fix(web): regenerate pnpm-lock.yaml to repair duplicate-key corruption#136
Merged
Conversation
Merging the sibling npm dependabot bumps (#52/#55/#56) via sequential squash without re-rebasing produced a semantically broken pnpm-lock.yaml: git merged the YAML line-by-line with no textual conflict, but tripled several package blocks (picomatch@4.0.5, acorn, agent-base, ...), leaving duplicate mapping keys. pnpm rejects it with ERR_PNPM_BROKEN_LOCKFILE, failing Frontend Build, Lint, and the Docker web image on main (Backend Tests unaffected). Regenerated from package.json with pnpm 10.15 (lockfileVersion 9.0). No package.json or dependency-version changes; verified 'pnpm install --frozen-lockfile' succeeds and the duplicate keys are gone.
ravirajsinh45
added a commit
that referenced
this pull request
Jul 9, 2026
package-lock.json was vestigial — Dockerfiles and CI use pnpm exclusively (pnpm install --frozen-lockfile), yet dependabot maintained BOTH lockfiles per bump, doubling the conflict surface (which produced the duplicate-key corruption fixed in #136). - Remove apps/web/package-lock.json and root package-lock.json. - Declare packageManager: pnpm@10.15.0 in root + apps/web package.json. - Drop the redundant version:10 from pnpm/action-setup in CI (packageManager is now the single source of the pnpm version); pin corepack prepare to match. - gitignore package-lock.json so a stray npm install can't reintroduce it. - Regenerate the root pnpm-lock.yaml, which had pre-existing drift (it referenced wavesurfer.js, not a root dep); root 'pnpm install --frozen-lockfile' now passes. apps/web/pnpm-lock.yaml (the web build's lockfile) is unchanged. Verified 'pnpm install --frozen-lockfile' passes at root and in apps/web.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem — main CI is red
Frontend Build,Lint, andDocker Build(web image) are failing on main with:Backend Tests are unaffected.
Root cause
Today's npm dependabot bumps (#52 vitest, #55 hls.js, #56 wavesurfer) each modified
apps/web/pnpm-lock.yaml. They were squash-merged sequentially without re-rebasing each onto the previous merge. Git merged the YAML line-by-line with no textual conflict, but that duplicated several package blocks (picomatch@4.0.5,acorn,agent-base, …) — producing duplicate mapping keys that pnpm refuses to parse. GitHub reported the PRs as "mergeable" because there was no line conflict; the break is semantic, which line-based merges can't catch for lockfiles.Fix
Regenerated
pnpm-lock.yamlfrompackage.jsonwith pnpm 10.15 (lockfileVersion 9.0). Nopackage.jsonor dependency-version changes — same resolved versions (vitest 4.1.10, hls.js 1.6.16, wavesurfer 7.12.10, …), just a clean lockfile. Diff is −126/+56 (removes the duplicated blocks).Verified locally
packages:section has no duplicate keys (thepicomatch@4.0.5tripling is gone).pnpm install --frozen-lockfile(CI's install step) succeeds.Only
apps/web/pnpm-lock.yamlchanges. This unblocks Frontend Build / Lint / Docker on main and on the two remaining dependabot PRs (#95, #97).