Add globalOnlyBuiltDependencies support to PNPM configuration

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>

Author: Copilot

libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json

@@ -306,6 +306,31 @@
     /*[LINE "HYPOTHETICAL"]*/ "fsevents"
   ],
 
+  /**
+   * The `globalOnlyBuiltDependencies` setting specifies which dependencies are permitted to run
+   * build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
+   * of `globalNeverBuiltDependencies`. In PNPM 10.x, build scripts are disabled by default for
+   * security, so this setting is required to explicitly permit specific packages to run their
+   * build scripts. The settings are written to the `onlyBuiltDependencies` field of the
+   * `pnpm-workspace.yaml` file that is generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies
+   *
+   * Example:
+   *   "globalOnlyBuiltDependencies": [
+   *     "esbuild",
+   *     "playwright",
+   *     "@swc/core"
+   *   ]
+   */
+  /*[BEGIN "HYPOTHETICAL"]*/
+  "globalOnlyBuiltDependencies": [
+    "esbuild"
+  ],
+  /*[END "HYPOTHETICAL"]*/
+
   /**
    * The `globalIgnoredOptionalDependencies` setting suppresses the installation of optional NPM
    * dependencies specified in the list. This is useful when certain optional dependencies are

libraries/rush-lib/src/logic/installManager/WorkspaceInstallManager.ts

@@ -468,6 +468,25 @@ export class WorkspaceInstallManager extends BaseInstallManager {
       workspaceFile.setCatalogs(catalogs);
     }
 
+    // Set onlyBuiltDependencies in the workspace file if specified
+    if (pnpmOptions.globalOnlyBuiltDependencies) {
+      if (
+        this.rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&
+        semver.lt(this.rushConfiguration.rushConfigurationJson.pnpmVersion, '10.1.0')
+      ) {
+        this._terminal.writeWarningLine(
+          Colorize.yellow(
+            `Your version of pnpm (${this.rushConfiguration.rushConfigurationJson.pnpmVersion}) ` +
+              `doesn't support the "globalOnlyBuiltDependencies" field in ` +
+              `${this.rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename}. ` +
+              'Remove this field or upgrade to pnpm 10.1.0 or newer.'
+          )
+        );
+      }
+
+      workspaceFile.setOnlyBuiltDependencies(pnpmOptions.globalOnlyBuiltDependencies);
+    }
+
     // Save the generated workspace file. Don't update the file timestamp unless the content has changed,
     // since "rush install" will consider this timestamp
     workspaceFile.save(workspaceFile.workspaceFilename, { onlyIfChanged: true });

libraries/rush-lib/src/logic/pnpm/PnpmOptionsConfiguration.ts

@@ -114,6 +114,10 @@ export interface IPnpmOptionsJson extends IPackageManagerOptionsJsonBase {
    * {@inheritDoc PnpmOptionsConfiguration.globalNeverBuiltDependencies}
    */
   globalNeverBuiltDependencies?: string[];
+  /**
+   * {@inheritDoc PnpmOptionsConfiguration.globalOnlyBuiltDependencies}
+   */
+  globalOnlyBuiltDependencies?: string[];
   /**
    * {@inheritDoc PnpmOptionsConfiguration.globalIgnoredOptionalDependencies}
    */
@@ -365,6 +369,20 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
    */
   public readonly globalNeverBuiltDependencies: string[] | undefined;
 
+  /**
+   * The `globalOnlyBuiltDependencies` setting specifies an allowlist of dependencies that are permitted
+   * to run build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
+   * of `globalNeverBuiltDependencies`. In PNPM 10.x, build scripts are disabled by default for security,
+   * so this setting is required to explicitly permit specific packages to run their build scripts.
+   * The settings are written to the `onlyBuiltDependencies` field of the `pnpm-workspace.yaml` file
+   * that is generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies
+   */
+  public readonly globalOnlyBuiltDependencies: string[] | undefined;
+
   /**
    * The ignoredOptionalDependencies setting allows you to exclude certain optional dependencies from being installed
    * during the Rush installation process. This can be useful when optional dependencies are not required or are
@@ -468,6 +486,7 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
     this.globalPeerDependencyRules = json.globalPeerDependencyRules;
     this.globalPackageExtensions = json.globalPackageExtensions;
     this.globalNeverBuiltDependencies = json.globalNeverBuiltDependencies;
+    this.globalOnlyBuiltDependencies = json.globalOnlyBuiltDependencies;
     this.globalIgnoredOptionalDependencies = json.globalIgnoredOptionalDependencies;
     this.globalAllowedDeprecatedVersions = json.globalAllowedDeprecatedVersions;
     this.unsupportedPackageJsonSettings = json.unsupportedPackageJsonSettings;

libraries/rush-lib/src/logic/pnpm/PnpmWorkspaceFile.ts

@@ -23,14 +23,20 @@ const globEscape: (unescaped: string) => string = require('glob-escape'); // No
  *      "default": {
  *        "react": "^18.0.0"
  *      }
- *    }
+ *    },
+ *    "onlyBuiltDependencies": [
+ *      "esbuild",
+ *      "playwright"
+ *    ]
  *  }
  */
 interface IPnpmWorkspaceYaml {
   /** The list of local package directories */
   packages: string[];
   /** Catalog definitions for centralized version management */
   catalogs?: Record<string, Record<string, string>>;
+  /** Allowlist of dependencies permitted to run build scripts (PNPM 10.1.0+) */
+  onlyBuiltDependencies?: string[];
 }
 
 export class PnpmWorkspaceFile extends BaseWorkspaceFile {
@@ -41,6 +47,7 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
 
   private _workspacePackages: Set<string>;
   private _catalogs: Record<string, Record<string, string>> | undefined;
+  private _onlyBuiltDependencies: string[] | undefined;
 
   /**
    * The PNPM workspace file is used to specify the location of workspaces relative to the root
@@ -54,6 +61,7 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
     // If we need to support manual customization, that should be an additional parameter for "base file"
     this._workspacePackages = new Set<string>();
     this._catalogs = undefined;
+    this._onlyBuiltDependencies = undefined;
   }
 
   /**
@@ -64,6 +72,15 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
     this._catalogs = catalogs;
   }
 
+  /**
+   * Sets the onlyBuiltDependencies list for the workspace.
+   * This specifies which dependencies are allowed to run build scripts in PNPM 10.1.0+.
+   * @param deps - An array of package names allowed to run build scripts
+   */
+  public setOnlyBuiltDependencies(deps: string[] | undefined): void {
+    this._onlyBuiltDependencies = deps;
+  }
+
   /** @override */
   public addPackage(packagePath: string): void {
     // Ensure the path is relative to the pnpm-workspace.yaml file
@@ -89,6 +106,10 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
       workspaceYaml.catalogs = this._catalogs;
     }
 
+    if (this._onlyBuiltDependencies && this._onlyBuiltDependencies.length > 0) {
+      workspaceYaml.onlyBuiltDependencies = this._onlyBuiltDependencies;
+    }
+
     return yamlModule.dump(workspaceYaml, PNPM_SHRINKWRAP_YAML_FORMAT);
   }
 }

libraries/rush-lib/src/logic/pnpm/test/PnpmOptionsConfiguration.test.ts

@@ -74,6 +74,19 @@ describe(PnpmOptionsConfiguration.name, () => {
     ]);
   });
 
+  it('loads onlyBuiltDependencies', () => {
+    const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
+      `${__dirname}/jsonFiles/pnpm-config-onlyBuiltDependencies.json`,
+      fakeCommonTempFolder
+    );
+
+    expect(TestUtilities.stripAnnotations(pnpmConfiguration.globalOnlyBuiltDependencies)).toEqual([
+      'esbuild',
+      'playwright',
+      '@swc/core'
+    ]);
+  });
+
   it('loads minimumReleaseAge', () => {
     const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
       `${__dirname}/jsonFiles/pnpm-config-minimumReleaseAge.json`,

libraries/rush-lib/src/logic/pnpm/test/PnpmWorkspaceFile.test.ts

@@ -180,4 +180,61 @@ describe(PnpmWorkspaceFile.name, () => {
       expect(content).toMatchSnapshot();
     });
   });
+
+  describe('onlyBuiltDependencies functionality', () => {
+    it('generates workspace file with onlyBuiltDependencies', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setOnlyBuiltDependencies(['esbuild', 'playwright', '@swc/core']);
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('handles empty onlyBuiltDependencies array', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setOnlyBuiltDependencies([]);
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('handles undefined onlyBuiltDependencies', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setOnlyBuiltDependencies(undefined);
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('generates workspace file with both catalogs and onlyBuiltDependencies', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setCatalogs({
+        default: {
+          react: '^18.0.0',
+          'react-dom': '^18.0.0'
+        }
+      });
+
+      workspaceFile.setOnlyBuiltDependencies(['esbuild', 'playwright']);
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+  });
 });

libraries/rush-lib/src/logic/pnpm/test/jsonFiles/pnpm-config-onlyBuiltDependencies.json

@@ -0,0 +1,3 @@
+{
+  "globalOnlyBuiltDependencies": ["esbuild", "playwright", "@swc/core"]
+}

libraries/rush-lib/src/schemas/pnpm-config.schema.json

@@ -150,6 +150,15 @@
       }
     },
 
+    "globalOnlyBuiltDependencies": {
+      "description": "This field allows specifying which dependencies are permitted to run build scripts (preinstall, install, postinstall). In PNPM 10.x, build scripts are disabled by default for security. Use this allowlist to explicitly permit specific packages to run their build scripts.\n\n(SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)\n\nPNPM documentation: https://pnpm.io/settings#onlybuiltdependencies",
+      "type": "array",
+      "items": {
+        "description": "Specify package name of the dependency allowed to run build scripts",
+        "type": "string"
+      }
+    },
+
     "globalIgnoredOptionalDependencies": {
       "description": "This field allows you to skip the installation of specific optional dependencies. The listed packages will be treated as if they are not present in the dependency tree during installation, meaning they will not be installed even if required by other packages.\n\n(SUPPORTED ONLY IN PNPM 9.0.0 AND NEWER)\n\nPNPM documentation: https://pnpm.io/package_json#pnpmalloweddeprecatedversions",
       "type": "array",