[rush] Fix sync-back when dependencies move to devDependencies (#5811)

ericprestemon · Eric Prestemon · iclanton · web-flow · commit 3134980d467b · 2026-06-07T00:29:10.000Z
* [rush] Fix sync-back when dependencies move to devDependencies

'rush update' failed to sync back the corrected pnpm-lock.yaml when a dependency moved to devDependencies because
isWorkspaceProjectModifiedAsync would unconditionally fall through to the 'dependencies' section if a package was
missing from 'devDependencies'.

This fall-through is now gated on the new set regularDependencyNames to support legitimate dual-declarations while
correctly detecting when a dependency has been moved out of the 'dependencies' section.

* Update common/changes/@microsoft/rush/fix-rush-update-devDependency-sync_2026-05-29-12-00.json

Co-authored-by: Ian Clanton-Thuon &lt;iclanton@users.noreply.github.com&gt;

* Update common/changes/@microsoft/rush/fix-rush-update-devDependency-sync_2026-05-29-12-00.json

Co-authored-by: Ian Clanton-Thuon &lt;iclanton@users.noreply.github.com&gt;

---------

Co-authored-by: Eric Prestemon &lt;eric.prestemon@users.noreply.github.com&gt;
Co-authored-by: Ian Clanton-Thuon &lt;iclanton@users.noreply.github.com&gt;
diff --git a/common/changes/@microsoft/rush/fix-rush-update-devDependency-sync_2026-05-29-12-00.json b/common/changes/@microsoft/rush/fix-rush-update-devDependency-sync_2026-05-29-12-00.json
@@ -0,0 +1,11 @@
+{
+  "changes": [
+    {
+      "comment": "Fix `rush update` not syncing `pnpm-lock.yaml` when a workspace dependency moves from `dependencies` to `devDependencies`.",
+      "type": "patch",
+      "packageName": "@microsoft/rush"
+    }
+  ],
+  "packageName": "@microsoft/rush",
+  "email": "ericprestemon@users.noreply.github.com"
+}
diff --git a/libraries/rush-lib/src/logic/pnpm/PnpmShrinkwrapFile.ts b/libraries/rush-lib/src/logic/pnpm/PnpmShrinkwrapFile.ts
@@ -1124,6 +1124,8 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
       const importerDevDependencies: Set<string> = new Set(Object.keys(importer.devDependencies ?? {}));
       const importerDependenciesMeta: Set<string> = new Set(Object.keys(importer.dependenciesMeta ?? {}));
 
+      const regularDependencyNames: Set<string> = new Set(dependencyList.map(({ name }) => name));
+
       for (const { dependencyType, name, version } of allDependencies) {
         let isOptional: boolean = false;
         let specifierFromLockfile: IPnpmVersionSpecifier | undefined;
@@ -1148,6 +1150,10 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
               importerDevDependencies.delete(name);
               break;
             }
+            // If not a peer and not also a regular dependency, the lockfile is stale.
+            if (!isOptional && !regularDependencyNames.has(name)) {
+              return true;
+            }
             // If fall through, there is a chance the package declares an inconsistent version, ignore it.
             isDevDepFallThrough = true;
           }
diff --git a/libraries/rush-lib/src/logic/pnpm/test/PnpmShrinkwrapFile.test.ts b/libraries/rush-lib/src/logic/pnpm/test/PnpmShrinkwrapFile.test.ts
@@ -487,6 +487,22 @@ snapshots:
         ).resolves.toBe(false);
       });
 
+      it('can detect a devDependency that is still listed under dependencies in the importer', async () => {
+        // Regression: moving a dep from dependencies to devDependencies should be detected as modified.
+        const project = getMockRushProject();
+        const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
+          `${__dirname}/yamlFiles/pnpm-lock-v9/stale-dev-in-dependencies.yaml`,
+          project.rushConfiguration.defaultSubspace
+        );
+        await expect(
+          pnpmShrinkwrapFile.isWorkspaceProjectModifiedAsync(
+            project,
+            project.rushConfiguration.defaultSubspace,
+            undefined
+          )
+        ).resolves.toBe(true);
+      });
+
       it('sha1 integrity can be handled when disallowInsecureSha1', async () => {
         const project = getMockRushProject();
         const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
diff --git a/libraries/rush-lib/src/logic/pnpm/test/yamlFiles/pnpm-lock-v9/stale-dev-in-dependencies.yaml b/libraries/rush-lib/src/logic/pnpm/test/yamlFiles/pnpm-lock-v9/stale-dev-in-dependencies.yaml
@@ -0,0 +1,37 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+  .: {}
+
+  ../../apps/foo:
+    dependencies:
+      tslib:
+        specifier: ~2.3.1
+        version: 2.3.1
+      typescript:
+        specifier: ~5.0.4
+        version: 5.0.4
+
+packages:
+  tslib@2.3.1:
+    resolution:
+      {
+        integrity: sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==
+      }
+
+  typescript@5.0.4:
+    resolution:
+      {
+        integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==
+      }
+    engines: { node: '>=12.20' }
+    hasBin: true
+
+snapshots:
+  tslib@2.3.1: {}
+
+  typescript@5.0.4: {}
