Skip to content

Nx doesn't use appropriate package manager for provenance check #35815

Open
Bug
Open
Nx doesn't use appropriate package manager for provenance check#35815
Bug
Labels
type: bug
@marcebdev

Description

@marcebdev
marcebdev
opened on May 28, 2026

Current Behavior

Pretty straightforward it seems nx uses npm for the provenance check when doing e.g. yarn nx migrate latest this does not align with assigning a packageManager in package.json or when you're more strictly using the newer devEngines.packageManager

Expected Behavior

The correct package manager should always be used

GitHub Repo

No response

Steps to Reproduce

  1. add something like the following to package.json
  "devEngines": {
    "packageManager": {
      "name": "yarn",
      "version": "4.15.0",
      "onFail": "error"
    },
  },
  1. run yarn nx migrate latest, it will fail due to trying to call npm

Nx Report

Node           : 26.2.0
OS             : darwin-arm64
Native Target  : aarch64-macos
yarn           : 4.15.0
daemon         : Available

nx                     : 22.5.2
@nx/js                 : 22.5.2
@nx/eslint             : 22.5.2
@nx/workspace          : 22.5.2
@nx/jest               : 22.5.2
@nx/detox              : 22.5.2
@nx/devkit             : 22.5.2
@nx/eslint-plugin      : 22.5.2
@nx/expo               : 22.5.2
@nx/module-federation  : 22.5.2
@nx/react              : 22.5.2
@nx/rollup             : 22.5.2
@nx/vite               : 22.5.2
@nx/vitest             : 22.5.2
@nx/web                : 22.5.2
typescript             : 5.9.3
---------------------------------------
Registered Plugins:
@nx/js/typescript
@nx/expo/plugin
---------------------------------------
Cache Usage: 0.00 B / 46.04 GB

Failure Logs

ProvenanceError: An error occurred while checking the provenance of nx@latest. This could indicate a security risk. Please double check https://www.npmjs.com/package/nx to see if the package is published correctly or file an issue at https://github.com/nrwl/nx/issues. To disable this check at your own risk, you can set the NX_SKIP_PROVENANCE_CHECK environment variable to true. 
 Error: Command failed: npm view nx@latest --json --silent

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bug

    Type

    Bug

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions