You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I did use AI to help me draft this issue, but I personally reviewed and confirmed the issue and the steps reproduced here in a large monorepo, including screenshots I took on my own.
pnpm 11 stopped reading configuration from the pnpm field of package.json; those settings must now live in pnpm-workspace.yaml (see the pnpm 11 release notes and settings docs).
Rush still serialises most of its pnpm-config.json settings into the pnpm field of the generated common/temp/package.json. After bumping pnpmVersion to 11.x, those settings are no longer applied. The most consequential of them, globalOverrides and globalPatchedDependencies, are commonly used to pin CVE remediations on transitive dependencies, so the regression is security-relevant.
Rush 5.176.0 already relocated one of these settings, allowBuilds, to pnpm-workspace.yaml via #5817. The same treatment is needed for the remaining fields.
Repro steps
In a Rush repository using pnpm, define a globalOverrides entry in common/config/rush/pnpm-config.json (for example, a transitive CVE pin).
Set pnpmVersion to 11.x in rush.json.
Run rush update.
Inspect the generated common/temp/pnpm-workspace.yaml.
Expected result: The override is emitted into common/temp/pnpm-workspace.yaml (as allowBuilds already is) and applied by pnpm 11.
Actual result:rush update prints the warning below and completes "successfully". The override is written only to common/temp/package.json under pnpm.overrides, where pnpm 11 ignores it; pnpm-workspace.yaml contains no overrides: block.
WARN The "pnpm" field in package.json is no longer read by pnpm. The following keys were ignored: "pnpm.overrides", "pnpm.packageExtensions", "pnpm.peerDependencyRules", "pnpm.allowedDeprecatedVersions", "pnpm.patchedDependencies". See https://pnpm.io/settings for the new home of each setting.
Details
Settings affected
The warning names exactly the settings Rush copies into common/temp/package.json from pnpm-config.json:
The warning is the only signal; the settings are dropped without an error and the install still reports success. In a repository that pins CVE fixes through globalOverrides, the pins survive only while the committed lockfile already encodes them and installs run frozen. A rush update that re-resolves can rewrite the lockfile without the overrides, quietly reverting transitive dependencies to vulnerable versions. pnpm tracks this risk as pnpm/pnpm#11536.
Likely cause
The pnpm settings are serialised into the pnpm field of common/temp/package.json during install generation. pnpm 11 no longer reads that field; the canonical home for these settings is now common/temp/pnpm-workspace.yaml.
Suggested fix
Extend the relocation already done for allowBuilds (#5817) so that Rush also emits the following into the generated pnpm-workspace.yaml instead of the package.jsonpnpm field:
Summary
Important
I did use AI to help me draft this issue, but I personally reviewed and confirmed the issue and the steps reproduced here in a large monorepo, including screenshots I took on my own.
pnpm 11 stopped reading configuration from the
pnpmfield ofpackage.json; those settings must now live inpnpm-workspace.yaml(see the pnpm 11 release notes and settings docs).Rush still serialises most of its
pnpm-config.jsonsettings into thepnpmfield of the generatedcommon/temp/package.json. After bumpingpnpmVersionto 11.x, those settings are no longer applied. The most consequential of them,globalOverridesandglobalPatchedDependencies, are commonly used to pin CVE remediations on transitive dependencies, so the regression is security-relevant.Rush 5.176.0 already relocated one of these settings,
allowBuilds, topnpm-workspace.yamlvia #5817. The same treatment is needed for the remaining fields.Repro steps
In a Rush repository using pnpm, define a
globalOverridesentry incommon/config/rush/pnpm-config.json(for example, a transitive CVE pin).Set
pnpmVersionto11.xinrush.json.Run
rush update.Inspect the generated
common/temp/pnpm-workspace.yaml.Expected result: The override is emitted into
common/temp/pnpm-workspace.yaml(asallowBuildsalready is) and applied by pnpm 11.Actual result:
rush updateprints the warning below and completes "successfully". The override is written only tocommon/temp/package.jsonunderpnpm.overrides, where pnpm 11 ignores it;pnpm-workspace.yamlcontains nooverrides:block.Details
Settings affected
The warning names exactly the settings Rush copies into
common/temp/package.jsonfrompnpm-config.json:pnpm-config.jsonkeypackage.jsonasglobalOverridespnpm.overridesglobalPackageExtensionspnpm.packageExtensionsglobalPeerDependencyRulespnpm.peerDependencyRulesglobalAllowedDeprecatedVersionspnpm.allowedDeprecatedVersionsglobalPatchedDependenciespnpm.patchedDependenciesglobalAllowBuildsallowBuildsinpnpm-workspace.yamlWhy this is easy to miss
The warning is the only signal; the settings are dropped without an error and the install still reports success. In a repository that pins CVE fixes through
globalOverrides, the pins survive only while the committed lockfile already encodes them and installs run frozen. Arush updatethat re-resolves can rewrite the lockfile without the overrides, quietly reverting transitive dependencies to vulnerable versions. pnpm tracks this risk as pnpm/pnpm#11536.Likely cause
The pnpm settings are serialised into the
pnpmfield ofcommon/temp/package.jsonduring install generation. pnpm 11 no longer reads that field; the canonical home for these settings is nowcommon/temp/pnpm-workspace.yaml.Suggested fix
Extend the relocation already done for
allowBuilds(#5817) so that Rush also emits the following into the generatedpnpm-workspace.yamlinstead of thepackage.jsonpnpmfield:globalOverrides→overridesglobalPatchedDependencies→patchedDependenciesglobalPackageExtensions→packageExtensionsglobalPeerDependencyRules→peerDependencyRulesglobalAllowedDeprecatedVersions→allowedDeprecatedVersionsRelationship to existing issues
allowBuildstopnpm-workspace.yamlfor pnpm 11. This issue asks for the same mechanism to be applied to the remaining settings.minimumReleaseAge, but was filed under pnpm 10, whereoverrides/packageExtensions/patchedDependencieswere still read frompackage.json. Its proposed fix (Fix/pnpm minimum release age #5798) targetsminimumReleaseAgeonly and writes to.npmrc, which does not cover the settings above and is not the pnpm 11 home for them. The settings in this issue therefore remain untracked.Standard questions
@microsoft/rushglobally installed version?rushVersionfrom rush.json?pnpmVersion,npmVersion, oryarnVersionfrom rush.json?useWorkspacesfrom pnpm-config.json?node -v)?