fix: also declare pnpm build-script policy in package.json #7525

Merged
JohnMcLear merged 1 commit into develop from fix/pnpm-config-in-package-json
Apr 16, 2026

@JohnMcLear
Member

Summary

PR #7523 moved the build-script allowlist into `pnpm-workspace.yaml`, which is the modern location. But some pnpm versions / setups still read these settings from `package.json` only — and plugin CI is hitting that case: `ERR_PNPM_IGNORED_BUILDS` is back even though `pnpm-workspace.yaml` correctly lists `esbuild` under `onlyBuiltDependencies` and `@scarf/scarf` under `ignoredBuiltDependencies`.

Mirror the same configuration into `package.json`'s `"pnpm"` field. Whichever location pnpm reads, it now finds the policy.

Verified locally that a fresh `pnpm install` (with store pruned) still:

  • runs esbuild's `postinstall` (downloads native binary)
  • silently skips `@scarf/scarf`'s `postinstall` (telemetry)
  • exits 0 (no `ERR_PNPM_IGNORED_BUILDS`)

Generated with Claude Code

Some pnpm versions don't read onlyBuiltDependencies / ignoredBuiltDependencies
from pnpm-workspace.yaml — leaving CI on plugin repos to fail with
ERR_PNPM_IGNORED_BUILDS even after #7523 added the workspace.yaml entries.

Mirror the same configuration into package.json's "pnpm" field, which is
the older (and more widely supported) location. The two files are kept in
sync; whichever pnpm version reads the values picks them up from one or
the other.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@qodo-free-for-open-source-projects

Review Summary by Qodo

Mirror pnpm build-script policy to package.json for compatibility

🐞 Bug fix


Walkthroughs

Description
• Mirror pnpm build-script policy from workspace.yaml to package.json
• Ensures compatibility with pnpm versions that only read package.json
• Fixes ERR_PNPM_IGNORED_BUILDS errors in plugin CI environments
• Allows esbuild postinstall while silently skipping @scarf/scarf telemetry
Diagram
flowchart LR
  A["pnpm-workspace.yaml<br/>onlyBuiltDependencies<br/>ignoredBuiltDependencies"]
  B["package.json<br/>pnpm field"]
  C["pnpm versions<br/>read config"]
  A -- "mirrored to" --> B
  B -- "compatible with" --> C

File Changes

1. package.json 🐞 Bug fix +9/-1

Add pnpm build-script policy configuration

• Added pnpm configuration object to package.json root level
• Declared onlyBuiltDependencies array containing esbuild
• Declared ignoredBuiltDependencies array containing @scarf/scarf
• Mirrors existing configuration from pnpm-workspace.yaml for broader compatibility

package.json



qodo-free-for-open-source-projects bot commented Apr 16, 2026

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (1)   📎 Requirement gaps (0)
🐞 ⚙ Maintainability (1)
📘 ☼ Reliability (1)

Action required

1. No regression test for pnpm policy 📘
Description
This PR fixes ERR_PNPM_IGNORED_BUILDS behavior by changing package.json pnpm configuration but
does not add/update any automated regression test to prevent the issue from reoccurring. Without a
test that fails when this change is reverted, the bug can silently return in future config
refactors.
Code

package.json[R54-60]

+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ],
+    "ignoredBuiltDependencies": [
+      "@scarf/scarf"
+    ]
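Review bot: The `"esbuild"` entry under `onlyBuiltDependencies` is a bare package name, so the grant to run its install script follows esbuild through every future version bump rather than the version reviewed today. Consider having CI install with `--frozen-lockfile` so the esbuild that executes its `postinstall` is the one pinned in the committed lockfile, and record in the workspace file or contributor docs why this package needs its script.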
Evidence
PR Compliance ID 1 requires a regression test for bug fixes; the diff shows only a configuration
change in package.json to address the pnpm build-script policy, with no accompanying test changes
in the PR-provided diff.

package.json[54-60]
Best Practice: Repository guidelines

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A bug fix was made to pnpm build-script policy configuration, but there is no automated regression test that would fail if the fix were reverted.

## Issue Context
The change mirrors `onlyBuiltDependencies` / `ignoredBuiltDependencies` into `package.json` to avoid `ERR_PNPM_IGNORED_BUILDS` in environments where pnpm reads policy only from `package.json`.

## Fix Focus Areas
- package.json[54-60]


Remediation recommended

2. Pnpm policy drift risk 🐞
Description
The build-script allow/ignore policy is now duplicated in both package.json and pnpm-workspace.yaml,
so a future change that updates only one file can reintroduce install failures (e.g.,
ERR_PNPM_IGNORED_BUILDS) or unintentionally change which dependency postinstalls run.
Code

package.json[R53-61]

+  "license": "Apache-2.0",
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ],
+    "ignoredBuiltDependencies": [
+      "@scarf/scarf"
+    ]
+  }
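Review bot: The `"pnpm"` block added after `"license"` cannot carry a comment, since package.json is plain JSON, so nothing here tells a later editor that `onlyBuiltDependencies` and `ignoredBuiltDependencies` are also declared in `pnpm-workspace.yaml`. Because these lists decide which dependency install scripts execute, put the keep-in-sync note on the YAML side and add a CI check that fails when the two copies differ.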
Evidence
The same pnpm keys/values are defined in two different config locations; there is no in-repo
mechanism/documentation tying them together, so they can become inconsistent over time.

package.json[51-61]
pnpm-workspace.yaml[7-13]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The pnpm build policy is duplicated in `package.json` and `pnpm-workspace.yaml`. Without an explicit note or a consistency check, it’s easy for a future edit to update only one file and break installs/CI or alter which dependency build scripts run.

### Issue Context
Both files currently define the same `onlyBuiltDependencies` and `ignoredBuiltDependencies` lists.

### Fix Focus Areas
- pnpm-workspace.yaml[7-13]
- package.json[51-61]

### Suggested fix
- Add an explicit comment in `pnpm-workspace.yaml` stating that these lists must be mirrored in the root `package.json` for compatibility and must be kept in sync.
- (Optional but stronger) Add a small CI/script check that asserts the two lists are identical (parse `package.json` + `pnpm-workspace.yaml` and fail if they differ).
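
One way to write the consistency check suggested above, which can also act as the regression test asked for in the first finding. This is an added example, not part of the PR or the bot's review; the function names, the line-based YAML reader and the sample file contents are assumptions, since the workspace file itself is not shown on this page.

```javascript
// Added example: report drift between the two copies of the pnpm build-script policy.
const POLICY_KEYS = ['onlyBuiltDependencies', 'ignoredBuiltDependencies'];

// Minimal reader for top-level block lists ("key:" then "- item" lines).
// Assumption: the policy is written in that style; flow lists or anchors
// need a real YAML parser instead.
function readYamlLists(text, keys) {
  const out = Object.fromEntries(keys.map((k) => [k, []]));
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, '').trimEnd();
    if (!line.trim() || line.startsWith('#')) continue;
    const top = /^([A-Za-z0-9_-]+):\s*(.*)$/.exec(line);
    if (top) {
      current = keys.includes(top[1]) ? top[1] : null;
      if (current && top[2]) throw new Error(`${current}: expected a block list`);
      continue;
    }
    const item = /^\s*-\s+(.+)$/.exec(line);
    if (current && item) out[current].push(item[1].replace(/^['"]|['"]$/g, ''));
  }
  return out;
}

// Compare both declarations as sets; return one message per mismatch.
function policyDrift(packageJsonText, workspaceYamlText) {
  const fromJson = JSON.parse(packageJsonText).pnpm || {};
  const fromYaml = readYamlLists(workspaceYamlText, POLICY_KEYS);
  const problems = [];
  for (const key of POLICY_KEYS) {
    const a = new Set(fromJson[key] || []);
    const b = new Set(fromYaml[key]);
    for (const n of a) if (!b.has(n)) problems.push(`${key}: ${n} only in package.json`);
    for (const n of b) if (!a.has(n)) problems.push(`${key}: ${n} only in pnpm-workspace.yaml`);
  }
  return problems;
}

// Constructed inputs carrying the lists named in the PR ("packages: - src" is made up).
const samplePackageJson = JSON.stringify({
  pnpm: { onlyBuiltDependencies: ['esbuild'], ignoredBuiltDependencies: ['@scarf/scarf'] },
});
const sampleWorkspaceYaml = ['packages:', '  - src', 'onlyBuiltDependencies:', '  - esbuild',
  'ignoredBuiltDependencies:', "  - '@scarf/scarf'"].join('\n');

const found = policyDrift(samplePackageJson, sampleWorkspaceYaml);
if (found.length) { console.error(found.join('\n')); process.exitCode = 1; }
```

In CI, pass the real file contents read from the repository root instead of the samples. A policy missing from either file shows up as every entry being reported on one side only.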


Comment thread package.json
Comment on lines +54 to +60
"pnpm": {
"onlyBuiltDependencies": [
"esbuild"
],
"ignoredBuiltDependencies": [
"@scarf/scarf"
]

Action required

1. No regression test for pnpm policy 📘 Rule violation ☼ Reliability

This PR fixes ERR_PNPM_IGNORED_BUILDS behavior by changing package.json pnpm configuration but
does not add/update any automated regression test to prevent the issue from reoccurring. Without a
test that fails when this change is reverted, the bug can silently return in future config
refactors.
Agent Prompt
## Issue description
A bug fix was made to pnpm build-script policy configuration, but there is no automated regression test that would fail if the fix were reverted.

## Issue Context
The change mirrors `onlyBuiltDependencies` / `ignoredBuiltDependencies` into `package.json` to avoid `ERR_PNPM_IGNORED_BUILDS` in environments where pnpm reads policy only from `package.json`.

## Fix Focus Areas
- package.json[54-60]


@JohnMcLear JohnMcLear merged commit 58c8e26 into develop Apr 16, 2026
36 checks passed
@JohnMcLear JohnMcLear deleted the fix/pnpm-config-in-package-json branch April 16, 2026 13:42
JohnMcLear added a commit that referenced this pull request Apr 16, 2026
Plugin CI is still failing on ERR_PNPM_IGNORED_BUILDS even with the
build-script policy declared in both pnpm-workspace.yaml (#7523) and
package.json (#7525). pnpm's strict-dep-builds defaults to true in 10+,
so any transitive dep with an unrecognized postinstall fails the build.

For etherpad-lite — and especially for downstream plugin repos that
pull this codebase as their core install — that's a footgun: the moment
some new transitive ships a postinstall, every plugin's CI explodes.

Set strictDepBuilds: false in pnpm-workspace.yaml AND
strict-dep-builds=false in .npmrc as a defensive layer, so unknown
postinstalls become a warning instead of a hard failure. The
allow/ignore lists still control what actually runs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>