fix: downgrade ERR_PNPM_IGNORED_BUILDS to a warning

[JohnMcLear]

Summary

Plugin CI is still failing on `ERR_PNPM_IGNORED_BUILDS` even with the build-script allowlist declared in both `pnpm-workspace.yaml` (#7523) and `package.json` (#7525) — every downstream plugin repo's backend tests now fail when running `bin/installDeps.sh` against `develop`.

The root cause: pnpm's `strict-dep-builds` defaults to `true` in 10.x, so any transitive dep with an unrecognized postinstall fails the install. That makes any new transitive landing in `pnpm-lock.yaml` a footgun for every plugin repo's CI.

Fix

Set the strict-mode setting to `false` in two places:

• `pnpm-workspace.yaml` → `strictDepBuilds: false` (the modern location)
• `.npmrc` → `strict-dep-builds=false` (the universally-supported location, in case some pnpm version doesn't read the workspace setting)

Unknown postinstalls now emit a warning instead of failing. The existing `onlyBuiltDependencies` (esbuild) and `ignoredBuiltDependencies` (@scarf/scarf) lists still control what actually runs.

Verified locally that a fresh `pnpm install` (with store pruned) still:

• runs esbuild's `postinstall`
• silently skips `@scarf/scarf`'s `postinstall`
• exits 0

Generated with Claude Code

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Downgrade ERR_PNPM_IGNORED_BUILDS to warning via pnpm config

🐞 Bug fix

Walkthroughs

Description

• Downgrade pnpm strict-dep-builds errors to warnings
• Add .npmrc configuration with strict-dep-builds=false
• Add strictDepBuilds: false to pnpm-workspace.yaml
• Prevent CI failures from unknown transitive dependency postinstall scripts

Diagram

flowchart LR
  A["Unknown postinstall scripts"] -->|Previously| B["ERR_PNPM_IGNORED_BUILDS failure"]
  A -->|Now| C["Warning only"]
  D[".npmrc: strict-dep-builds=false"] --> C
  E["pnpm-workspace.yaml: strictDepBuilds: false"] --> C
  C --> F["CI continues successfully"]

Loading

File Changes

1. .npmrc ⚙️ Configuration changes +1/-0

Add pnpm strict-dep-builds configuration

• New file created to configure pnpm behavior
• Sets strict-dep-builds=false to downgrade unknown postinstall errors to warnings
• Provides universal pnpm version compatibility as fallback configuration

.npmrc

---

2. pnpm-workspace.yaml ⚙️ Configuration changes +4/-0

Add strictDepBuilds false to workspace config

• Added strictDepBuilds: false setting to workspace configuration
• Complements existing onlyBuiltDependencies and ignoredBuiltDependencies lists
• Prevents CI failures when transitive dependencies have unrecognized postinstall scripts
• Includes explanatory comment about defensive layering approach

pnpm-workspace.yaml

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (2)   📎 Requirement gaps (0)

🐞\ ☼ Reliability (1)

📘\ ☼ Reliability (1) ⚙ Maintainability (1)

1. No regression test for pnpm config 📘 ☼

Description

This bug fix changes install behavior by disabling strict dependency builds, but the PR adds no
regression test to ensure ERR_PNPM_IGNORED_BUILDS remains downgraded to a warning in future
changes. Without a test, the strict mode could be re-enabled inadvertently and CI failures would
regress.

Code

pnpm-workspace.yaml[R14-17]

+# Belt-and-suspenders: even if a fresh transitive dep slips through with a
+# postinstall script, downgrade to a warning so CI doesn't break for
+# downstream plugin repos that pull etherpad-lite as their core install.
+strictDepBuilds: false

Evidence

PR Compliance ID 1 requires a regression test for bug fixes. The diff shows only configuration
changes (strict-dep-builds=false / strictDepBuilds: false) and no test additions, so the fix is
not protected against regression.

.npmrc[1-1]
pnpm-workspace.yaml[14-17]
Best Practice: Repository guidelines

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR changes pnpm install behavior by disabling strict dependency builds, but does not add a regression test that would fail if strict mode is re-enabled.

## Issue Context
The goal is to prevent future regressions where `ERR_PNPM_IGNORED_BUILDS` starts failing CI again. A regression test could validate that the repo’s install configuration keeps strict-dep-builds disabled (or that an install with a fixture postinstall does not fail).

## Fix Focus Areas
- .npmrc[1-1]
- pnpm-workspace.yaml[14-17]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Docker skips pnpm setting 🐞 ☼

Description

The PR adds strict-dep-builds=false in .npmrc, but the Docker production build stage never
copies .npmrc into the image and also overwrites pnpm-workspace.yaml, so the `pnpm --recursive
i invoked by bin/installDeps.sh` during the production image build will not see this new
configuration.

Code

.npmrc[1]

+strict-dep-builds=false

Evidence

.npmrc is where the PR sets strict-dep-builds=false, but Docker’s build stage only copies
pnpm-workspace.yaml and package.json (not .npmrc) before later stages run
bin/installDeps.sh. Additionally, the Docker production target replaces pnpm-workspace.yaml
with a minimal file that does not include the new strictDepBuilds: false key, and package.json
also does not define strictDepBuilds, leaving no in-image source for this setting in the
production build path. The GitHub Actions Docker workflow builds the production target, so this
path is exercised in CI.

.npmrc[1-1]
pnpm-workspace.yaml[14-17]
Dockerfile[121-126]
Dockerfile[174-178]
package.json[54-61]
bin/installDeps.sh[36-43]
.github/workflows/docker.yml[38-44]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR’s new pnpm config (`strict-dep-builds=false`) is stored in `.npmrc`, but the Docker production image build path does not include `.npmrc` in the image filesystem, so `pnpm` runs during `bin/installDeps.sh` won’t see the new setting.

## Issue Context
- Docker `production` target is used in CI (`.github/workflows/docker.yml`).
- The Docker `build` stage copies a small subset of files and currently omits `.npmrc`.
- The Docker `production` stage overwrites `pnpm-workspace.yaml`, which also removes the PR’s `strictDepBuilds: false` workspace fallback.

## Fix Focus Areas
- Dockerfile[121-126]
- Dockerfile[174-178]

## Suggested change
1) Update the selective `COPY` in the `build` stage to include `./.npmrc` so downstream stages inherit it.
2) (Optional belt-and-suspenders) When overwriting `pnpm-workspace.yaml` for production, include `strictDepBuilds: false` in the generated YAML as well, so the production target remains protected even if `.npmrc` handling changes later.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. No docs for strictDepBuilds change 📘 ⚙

Description

The PR changes project install behavior/configuration by setting strict-dep-builds=false /
strictDepBuilds: false, but does not update documentation describing dependency installation
expectations or troubleshooting. This can confuse downstream plugin developers/operators when
warnings vs failures change.

Code

pnpm-workspace.yaml[R14-17]

+# Belt-and-suspenders: even if a fresh transitive dep slips through with a
+# postinstall script, downgrade to a warning so CI doesn't break for
+# downstream plugin repos that pull etherpad-lite as their core install.
+strictDepBuilds: false

Evidence

PR Compliance ID 2 requires documentation updates when user/developer-facing behavior or
configuration changes. The diff introduces new pnpm configuration values that alter install-time
behavior, but no documentation changes are included in the PR diff.

.npmrc[1-1]
pnpm-workspace.yaml[14-17]
Best Practice: Repository guidelines

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR modifies pnpm configuration to downgrade strict dependency build failures to warnings, but does not document the new behavior or rationale.

## Issue Context
This affects how installs behave (warnings vs failures) and is relevant to downstream plugin repos and anyone troubleshooting CI/install issues.

## Fix Focus Areas
- .npmrc[1-1]
- pnpm-workspace.yaml[14-17]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-free-for-open-source-projects]

1. No regression test for pnpm config 📘 Rule violation ☼ Reliability

This bug fix changes install behavior by disabling strict dependency builds, but the PR adds no
regression test to ensure ERR_PNPM_IGNORED_BUILDS remains downgraded to a warning in future
changes. Without a test, the strict mode could be re-enabled inadvertently and CI failures would
regress.

Agent Prompt

## Issue description
The PR changes pnpm install behavior by disabling strict dependency builds, but does not add a regression test that would fail if strict mode is re-enabled.

## Issue Context
The goal is to prevent future regressions where `ERR_PNPM_IGNORED_BUILDS` starts failing CI again. A regression test could validate that the repo’s install configuration keeps strict-dep-builds disabled (or that an install with a fixture postinstall does not fail).

## Fix Focus Areas
- .npmrc[1-1]
- pnpm-workspace.yaml[14-17]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-free-for-open-source-projects]

2. Docker skips pnpm setting 🐞 Bug ☼ Reliability

The PR adds strict-dep-builds=false in .npmrc, but the Docker production build stage never
copies .npmrc into the image and also overwrites pnpm-workspace.yaml, so the `pnpm --recursive
i invoked by bin/installDeps.sh` during the production image build will not see this new
configuration.

Agent Prompt

## Issue description
The PR’s new pnpm config (`strict-dep-builds=false`) is stored in `.npmrc`, but the Docker production image build path does not include `.npmrc` in the image filesystem, so `pnpm` runs during `bin/installDeps.sh` won’t see the new setting.

## Issue Context
- Docker `production` target is used in CI (`.github/workflows/docker.yml`).
- The Docker `build` stage copies a small subset of files and currently omits `.npmrc`.
- The Docker `production` stage overwrites `pnpm-workspace.yaml`, which also removes the PR’s `strictDepBuilds: false` workspace fallback.

## Fix Focus Areas
- Dockerfile[121-126]
- Dockerfile[174-178]

## Suggested change
1) Update the selective `COPY` in the `build` stage to include `./.npmrc` so downstream stages inherit it.
2) (Optional belt-and-suspenders) When overwriting `pnpm-workspace.yaml` for production, include `strictDepBuilds: false` in the generated YAML as well, so the production target remains protected even if `.npmrc` handling changes later.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools