fix: broken PNPM lockfiles

[NyanKiyoshi]

The lock files for the following projects were broken:

• ./example-app-checkout-prices
• ./example-storefront-nextjs-sequra
• ./example-storefront-nextjs-klarna
• ./example-app-sequra
• ./example-storefront-nextjs-app-router
• ./example-app-abandoned-checkouts
• ./example-auth-nextjs-apollo-urql
• ./example-app-slack
• ./example-auth-nextjs-pages-router-apollo

This led to Dependabot failing with the following error when trying to check dependencies:

"message": "/example-app-abandoned-checkouts/pnpm-lock.yaml not parseable",

Running pnpm install --frozen-lockfile confirmed the issue:

$ cd ./example-app-abandoned-checkouts
$ pnpm install --frozen-lockfile
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-app-abandoned-checkouts/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

The list of affected projects was found by scanning for broken lock files like so:

Details

$ cd examples/
$ readarray -d '' paths < <(find . -maxdepth 1 -name 'example-*' -type d -print0)
$ for d in "${paths[@]}"; do echo "$d" ; ( cd "$d"; pnpm install --frozen-lockfile 2>&1 ; ) ; done

./example-app-checkout-prices
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-app-checkout-prices/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-storefront-nextjs-sequra
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-storefront-nextjs-sequra/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-storefront-nextjs-klarna
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-storefront-nextjs-klarna/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-app-sequra
 WARN  Unsupported engine: wanted: {"node":"^20.0.0"} (current: {"node":"v22.17.1","pnpm":"8.14.2"})
Lockfile is up to date, resolution step is skipped
Already up to date
Done in 931ms

./example-storefront-nextjs-app-router
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-storefront-nextjs-app-router/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-app-abandoned-checkouts
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-app-abandoned-checkouts/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-auth-nextjs-apollo-urql
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-auth-nextjs-apollo-urql/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

./example-app-slack
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

  Failure reason:
  specifiers in the lockfile don't match specifiers in package.json:
* 2 dependencies were removed: vite@5.3.3, vitest@2.0.0

./example-auth-nextjs-pages-router-apollo
 ERR_PNPM_LOCKFILE_BREAKING_CHANGE  Lockfile /Saleor/examples/example-auth-nextjs-pages-router-apollo/pnpm-lock.yaml not compatible with current pnpm

Run with the --force parameter to recreate the lockfile.

Then, the lockfiles were fixed like so (by recreating them from scratch):

dirs=(
	'./example-app-checkout-prices'
	'./example-storefront-nextjs-sequra'
	'./example-storefront-nextjs-klarna'
	'./example-app-sequra'
	'./example-storefront-nextjs-app-router'
	'./example-app-abandoned-checkouts'
	'./example-auth-nextjs-apollo-urql'
	'./example-app-slack'
	'./example-auth-nextjs-pages-router-apollo'
)

for dir in "${dirs[@]}"; do
	echo "Recreating lock file for ${dir}..." >&2
	( cd "$dir" && pnpm install --lockfile-only ) || echo "Failed" >&2
done

[github-actions]

Differences Found

⚠️ 24 packages or licenses were added.

Expand

License	Package
Apache-2.0	@swc/types
Apache-2.0	baseline-browser-mapping
MIT	@envelop/core
MIT	@envelop/instrumentation
MIT	@envelop/types
MIT	@fastify/busboy
MIT	@graphql-hive/signal
MIT	@graphql-tools/executor-common
MIT	@jridgewell/remapping
MIT	@theguild/federation-composition
MIT	@whatwg-node/disposablestack
MIT	@whatwg-node/promise-helpers
MIT	@wry/caches
MIT	data-uri-to-buffer
MIT	fetch-blob
MIT	formdata-polyfill
MIT	generator-function
MIT	quansync
MIT	react-fast-compare
MIT	react-helmet
MIT	react-side-effect
MIT	rehackt
MIT	sync-fetch
MIT	timeout-signal

Summary

Expand

License Name	Package Count	Packages
0BSD	1	Packages tslib
AFL-2.1	1	Packages json-schema
Apache 2.0	1	Packages @mailchimp/mailchimp_marketing
CC-BY-3.0	1	Packages spdx-exceptions
MIT (http://mootools.net/license.txt)	1	Packages slick
MIT-0	1	Packages nodemailer
Public Domain	1	Packages jsonify
Python-2.0	1	Packages argparse
SEE LICENSE IN LICENSE	1	Packages spawndamnit
WTFPL	1	Packages utf8-byte-length
CC-BY-4.0	2	Packages @saleor/macaw-ui caniuse-lite
CC0-1.0	3	Packages language-subtag-registry spdx-license-ids type-fest
Unlicense	3	Packages @zxing/text-encoding big-integer tweetnacl
<<missing>>	5	Packages busboy cycle example-nextjs-sequra eyes streamsearch
BlueOak-1.0.0	5	Packages chownr jackspeak package-json-from-dist path-scurry yallist
LGPL-3.0-or-later	11	Packages @img/sharp-libvips-darwin-arm64 @img/sharp-libvips-darwin-x64 @img/sharp-libvips-linux-arm @img/sharp-libvips-linux-arm64 @img/sharp-libvips-linux-s390x @img/sharp-libvips-linux-x64 @img/sharp-libvips-linuxmusl-arm64 @img/sharp-libvips-linuxmusl-x64 @img/sharp-wasm32 @img/sharp-win32-ia32 @img/sharp-win32-x64
MPL-2.0	12	Packages axe-core lightningcss lightningcss-darwin-arm64 lightningcss-darwin-x64 lightningcss-freebsd-x64 lightningcss-linux-arm-gnueabihf lightningcss-linux-arm64-gnu lightningcss-linux-arm64-musl lightningcss-linux-x64-gnu lightningcss-linux-x64-musl lightningcss-win32-arm64-msvc lightningcss-win32-x64-msvc
BSD-2-Clause	25	Packages @typescript-eslint/parser @typescript-eslint/typescript-estree cheerio-select css-select css-what damerau-levenshtein domelementtype domhandler domutils dotenv entities escodegen eslint-scope espree esprima esrecurse estraverse esutils glob-to-regexp normalize-package-data And 5 more...
BSD-3-Clause	30	Packages @humanwhocodes/object-schema @saleor/app-sdk @saleor/auth-sdk @saleor/eslint-plugin-saleor-app @sentry/cli @xtuc/ieee754 abab asn1js bcrypt-pbkdf diff esquery exenv hoist-non-react-statics hyphenate-style-name ieee754 immutable istanbul-lib-coverage istanbul-lib-report istanbul-lib-source-maps istanbul-reports And 10 more...
ISC	71	Packages @isaacs/cliui @isaacs/fs-minipass @saleor/app-sdk @saleor/json-schema-compiler @ungap/structured-clone abbrev anymatch ast-types-flow authorizenet boolbase cli-color cli-width cliui d electron-to-chromium es5-ext es6-symbol es6-weak-map eslint-import-resolver-typescript ext And 51 more...
Apache-2.0	76	Packages @ampproject/remapping @humanwhocodes/config-array @humanwhocodes/module-importer @img/sharp-darwin-arm64 @img/sharp-darwin-x64 @img/sharp-linux-arm @img/sharp-linux-arm64 @img/sharp-linux-s390x @img/sharp-linux-x64 @img/sharp-linuxmusl-arm64 @img/sharp-linuxmusl-x64 @img/sharp-wasm32 @img/sharp-win32-ia32 @img/sharp-win32-x64 @opentelemetry/api @opentelemetry/semantic-conventions @pollyjs/adapter @pollyjs/adapter-fetch @pollyjs/adapter-node-http @pollyjs/core And 56 more...
MIT	1441	Packages @0no-co/graphql.web @aashutoshrathi/word-wrap @adobe/css-tools @alloc/quick-lru @apidevtools/json-schema-ref-parser @apollo/client @ardatan/relay-compiler @ardatan/sync-fetch @babel/code-frame @babel/compat-data @babel/core @babel/generator @babel/helper-annotate-as-pure @babel/helper-compilation-targets @babel/helper-create-class-features-plugin @babel/helper-environment-visitor @babel/helper-function-name @babel/helper-globals @babel/helper-hoist-variables @babel/helper-member-expression-to-functions And 1421 more...