fix: only add postinstall to root package.json for pnpm monorepos

pnpm runs root lifecycle scripts on `pnpm install`, so adding
postinstall scripts to individual workspace package.json files is
unnecessary. Worse, it breaks because workspaces may not have
`@socketsecurity/socket-patch` as a dependency, and pnpm's strict
module isolation prevents `npx` from resolving it.

The setup command now detects pnpm monorepos (via pnpm-workspace.yaml)
and only updates the root package.json.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Wenxin-Jiang

crates/socket-patch-cli/src/commands/setup.rs

@@ -1,5 +1,5 @@
 use clap::Args;
-use socket_patch_core::package_json::find::find_package_json_files;
+use socket_patch_core::package_json::find::{find_package_json_files, WorkspaceType};
 use socket_patch_core::package_json::update::{update_package_json, UpdateStatus};
 use std::io::{self, Write};
 use std::path::{Path, PathBuf};
@@ -30,7 +30,22 @@ pub async fn run(args: SetupArgs) -> i32 {
         println!("Searching for package.json files...");
     }
 
-    let package_json_files = find_package_json_files(&args.cwd).await;
+    let find_result = find_package_json_files(&args.cwd).await;
+
+    // For pnpm monorepos, only update root package.json.
+    // pnpm runs root postinstall on `pnpm install`, so workspace-level
+    // postinstall scripts are unnecessary. Individual workspaces may not
+    // have `@socketsecurity/socket-patch` as a dependency, causing
+    // `npx @socketsecurity/socket-patch apply` to fail due to pnpm's
+    // strict module isolation.
+    let package_json_files = match find_result.workspace_type {
+        WorkspaceType::Pnpm => find_result
+            .files
+            .into_iter()
+            .filter(|loc| loc.is_root)
+            .collect(),
+        _ => find_result.files,
+    };
 
     if package_json_files.is_empty() {
         if args.json {

crates/socket-patch-core/src/package_json/find.rs

@@ -25,10 +25,17 @@ pub struct PackageJsonLocation {
     pub workspace_pattern: Option<String>,
 }
 
+/// Result of finding package.json files.
+#[derive(Debug)]
+pub struct PackageJsonFindResult {
+    pub files: Vec<PackageJsonLocation>,
+    pub workspace_type: WorkspaceType,
+}
+
 /// Find all package.json files, respecting workspace configurations.
 pub async fn find_package_json_files(
     start_path: &Path,
-) -> Vec<PackageJsonLocation> {
+) -> PackageJsonFindResult {
     let mut results = Vec::new();
     let root_package_json = start_path.join("package.json");
 
@@ -63,7 +70,10 @@ pub async fn find_package_json_files(
         }
     }
 
-    results
+    PackageJsonFindResult {
+        files: results,
+        workspace_type: workspace_config.ws_type,
+    }
 }
 
 /// Detect workspace configuration from package.json.
@@ -470,8 +480,8 @@ mod tests {
     #[tokio::test]
     async fn test_find_no_root_package_json() {
         let dir = tempfile::tempdir().unwrap();
-        let results = find_package_json_files(dir.path()).await;
-        assert!(results.is_empty());
+        let result = find_package_json_files(dir.path()).await;
+        assert!(result.files.is_empty());
     }
 
     #[tokio::test]
@@ -480,9 +490,9 @@ mod tests {
         fs::write(dir.path().join("package.json"), r#"{"name":"root"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
-        assert_eq!(results.len(), 1);
-        assert!(results[0].is_root);
+        let result = find_package_json_files(dir.path()).await;
+        assert_eq!(result.files.len(), 1);
+        assert!(result.files[0].is_root);
     }
 
     #[tokio::test]
@@ -499,11 +509,12 @@ mod tests {
         fs::write(pkg_a.join("package.json"), r#"{"name":"a"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
+        let result = find_package_json_files(dir.path()).await;
+        assert!(matches!(result.workspace_type, WorkspaceType::Npm));
         // root + workspace member
-        assert_eq!(results.len(), 2);
-        assert!(results[0].is_root);
-        assert!(results[1].is_workspace);
+        assert_eq!(result.files.len(), 2);
+        assert!(result.files[0].is_root);
+        assert!(result.files[1].is_workspace);
     }
 
     #[tokio::test]
@@ -523,10 +534,13 @@ mod tests {
         fs::write(pkg_a.join("package.json"), r#"{"name":"a"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
-        assert_eq!(results.len(), 2);
-        assert!(results[0].is_root);
-        assert!(results[1].is_workspace);
+        let result = find_package_json_files(dir.path()).await;
+        assert!(matches!(result.workspace_type, WorkspaceType::Pnpm));
+        // find_package_json_files still returns all files;
+        // filtering for pnpm is done by the caller (setup command)
+        assert_eq!(result.files.len(), 2);
+        assert!(result.files[0].is_root);
+        assert!(result.files[1].is_workspace);
     }
 
     #[tokio::test]
@@ -540,10 +554,10 @@ mod tests {
         fs::write(nm.join("package.json"), r#"{"name":"lodash"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
+        let result = find_package_json_files(dir.path()).await;
         // Only root, node_modules should be skipped
-        assert_eq!(results.len(), 1);
-        assert!(results[0].is_root);
+        assert_eq!(result.files.len(), 1);
+        assert!(result.files[0].is_root);
     }
 
     #[tokio::test]
@@ -561,9 +575,9 @@ mod tests {
         fs::write(deep.join("package.json"), r#"{"name":"deep"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
+        let result = find_package_json_files(dir.path()).await;
         // Only root (the deep one exceeds depth limit)
-        assert_eq!(results.len(), 1);
+        assert_eq!(result.files.len(), 1);
     }
 
     #[tokio::test]
@@ -580,9 +594,9 @@ mod tests {
         fs::write(nested.join("package.json"), r#"{"name":"client"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
+        let result = find_package_json_files(dir.path()).await;
         // root + recursively found workspace member
-        assert!(results.len() >= 2);
+        assert!(result.files.len() >= 2);
     }
 
     #[tokio::test]
@@ -599,7 +613,7 @@ mod tests {
         fs::write(core.join("package.json"), r#"{"name":"core"}"#)
             .await
             .unwrap();
-        let results = find_package_json_files(dir.path()).await;
-        assert_eq!(results.len(), 2);
+        let result = find_package_json_files(dir.path()).await;
+        assert_eq!(result.files.len(), 2);
     }
 }