Skip to content

docker: pin pnpm dependency to v10 to avoid ERR_PNPM_IGNORED_BUILDS#4305

Open
bastidest wants to merge 1 commit into
umami-software:masterfrom
bastidest:fix/pin-pnpm-version
Open

docker: pin pnpm dependency to v10 to avoid ERR_PNPM_IGNORED_BUILDS#4305
bastidest wants to merge 1 commit into
umami-software:masterfrom
bastidest:fix/pin-pnpm-version

Conversation

@bastidest

@bastidest bastidest commented May 28, 2026
edited by blacksmith-sh Bot
Loading

Copy link
Copy Markdown

The docker build has started failing for me since the update of pnpm to version 11. Pinning pnpm to version 10 fixes the build.

Ideally the dependencies should not be pinned, but fixated with a lockfile. There are several other dependencies that could silently update and fail the build.

This is just a quick fix to get the docker build working again.

20.46 Progress: resolved 188, reused 0, downloaded 188, added 188, done
20.51 .../node_modules/@prisma/engines postinstall$ node scripts/postinstall.js
28.80 .../node_modules/@prisma/engines postinstall: Done
29.00 
29.00 dependencies:
29.00 + @prisma/adapter-pg 6.19.0 (7.8.0 is available)
29.00 + chalk 5.6.2
29.00 + dotenv 17.4.2
29.00 + npm-run-all 4.1.5
29.00 + prisma 6.19.0 (7.8.0 is available)
29.00 + semver 7.8.1
29.00 
29.05 [ERR_PNPM_IGNORED_BUILDS] Ignored build scripts: prisma@6.19.0
29.05 
29.05 Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.

@vercel

vercel Bot commented May 28, 2026

Copy link
Copy Markdown

@bastidest is attempting to deploy a commit to the Umami Software Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps

greptile-apps Bot commented May 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR pins the pnpm installation in the Dockerfile to pnpm@10 (major-version range) to work around the ERR_PNPM_IGNORED_BUILDS error introduced in pnpm v11, which requires explicit build-script approval for every package. Both the deps and runner build stages are updated, and comments are added to explain the reason for the pin.

  • deps stage (pnpm install --frozen-lockfile): pnpm is now installed as pnpm@10 before the frozen install; no --allow-build flag is present, which would also be needed to support pnpm v11.
  • runner stage (pnpm add): pnpm is pinned to pnpm@10; the existing --allow-build='@prisma/engines' flag already reflects v11 semantics but is missing prisma itself, which is the package shown as ignored in the error output.

Confidence Score: 4/5

The change restores a broken Docker build with minimal blast radius — only two lines in the Dockerfile are modified. The pin is functional but uses a floating major-version range rather than an exact version, and the underlying root cause is not fully addressed.

The fix achieves its stated goal of unblocking the Docker build. The two observations — the floating @10 range and the incomplete --allow-build list — do not affect correctness today but leave the build susceptible to future pnpm 10.x regressions and make a future v11 upgrade harder.

Dockerfile — both pnpm install lines should ideally be pinned to a full 10.x.y version, and the --allow-build list in the runner stage is worth revisiting when upgrading to pnpm v11.

Important Files Changed

Filename Overview
Dockerfile Pins pnpm to the v10 major-version range in both the deps and runner build stages to work around the pnpm v11 ERR_PNPM_IGNORED_BUILDS error; comments explain the reason, but the pin is a floating range rather than an exact version.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[FROM node:22-alpine AS deps] --> B[apk add libc6-compat]
    B --> C[COPY package.json pnpm-lock.yaml]
    C --> D["npm install -g pnpm@10 ← pinned"]
    D --> E[pnpm install --frozen-lockfile]
    E --> F[FROM node:22-alpine AS builder]
    F --> G[COPY node_modules from deps]
    G --> H[npm run build-docker]
    H --> I[FROM node:22-alpine AS runner]
    I --> J["npm install -g pnpm@10 ← pinned"]
    J --> K["pnpm --allow-build='@prisma/engines' add prisma ..."]
    K --> L[COPY built artifacts from builder]
    L --> M[CMD pnpm start-docker]
Loading

Comments Outside Diff (1)

  1. Dockerfile, line 47-49 (link)

    P2 The root cause of ERR_PNPM_IGNORED_BUILDS in pnpm v11 is that build scripts must be explicitly allowed. The runner-stage pnpm add already uses --allow-build='@prisma/engines', but the error output in the PR description shows prisma@6.19.0 (the CLI package) is also ignored — it has its own postinstall script that is not listed in --allow-build. Extending the allowlist to --allow-build='@prisma/engines,prisma' here (and adding a corresponding --allow-build=@prisma/engines to the deps-stage pnpm install --frozen-lockfile) would be the proper fix that lets the project upgrade to pnpm v11 without downgrading.

Reviews (1): Last reviewed commit: "docker: pin pnpm dependency to v10 to av..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed May 28, 2026
View reviewed changes
Comment thread Dockerfile
COPY package.json pnpm-lock.yaml ./
RUN npm install -g pnpm
# pnpm version pinned at 10 due to ERR_PNPM_IGNORED_BUILDS error with v11
RUN npm install -g pnpm@10

@greptile-apps greptile-apps Bot May 28, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 pnpm@10 is a major-version range, not an exact pin — it will silently float to any 10.x.y release published after the image is built. Two builds at different times can pick up different pnpm versions, making the build non-reproducible. Pin to a full pnpm@10.x.y semver (e.g. the latest stable 10.x at the time of merging) and update both occurrences in the file to keep them in sync.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bastidest