Workspace updates cause version drift in pnpm-lock.yaml

[NfNitLoop]

We're gradually converting a big-ball-of-code into a pnpm workspace with separate, interdependent packages. We're using catalogs so that our packages depend on the same versions of dependencies.

A common task is to:

• add a new entry to packages in pnpm-workspace.yaml
• Update that package's package.json to add dependencies. (Using catalog:, so always using dependency version specifiers that are already in use by other packages.)
• pnpm install to set up node_modules correctly for the workspace packages.

However, often that pnpm install will end up changing dozens or hundreds of lines in the pnpm-lock.yaml file, bumping up transitive dependency versions for no reason I can discern.

I don't know of a way to work around this.

pnpm install --frozen-lockfile doesn't work, because I've just made an update to the workspace, so the lockfile isn't up-to-date.

In the most recent case, I found that tslib had been upgraded from 2.6.2 to 2.8.1. Again, I haven't added new dependencies to the repo, I've just added a new package.json that references versions already in catalog: and used by other packages.

I tried adding an "overrides" entry for it, to lock it back down to =2.6.2, but (after a git checkout pnpm-lock.yaml & pnpm install), that introduced diffs downgrading a lot of instances from 2.8.1 to 2.6.2. i.e.: unbeknownst to me, we had previously been running with mixed versions. (tangent: Does dependency resolution not dedupe these by default? Do I have to run pnpm dedupe after every pnpm install?)

I tried setting resolutionMode to lowest-direct and time-based, but neither caused pnpm install to change the lockfile.

[renanmpn]

I'm having the same issue. Does anyone have a solution?