Change Request: Migrate Build install to Corepack standalone

[MikeMcC399]

Repo's CI Environment

ESLint version: not used
@eslint/css version: HEAD
Node version: lts/* (currently 22.14.0)
npm version: 10.9.2
Operating System: ubuntu-latest / ubuntu-24.04

What problem do you want to solve?

In the workflow .github/workflows/ci-build-all-pm.yml the jobs:

• yarn-install
• pnpm-install

use the bundled version of Corepack from the Node.js LTS installation of actions/setup-node@v4.

The Node.js organization has decided to stop distributing the experimental Corepack module with future versions of Node.js. They have already taken steps to remove documentation from their website and since the release of Node.js v23.11.0 the Node.js latest API documentation page https://nodejs.org/docs/latest/api/ no longer lists Corepack. https://nodejs.org/docs/latest/api/corepack.html does however include a short statement "... Corepack itself will no longer be distributed with future versions of Node.js."

Independent of Node.js bundling, the npm module corepack continues to be available from the npm registry and can be directly installed from there.

What do you think is the correct solution?

In jobs using Corepack, install corepack using npm install -g corepack@latest to become independent from Node.js Corepack unbundling.

Participation

• I am willing to submit a pull request for this change.

Additional comments

In some ways this is not an urgently needed change. The workflow .github/workflows/ci-build-all-pm.yml is using Node.js lts/* and the next Node.js LTS activation switch is scheduled to be to Node.js 24.x in October 2025. Although the Node.js website documentation does not state this, the Node.js TSC voted to release Node.js 24.x with bundled Corepack. The follow-on LTS version 26.x one year later is intended to be the first LTS version without a bundled Corepack version.

Corepack is however currently not protected against npm registry key signing changes which caused pnpm installation failures in Jan 2025. Moving to install the latest version of Corepack from the npm registry, instead of relying on a bundled version, shortens the time to remediate key mismatch issues when these need a new release of Corepack, therefore the above proposed change already has advantages separate from the Node.js bundling issue.

[MikeMcC399]

Branch https://github.com/MikeMcC399/css/tree/ci/corepack-standalone is ready for a PR to implement this change request if approved.

[nzakas]

Thanks for reporting this and for the detailed information. My feeling is that it makes sense to have the CI system setup in the way that most closely mirrors actual user experience. If most people using pnpm will be using the bundled Corepack, then I think it makes sense for the CI system to do the same.

What do you think?

[MikeMcC399]

@nzakas

Many pnpm users transitioned to downloading Corepack directly from the npm registry after Corepack broke their installs completely in January 2025. You can see this if you view the download stats https://npm-stat.com/charts.html?package=corepack where the download numbers shot up by a factor of 10 in the week beginning Feb 2, 2025.

Yarn (Modern) users were unaffected and are probably still using the bundled Corepack version. The Yarn Modern docs do however now recommend installing from the npm registry https://yarnpkg.com/getting-started/install, but I would expect that only new users will read that, or ones having problem.

From my point of view we can leave this issue open and monitor the messaging from Node.js and Corepack during the next weeks as Node.js 24.x is released. At the moment, communication from Node.js is confused. It's unclear what message they are trying to bring over and how it will be interpreted by users. Will users stick with the bundled version of Corepack for as long as possible or will they migrate to npm install?

It's a good principle to try to mirror end-user setups. I do agree with that.

Anyway, at the latest, the workflow will need to be migrated in October 2026 when Node.js 26.x becomes the LTS version. Of course, a lot can happen between now and then 🙂

[nzakas]

Ah, thanks for the extra details. If most pnpm users are doing that and Yarn recommends it, then I think it makes sense to update the CI now. 👍

[MikeMcC399]

@nzakas

Ah, thanks for the extra details. If most pnpm users are doing that and Yarn recommends it, then I think it makes sense to update the CI now. 👍

On the principle of using the same installation method as users would use, and following the package manager's documentation, the installation method for pnpm in GitHub Actions should be changed to use the JavaScript GitHub Action pnpm/action-setup@v4 according to the documentation section https://pnpm.io/continuous-integration#github-actions.

The npm registry shows that the download numbers for pnpm are 10 times higher than the download numbers for corepack which suggests that most pnpm users are not employing Corepack. Unlike Yarn Modern, pnpm does not rely on Corepack. pnpm additionally introduced a setting managePackageManagerVersions which allows it to self-manage its own version for pnpm >=10.0.0.

I will submit separate PRs for pnpm and Yarn.

[nzakas]

This has been addressed by #107 and #108