chore(pnpm): migrate from onlyBuiltDependencies to allowBuilds#308
Merged
chore(pnpm): migrate from onlyBuiltDependencies to allowBuilds#308
Conversation
Replace deprecated `onlyBuiltDependencies` array with the new `allowBuilds` object format introduced in pnpm 10.26. This new format also supersedes `ignoredBuiltDependencies`. The new syntax uses an object with boolean values: - `true`: allow build scripts for the package - `false`: block build scripts for the package This provides more explicit control and aligns with pnpm's direction for stricter dependency management. Reference: https://creators.bengo4.com/entry/2026/01/26/080000
commit: |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Remove chokidar@4.0.3 from trustPolicyExclude as it is no longer a dependency in the project. Keep undici-types@6.21.0 as it is still required by @types/node.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates pnpm security configuration to use the new allowBuilds setting format introduced in pnpm 10.26+, replacing the deprecated onlyBuiltDependencies setting.
Changes:
- Replace
onlyBuiltDependenciesarray withallowBuildsobject in pnpm-workspace.yaml - Update pnpm-usage.md documentation to reflect the new setting and its usage
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Migrates from onlyBuiltDependencies array to allowBuilds object format with boolean values for esbuild and msw packages |
| .claude/rules/pnpm-usage.md | Updates security settings documentation table and instructions to reference the new allowBuilds setting |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Migrate pnpm security settings from deprecated
onlyBuiltDependenciesto the newallowBuildsformat introduced in pnpm 10.26.What Changed
onlyBuiltDependenciesarray withallowBuildsobject inpnpm-workspace.yaml.claude/rules/pnpm-usage.mdto reflect new settingWhy
The
onlyBuiltDependenciesandignoredBuiltDependenciessettings have been superseded byallowBuildsin pnpm 10.26+. The new object-based format provides more explicit control by using boolean values (trueto allow,falseto block build scripts).Reference: https://creators.bengo4.com/entry/2026/01/26/080000
Summary by cubic
Migrated pnpm security config from deprecated onlyBuiltDependencies to the new allowBuilds (pnpm 10.26+) for clearer control over which packages can run build scripts. Updated workspace config and docs; esbuild and msw remain allowed.
Refactors
Migration
Written for commit 6cdc5fc. Summary will update on new commits.