pnpm update 未更新 package.json 文件

我在当前这个 blog 项目中使用了 pnpm，整体上的体验要比 npm 好上很多，强烈推荐。但是因为 dependabot 暂时还不支持 pnpm，所以只能手动管理依赖，大概一个多月前我尝试升级了一次，发现 package.json 文件没有被更新：

# pnpm version 7.5.0
pnpm update

输出如下信息（你可能和我不一样）

WARN deprecated [email protected]: standard 16.0.0 and eslint-config-standard 16.0.0 no longer require the eslint-plugin-standard package. You can remove it from your dependencies with 'npm rm eslint-plugin-standard'. More info here: https://github.com/standard/standard/issues/1316
WARN deprecated @stylelint/[email protected]: Use the original unforked package instead: postcss-markdown
WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
Already up-to-date
Progress: resolved 1463, reused 1285, downloaded 0, added 0, done
ERR_PNPM_PEER_DEP_ISSUES Unmet peer dependencies

.
├─┬ elint-preset-kw
│ ├─┬ @typescript-eslint/eslint-plugin
│ │ ├── ✕ missing peer eslint@"^5.0.0 || ^6.0.0 || ^7.0.0"
│ │ └─┬ @typescript-eslint/experimental-utils
│ │   ├── ✕ missing peer eslint@"*"
│ │   └─┬ eslint-utils
│ │     └── ✕ missing peer eslint@>=5
│ ├─┬ @typescript-eslint/parser
│ │ └── ✕ missing peer eslint@"^5.0.0 || ^6.0.0 || ^7.0.0"
│ ├─┬ eslint-config-prettier
│ │ └── ✕ missing peer eslint@>=7.0.0
│ ├─┬ eslint-config-standard
│ │ └── ✕ missing peer eslint@^7.12.1
│ ├─┬ eslint-config-standard-jsx
│ │ └── ✕ missing peer eslint@^7.12.1
│ ├─┬ eslint-config-standard-react
│ │ └── ✕ missing peer eslint@^7.12.1
│ ├─┬ eslint-config-standard-with-typescript
│ │ └── ✕ missing peer eslint@^7.12.1
│ ├─┬ eslint-plugin-import
│ │ └── ✕ missing peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8"
│ ├─┬ eslint-plugin-node
│ │ ├── ✕ missing peer eslint@>=5.16.0
│ │ └─┬ eslint-plugin-es
│ │   └── ✕ missing peer eslint@>=4.19.1
│ ├─┬ eslint-plugin-promise
│ │ └── ✕ missing peer eslint@^7.0.0
│ ├─┬ eslint-plugin-react
│ │ └── ✕ missing peer eslint@"^3 || ^4 || ^5 || ^6 || ^7 || ^8"
│ ├─┬ eslint-plugin-standard
│ │ └── ✕ missing peer eslint@>=5.0.0
│ ├─┬ stylelint-config-prettier
│ │ └── ✕ missing peer stylelint@>=11.0.0
│ └─┬ stylelint-config-standard
│   ├── ✕ missing peer stylelint@>=10.1.0
│   └─┬ stylelint-config-recommended
│     └── ✕ missing peer stylelint@>=10.1.0
├─┬ @docsearch/js
│ └─┬ @docsearch/react
│   └─┬ @algolia/autocomplete-preset-algolia
│     └── ✕ missing peer @algolia/client-search@^4.9.1
├─┬ react-router
│ └─┬ mini-create-react-context
│   └── ✕ unmet peer react@"^0.14.0 || ^15.0.0 || ^16.0.0 || ^17.0.0": found 18.2.0
└─┬ use-media
  └── ✕ unmet peer react@^16.8.1: found 18.2.0
Peer dependencies that should be installed:
  @algolia/client-search@^4.9.1  eslint@">=7.12.1 <8.0.0"       stylelint@>=11.0.0

hint: If you want peer dependencies to be automatically installed, add "auto-install-peers=true" to an .npmrc file at the root of your project.
hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.

此时再看 IDE，发现只有 pnpm-lock.yaml 更新了，package.json 里的依赖并没有变化。我没多想，以为是 pnpm 的 bug，就打算等修复后再升级。完全没想到 peer dependencies 和 pnpm 结尾输出的 hint 与此事有任何关系。

直到前几天，给 webpack 提的一个 issue 被修复关闭了，我又想到了依赖升级的事情。在 pnpm 仓库上搜索了一番，意外发现这事儿居然真的和 peer dependencies 有关：

The root cause is the strict-peer-dependencies option default value change which happened in v7.0.0 https://github.com/pnpm/pnpm/pull/4427. It results in the package.json file not being written after pnpm update.

As a workaround, you may add this line in your project's .npmrc file: strict-peer-dependencies=false

然后找了下官方文档，它是这么写的：

strict-peer-dependencies

• 默认值：true
• 类型：Boolean

如果启用了此选项，那么在依赖树中存在缺失或无效的 peer 依赖关系时，命令将执行失败。

那么解决方案其实很简单了，在 .npmrc 中添加 strict-peer-dependencies=false 即可

但这其实依然是一个问题，命令执行失败的时候 package.json 和 pnpm-lock.yaml 两个文件不同步了。