starred/vinext
1
0
Fork 0
mirror of https://github.com/cloudflare/vinext.git synced 2026-05-09 08:25:34 +02:00
Code Issues 101 Projects Packages Wiki Activity

[GH-ISSUE #186] vinext deploy silently runs npm install, downgrading dependencies in Yarn/pnpm workspaces #44

New issue
Closed
opened 2026-05-06 12:36:47 +02:00 by BreizhHardware · 1 comment
BreizhHardware commented 2026-05-06 12:36:47 +02:00
Owner
Copy link

Originally created by @justinfinnn on GitHub (Feb 28, 2026).
Original GitHub issue: https://github.com/cloudflare/vinext/issues/186

Bug

vinext deploy internally runs npm install during the deploy process. In a Yarn or pnpm monorepo, this silently downgrades hoisted dependencies — in our case, React 19.2.0 was downgraded to 18.3.1 mid-deploy, causing:

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './server.edge' is not defined by "exports" 
in .../node_modules/react-dom/package.json

This is because react-dom/server.edge is a React 19 export that doesn't exist in React 18.

Environment

  • vinext: 0.0.13
  • Package manager: Yarn 1 (workspace monorepo)
  • React: 19.2.0 (specified in root package.json + yarn.lock)

Steps to reproduce

  1. Set up a Yarn workspace monorepo with React 19.2.0 pinned
  2. Run vinext deploy
  3. During deploy, vinext runs npm install internally
  4. npm resolves React 18.x (ignoring yarn.lock), overwriting node_modules/react-dom
  5. Build fails: ./server.edge not found in react-dom exports

Root cause

vinext deploy runs npm install regardless of which package manager the project uses. This conflicts with Yarn/pnpm lockfiles and can silently downgrade packages.

This is related to #109 (package manager detection) but specific to the deploy command and has a concrete breaking side effect beyond just using the wrong installer.

Workaround

Run next build + wrangler deploy separately — do not use vinext deploy:

# In package.json
"build": "next build",
"deploy": "yarn build && wrangler deploy"

Expected behavior

vinext deploy should respect the project's package manager (detect via lockfile: yarn.lock → yarn, pnpm-lock.yaml → pnpm, package-lock.json → npm). It should not run npm install in a Yarn or pnpm project.

See also: #109

Originally created by @justinfinnn on GitHub (Feb 28, 2026). Original GitHub issue: https://github.com/cloudflare/vinext/issues/186 ## Bug `vinext deploy` internally runs `npm install` during the deploy process. In a Yarn or pnpm monorepo, this silently downgrades hoisted dependencies — in our case, React 19.2.0 was downgraded to 18.3.1 mid-deploy, causing: ``` Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './server.edge' is not defined by "exports" in .../node_modules/react-dom/package.json ``` This is because `react-dom/server.edge` is a React 19 export that doesn't exist in React 18. ## Environment - vinext: 0.0.13 - Package manager: Yarn 1 (workspace monorepo) - React: 19.2.0 (specified in root package.json + yarn.lock) ## Steps to reproduce 1. Set up a Yarn workspace monorepo with React 19.2.0 pinned 2. Run `vinext deploy` 3. During deploy, vinext runs `npm install` internally 4. npm resolves React 18.x (ignoring yarn.lock), overwriting `node_modules/react-dom` 5. Build fails: `./server.edge` not found in react-dom exports ## Root cause `vinext deploy` runs `npm install` regardless of which package manager the project uses. This conflicts with Yarn/pnpm lockfiles and can silently downgrade packages. This is related to #109 (package manager detection) but specific to the `deploy` command and has a concrete breaking side effect beyond just using the wrong installer. ## Workaround Run `next build` + `wrangler deploy` separately — do not use `vinext deploy`: ```bash # In package.json "build": "next build", "deploy": "yarn build && wrangler deploy" ``` ## Expected behavior `vinext deploy` should respect the project's package manager (detect via lockfile: `yarn.lock` → yarn, `pnpm-lock.yaml` → pnpm, `package-lock.json` → npm). It should not run `npm install` in a Yarn or pnpm project. See also: #109
BreizhHardware commented 2026-05-06 12:36:48 +02:00
Author
Owner
Copy link

@solracnyc commented on GitHub (Feb 28, 2026):

We run a pnpm workspace monorepo and had to bypass vinext deploy because of workspace:* compatibility with npm-based install behavior.

Our reliable path has been:

vinext build
wrangler deploy --name <worker-name>

This has been stable for us on Cloudflare Workers with vinext ~0.0.15.

+1 on package-manager detection. PR #187 improves hints, but the core deploy behavior still appears to rely on npm install.

Happy to validate a candidate fix against our pnpm workspace app if that would be helpful.

<!-- gh-comment-id:3977414024 --> @solracnyc commented on GitHub (Feb 28, 2026): We run a pnpm workspace monorepo and had to bypass `vinext deploy` because of `workspace:*` compatibility with npm-based install behavior. Our reliable path has been: ```bash vinext build wrangler deploy --name <worker-name> ``` This has been stable for us on Cloudflare Workers with vinext ~0.0.15. +1 on package-manager detection. PR #187 improves hints, but the core deploy behavior still appears to rely on `npm install`. Happy to validate a candidate fix against our pnpm workspace app if that would be helpful.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
alt/prerender-rsc-sidechannel
codex/pages-router-suite-main
claude/dev-socket-emit-patch
james/wip-agent-test
codex/fix-wrangler-suspense-streaming
hrushikesh/add-semgrep-oss-workflow
fix/preload-link-header-uses-served-url
fix/isr-always-mark-dynamic-with-searchparams
fix/strip-set-cookie-from-app-route-isr-cache-clean
fix/app-pages-fallback-sees-middleware-overrides-v2
opencode/misty-river
opencode/calm-meadow
codex/pages-router-cjs-node-modules
codex/refresh-ai-docs-vp-vite8
fix/suspense-flash-navigation-639
fix/issue-589
fix/route-handler-dynamic-detection-v3
fix/route-handler-dynamic-detection-v2
fix/route-handler-dynamic-detection
opencode/quiet-nebula
fix/include-query-in-route-handler-isr-key
fix/block-dangerous-uri-schemes
fix/use-post-middleware-context-for-headers
opencode/playful-mountain
opencode/quiet-sailor
feat/payload-cms-fixture
feat/static-prerender-build
opencode/cosmic-knight
fix/isr-stream-tee-no-double-render
codex/wrangler-auth-ux
docs/update-contributing
improve/vitest-workspace-split
feat/auto-pr-review
docs/skills-field-learnings
feat/nuqs-e2e-clean
feat/next-font-implementation
fix/rsc-navigation-credentials
chonky-list
fix/cli-version
ci/commit-version-bump
ci/publish-chat-notification
opencode/mighty-mountain
fix/rsc-optimizedeps-react-server
v0.0.49
v0.0.48
v0.0.47
v0.0.46
v0.0.45
v0.0.44
v0.0.43
v0.0.42
v0.0.41
v0.0.40
v0.0.39
v0.0.38
v0.0.37
v0.0.36
v0.0.35
v0.0.34
v0.0.33
v0.0.32
v0.0.31
v0.0.30
v0.0.29
v0.0.28
v0.0.27
v0.0.26
v0.0.25
v0.0.24
v0.0.23
v0.0.22
v0.0.21
v0.0.20
v0.0.19
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
Labels
Clear labels   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
nextjs-tracking

   
nextjs-tracking

   
pull-request
Mirrored from GitHub Pull Request

No labels
enhancement
enhancement
good first issue
help wanted
nextjs-tracking
nextjs-tracking
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vinext#44
No description provided.