Node.js LTS rollout of minimum Corepack 0.31.0?

[MikeMcC399]

Issue

New releases of pnpm and npm signed with the new npm "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U" published to https://registry.npmjs.org/-/npm/v1/keys cannot be installed with the version of Corepack currently distributed with Node.js LTS versions without using workarounds.

For instance,

corepack install -g pnpm@9

executed using Node.js 22.13.1 Active LTS (with bundled corepack@0.30.0) on Ubuntu 24.04.1 LTS results in the error "Cannot find matching keyid":

$ corepack install -g pnpm@9
Installing pnpm@9.15.5...
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}

• The same problem can be expected to affect any new releases of Yarn Modern aka berry. Yarn v1 Classic is frozen, but could also be affected if security fixes are released.

• Also older releases of pnpm are currently affected. See Please don't make error of fetching latest version information if packageManager field is specified. #625.

Request

Please clarify if minimum corepack@0.31.0 will be rolled out to Node.js Maintenance and Active LTS status versions 18.x, 20.x and 22.x.

Note: corepack@0.31.0 is already rolled out in the Current Node.js 23.7.0 version.

Related

• Newly published versions of package managers distributed from npm cannot be installed due to key id mismatch #612
• Safeguards for keyid mismatch #616

Workaround

In some situations it is possible to follow the README > Manual Installs section and execute the following to pull in a corrected version of Corepack with updated keys from https://registry.npmjs.org/-/npm/v1/keys:

npm install -g corepack@0.31.0

Status

• Node.js 18.x (Maintenance LTS)
• Node.js 20.x (Maintenance LTS)
• Node.js 22.x (Active LTS)

[MikeMcC399]

Current bundled Corepack versions for supported Node.js versions are:

Node.js	Corepack
v18.20.6	0.29.4
v20.18.2	0.29.4
v22.13.1	0.30.0
v23.7.0	0.31.0

[MikeMcC399]

• v20.18.3 proposal node#56699 plans to update to include
  • deps: update corepack to 0.30.0 node#55977 not
  • deps: update corepack to 0.31.0 node#56795

Edit: feedback says it is too late for this release unfortunately

[richardlau]

Corepack 0.31.0 should make it's way into Node.js LTS eventually. The default general policy is for things to be in a current release (i.e. at this time Node.js 23) for two weeks before being eligible for LTS. Node.js 23.7.0 just came out last week (30 Jan), so normally we'd be looking at this being eligible for LTS releases after the end of next week.

cc @nodejs/releasers

[MikeMcC399]

@richardlau

Corepack 0.31.0 should make it's way into Node.js LTS eventually. The default general policy is for things to be in a current release (i.e. at this time Node.js 23) for two weeks before being eligible for LTS. Node.js 23.7.0 just came out last week (30 Jan), so normally we'd be looking at this being eligible for LTS releases after the end of next week.

Thank you very much for filling me in on the release processes! I know what to expect now.

[stevebeauge]

Why can't one simply update corepack itself?

I can run npm install -g corepack@latest. It will install the latest version of corepack. It won't work however (at least on windows), because C:\Program Files\nodejs (which contains corepack executable) appears in the PATH env before C:\Users\myuser\AppData\Roaming\npm.

Is there any hard link between nodejs and corepack ?

[MikeMcC399]

@stevebeauge

Why can't one simply update corepack itself?

I can run npm install -g corepack@latest. It will install the latest version of corepack. It won't work however (at least on windows), be cause C:\Program Files\nodejs (which contains corepack executable) appears in the PATH env before C:\Users\myuser\AppData\Roaming\npm.

Is there any hard link between nodejs and corepack ?

I've been able to update Corepack on Windows 11. I suggest you open a separate issue for your problem as it probably depends on how you have installed Node.js and other environment parameters.