Skip to content

fix(web): regenerate pnpm-lock.yaml to repair duplicate-key corruption#136

Merged
ravirajsinh45 merged 1 commit into
mainfrom
fix-pnpm-lock
Jul 9, 2026
Merged

fix(web): regenerate pnpm-lock.yaml to repair duplicate-key corruption#136
ravirajsinh45 merged 1 commit into
mainfrom
fix-pnpm-lock

Conversation

@ravirajsinh45

Copy link
Copy Markdown
Contributor

Problem — main CI is red

Frontend Build, Lint, and Docker Build (web image) are failing on main with:

ERR_PNPM_BROKEN_LOCKFILE  The lockfile at apps/web/pnpm-lock.yaml is broken: duplicated mapping key (2506:3)

Backend Tests are unaffected.

Root cause

Today's npm dependabot bumps (#52 vitest, #55 hls.js, #56 wavesurfer) each modified apps/web/pnpm-lock.yaml. They were squash-merged sequentially without re-rebasing each onto the previous merge. Git merged the YAML line-by-line with no textual conflict, but that duplicated several package blocks (picomatch@4.0.5, acorn, agent-base, …) — producing duplicate mapping keys that pnpm refuses to parse. GitHub reported the PRs as "mergeable" because there was no line conflict; the break is semantic, which line-based merges can't catch for lockfiles.

Fix

Regenerated pnpm-lock.yaml from package.json with pnpm 10.15 (lockfileVersion 9.0). No package.json or dependency-version changes — same resolved versions (vitest 4.1.10, hls.js 1.6.16, wavesurfer 7.12.10, …), just a clean lockfile. Diff is −126/+56 (removes the duplicated blocks).

Verified locally

  • packages: section has no duplicate keys (the picomatch@4.0.5 tripling is gone).
  • pnpm install --frozen-lockfile (CI's install step) succeeds.

Only apps/web/pnpm-lock.yaml changes. This unblocks Frontend Build / Lint / Docker on main and on the two remaining dependabot PRs (#95, #97).

Merging the sibling npm dependabot bumps (#52/#55/#56) via sequential squash
without re-rebasing produced a semantically broken pnpm-lock.yaml: git merged
the YAML line-by-line with no textual conflict, but tripled several package
blocks (picomatch@4.0.5, acorn, agent-base, ...), leaving duplicate mapping
keys. pnpm rejects it with ERR_PNPM_BROKEN_LOCKFILE, failing Frontend Build,
Lint, and the Docker web image on main (Backend Tests unaffected).

Regenerated from package.json with pnpm 10.15 (lockfileVersion 9.0). No
package.json or dependency-version changes; verified 'pnpm install
--frozen-lockfile' succeeds and the duplicate keys are gone.
@ravirajsinh45 ravirajsinh45 merged commit 9b1893b into main Jul 9, 2026
4 checks passed
@ravirajsinh45 ravirajsinh45 deleted the fix-pnpm-lock branch July 9, 2026 09:11
ravirajsinh45 added a commit that referenced this pull request Jul 9, 2026
package-lock.json was vestigial — Dockerfiles and CI use pnpm exclusively
(pnpm install --frozen-lockfile), yet dependabot maintained BOTH lockfiles per
bump, doubling the conflict surface (which produced the duplicate-key corruption
fixed in #136).

- Remove apps/web/package-lock.json and root package-lock.json.
- Declare packageManager: pnpm@10.15.0 in root + apps/web package.json.
- Drop the redundant version:10 from pnpm/action-setup in CI (packageManager is
  now the single source of the pnpm version); pin corepack prepare to match.
- gitignore package-lock.json so a stray npm install can't reintroduce it.
- Regenerate the root pnpm-lock.yaml, which had pre-existing drift (it referenced
  wavesurfer.js, not a root dep); root 'pnpm install --frozen-lockfile' now passes.

apps/web/pnpm-lock.yaml (the web build's lockfile) is unchanged. Verified
'pnpm install --frozen-lockfile' passes at root and in apps/web.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant