Node.js LTS rollout of minimum Corepack 0.31.0? #627

MikeMcC399 opened this issue Feb 3, 2025 · 10 comments
@MikeMcC399
Contributor

MikeMcC399 commented Feb 3, 2025

Issue

New releases of pnpm and npm signed with the new npm "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U" published to https://registry.npmjs.org/-/npm/v1/keys cannot be installed with the version of Corepack currently distributed with Node.js LTS versions without using workarounds.

For instance,

corepack install -g pnpm@9

executed using Node.js 22.13.1 Active LTS (with bundled corepack@0.30.0) on Ubuntu 24.04.1 LTS results in the error "Cannot find matching keyid":

$ corepack install -g pnpm@9
Installing pnpm@9.15.5...
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}

The same problem can be expected to affect any new releases of Yarn Modern aka berry. Yarn v1 Classic is frozen, but could also be affected if security fixes are released.

Request

Please clarify if minimum corepack@0.31.0 will be rolled out to Node.js Maintenance and Active LTS status versions 18.x, 20.x and 22.x.

Note: corepack@0.31.0 is already rolled out in the Current Node.js 23.7.0 version.

Related

Workaround

In some situations it is possible to follow the README > Manual Installs section and execute the following to pull in a corrected version of Corepack with updated keys from https://registry.npmjs.org/-/npm/v1/keys:

npm install -g corepack@0.31.0
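
The failure mode reported above, as an added example (not Corepack's own code and not part of the original post): a verifier that pins registry keys fails closed when a signature carries a keyid it does not know, and verifies once the pinned list includes the new key. The key pairs, keyids and package data are constructed, and the signed-message layout `name@version:integrity` is an assumption.

```javascript
// Added illustration, not Corepack's source. Keys, keyids and package data are constructed.
const crypto = require('node:crypto');

// A registry-style key entry (same fields as in the error output) plus its private half.
function makeKey(keyid) {
  // prime256v1 is NIST P-256, matching the "ecdsa-sha2-nistp256" keytype.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const key = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { privateKey, entry: { expires: null, keyid, keytype: 'ecdsa-sha2-nistp256', scheme: 'ecdsa-sha2-nistp256', key } };
}

// Assumption: the signed message is "name@version:integrity".
const message = (pkg) => Buffer.from(`${pkg.name}@${pkg.version}:${pkg.integrity}`);

// Registry side: a DER-encoded ECDSA signature published together with the signer's keyid.
function sign(pkg, signer) {
  const sig = crypto.sign('sha256', message(pkg), signer.privateKey).toString('base64');
  return [{ sig, keyid: signer.entry.keyid }];
}

// Client side: look the keyid up in the locally pinned keys and fail closed if it is unknown.
function verifySignature(pkg, signatures, pinnedKeys) {
  const signature = signatures.find((s) => pinnedKeys.some((k) => k.keyid === s.keyid));
  if (!signature) {
    throw new Error(`Cannot find matching keyid: ${JSON.stringify({ signatures, keys: pinnedKeys })}`);
  }
  const pinned = pinnedKeys.find((k) => k.keyid === signature.keyid);
  const publicKey = crypto.createPublicKey({ key: Buffer.from(pinned.key, 'base64'), format: 'der', type: 'spki' });
  if (!crypto.verify('sha256', message(pkg), publicKey, Buffer.from(signature.sig, 'base64'))) {
    throw new Error('Signature does not match');
  }
  return signature.keyid;
}

// Reduce a verification attempt to a short label for comparison.
function outcome(pkg, signatures, pinnedKeys) {
  try { verifySignature(pkg, signatures, pinnedKeys); return 'verified'; }
  catch (err) { return err.message.split(':')[0]; }
}

const oldKey = makeKey('SHA256:constructed-old-key');
const newKey = makeKey('SHA256:constructed-new-key');
const pkg = { name: 'pnpm', version: '0.0.0-example', integrity: 'sha512-constructed' };
const signatures = sign(pkg, newKey); // release signed after the key rotation

console.log(outcome(pkg, signatures, [oldKey.entry]));               // stale pinned keys
console.log(outcome(pkg, signatures, [oldKey.entry, newKey.entry])); // updated pinned keys
console.log(outcome({ ...pkg, integrity: 'sha512-tampered' }, signatures, [oldKey.entry, newKey.entry]));
```

The first case is the situation in this issue: the signature itself is valid, but the client's pinned key list predates the rotation, so updating the pinned keys is what restores verification.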
@MikeMcC399
Contributor Author

Current bundled Corepack versions for supported Node.js versions are:

| Node.js | Corepack |
| --- | --- |
| v18.20.6 | 0.29.4 |
| v20.18.2 | 0.29.4 |
| v22.13.1 | 0.30.0 |
| v23.7.0 | 0.31.0 |

@richardlau
Member

Corepack 0.31.0 should make its way into Node.js LTS eventually. The default general policy is for things to be in a current release (i.e. at this time Node.js 23) for two weeks before being eligible for LTS. Node.js 23.7.0 just came out last week (30 Jan), so normally we'd be looking at this being eligible for LTS releases after the end of next week.

cc @nodejs/releasers

@MikeMcC399
Contributor Author

@richardlau

> Corepack 0.31.0 should make its way into Node.js LTS eventually. The default general policy is for things to be in a current release (i.e. at this time Node.js 23) for two weeks before being eligible for LTS. Node.js 23.7.0 just came out last week (30 Jan), so normally we'd be looking at this being eligible for LTS releases after the end of next week.

Thank you very much for filling me in on the release processes! I know what to expect now.

@stevebeauge

stevebeauge commented Feb 3, 2025

Why can't one simply update corepack itself?

I can run npm install -g corepack@latest. It will install the latest version of corepack. It won't work however (at least on Windows), because C:\Program Files\nodejs (which contains corepack executable) appears in the PATH env before C:\Users\myuser\AppData\Roaming\npm.

Is there any hard link between nodejs and corepack?

@MikeMcC399
Contributor Author

@stevebeauge

> Why can't one simply update corepack itself?
>
> I can run npm install -g corepack@latest. It will install the latest version of corepack. It won't work however (at least on Windows), because C:\Program Files\nodejs (which contains corepack executable) appears in the PATH env before C:\Users\myuser\AppData\Roaming\npm.
>
> Is there any hard link between nodejs and corepack?

I've been able to update Corepack on Windows 11. I suggest you open a separate issue for your problem as it probably depends on how you have installed Node.js and other environment parameters.

@reconbot

reconbot commented Feb 6, 2025

While one can update corepack, this breaks all installs on CI servers that use LTS, even if they use the latest version of LTS (like on GitHub Actions), until this bubbles down to being installed by default. This will be a significant amount of failures.

EDIT: it does look like we're working to prevent this from happening in the future #616

I don't know if it's possible to make an exception on waiting for release as this is a large impact.

@MikeMcC399
Contributor Author

@reconbot

  • In some cases it's possible to update Corepack on top of a Node.js LTS installation. It looks like a lot of users are working around it like this at the moment judging by postings in the https://github.com/pnpm/pnpm/issues list.

  • I mentioned some of the delays in Saveguards for keyid mismatch #616 (comment). It's not just a question of Node.js picking up the Corepack version, but then often the next stage in the supply chain, like GitHub Actions or Docker images, needs to pick this up as well. There probably isn't a one-size-fits-all solution at the moment.

@MikeMcC399
Contributor Author

MikeMcC399 commented Feb 7, 2025

@stevebeauge

  • See How to corepack self update? #305 (comment) if you installed Node.js on Windows using an msi package. You need to disable the msi Corepack feature before attempting to install a newer version of Corepack using npm, otherwise they clash.

Edit: This is now added to the Manual installs section of the README document.

xtexx added a commit to AOSC-Dev/aosc-os-abbs that referenced this issue Feb 8, 2025
This resolves the same error as in PR 9597 for nodejs 20.x, updating
Corepack's pinned registry public keys.

Patch 1 (update corepack to 0.30.0) is included in
nodejs v20.18.3 proposal and should be removed in the next nodejs
update.
Patch 2 (update to 0.31.0) is not included in that proposal and should
be removed after two new nodejs 20.x releases.

Link: nodejs/node#56699
Link: nodejs/corepack#627
Link: https://github.com/nodejs/corepack/releases/tag/v0.31.0
Link: https://github.com/nodejs/corepack/releases/tag/v0.30.0
Link: nodejs/node@f7131cf
Link: nodejs/node@63c1859
Link: nodejs/node#55977
Link: nodejs/node#56795
Link: #9597
Backport-of: f7131cf178231f578f1da2aa7ff52a427c953b98
Backport-of: 64ee8a025815553af30d9d273e2f2d07a5eb83ea
Reviewed-by: xtex <xtex@aosc.io>
Signed-off-by: xtex <xtex@aosc.io>
MingcongBai pushed a commit to AOSC-Dev/aosc-os-abbs that referenced this issue Feb 9, 2025
@MikeMcC399
Contributor Author

Corepack Download stats give some indication of the impact that the currently bundled versions of Corepack are having. There is a ten-fold increase in downloads at this time.
