pnpm lockedVersion should come from importers, not packages

[rarkins]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

None

Was this something which used to work for you, and then stopped?

I am trying to get this working for the first time

Describe the bug

Renovate gets lockedVersion wrong for some pnpm packages, which results in confused PRs as described in #22375

Instead of iterating through the packages section of the pnpm lock file, Renovate needs to iterate through the importers section instead

Relevant debug logs

Logs

            "currentValue": "^5.1.1",
            "currentVersion": "7.1.1",
            "datasource": "npm",
            "depName": "execa",
            "depType": "devDependencies",
            "fixedVersion": "7.1.1",
            "isSingleVersion": false,
            "lockedVersion": "7.1.1",

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction in the description above

[viceice]

you forgot the link to the reproduction 🙃

[rarkins]

yarn start --dry-run=lookup renovate-reproductions/22375

[rarkins]

@RahulGautamSingh do you have time to take over https://github.com/renovatebot/renovate/tree/fix/22382-pnpm-lock-importers ?

[RahulGautamSingh]

Yes on it.

[rarkins]

I think it's working but please test it and then tests need updating

[RahulGautamSingh]

Is it necessary that there always be importers? I tried on replit and got no importers for simple repos.

[rarkins]

Please check the pnpm definitions. The current approach seems wrong

[viceice]

We need to check the different lockfile versions. maybe that importers are only available since a specific version.

[RahulGautamSingh]

Fields in pnpm-lock.yaml for:
i. Normal Repo
ii. Monorepo

We need to care for lockfile-version>=5 since we only update pnpm-lock.yaml. And according to this comment by the maintainer the formatting of the v5 and v6 should be almost same.

Which means for monorepos we need to look in importers section and for normal repos we need to look either in packages or dependencies section. I would prefer dependencies since it willl be smaller in size than packages.

[RahulGautamSingh]

Lockfile Version <=5 / 5.3 and 6 have different formatting which is still not updated in the official docs. Here is a comment confirming this

6.0

lockfileVersion: '6.0'

importers:

  .:
    dependencies:
      chalk:
        specifier: 1.1.0
        version: 1.1.0
      pnpm:
        specifier: ^8.5.1
        version: 8.5.1

  package-a:
    dependencies:
      dotenv:
        specifier: ^9.0.2
        version: 9.0.2

5.3

lockfileVersion: 5.3

importers:

  .:
    specifiers:
      chalk: 1.1.0
      pnpm: ^6.2.0
    dependencies:
      chalk: 1.1.0
      pnpm: 6.35.1

  package-a:
    specifiers:
      dotenv: ^9.0.2
    dependencies:
      dotenv: 9.0.2