feat: add globalAllowBuilds support for pnpm 11+, deprecate globalNeverBuiltDependencies

Author: Copilot

libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json

@@ -344,6 +344,8 @@
   },
 
   /**
+   * @deprecated Use `globalAllowBuilds` instead.
+   *
    * The `globalNeverBuiltDependencies` setting suppresses the `preinstall`, `install`, and `postinstall`
    * lifecycle events for the specified NPM dependencies.  This is useful for scripts with poor practices
    * such as downloading large binaries without retries or attempting to invoke OS tools such as
@@ -352,12 +354,42 @@
    * The settings are copied into the `pnpm.neverBuiltDependencies` field of the `common/temp/package.json`
    * file that is generated by Rush during installation.
    *
+   * NOTE: This setting is not supported in pnpm 11.0.0+. Use `globalAllowBuilds` instead.
+   *
    * PNPM documentation: https://pnpm.io/package_json#pnpmneverbuiltdependencies
    */
   "globalNeverBuiltDependencies": [
     /*[LINE "HYPOTHETICAL"]*/ "fsevents"
   ],
 
+  /**
+   * The `globalAllowBuilds` setting is a map of package names to booleans that controls which
+   * dependencies are permitted to run build scripts (`preinstall`, `install`, `postinstall`
+   * lifecycle events). A value of `true` explicitly permits a package to run build scripts;
+   * a value of `false` explicitly blocks it. Packages not listed inherit the default behavior.
+   *
+   * This is the replacement for `globalNeverBuiltDependencies` and `globalOnlyBuiltDependencies`,
+   * and is the only way to control build permissions in pnpm 11+. The settings are written to the
+   * `allowBuilds` field of the `pnpm-workspace.yaml` file that is generated by Rush during
+   * installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 11.0.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#allowbuilds
+   *
+   * Example:
+   *   "globalAllowBuilds": {
+   *     "esbuild": true,
+   *     "playwright": true,
+   *     "core-js": false
+   *   }
+   */
+  /*[BEGIN "HYPOTHETICAL"]*/
+  "globalAllowBuilds": {
+    "esbuild": true
+  },
+  /*[END "HYPOTHETICAL"]*/
+
   /**
    * The `globalOnlyBuiltDependencies` setting specifies which dependencies are permitted to run
    * build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse

libraries/rush-lib/src/logic/installManager/InstallHelpers.ts

@@ -77,7 +77,32 @@ export class InstallHelpers {
       }
 
       if (pnpmOptions.globalNeverBuiltDependencies) {
-        commonPackageJson.pnpm.neverBuiltDependencies = pnpmOptions.globalNeverBuiltDependencies;
+        if (
+          rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&
+          semver.gte(rushConfiguration.rushConfigurationJson.pnpmVersion, '11.0.0')
+        ) {
+          terminal.writeWarningLine(
+            Colorize.yellow(
+              `The "globalNeverBuiltDependencies" field in ` +
+                `${rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename} ` +
+                `is deprecated and is not supported by pnpm ${rushConfiguration.rushConfigurationJson.pnpmVersion}. ` +
+                'Migrate to "globalAllowBuilds" instead. ' +
+                `For example, replace "globalNeverBuiltDependencies": ["pkg"] ` +
+                `with "globalAllowBuilds": { "pkg": false }.`
+            )
+          );
+        } else {
+          terminal.writeWarningLine(
+            Colorize.yellow(
+              `The "globalNeverBuiltDependencies" field in ` +
+                `${rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename} ` +
+                'is deprecated. Migrate to "globalAllowBuilds" instead. ' +
+                `For example, replace "globalNeverBuiltDependencies": ["pkg"] ` +
+                `with "globalAllowBuilds": { "pkg": false }.`
+            )
+          );
+          commonPackageJson.pnpm!.neverBuiltDependencies = pnpmOptions.globalNeverBuiltDependencies;
+        }
       }
 
       if (pnpmOptions.globalOnlyBuiltDependencies) {

libraries/rush-lib/src/logic/installManager/WorkspaceInstallManager.ts

@@ -469,6 +469,25 @@ export class WorkspaceInstallManager extends BaseInstallManager {
       workspaceFile.setCatalogs(catalogs);
     }
 
+    // Set allowBuilds in the workspace file if specified (requires pnpm 11.0.0+)
+    if (pnpmOptions.globalAllowBuilds) {
+      if (
+        this.rushConfiguration.rushConfigurationJson.pnpmVersion !== undefined &&
+        semver.lt(this.rushConfiguration.rushConfigurationJson.pnpmVersion, '11.0.0')
+      ) {
+        this._terminal.writeWarningLine(
+          Colorize.yellow(
+            `Your version of pnpm (${this.rushConfiguration.rushConfigurationJson.pnpmVersion}) ` +
+              `doesn't support the "globalAllowBuilds" field in ` +
+              `${this.rushConfiguration.commonRushConfigFolder}/${RushConstants.pnpmConfigFilename}. ` +
+              'Remove this field or upgrade to pnpm 11.0.0 or newer.'
+          )
+        );
+      }
+
+      workspaceFile.setAllowBuilds(pnpmOptions.globalAllowBuilds);
+    }
+
     // Save the generated workspace file. Don't update the file timestamp unless the content has changed,
     // since "rush install" will consider this timestamp
     workspaceFile.save(workspaceFile.workspaceFilename, { onlyIfChanged: true });

libraries/rush-lib/src/logic/pnpm/PnpmOptionsConfiguration.ts

@@ -121,6 +121,11 @@ export interface IPnpmOptionsJson extends IPackageManagerOptionsJsonBase {
    */
   globalPackageExtensions?: Record<string, IPnpmPackageExtension>;
   /**
+   * {@inheritDoc PnpmOptionsConfiguration.globalAllowBuilds}
+   */
+  globalAllowBuilds?: Record<string, boolean>;
+  /**
+   * @deprecated Use {@link IPnpmOptionsJson.globalAllowBuilds} instead.
    * {@inheritDoc PnpmOptionsConfiguration.globalNeverBuiltDependencies}
    */
   globalNeverBuiltDependencies?: string[];
@@ -425,6 +430,23 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
    */
   public readonly globalPackageExtensions: Record<string, IPnpmPackageExtension> | undefined;
 
+  /**
+   * The `globalAllowBuilds` setting is a map of package names to booleans that controls which
+   * dependencies are permitted to run build scripts (`preinstall`, `install`, `postinstall`
+   * lifecycle events). A value of `true` explicitly permits a package to run build scripts;
+   * a value of `false` explicitly blocks it. Packages not listed inherit the default behavior.
+   *
+   * This is the replacement for `globalNeverBuiltDependencies` and `globalOnlyBuiltDependencies`,
+   * and is the only way to control build permissions in pnpm 11+. The settings are written to the
+   * `allowBuilds` field of the `pnpm-workspace.yaml` file that is generated by Rush during
+   * installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 11.0.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#allowbuilds
+   */
+  public readonly globalAllowBuilds: Record<string, boolean> | undefined;
+
   /**
    * The `globalNeverBuiltDependencies` setting suppresses the `preinstall`, `install`, and `postinstall`
    * lifecycle events for the specified NPM dependencies.  This is useful for scripts with poor practices
@@ -434,6 +456,8 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
    * The settings are copied into the `pnpm.neverBuiltDependencies` field of the `common/temp/package.json`
    * file that is generated by Rush during installation.
    *
+   * @deprecated Use {@link PnpmOptionsConfiguration.globalAllowBuilds} instead.
+   *
    * PNPM documentation: https://pnpm.io/package_json#pnpmneverbuiltdependencies
    */
   public readonly globalNeverBuiltDependencies: string[] | undefined;
@@ -554,6 +578,14 @@ export class PnpmOptionsConfiguration extends PackageManagerOptionsConfiguration
     this.globalOverrides = json.globalOverrides;
     this.globalPeerDependencyRules = json.globalPeerDependencyRules;
     this.globalPackageExtensions = json.globalPackageExtensions;
+
+    if (json.globalNeverBuiltDependencies !== undefined && json.globalAllowBuilds !== undefined) {
+      throw new Error(
+        'The "globalNeverBuiltDependencies" setting is deprecated. Use "globalAllowBuilds" instead.' +
+          ' Both settings cannot be specified together in pnpm-config.json.'
+      );
+    }
+    this.globalAllowBuilds = json.globalAllowBuilds;
     this.globalNeverBuiltDependencies = json.globalNeverBuiltDependencies;
     this.globalOnlyBuiltDependencies = json.globalOnlyBuiltDependencies;
     this.globalIgnoredOptionalDependencies = json.globalIgnoredOptionalDependencies;

libraries/rush-lib/src/logic/pnpm/PnpmWorkspaceFile.ts

@@ -31,6 +31,8 @@ interface IPnpmWorkspaceYaml {
   packages: string[];
   /** Catalog definitions for centralized version management */
   catalogs?: Record<string, Record<string, string>>;
+  /** Per-package build permission map. True permits build scripts, false blocks them. (pnpm 11+) */
+  allowBuilds?: Record<string, boolean>;
 }
 
 export class PnpmWorkspaceFile extends BaseWorkspaceFile {
@@ -41,6 +43,7 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
 
   private _workspacePackages: Set<string>;
   private _catalogs: Record<string, Record<string, string>> | undefined;
+  private _allowBuilds: Record<string, boolean> | undefined;
 
   /**
    * The PNPM workspace file is used to specify the location of workspaces relative to the root
@@ -54,6 +57,7 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
     // If we need to support manual customization, that should be an additional parameter for "base file"
     this._workspacePackages = new Set<string>();
     this._catalogs = undefined;
+    this._allowBuilds = undefined;
   }
 
   /**
@@ -64,6 +68,19 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
     this._catalogs = catalogs;
   }
 
+  /**
+   * Sets the `allowBuilds` map for the workspace. Each key is a package name and each value
+   * is `true` (permit build scripts) or `false` (block build scripts).
+   *
+   * @remarks
+   * This writes to the `allowBuilds` field in `pnpm-workspace.yaml`, which requires pnpm 11.0.0+.
+   *
+   * @param allowBuilds - A map of package name to boolean permission flag
+   */
+  public setAllowBuilds(allowBuilds: Record<string, boolean> | undefined): void {
+    this._allowBuilds = allowBuilds;
+  }
+
   /** @override */
   public addPackage(packagePath: string): void {
     // Ensure the path is relative to the pnpm-workspace.yaml file
@@ -89,6 +106,10 @@ export class PnpmWorkspaceFile extends BaseWorkspaceFile {
       workspaceYaml.catalogs = this._catalogs;
     }
 
+    if (this._allowBuilds && Object.keys(this._allowBuilds).length > 0) {
+      workspaceYaml.allowBuilds = this._allowBuilds;
+    }
+
     return yamlModule.dump(workspaceYaml, PNPM_SHRINKWRAP_YAML_FORMAT);
   }
 }

libraries/rush-lib/src/logic/pnpm/test/PnpmOptionsConfiguration.test.ts

@@ -87,6 +87,29 @@ describe(PnpmOptionsConfiguration.name, () => {
     ]);
   });
 
+  it('loads allowBuilds', () => {
+    const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
+      `${__dirname}/jsonFiles/pnpm-config-allowBuilds.json`,
+      fakeCommonTempFolder
+    );
+
+    expect(TestUtilities.stripAnnotations(pnpmConfiguration.globalAllowBuilds)).toEqual({
+      esbuild: true,
+      playwright: true,
+      'core-js': false,
+      '@swc/core': true
+    });
+  });
+
+  it('throws if both globalNeverBuiltDependencies and globalAllowBuilds are specified', () => {
+    expect(() =>
+      PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
+        `${__dirname}/jsonFiles/pnpm-config-allowBuilds-conflict.json`,
+        fakeCommonTempFolder
+      )
+    ).toThrow(/Both settings cannot be specified together/);
+  });
+
   it('loads minimumReleaseAgeMinutes', () => {
     const pnpmConfiguration: PnpmOptionsConfiguration = PnpmOptionsConfiguration.loadFromJsonFileOrThrow(
       `${__dirname}/jsonFiles/pnpm-config-minimumReleaseAge.json`,

libraries/rush-lib/src/logic/pnpm/test/PnpmWorkspaceFile.test.ts

@@ -180,4 +180,67 @@ describe(PnpmWorkspaceFile.name, () => {
       expect(content).toMatchSnapshot();
     });
   });
+
+  describe('allowBuilds functionality', () => {
+    it('generates workspace file with allowBuilds', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setAllowBuilds({
+        esbuild: true,
+        playwright: true,
+        'core-js': false
+      });
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('handles empty allowBuilds object', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setAllowBuilds({});
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('handles undefined allowBuilds', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setAllowBuilds(undefined);
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+
+    it('generates workspace file with both catalogs and allowBuilds', () => {
+      const workspaceFile: PnpmWorkspaceFile = new PnpmWorkspaceFile(workspaceFilePath);
+      workspaceFile.addPackage(path.join(projectsDir, 'app1'));
+
+      workspaceFile.setCatalogs({
+        default: {
+          react: '^18.0.0'
+        }
+      });
+
+      workspaceFile.setAllowBuilds({
+        esbuild: true,
+        'core-js': false
+      });
+
+      workspaceFile.save(workspaceFilePath, { onlyIfChanged: true });
+
+      const content: string = FileSystem.readFile(workspaceFilePath);
+      expect(content).toMatchSnapshot();
+    });
+  });
 });

libraries/rush-lib/src/logic/pnpm/test/__snapshots__/PnpmWorkspaceFile.test.ts.snap

@@ -65,3 +65,39 @@ exports[`PnpmWorkspaceFile catalog functionality handles undefined catalog 1`] =
   - projects/app1
 "
 `;
+
+exports[`PnpmWorkspaceFile allowBuilds functionality generates workspace file with allowBuilds 1`] = `
+"allowBuilds:
+  core-js: false
+  esbuild: true
+  playwright: true
+packages:
+  - projects/app1
+"
+`;
+
+exports[`PnpmWorkspaceFile allowBuilds functionality generates workspace file with both catalogs and allowBuilds 1`] = `
+"allowBuilds:
+  core-js: false
+  esbuild: true
+catalogs:
+  default:
+    react: ^18.0.0
+packages:
+  - projects/app1
+"
+`;
+
+exports[`PnpmWorkspaceFile allowBuilds functionality handles empty allowBuilds object 1`] = `
+"packages:
+  - projects/app1
+"
+`;
+
+exports[`PnpmWorkspaceFile allowBuilds functionality handles undefined allowBuilds 1`] = `
+"packages:
+  - projects/app1
+"
+`;
+
+

libraries/rush-lib/src/logic/pnpm/test/jsonFiles/pnpm-config-allowBuilds-conflict.json

@@ -0,0 +1,6 @@
+{
+  "globalNeverBuiltDependencies": ["fsevents"],
+  "globalAllowBuilds": {
+    "esbuild": true
+  }
+}

libraries/rush-lib/src/logic/pnpm/test/jsonFiles/pnpm-config-allowBuilds.json

@@ -0,0 +1,8 @@
+{
+  "globalAllowBuilds": {
+    "esbuild": true,
+    "playwright": true,
+    "core-js": false,
+    "@swc/core": true
+  }
+}