Install pnpm via buildpack dependency

dr460nf1r3 · dr460nf1r3 · commit 1a1b7ee2b330 · 2026-01-31T14:04:10.000+01:00
diff --git a/manifest.yml b/manifest.yml
@@ -114,4 +114,13 @@ dependencies:
   - cflinuxfs3
   source: https://github.com/yarnpkg/yarn/releases/download/v1.22.22/yarn-v1.22.22.tar.gz
   source_sha256: 88268464199d1611fcf73ce9c0a6c4d44c7d5363682720d8506f6508addf36a0
+- name: pnpm
+  version: 10.28.2
+  uri: https://github.com/pnpm/pnpm/releases/download/v10.28.2/pnpm-linux-x64
+  sha256: 9f38396f660cd3b1f71e0b0af0b7ba22dd1fd446dc37840a1b6a025868557390
+  cf_stacks:
+  - cflinuxfs4
+  - cflinuxfs3
+  source: https://github.com/pnpm/pnpm/archive/refs/tags/v10.28.2.tar.gz
+  source_sha256: f5078e3376b449ee18842fce49d3c26db2f04d164b0da674b40234ee8d4db583
 pre_package: scripts/build.sh
diff --git a/src/nodejs/supply/supply.go b/src/nodejs/supply/supply.go
@@ -502,7 +502,7 @@ func (s *Supplier) NoPackageLockTip() error {
 		}
 
 		if s.IsVendored {
-			s.Log.Protip("Warning: package-lock.json not found. The buildpack may reach out to the internet to download module updates, even if they are vendored.", "https://docs.cloudfoundry.org/buildpacks/node/index.html#offline_environments")
+			s.Log.Protip(fmt.Sprintf("Warning: %s not found. The buildpack may reach out to the internet to download module updates, even if they are vendored.", strings.Join(lockFiles, " or ")), "https://docs.cloudfoundry.org/buildpacks/node/index.html#offline_environments")
 		}
 	}
 
@@ -853,31 +853,70 @@ func (s *Supplier) InstallPNPM() error {
 		return nil
 	}
 
-	installTarget := "pnpm"
+	versions := s.Manifest.AllDependencyVersions("pnpm")
+	selectedVersion := ""
 	if s.PNPMVersion != "" {
-		// Basic security validation for version string to prevent command injection
-		// Allow digits, dots, 'v' prefix, alphabetic tags (beta, rc), hyphens, and asterisk.
-		validVersion := regexp.MustCompile(`^[v0-9a-zA-Z\.\-\*]+$`)
-		if !validVersion.MatchString(s.PNPMVersion) {
-			s.Log.Warning("Invalid pnpm version specified in package.json: '%s'. Ignoring and using default.", s.PNPMVersion)
-		} else {
-			installTarget = "pnpm@" + s.PNPMVersion
+		matchedVersion, err := libbuildpack.FindMatchingVersion(s.PNPMVersion, versions)
+		if err != nil {
+			return fmt.Errorf("package.json requested %s, buildpack only includes pnpm version %s", s.PNPMVersion, strings.Join(versions, ", "))
+		}
+		selectedVersion = matchedVersion
+	} else {
+		if len(versions) == 0 {
+			return fmt.Errorf("no versions of pnpm found")
 		}
+		if len(versions) > 1 {
+			return fmt.Errorf("pnpm version not specified and more than one version available: %s", strings.Join(versions, ", "))
+		}
+		selectedVersion = versions[0]
+	}
+
+	pnpmInstallDir := filepath.Join(s.Stager.DepDir(), "pnpm")
+	if err := s.Installer.InstallOnlyVersion("pnpm", pnpmInstallDir); err != nil {
+		return err
 	}
 
-	s.Log.Info("Installing %s via npm...", installTarget)
+	binDir := filepath.Join(pnpmInstallDir, "bin")
+	pnpmBin := filepath.Join(binDir, "pnpm")
 
-	nodeDir := filepath.Join(s.Stager.DepDir(), "node")
-	npmArgs := []string{"install", "--unsafe-perm", "--quiet", "-g", installTarget, "--prefix", nodeDir, "--userconfig", filepath.Join(s.Stager.BuildDir(), ".npmrc")}
-	if err := s.Command.Execute(s.Stager.BuildDir(), s.Log.Output(), s.Log.Output(), "npm", npmArgs...); err != nil {
-		s.Log.Error("Unable to install pnpm: %s", err.Error())
+	if exists, err := libbuildpack.FileExists(pnpmBin); err != nil {
+		return err
+	} else if !exists {
+		entry, err := s.Manifest.GetEntry(libbuildpack.Dependency{Name: "pnpm", Version: selectedVersion})
+		if err != nil {
+			return err
+		}
+		candidate := filepath.Join(pnpmInstallDir, filepath.Base(entry.URI))
+		candidateExists, err := libbuildpack.FileExists(candidate)
+		if err != nil {
+			return err
+		}
+		if !candidateExists {
+			return fmt.Errorf("pnpm binary not found after install")
+		}
+		if err := os.MkdirAll(binDir, 0755); err != nil {
+			return err
+		}
+		if err := os.Rename(candidate, pnpmBin); err != nil {
+			return err
+		}
+		if err := os.Chmod(pnpmBin, 0755); err != nil {
+			return err
+		}
+	}
+
+	if err := s.Stager.LinkDirectoryInDepDir(binDir, "bin"); err != nil {
 		return err
 	}
 
-	if err := s.Stager.LinkDirectoryInDepDir(filepath.Join(nodeDir, "bin"), "bin"); err != nil {
+	buffer := new(bytes.Buffer)
+	if err := s.Command.Execute(s.Stager.BuildDir(), buffer, buffer, "pnpm", "--version"); err != nil {
 		return err
 	}
 
+	pnpmVersion := strings.TrimSpace(buffer.String())
+	s.Log.Info("Installed pnpm %s", pnpmVersion)
+
 	return nil
 }
 
diff --git a/src/nodejs/supply/supply_test.go b/src/nodejs/supply/supply_test.go
@@ -38,6 +38,7 @@ var _ = Describe("Supply", func() {
 		mockCommand     *MockCommand
 		installNode     func(libbuildpack.Dependency, string)
 		installOnlyYarn func(string, string)
+		installOnlyPNPM func(string, string)
 	)
 
 	BeforeEach(func() {
@@ -91,6 +92,14 @@ var _ = Describe("Supply", func() {
 			Expect(err).To(BeNil())
 		}
 
+		installOnlyPNPM = func(_ string, pnpmDir string) {
+			err := os.MkdirAll(filepath.Join(pnpmDir, "bin"), 0755)
+			Expect(err).To(BeNil())
+
+			err = os.WriteFile(filepath.Join(pnpmDir, "bin", "pnpm"), []byte("pnpm exe"), 0644)
+			Expect(err).To(BeNil())
+		}
+
 		args := []string{buildDir, cacheDir, depsDir, depsIdx}
 		stager := libbuildpack.NewStager(args, logger, &libbuildpack.Manifest{})
 
@@ -689,36 +698,72 @@ var _ = Describe("Supply", func() {
 	})
 
 	Describe("InstallPNPM", func() {
-		Context("pnpm version is not set", func() {
-			It("installs latest pnpm via npm", func() {
-				supplier.UsePNPM = true
+		var pnpmInstallDir string
 
-				// Mock corepack check failure to fallback to npm
-				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(), "corepack", "enable").Return(fmt.Errorf("not found"))
+		BeforeEach(func() {
+			pnpmInstallDir = filepath.Join(depsDir, depsIdx, "pnpm")
+		})
 
-				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(),
-					"npm", "install", "--unsafe-perm", "--quiet", "-g", "pnpm",
-					"--userconfig", filepath.Join(buildDir, ".npmrc")).Return(nil)
+		Context("pnpm version is unset", func() {
+			BeforeEach(func() {
+				mockInstaller.EXPECT().InstallOnlyVersion("pnpm", pnpmInstallDir).Do(installOnlyPNPM).Return(nil)
 
+				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(), "pnpm", "--version").Do(func(_ string, buffer io.Writer, _ io.Writer, _ string, _ ...string) {
+					buffer.Write([]byte("10.28.2\n"))
+				}).Return(nil)
+			})
+
+			It("installs the only version in the manifest", func() {
+				supplier.UsePNPM = true
+				supplier.PNPMVersion = ""
 				err = supplier.InstallPNPM()
 				Expect(err).To(BeNil())
+				Expect(buffer.String()).To(ContainSubstring("Installed pnpm 10.28.2"))
 			})
-		})
 
-		Context("pnpm version is set", func() {
-			It("installs requested pnpm version via npm", func() {
+			It("creates a symlink in <depDir>/bin", func() {
 				supplier.UsePNPM = true
+				err = supplier.InstallPNPM()
+				Expect(err).To(BeNil())
 
-				// Mock corepack check failure to fallback to npm
-				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(), "corepack", "enable").Return(fmt.Errorf("not found"))
+				link, err := os.Readlink(filepath.Join(depsDir, depsIdx, "bin", "pnpm"))
+				Expect(err).To(BeNil())
+				Expect(link).To(Equal("../pnpm/bin/pnpm"))
+			})
+		})
 
-				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(),
-					"npm", "install", "--unsafe-perm", "--quiet", "-g", "pnpm@1.2.3",
-					"--userconfig", filepath.Join(buildDir, ".npmrc")).Return(nil)
+		Context("requested pnpm version is in manifest", func() {
+			BeforeEach(func() {
+				versions := []string{"10.28.2"}
+				mockManifest.EXPECT().AllDependencyVersions("pnpm").Return(versions)
+				mockInstaller.EXPECT().InstallOnlyVersion("pnpm", pnpmInstallDir).Do(installOnlyPNPM).Return(nil)
 
-				supplier.PNPMVersion = "1.2.3"
+				mockCommand.EXPECT().Execute(buildDir, gomock.Any(), gomock.Any(), "pnpm", "--version").Do(func(_ string, buffer io.Writer, _ io.Writer, _ string, _ ...string) {
+					buffer.Write([]byte("10.28.2\n"))
+				}).Return(nil)
+			})
+
+			It("installs the correct version from the manifest", func() {
+				supplier.UsePNPM = true
+				supplier.PNPMVersion = "10.28.x"
 				err = supplier.InstallPNPM()
 				Expect(err).To(BeNil())
+				Expect(buffer.String()).To(ContainSubstring("Installed pnpm 10.28.2"))
+			})
+		})
+
+		Context("requested pnpm version is not in manifest", func() {
+			BeforeEach(func() {
+				versions := []string{"10.28.2"}
+				mockManifest.EXPECT().AllDependencyVersions("pnpm").Return(versions)
+			})
+
+			It("returns an error", func() {
+				supplier.UsePNPM = true
+				supplier.PNPMVersion = "9.0.x"
+				err = supplier.InstallPNPM()
+				Expect(err).ToNot(BeNil())
+				Expect(err.Error()).To(Equal("package.json requested 9.0.x, buildpack only includes pnpm version 10.28.2"))
 			})
 		})
 
