[rush] Add globalOnlyBuiltDependencies support for PNPM 10.x (#5522)

* Initial plan

* Add globalOnlyBuiltDependencies support to PNPM configuration

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

* Update snapshots and API review file for globalOnlyBuiltDependencies

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

* Move onlyBuiltDependencies to package.json instead of pnpm-workspace.yaml

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

* Update test snapshots for onlyBuiltDependencies warning

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

* Add changelog entry for globalOnlyBuiltDependencies feature

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

* Rush change.

* Update test to use PNPM 10.1.0 to avoid hardcoded path in warning

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>
Co-authored-by: Ian Clanton-Thuon <iclanton@users.noreply.github.com>

Author: Copilot

common/changes/@microsoft/rush/globalOnlyBuiltDependencies_2025-12-28-19-40.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/rush",
+      "comment": "Add support for the `globalOnlyBuiltDependencies` PNPM 10.x option to specify an allowlist of packages permitted to run build scripts to `common/config/rush/pnpm-config.json`.",
+      "type": "none"
+    }
+  ],
+  "packageName": "@microsoft/rush"
+}

common/reviews/api/rush-lib.api.md

@@ -743,6 +743,7 @@ export interface _IPnpmOptionsJson extends IPackageManagerOptionsJsonBase {
     globalCatalogs?: Record<string, Record<string, string>>;
     globalIgnoredOptionalDependencies?: string[];
     globalNeverBuiltDependencies?: string[];
+    globalOnlyBuiltDependencies?: string[];
     globalOverrides?: Record<string, string>;
     globalPackageExtensions?: Record<string, IPnpmPackageExtension>;
     globalPatchedDependencies?: Record<string, string>;
@@ -1155,6 +1156,7 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
     readonly globalCatalogs: Record<string, Record<string, string>> | undefined;
     readonly globalIgnoredOptionalDependencies: string[] | undefined;
     readonly globalNeverBuiltDependencies: string[] | undefined;
+    readonly globalOnlyBuiltDependencies: string[] | undefined;
     readonly globalOverrides: Record<string, string> | undefined;
     readonly globalPackageExtensions: Record<string, IPnpmPackageExtension> | undefined;
     get globalPatchedDependencies(): Record<string, string> | undefined;

libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json

@@ -306,6 +306,31 @@
     /*[LINE "HYPOTHETICAL"]*/ "fsevents"
   ],
 
+  /**
+   * The `globalOnlyBuiltDependencies` setting specifies which dependencies are permitted to run
+   * build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
+   * of `globalNeverBuiltDependencies`. In PNPM 10.x, build scripts are disabled by default for
+   * security, so this setting is required to explicitly permit specific packages to run their
+   * build scripts. The settings are written to the `onlyBuiltDependencies` field of the
+   * `pnpm-workspace.yaml` file that is generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies
+   *
+   * Example:
+   *   "globalOnlyBuiltDependencies": [
+   *     "esbuild",
+   *     "playwright",
+   *     "@swc/core"
+   *   ]
+   */
+  /*[BEGIN "HYPOTHETICAL"]*/
+  "globalOnlyBuiltDependencies": [
+    "esbuild"
+  ],
+  /*[END "HYPOTHETICAL"]*/
+
   /**
    * The `globalIgnoredOptionalDependencies` setting suppresses the installation of optional NPM
    * dependencies specified in the list. This is useful when certain optional dependencies are

libraries/rush-lib/src/logic/installManager/InstallHelpers.ts

@@ -31,6 +31,7 @@ interface ICommonPackageJson extends IPackageJson {
     packageExtensions?: typeof PnpmOptionsConfiguration.prototype.globalPackageExtensions;
     peerDependencyRules?: typeof PnpmOptionsConfiguration.prototype.globalPeerDependencyRules;
     neverBuiltDependencies?: typeof PnpmOptionsConfiguration.prototype.globalNeverBuiltDependencies;
+    onlyBuiltDependencies?: typeof PnpmOptionsConfiguration.prototype.globalOnlyBuiltDependencies;
     ignoredOptionalDependencies?: typeof PnpmOptionsConfiguration.prototype.globalIgnoredOptionalDependencies;
     allowedDeprecatedVersions?: typeof PnpmOptionsConfiguration.prototype.globalAllowedDeprecatedVersions;
     patchedDependencies?: typeof PnpmOptionsConfiguration.prototype.globalPatchedDependencies;
@@ -76,6 +77,24 @@ export class InstallHelpers {
         commonPackageJson.pnpm.neverBuiltDependencies = pnpmOptions.globalNeverBuiltDependencies;
       }
 
+      if (pnpmOptions.globalOnlyBuiltDependencies) {
+        if (
+          rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&
+          semver.lt(rushConfiguration.rushConfigurationJson.pnpmVersion, '10.1.0')
+        ) {
+          terminal.writeWarningLine(
+            Colorize.yellow(
+              `Your version of pnpm (${rushConfiguration.rushConfigurationJson.pnpmVersion}) ` +
+                `doesn't support the "globalOnlyBuiltDependencies" field in ` +
+                `${rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename}. ` +
+                'Remove this field or upgrade to pnpm 10.1.0 or newer.'
+            )
+          );
+        }
+
+        commonPackageJson.pnpm.onlyBuiltDependencies = pnpmOptions.globalOnlyBuiltDependencies;
+      }
+
       if (pnpmOptions.globalIgnoredOptionalDependencies) {
         if (
           rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&

libraries/rush-lib/src/logic/pnpm/PnpmOptionsConfiguration.ts

@@ -114,6 +114,10 @@ export interface IPnpmOptionsJson extends IPackageManagerOptionsJsonBase {
    * {@inheritDoc PnpmOptionsConfiguration.globalNeverBuiltDependencies}
    */
   globalNeverBuiltDependencies?: string[];
+  /**
+   * {@inheritDoc PnpmOptionsConfiguration.globalOnlyBuiltDependencies}
+   */
+  globalOnlyBuiltDependencies?: string[];
   /**
    * {@inheritDoc PnpmOptionsConfiguration.globalIgnoredOptionalDependencies}
    */
@@ -365,6 +369,20 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
    */
   public readonly globalNeverBuiltDependencies: string[] | undefined;
 
+  /**
+   * The `globalOnlyBuiltDependencies` setting specifies an allowlist of dependencies that are permitted
+   * to run build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
+   * of `globalNeverBuiltDependencies`. In PNPM 10.x, build scripts are disabled by default for security,
+   * so this setting is required to explicitly permit specific packages to run their build scripts.
+   * The settings are copied into the `pnpm.onlyBuiltDependencies` field of the `common/temp/package.json`
+   * file that is generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/package_json#pnpmonlybuiltdependencies
+   */
+  public readonly globalOnlyBuiltDependencies: string[] | undefined;
+
   /**
    * The ignoredOptionalDependencies setting allows you to exclude certain optional dependencies from being installed
    * during the Rush installation process. This can be useful when optional dependencies are not required or are
@@ -468,6 +486,7 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
     this.globalPeerDependencyRules = json.globalPeerDependencyRules;
     this.globalPackageExtensions = json.globalPackageExtensions;
     this.globalNeverBuiltDependencies = json.globalNeverBuiltDependencies;
+    this.globalOnlyBuiltDependencies = json.globalOnlyBuiltDependencies;
     this.globalIgnoredOptionalDependencies = json.globalIgnoredOptionalDependencies;
     this.globalAllowedDeprecatedVersions = json.globalAllowedDeprecatedVersions;
     this.unsupportedPackageJsonSettings = json.unsupportedPackageJsonSettings;

libraries/rush-lib/src/logic/pnpm/test/PnpmOptionsConfiguration.test.ts

@@ -74,6 +74,19 @@ describe(PnpmOptionsConfiguration.name, () => {
     ]);
   });
 
+  it('loads onlyBuiltDependencies', () => {
+    const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
+      `${__dirname}/jsonFiles/pnpm-config-onlyBuiltDependencies.json`,
+      fakeCommonTempFolder
+    );
+
+    expect(TestUtilities.stripAnnotations(pnpmConfiguration.globalOnlyBuiltDependencies)).toEqual([
+      'esbuild',
+      'playwright',
+      '@swc/core'
+    ]);
+  });
+
   it('loads minimumReleaseAge', () => {
     const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
       `${__dirname}/jsonFiles/pnpm-config-minimumReleaseAge.json`,

libraries/rush-lib/src/logic/pnpm/test/jsonFiles/pnpm-config-onlyBuiltDependencies.json

@@ -0,0 +1,3 @@
+{
+  "globalOnlyBuiltDependencies": ["esbuild", "playwright", "@swc/core"]
+}

libraries/rush-lib/src/logic/test/InstallHelpers.test.ts

@@ -67,6 +67,7 @@ describe('InstallHelpers', () => {
               }
             },
             neverBuiltDependencies: ['fsevents', 'level'],
+            onlyBuiltDependencies: ['esbuild', 'playwright'],
             pnpmFutureFeature: true
           }
         })

libraries/rush-lib/src/logic/test/pnpmConfig/common/config/rush/pnpm-config.json

@@ -13,6 +13,7 @@
     }
   },
   "globalNeverBuiltDependencies": ["fsevents", "level"],
+  "globalOnlyBuiltDependencies": ["esbuild", "playwright"],
   "globalCatalogs": {
     "default": {
       "react": "^18.0.0",

libraries/rush-lib/src/logic/test/pnpmConfig/rush.json

@@ -1,5 +1,5 @@
 {
-  "pnpmVersion": "6.23.1",
+  "pnpmVersion": "10.1.0",
   "rushVersion": "5.58.0",
   "projects": []
 }