install scripts that run other scripts can cause an infinite loop with `verify-deps-before-run=install`

[RJWadley]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

10.0.0

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

https://github.com/RJWadley/pnpm-infinite-loop.git

Reproduction steps

using the reproduction

1. clone the reproduction: git clone https://github.com/RJWadley/pnpm-infinite-loop.git
2. enter the repo directory: cd ./pnpm-infinite-loop
3. run a pnpm install or pnpm cowsay
4. enjoy the show! to see it again, you'll need to delete the node_modules folder so that another install can be run.

more generally

1. set verify-deps-before-run=install
2. add at least one script and one package, so that we have a script to run and something to install
3. create a postinstall or preinstall that runs our script, for example: "preinstall": "pnpm run myscript"
4. run pnpm install

Describe the Bug

when we run a pnpm script and verify-deps-before-run=install an installation is performed. this is as expected.

however, if any pnpm script is run during this installation or as part of this installation, pnpm will attempt to trigger another installation, completely unaware that it's already in the middle of one. that second installation will do the same thing, and so will the third, fourth, etc.

we also get some interesting behavior with other values of verify-deps-before-run:
prompt: the user can opt-out of the infinite loop at any time
warn: every install logs a warning
error: every install throws an error

as a side note, this seems pretty similar to #8865 although I wasn't able to reproduce that one.

Expected Behavior

when an installation is in progress, verify-deps-before-run should always be treated as false
any other value doesn't really make sense - we're already in the middle of fixing the problem pnpm is telling us about

Which Node.js version are you using?

22.11.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

[KSXGitHub]

I can't reproduce the infinite loop on Linux.

I also took the precaution against this issue in particular by setting and checking an environment variable named pnpm_run_skip_deps_check. You can see it in shouldRunCheck.ts which is used by run.ts:

pnpm/exec/plugin-commands-script-runners/src/run.ts

Lines 202 to 204 in ab74e6a

	if (opts.verifyDepsBeforeRun && shouldRunCheck(process.env, scriptName)) {
	await runDepsStatusCheck(opts)
	}

Can you inspect this env in your machine?

[KSXGitHub]

Nevermind. It's reproducible with pnpm@10.0.0.

[KSXGitHub]

It's interesting that injecting printenv pnpm_run_skip_deps_check into the command would cause it to fails, this suggests that pnpm somehow unsets that variable.

[KSXGitHub]

So the problem appear because scriptName (which is params[0]) from run.handler is no longer "preinstall", instead, it was "cowsay".