Dependency Management Conflict with Deno 'npm:' Imports

When using v0.dev to generate and commit code for a Next.js project that includes Supabase Edge Functions utilizing Deno’s npm: import syntax (e.g., npm:square), v0.dev incorrectly adds these npm: prefixed dependencies to the main project’s package.json file. This leads to pnpm install failures during Vercel builds due to ERR_PNPM_OUTDATED_LOCKFILE and 404 Not Found errors, requiring manual intervention outside of v0.dev.

2. Detailed Description:

Our project structure involves a Next.js application (managed by pnpm) and a Supabase Edge Function (written in TypeScript/Deno).

The Supabase Edge Function correctly imports an npm module using Deno’s specific syntax:

import { SquareClient } from “npm:square@22.0.0”

The Problematic Behavior:

When v0.dev is used to generate or modify code and then commit directly to GitHub, it appears to scan the entire project for dependencies. In doing so, it incorrectly identifies the Deno npm: import and adds it as a regular dependency entry in the root package.json of the Next.js project.

Example of package.json after v0.dev’s commit:

“dependencies”: {
// … other valid Next.js dependencies
“npm:square”: “22.0.0”, // <— This line is incorrectly added by v0.dev
// …
}

This npm: prefix is not valid syntax for dependencies within a standard Node.js package.json file. Consequently, when Vercel attempts to build the project using pnpm install --frozen-lockfile, it encounters two errors:

• ERR_PNPM_OUTDATED_LOCKFILE: Because v0.dev adds the dependency to package.json but does not regenerate and commit a corresponding pnpm-lock.yaml that includes this (invalid) entry.
• GET https://registry.npmjs.org/npm%3Asquare: Not Found - 404: Because pnpm attempts to find a package literally named “npm:square” in the npm registry, which does not exist.

This forces developers to manually intervene in a separate environment (like GitHub Codespaces) to:

1. Remove the invalid “npm:square”: “22.0.0” line from package.json.
2. Delete pnpm-lock.yaml and node_modules.
3. Run pnpm install to regenerate a clean pnpm-lock.yaml.
4. Commit and push these changes to GitHub.

This manual step is required every time v0.dev makes a new commit that triggers this behavior, disrupting the CI/CD pipeline and user workflow.

3. Steps to Reproduce:

4. Start a new Next.js project in v0.dev (or open an existing one).

5. Create a Supabase Edge Function file (e.g., supabase/functions/my-function/index.ts or create-square-payment/index.ts) within the project structure.

6. In the Edge Function file, add a Deno npm: import, e.g.:
   import { SomeClient } from “npm:some-npm-package@latest” (or specifically npm:square@22.0.0).

7. Make a small change in v0.dev that triggers a commit to GitHub (e.g., modify a component, then use v0.dev’s “Deploy” or “Commit” feature).

8. Observe the package.json file in the GitHub repository after the v0.dev commit – the npm: prefixed dependency will likely be incorrectly added to its dependencies section.

9. Attempt to deploy this commit via Vercel.

10. The Vercel build will fail with ERR_PNPM_OUTDATED_LOCKFILE and a 404 Not Found error for the npm: prefixed package.

11. Expected Behavior:

v0.dev should:

• Ignore Deno npm: imports when processing the main Next.js project’s package.json for dependency management. These are specific to the Deno runtime and should not be treated as Node.js dependencies.
• Alternatively, if it must process them, it should do so in a way that is compatible with Node.js package managers (e.g., by converting them to standard npm package names if the package is truly used by the Node.js part of the app, which is unlikely for an Edge Function SDK).
• Ensure that any changes it makes to package.json are always accompanied by a correctly regenerated and committed pnpm-lock.yaml (or package-lock.json/yarn.lock) to maintain synchronization and prevent OUTDATED_LOCKFILE errors.

5. Actual Behavior:

v0.dev adds npm: prefixed dependencies from Edge Functions to the root package.json in an invalid format, and does not synchronize the pnpm-lock.yaml, causing Vercel builds to fail.

6. Impact:

• Breaks CI/CD pipelines (Vercel builds fail).
• Requires frequent, manual intervention (editing package.json, deleting lockfile, running pnpm install, committing) outside of v0.dev, negating the convenience of v0.dev’s direct commit feature.
• Causes confusion and frustration for developers.

Thank you for your time and consideration in addressing this limitation.

Hi there!

Can you share a chat example for us to dig into, please?

Here is the build log: Detected `pnpm-lock.yaml` 9 which may be generated by pnpm@9.x or pnpm@10.x
Using pnpm@10.x based on project creation date
To use pnpm@9.x, manually opt in using corepack (https://vercel.com/docs/deployments/configure-a-build#corepack)
Installing dependencies...
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/package.json
Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"
  Failure reason:
  specifiers in the lockfile don't match specifiers in package.json:
* 1 dependencies were added: npm:square@22.0.0
Error: Command "pnpm install" exited with 1

Here is my latest build log. The build log doesn’t show any attempts to fetch npm:square or any related 404 errors. The dependency was not added to the package.json file. Did Vercel make an update to resolve this issue? I can now deploy directly from v0.dev platform.

[11:11:38.391] Running build in Washington, D.C., USA (East) – iad1[11:11:38.391] Build machine configuration: 2 cores, 8 GB[11:11:38.420] Cloning github.com/ckck42/clausells (Branch: main, Commit: ee4aae3)[11:11:39.176] Cloning completed: 755.000ms[11:11:41.478] Restored build cache from previous deployment (6cJ2RoqR3ZrxScWk14waUPkLCjXQ)[11:11:45.983] Running “vercel build”[11:11:46.412] Vercel CLI 45.0.10[11:11:46.866] Detected pnpm-lock.yaml 9 which may be generated by pnpm@9.x or pnpm@10.x[11:11:46.866] Using pnpm@10.x based on project creation date[11:11:46.866] To use pnpm@9.x, manually opt in using corepack ()[11:11:46.885] Installing dependencies…[11:11:47.642] Lockfile is up to date, resolution step is skipped[11:11:47.747] Already up to date[11:11:48.134][11:11:48.135] ╭ Warning ─────────────────────────────────────────────────────────────────────╮[11:11:48.135] │                                                                              │[11:11:48.136] │   Ignored build scripts: sharp.                                              │[11:11:48.136] │   Run “pnpm approve-builds” to pick which dependencies should be allowed     │[11:11:48.136] │   to run scripts.                                                            │[11:11:48.136] │                                                                              │[11:11:48.136] ╰──────────────────────────────────────────────────────────────────────────────╯[11:11:48.137][11:11:48.167] Done in 1.1s using pnpm v10.14.0[11:11:48.178] Detected Next.js version: 15.2.4[11:11:48.189] Running “pnpm run build”[11:11:48.486][11:11:48.486] > my-v0-project@0.1.0 build /vercel/path0[11:11:48.486] > next build[11:11:48.486][11:11:49.346]    ▲ Next.js 15.2.4[11:11:49.347][11:11:49.424]    Creating an optimized production build …[11:11:56.570]  [webpack.cache.PackFileCacheStrategy] Serializing big strings (108kiB) impacts deserialization performance (consider using Buffer instead and decode when needed)[11:12:03.698]  ✓ Compiled successfully[11:12:03.703]    Skipping validation of types[11:12:03.703]    Skipping linting[11:12:03.971]    Collecting page data …[11:12:06.548]    Generating static pages (0/17) …[11:12:07.696]    Generating static pages (4/17)[11:12:07.697]    Generating static pages (8/17)[11:12:07.697]    Generating static pages (12/17)[11:12:07.697]  ✓ Generating static pages (17/17)[11:12:08.065]    Finalizing page optimization …[11:12:08.067]    Collecting build traces …[11:12:15.842][11:12:15.860] Route (app)                                 Size  First Load JS[11:12:15.861] ┌ ƒ /                                    7.41 kB         130 kB[11:12:15.861] ├ ƒ /_not-found                            974 B         102 kB[11:12:15.861] ├ ƒ /admin/users                         5.36 kB         126 kB[11:12:15.861] ├ ƒ /api/process-payment                   146 B         102 kB[11:12:15.861] ├ ƒ /auth/callback                       2.22 kB         153 kB[11:12:15.861] ├ ƒ /checkout                            13.6 kB         177 kB[11:12:15.861] ├ ƒ /contact                             13.1 kB         156 kB[11:12:15.862] ├ ƒ /cooking-classes                     5.58 kB         128 kB[11:12:15.862] ├ ƒ /login                               3.49 kB         115 kB[11:12:15.862] ├ ƒ /orders                                172 B         105 kB[11:12:15.862] ├ ƒ /orders/[orderId]                    5.35 kB         178 kB[11:12:15.862] ├ ƒ /products                              13 kB         137 kB[11:12:15.862] ├ ƒ /profile                             6.57 kB         161 kB[11:12:15.862] ├ ƒ /register                             3.6 kB         115 kB[11:12:15.863] ├ ƒ /reset-password                       3.4 kB         115 kB[11:12:15.863] └ ƒ /reset-password/confirm              5.81 kB         157 kB[11:12:15.863] + First Load JS shared by all             101 kB[11:12:15.863]   ├ chunks/8490244b-a23f41295b2413b3.js  53.2 kB[11:12:15.863]   ├ chunks/952-283bd17fdf23d2ec.js       46.3 kB[11:12:15.863]   └ other shared chunks (total)          1.92 kB[11:12:15.863][11:12:15.863][11:12:15.863] ƒ Middleware                             68.8 kB[11:12:15.863][11:12:15.865] ƒ  (Dynamic)  server-rendered on demand[11:12:15.865][11:12:16.004] Traced Next.js server files in: 71.033ms[11:12:16.158] Created all serverless functions in: 153.404ms[11:12:16.262] Collected static files (public/, static/, .next/static): 10.77ms[11:12:16.353] Build Completed in /vercel/output [30s][11:12:16.503] Deploying outputs…[11:12:27.227] Deployment completed[11:12:28.168] Creating build cache…