zys-contrib · pull · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.changeset/salty-beds-sell.md b/.changeset/salty-beds-sell.md
@@ -0,0 +1,8 @@
+---
+"@pnpm/lockfile.settings-checker": patch
+"@pnpm/lockfile.verification": patch
+"@pnpm/core": patch
+"@pnpm/deps.status": patch
+---
+
+Properly throw a frozen lockfile error when changing catalogs defined in `pnpm-workspace.yaml` and running `pnpm install --frozen-lockfile`. This previously passed silently as reported in [#9369](https://github.com/pnpm/pnpm/issues/9369).
diff --git a/.changeset/stupid-grapes-press.md b/.changeset/stupid-grapes-press.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/fs.indexed-pkg-importer": patch
+"pnpm": patch
+---
+
+Packages that don't have a `package.json` file (like Node.js) should not be reimported from the store on every install. Another file from the package should be checked in order to verify its presence in `node_modules`.
diff --git a/__fixtures__/pnpm-workspace.yaml b/__fixtures__/pnpm-workspace.yaml
@@ -18,3 +18,7 @@ packages:
   - '!workspace-has-shared-package-lock-json'
   - '!workspace-has-shared-npm-shrinkwrap-json'
 sharedWorkspaceLockfile: false
+
+catalog:
+  # Used in has-outdated-deps-using-catalog-protocol fixture.
+  is-negative: ^1.0.0
diff --git a/deps/status/src/checkDepsStatus.ts b/deps/status/src/checkDepsStatus.ts
@@ -488,6 +488,7 @@ async function assertWantedLockfileUpToDate (
   ])
 
   const outdatedLockfileSettingName = getOutdatedLockfileSetting(wantedLockfile, {
+    catalogs: config.catalogs,
     autoInstallPeers: config.autoInstallPeers,
     injectWorkspacePackages: config.injectWorkspacePackages,
     excludeLinksFromLockfile: config.excludeLinksFromLockfile,

diff --git a/fs/indexed-pkg-importer/src/index.ts b/fs/indexed-pkg-importer/src/index.ts
@@ -119,15 +119,31 @@ function clonePkg (
   to: string,
   opts: ImportOptions
 ): 'clone' | undefined {
-  const pkgJsonPath = path.join(to, 'package.json')
-
-  if (opts.resolvedFrom !== 'store' || opts.force || !existsSync(pkgJsonPath)) {
+  if (opts.resolvedFrom !== 'store' || opts.force || !pkgExistsAtTargetDir(to, opts.filesMap)) {
     importIndexedDir(clone, to, opts.filesMap, opts)
     return 'clone'
   }
   return undefined
 }
 
+function pkgExistsAtTargetDir (targetDir: string, filesMap: FilesMap): boolean {
+  return existsSync(path.join(targetDir, pickFileFromFilesMap(filesMap)))
+}
+
+function pickFileFromFilesMap (filesMap: FilesMap): string {
+  // A package might not have a package.json file.
+  // For instance, the Node.js package.
+  // Or injected packages in a Bit workspace.
+  if (filesMap['package.json']) {
+    return 'package.json'
+  }
+  const files = Object.keys(filesMap)
+  if (files.length === 0) {
+    throw new Error('pickFileFromFilesMap cannot pick a file from an empty FilesMap')
+  }
+  return files[0]
+}
+
 function createCloneFunction (): CloneFunction {
   // Node.js currently does not natively support reflinks on Windows and macOS.
   // Hence, we use a third party solution.
@@ -195,24 +211,8 @@ function linkOrCopy (existingPath: string, newPath: string): void {
   }
 }
 
-function pkgLinkedToStore (
-  filesMap: FilesMap,
-  to: string
-): boolean {
-  if (filesMap['package.json']) {
-    if (isSameFile('package.json', to, filesMap)) {
-      return true
-    }
-  } else {
-    // An injected package might not have a package.json.
-    // This will probably only even happen in a Bit workspace.
-    const [anyFile] = Object.keys(filesMap)
-    if (isSameFile(anyFile, to, filesMap)) return true
-  }
-  return false
-}
-
-function isSameFile (filename: string, linkedPkgDir: string, filesMap: FilesMap): boolean {
+function pkgLinkedToStore (filesMap: FilesMap, linkedPkgDir: string): boolean {
+  const filename = pickFileFromFilesMap(filesMap)
   const linkedFile = path.join(linkedPkgDir, filename)
   let stats0!: Stats
   try {
@@ -230,9 +230,7 @@ export function copyPkg (
   to: string,
   opts: ImportOptions
 ): 'copy' | undefined {
-  const pkgJsonPath = path.join(to, 'package.json')
-
-  if (opts.resolvedFrom !== 'store' || opts.force || !existsSync(pkgJsonPath)) {
+  if (opts.resolvedFrom !== 'store' || opts.force || !pkgExistsAtTargetDir(to, opts.filesMap)) {
     importIndexedDir(fs.copyFileSync, to, opts.filesMap, opts)
     return 'copy'
   }

diff --git a/lockfile/settings-checker/package.json b/lockfile/settings-checker/package.json
@@ -33,8 +33,10 @@
     "compile": "tsc --build && pnpm run lint --fix"
   },
   "dependencies": {
+    "@pnpm/catalogs.types": "workspace:*",
     "@pnpm/crypto.hash": "workspace:*",
     "@pnpm/lockfile.types": "workspace:*",
+    "@pnpm/lockfile.verification": "workspace:*",
     "@pnpm/parse-overrides": "workspace:*",
     "p-map-values": "catalog:",
     "ramda": "catalog:"

diff --git a/lockfile/settings-checker/src/getOutdatedLockfileSetting.ts b/lockfile/settings-checker/src/getOutdatedLockfileSetting.ts
@@ -1,7 +1,10 @@
+import { type Catalogs } from '@pnpm/catalogs.types'
 import { type LockfileObject, type PatchFile } from '@pnpm/lockfile.types'
+import { allCatalogsAreUpToDate } from '@pnpm/lockfile.verification'
 import { equals } from 'ramda'
 
 export type ChangedField =
+  | 'catalogs'
   | 'patchedDependencies'
   | 'overrides'
   | 'packageExtensionsChecksum'
@@ -15,6 +18,7 @@ export type ChangedField =
 export function getOutdatedLockfileSetting (
   lockfile: LockfileObject,
   {
+    catalogs,
     overrides,
     packageExtensionsChecksum,
     ignoredOptionalDependencies,
@@ -25,6 +29,7 @@ export function getOutdatedLockfileSetting (
     pnpmfileChecksum,
     injectWorkspacePackages,
   }: {
+    catalogs?: Catalogs
     overrides?: Record<string, string>
     packageExtensionsChecksum?: string
     patchedDependencies?: Record<string, PatchFile>
@@ -36,6 +41,9 @@ export function getOutdatedLockfileSetting (
     injectWorkspacePackages?: boolean
   }
 ): ChangedField | null {
+  if (!allCatalogsAreUpToDate(catalogs ?? {}, lockfile.catalogs)) {
+    return 'catalogs'
+  }
   if (!equals(lockfile.overrides ?? {}, overrides ?? {})) {
     return 'overrides'
   }

diff --git a/lockfile/settings-checker/tsconfig.json b/lockfile/settings-checker/tsconfig.json
@@ -12,6 +12,9 @@
     {
       "path": "../../__utils__/prepare"
     },
+    {
+      "path": "../../catalogs/types"
+    },
     {
       "path": "../../config/parse-overrides"
     },
@@ -20,6 +23,9 @@
     },
     {
       "path": "../types"
+    },
+    {
+      "path": "../verification"
     }
   ]
 }
diff --git a/lockfile/verification/src/index.ts b/lockfile/verification/src/index.ts
@@ -1,4 +1,5 @@
 export { allProjectsAreUpToDate } from './allProjectsAreUpToDate.js'
+export { allCatalogsAreUpToDate } from './allCatalogsAreUpToDate.js'
 export { getWorkspacePackagesByDirectory } from './getWorkspacePackagesByDirectory.js'
 export { localTarballDepsAreUpToDate } from './localTarballDepsAreUpToDate.js'
 export { linkedPackagesAreUpToDate } from './linkedPackagesAreUpToDate.js'

diff --git a/pkg-manager/core/src/install/index.ts b/pkg-manager/core/src/install/index.ts
@@ -410,6 +410,7 @@ export async function mutateModules (
     if (!opts.ignorePackageManifest) {
       const outdatedLockfileSettingName = getOutdatedLockfileSetting(ctx.wantedLockfile, {
         autoInstallPeers: opts.autoInstallPeers,
+        catalogs: opts.catalogs,
         injectWorkspacePackages: opts.injectWorkspacePackages,
         excludeLinksFromLockfile: opts.excludeLinksFromLockfile,
         peersSuffixMaxLength: opts.peersSuffixMaxLength,

diff --git a/pkg-manager/core/test/catalogs.ts b/pkg-manager/core/test/catalogs.ts
@@ -256,6 +256,49 @@ test('lockfile is updated if catalog config changes', async () => {
   })
 })
 
+test('frozen lockfile error is thrown if catalog config changes', async () => {
+  const { options, projects, readLockfile } = preparePackagesAndReturnObjects([
+    {
+      name: 'project1',
+      dependencies: {
+        'is-positive': 'catalog:',
+      },
+    },
+  ])
+
+  await mutateModules(installProjects(projects), {
+    ...options,
+    lockfileOnly: true,
+    catalogs: {
+      default: {
+        'is-positive': '=1.0.0',
+      },
+    },
+  })
+
+  expect(readLockfile().importers['project1' as ProjectId]).toEqual({
+    dependencies: {
+      'is-positive': {
+        specifier: 'catalog:',
+        version: '1.0.0',
+      },
+    },
+  })
+
+  const frozenLockfileMutation = mutateModules(installProjects(projects), {
+    ...options,
+    lockfileOnly: true,
+    frozenLockfile: true,
+    catalogs: {
+      default: {
+        'is-positive': '=3.1.0',
+      },
+    },
+  })
+
+  await expect(frozenLockfileMutation).rejects.toThrow('Cannot proceed with the frozen installation. The current "catalogs" configuration doesn\'t match the value found in the lockfile')
+})
+
 test('lockfile catalog snapshots retain existing entries on --filter', async () => {
   const { options, projects, readLockfile } = preparePackagesAndReturnObjects([
     {

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml