim()).ok())
+        .filter(|v| *v >= zpm_semver::Version::from_file_string("10.29.3").unwrap())
+        .map_or("--depth=3", |_| "--depth=Infinity");
+
     let output = std::process::Command::new("pnpm")
-        .args(["list", "-r", "--json", "--depth=3"])
+        .args(["list", "-r", "--json", depth_flag])
         .current_dir(project_cwd.as_str())
         .output()
         .map_err(|_| Error::PnpmNodeModulesReadError)?;
@@ -466,14 +475,22 @@ pub fn from_pnpm_node_modules(project_cwd: &Path) -> Result<Lockfile, Error> {
             continue;
         };
 
-        let Ok(package_path) = Path::try_from(package_path_str.as_str()) else {
+        let Ok(raw_path) = Path::try_from(package_path_str.as_str()) else {
             continue;
         };
 
+        let package_path = if raw_path.is_relative() {
+            project_cwd.with_join_str("node_modules").with_join(&raw_path)
+        } else {
+            raw_path
+        };
+
         #[derive(Debug, Deserialize)]
         struct Manifest {
             #[serde(default)]
             dependencies: BTreeMap<String, String>,
+            #[serde(default, rename = "optionalDependencies")]
+            optional_dependencies: BTreeMap<String, String>,
         }
 
         let manifest: Option<Manifest>
@@ -487,7 +504,11 @@ pub fn from_pnpm_node_modules(project_cwd: &Path) -> Result<Lockfile, Error> {
             continue;
         };
 
-        for (name, range) in manifest.dependencies {
+        let all_dependencies
+            = manifest.dependencies.into_iter().map(|(n, r)| (n, r, false))
+                .chain(manifest.optional_dependencies.into_iter().map(|(n, r)| (n, r, true)));
+
+        for (name, range, is_optional) in all_dependencies {
             let Ok(ident) = Ident::from_file_string(&name) else {
                 continue;
             };
@@ -501,6 +522,25 @@ pub fn from_pnpm_node_modules(project_cwd: &Path) -> Result<Lockfile, Error> {
                 continue;
             };
 
+            if is_optional {
+                let installed = resolved_entry.path.as_ref().and_then(|p| {
+                    let p
+                        = Path::try_from(p.as_str()).ok()?;
+
+                    let p = if p.is_relative() {
+                        project_cwd.with_join_str("node_modules").with_join(&p)
+                    } else {
+                        p
+                    };
+
+                    Some(p.with_join_str("package.json").fs_exists())
+                });
+
+                if !installed.unwrap_or(false) {
+                    continue;
+                }
+            }
+
             let Some(version) = &resolved_entry.version else {
                 continue;
             };
diff --git a/tests/e2e/pnpm-migration.sh b/tests/e2e/pnpm-migration.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+mkdir -p packages/pkg-a
+
+cat > package.json <<'JSON'
+{
+  "name": "e2e-pnpm-migration",
+  "private": true,
+  "workspaces": [
+    "packages/*"
+  ]
+}
+JSON
+
+cat > pnpm-workspace.yaml <<'YAML'
+packages:
+  - "packages/*"
+YAML
+
+cat > packages/pkg-a/package.json <<'JSON'
+{
+  "name": "pkg-a",
+  "version": "1.0.0",
+  "private": true,
+  "dependencies": {
+    "jest": "*"
+  }
+}
+JSON
+
+pnpm install
+
+# Capture the versions pnpm resolved (normalized to name@version)
+pnpm ls -r --json --depth=Infinity \
+  | jq -r '.. | objects | select(.version? and .from?) | "\(.from)@\(.version)"' \
+  | sort -u > "${TEMP_DIR}/pnpm-versions.txt"
+
+rm -f pnpm-lock.yaml
+
+yarn install
+
+# Capture the versions yarn resolved (normalized to name@version)
+yarn info -AR --json \
+  | jq -r '.value' \
+  | grep '@npm:' \
+  | sed -E 's/@npm:(.+@)?/\t/' \
+  | awk -F'\t' '{print $1"@"$2}' \
+  | sort -u > "${TEMP_DIR}/yarn-versions.txt"
+
+# Every version from pnpm must appear in yarn's resolution.
+# Platform-specific packages (like fsevents) may be absent; that's expected.
+MISMATCHES=0
+while IFS= read -r line; do
+  if ! grep -qxF "${line}" "${TEMP_DIR}/yarn-versions.txt"; then
+    echo "MISMATCH: pnpm had ${line} but yarn does not" >&2
+    MISMATCHES=$((MISMATCHES + 1))
+  fi
+done < "${TEMP_DIR}/pnpm-versions.txt"
+
+if [[ "${MISMATCHES}" -gt 5 ]]; then
+  echo "Too many version mismatches (${MISMATCHES}); migration did not preserve versions" >&2
+  exit 1
+fi

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,6 @@ fn format_pypi_registry(ident: &Ident, version: &crate::PypiVersion, url: Option`
`33`	`33`	`None => format!("pypi:{}@{}", ident.to_file_string(), version.to_file_string()),`
`34`	`34`	`}`
`35`	`35`	`}`
`36`		`-`
`37`	`36`	`fn format_workspace_path(path: &Path) -> String {`
`38`	`37`	`if path.is_empty() {`
`39`	`38`	`"workspace:.".to_string()`