Skip to content

Add globalOnlyBuiltDependencies support for PNPM 10.x #5523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 3 commits into from
Closed

Add globalOnlyBuiltDependencies support for PNPM 10.x #5523

Copilot wants to merge 3 commits into from
+83 −0

Conversation

Copy link
Contributor

Copilot AI commented Dec 28, 2025
edited
Loading

PNPM 10.x disables lifecycle scripts by default for security. The onlyBuiltDependencies setting provides an allowlist of packages permitted to run build scripts.

Changes

Configuration

  • Added globalOnlyBuiltDependencies property to PnpmOptionsConfiguration
  • Added JSON schema definition with PNPM 10.1.0+ requirement note
  • Updated rush-init template with documentation

Runtime

  • Write globalOnlyBuiltDependencies to common/temp/package.json as pnpm.onlyBuiltDependencies
  • Version guard warns if PNPM < 10.1.0 and setting is used
  • Implementation in InstallHelpers.ts mirrors globalNeverBuiltDependencies pattern

Testing

  • Added test case validating property loading
  • Test file: pnpm-config-onlyBuiltDependencies.json

Usage

// common/config/rush/pnpm-config.json
{
  "globalOnlyBuiltDependencies": [
    "esbuild",
    "@prisma/client"
  ]
}

Generates in common/temp/package.json:

{
  "pnpm": {
    "onlyBuiltDependencies": ["esbuild", "@prisma/client"]
  }
}

Notes

  • Setting applies to common/temp/package.json, not pnpm-workspace.yaml
  • Works with useWorkspaces: false configurations
  • Inverse of globalNeverBuiltDependencies (denylist vs allowlist)
Original prompt

Background

Issue #5235 requests PNPM 10.x support. In PNPM 10, lifecycle scripts (e.g., postinstall) of dependencies are disabled by default for security. The onlyBuiltDependencies setting is an allowlist that specifies which dependencies are permitted to run build scripts.

PNPM documentation: https://pnpm.io/package_json#pnpmonlybuiltdependencies

Requirements

Add support for globalOnlyBuiltDependencies in pnpm-config.json to allow Rush users to specify which dependencies are allowed to run build scripts when using PNPM 10.x.

IMPORTANT: Implementation Location

The setting should be written to common/temp/package.json's pnpm field (NOT to pnpm-workspace.yaml). This is consistent with how neverBuiltDependencies is already handled in InstallHelpers.ts, and ensures it works for Rush repos that don't have pnpm workspaces enabled (useWorkspaces: false).

Implementation Details

1. Update libraries/rush-lib/src/logic/pnpm/PnpmOptionsConfiguration.ts

Add to IPnpmOptionsJson interface (around line 116, after globalNeverBuiltDependencies):

/**
 * {@inheritDoc PnpmOptionsConfiguration.globalOnlyBuiltDependencies}
 */
globalOnlyBuiltDependencies?: string[];

Add public readonly property to PnpmOptionsConfiguration class (after globalNeverBuiltDependencies property, around line 366):

/**
 * The `globalOnlyBuiltDependencies` setting specifies an allowlist of dependencies that are permitted
 * to run build scripts (`preinstall`, `install`, `postinstall`). In PNPM 10.x, build scripts are
 * disabled by default for security. Use this setting to explicitly permit specific packages to run
 * their build scripts. This is the inverse of `globalNeverBuiltDependencies`.
 *
 * The settings are copied into the `pnpm.onlyBuiltDependencies` field of the `common/temp/package.json`
 * file that is generated by Rush during installation.
 *
 * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
 *
 * PNPM documentation: https://pnpm.io/package_json#pnpmonlybuiltdependencies
 */
public readonly globalOnlyBuiltDependencies: string[] | undefined;

Initialize in constructor (after globalNeverBuiltDependencies initialization, around line 470):

this.globalOnlyBuiltDependencies = json.globalOnlyBuiltDependencies;

2. Update libraries/rush-lib/src/schemas/pnpm-config.schema.json

Add after globalNeverBuiltDependencies (around line 151):

"globalOnlyBuiltDependencies": {
  "description": "This field specifies an allowlist of dependencies that are permitted to run build scripts (preinstall, install, postinstall). In PNPM 10.x, build scripts are disabled by default for security. Use this setting to explicitly permit specific packages to run their build scripts. This is the inverse of \"globalNeverBuiltDependencies\".\n\n(SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)\n\nPNPM documentation: https://pnpm.io/package_json#pnpmonlybuiltdependencies",
  "type": "array",
  "items": {
    "description": "Specify package name of the dependency allowed to run build scripts",
    "type": "string"
  }
},

3. Update libraries/rush-lib/src/logic/installManager/InstallHelpers.ts

Update the ICommonPackageJson interface (around line 28) to add:

onlyBuiltDependencies?: typeof PnpmOptionsConfiguration.prototype.globalOnlyBuiltDependencies;

In the generateCommonPackageJson method, after the globalNeverBuiltDependencies block (around line 77), add:

if (pnpmOptions.globalOnlyBuiltDependencies) {
  if (
    rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&
    semver.lt(rushConfiguration.rushConfigurationJson.pnpmVersion, '10.1.0')
  ) {
    terminal.writeWarningLine(
      Colorize.yellow(
        `Your version of pnpm (${rushConfiguration.rushConfigurationJson.pnpmVersion}) ` +
          `doesn't support the "globalOnlyBuiltDependencies" field in ` +
          `${rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename}. ` +
          'Remove this field or upgrade to pnpm 10.1.0 or newer.'
      )
    );
  }

  commonPackageJson.pnpm.onlyBuiltDependencies = pnpmOptions.globalOnlyBuiltDependencies;
}

4. Update template file libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json

Add documentation after the globalNeverBuiltDependencies section (around line 310):

/**
 * The `globalOnlyBuiltDependencies` setting specifies an allowlist of dependencies that are permitted
 * to run build scripts (`preinstall`, `install`, `postinstall`). In PNPM 10.x, build scripts are
 * disabled by default for security. Use this setting to explicitly permit specific packages to run
 * their build scripts. This is the inverse of `globalNeverBuiltDependencies`.
 *
 * The settings are copied into the `pnpm.onlyBuiltDependencies` field of the `common/temp/package.json`
 * file that is generated by Rush during installation.
 *
 * (SUPPORTED ONLY IN PNPM 10.1.0 AN...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

@github-project-automation github-project-automation bot moved this to Needs triage in Bug Triage Dec 28, 2025
Copilot AI changed the title [WIP] Add support for globalOnlyBuiltDependencies in pnpm-config.json Add globalOnlyBuiltDependencies support for PNPM 10.x Dec 28, 2025
Copilot AI requested a review from iclanton December 28, 2025 19:36
@iclanton
Copy link
Member

iclanton commented Dec 28, 2025

Duplicate of #5522

@iclanton iclanton marked this as a duplicate of #5522 Dec 28, 2025
@iclanton iclanton closed this Dec 28, 2025
@github-project-automation github-project-automation bot moved this from Needs triage to Closed in Bug Triage Dec 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iclanton iclanton Awaiting requested review from iclanton iclanton is a code owner

@octogonz octogonz Awaiting requested review from octogonz octogonz will be requested when the pull request is marked ready for review octogonz is a code owner

@apostolisms apostolisms Awaiting requested review from apostolisms apostolisms will be requested when the pull request is marked ready for review apostolisms is a code owner

@D4N14L D4N14L Awaiting requested review from D4N14L D4N14L will be requested when the pull request is marked ready for review D4N14L is a code owner

@dmichon-msft dmichon-msft Awaiting requested review from dmichon-msft dmichon-msft will be requested when the pull request is marked ready for review dmichon-msft is a code owner

Assignees

@iclanton iclanton

Copilot code review Copilot

Labels

None yet

Projects

Bug Triage
Status: Closed

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iclanton