Copilot AI commented Dec 28, 2025

PNPM 10.x disables build scripts by default for security. This adds globalOnlyBuiltDependencies to allow Rush users to specify an allowlist of packages permitted to run lifecycle scripts.

Changes

  • PnpmOptionsConfiguration: Added globalOnlyBuiltDependencies property that reads from pnpm-config.json
  • PnpmWorkspaceFile: Added setOnlyBuiltDependencies() method and serialization to write onlyBuiltDependencies field to pnpm-workspace.yaml
  • WorkspaceInstallManager: Wired up the setting with version check warning for PNPM < 10.1.0
  • Schema & Template: Added JSON schema definition and documented example in template pnpm-config.json

Usage

In common/config/rush/pnpm-config.json:

{
  "globalOnlyBuiltDependencies": [
    "esbuild",
    "playwright",
    "@swc/core"
  ]
}

Generates in pnpm-workspace.yaml:

onlyBuiltDependencies:
  - esbuild
  - playwright
  - '@swc/core'
packages:
  - ...

This is the inverse of globalNeverBuiltDependencies - it specifies which packages can run scripts rather than which cannot.

Original prompt

Background

Issue #5235 requests PNPM 10.x support. In PNPM 10, lifecycle scripts (e.g., postinstall) of dependencies are disabled by default for security. The onlyBuiltDependencies setting is an allowlist that specifies which dependencies are permitted to run build scripts.

PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies

Requirements

Add support for globalOnlyBuiltDependencies in pnpm-config.json to allow Rush users to specify which dependencies are allowed to run build scripts when using PNPM 10.x.

Implementation Details

1. Update libraries/rush-lib/src/logic/pnpm/PnpmOptionsConfiguration.ts

  • Add globalOnlyBuiltDependencies?: string[] to the IPnpmOptionsJson interface (around line 116, following the pattern of globalNeverBuiltDependencies)
  • Add a public readonly property globalOnlyBuiltDependencies: string[] | undefined to the PnpmOptionsConfiguration class with JSDoc documentation explaining:
    • This is the inverse of globalNeverBuiltDependencies
    • It specifies an allowlist of dependencies that are permitted to run build scripts
    • This is required for PNPM 10.x where build scripts are disabled by default
    • Reference PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies
    • Note: SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER
  • Initialize the property in the constructor from json.globalOnlyBuiltDependencies

2. Update libraries/rush-lib/src/schemas/pnpm-config.schema.json

  • Add schema definition for globalOnlyBuiltDependencies as an array of strings, similar to globalNeverBuiltDependencies:
"globalOnlyBuiltDependencies": {
  "description": "This field allows specifying which dependencies are permitted to run build scripts (preinstall, install, postinstall). In PNPM 10.x, build scripts are disabled by default for security. Use this allowlist to explicitly permit specific packages to run their build scripts.\n\n(SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)\n\nPNPM documentation: https://pnpm.io/settings#onlybuiltdependencies",
  "type": "array",
  "items": {
    "description": "Specify package name of the dependency allowed to run build scripts",
    "type": "string"
  }
}

3. Update libraries/rush-lib/src/logic/pnpm/PnpmWorkspaceFile.ts

  • Update the IPnpmWorkspaceYaml interface to include onlyBuiltDependencies?: string[]
  • Add a private field _onlyBuiltDependencies: string[] | undefined
  • Add a public method setOnlyBuiltDependencies(deps: string[] | undefined): void similar to setCatalogs()
  • Update the serialize() method to include onlyBuiltDependencies in the output YAML when set

4. Update libraries/rush-lib/src/logic/installManager/InstallHelpers.ts

  • This setting goes to pnpm-workspace.yaml, not package.json, so no changes needed here.

5. Find where the workspace file is generated and pass globalOnlyBuiltDependencies

  • Search for where PnpmWorkspaceFile is instantiated and setCatalogs is called
  • Add a similar call to setOnlyBuiltDependencies(pnpmOptions.globalOnlyBuiltDependencies)
  • Add a version check warning if PNPM version < 10.1.0 and globalOnlyBuiltDependencies is set

6. Update template/documentation files

  • Update libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json with documentation and example for the new setting (add after globalNeverBuiltDependencies section)

7. Add tests

  • Add a test case in libraries/rush-lib/src/logic/pnpm/test/PnpmOptionsConfiguration.test.ts similar to the neverBuiltDependencies test
  • Create a test JSON file libraries/rush-lib/src/logic/pnpm/test/jsonFiles/pnpm-config-onlyBuiltDependencies.json
  • Add workspace file tests in libraries/rush-lib/src/logic/pnpm/test/PnpmWorkspaceFile.test.ts for the new setOnlyBuiltDependencies functionality

8. Update API review file

  • The common/reviews/api/rush-lib.api.md file will need to be updated to reflect the new public API

Notes

  • The pattern should follow existing settings like globalNeverBuiltDependencies and globalCatalogs
  • onlyBuiltDependencies should be written to pnpm-workspace.yaml (like catalogs) because that's where PNPM 10.x expects workspace-level settings
  • Include appropriate version checking with warnings for users on older PNPM versions

This pull request was created from Copilot chat.
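Added example, not rush-lib's own code: a sketch of the pnpm-config.json to pnpm-workspace.yaml mapping described above, together with the PNPM 10.1.0 minimum-version check. The function names and the sample configuration are hypothetical and constructed for illustration.

```typescript
// Added example (not rush-lib's own code): emit a globalOnlyBuiltDependencies
// allowlist from pnpm-config.json as the onlyBuiltDependencies block of
// pnpm-workspace.yaml, and warn when the PNPM in use predates 10.1.0.
// All names below are hypothetical, not the project's actual API.

interface IPnpmOptionsJson {
  globalOnlyBuiltDependencies?: string[];
}

// Constructed sample of common/config/rush/pnpm-config.json
const samplePnpmConfig: IPnpmOptionsJson = {
  globalOnlyBuiltDependencies: ['esbuild', 'playwright', '@swc/core'],
};

// YAML reserves a leading '@', so scoped package names must be quoted;
// plain names can stay bare, matching the YAML shown in the description.
function yamlScalar(value: string): string {
  return /^[A-Za-z0-9_.\-\/]+$/.test(value) ? value : `'${value.replace(/'/g, "''")}'`;
}

// Render the onlyBuiltDependencies block; returns '' when the allowlist
// is absent so the field is simply omitted from the workspace file.
function emitOnlyBuiltDependencies(json: IPnpmOptionsJson): string {
  const deps = json.globalOnlyBuiltDependencies;
  if (!deps || deps.length === 0) return '';
  return ['onlyBuiltDependencies:', ...deps.map((d) => `  - ${yamlScalar(d)}`)].join('\n') + '\n';
}

// True when "major.minor.patch[-prerelease]" is at least 10.1.0, the first
// PNPM release the description says honours this setting.
function pnpmSupportsOnlyBuiltDependencies(pnpmVersion: string): boolean {
  const [major, minor] = pnpmVersion.split('-')[0].split('.').map(Number);
  return major > 10 || (major === 10 && minor >= 1);
}

// Warning a WorkspaceInstallManager-style caller could surface: the allowlist
// is configured, but an older PNPM would silently ignore it and keep every
// dependency's lifecycle scripts disabled.
function onlyBuiltDependenciesWarning(json: IPnpmOptionsJson, pnpmVersion: string): string | undefined {
  if (json.globalOnlyBuiltDependencies && !pnpmSupportsOnlyBuiltDependencies(pnpmVersion)) {
    return `globalOnlyBuiltDependencies is set but PNPM ${pnpmVersion} ignores onlyBuiltDependencies (requires >= 10.1.0)`;
  }
  return undefined;
}
```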

Copilot AI and others added 2 commits December 28, 2025 03:57
Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>
Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for globalOnlyBuiltDependencies in pnpm-config.json Add globalOnlyBuiltDependencies support for PNPM 10.x Dec 28, 2025
Copilot AI requested a review from iclanton December 28, 2025 04:10