[Bug]: running pnpm from rules_js has non deterministic outcomes since pnpm relies on npm on the user path

[Aghassi]

What happened?

We foud that if you use bazel run -- @pnpm//:pnpm info <package> --verbose, you will see what version of node and what version of npm is being used. The version of npm used is derived from the user's PATH instead of from the sandbox. node however is safe as it's part of js_binary. The reason this is problematic is that npm is what may or may not have a hand in determining the integrity field in the lockfile. If you have npm version drift you can end up in a state where users are getting different integrity SHAs in the lockfile based on the response from the registry.

To reproduce you can simply do the following:

1. Install nvm https://github.com/nvm-sh/nvm
2. nvm install 16 && nvm use 16
3. bazel run -- @pnpm//:pnpm info react --verbose
4. nvm install 18 && nvm use 18
5. bazel run -- @pnpm//:pnpm info react --verbose

Notice that between runs the path in this output will change. In my case, you can see I have npm from node 16 installed on my path when my monorepo uses node 18

npm verb cli /private/var/tmp/_bazel_davidaghassi/30b12e6784b9304c95faa3f4506c5839/execroot/rh/bazel-out/darwin_arm64-fastbuild/bin/external/pnpm/pnpm.sh.runfiles/rh/../pnpm/pnpm_node_bin/node /Users/davidaghassi/.nvm/versions/node/v16.18.0/bin/npm
npm info using npm@8.19.2
npm info using node@v18.18.2

Thanks to @joeljeske for helping me pin point and debug this. This may be related to this issue we are seeing too pnpm/pnpm#7419 (comment)

Version

Development (host) and target OS/architectures:

Output of bazel --version:
6.4.0

Version of the Aspect rules, or other relevant rules from your
WORKSPACE or MODULE.bazel file:
rules_js: 1.39.1

Language(s) and/or frameworks involved:

How to reproduce

See above

Any other information?

No response

[jbedard]

Notes:

• See https://github.com/pnpm/pnpm/blob/442d97daad425c9bc923c12889d5b1ccee154992/pnpm/src/runNpm.ts#L6