
[rush] Relocate pnpm settings to pnpm-workspace.yaml for pnpm 11#5838

Open
brunojppb wants to merge 3 commits into
microsoft:mainfrom
brunojppb:pnpm11-relocate-global-settings

Conversation

@brunojppb

@brunojppb brunojppb commented Jun 18, 2026


Summary

Proposed fix for #5837

pnpm 11 stopped reading configuration from the pnpm field of package.json. Those settings must now live in pnpm-workspace.yaml (see the pnpm 11 release notes and settings docs).

Rush still serialized most of its pnpm-config.json settings into the pnpm field of the generated common/temp/package.json. After bumping pnpmVersion to 11.x, those settings were silently dropped: pnpm prints a warning, but the install still reports success. The most consequential of them, globalOverrides and globalPatchedDependencies, are commonly used to pin CVE remediations on transitive dependencies, so a rush update that re-resolves can quietly revert them to vulnerable versions.

#5817 already relocated allowBuilds to pnpm-workspace.yaml for pnpm 11. This PR applies the same mechanism to the remaining affected settings.

Changes

For pnpm >= 11.0.0, the following are now written to the generated common/temp/pnpm-workspace.yaml instead of the package.json pnpm field:

pnpm-config.json key                pnpm-workspace.yaml key
globalOverrides                     overrides
globalPackageExtensions             packageExtensions
globalPeerDependencyRules           peerDependencyRules
globalAllowedDeprecatedVersions     allowedDeprecatedVersions
globalPatchedDependencies           patchedDependencies

  • PnpmWorkspaceFile: added fields, setters, and serialization for the five settings.
  • WorkspaceInstallManager: populates them on the workspace file when pnpmVersion >= 11.0.0.
  • InstallHelpers: skips writing the corresponding package.json pnpm entries when pnpmVersion >= 11.0.0.

Behavior for pnpm 10 and earlier is unchanged.

Out of scope

minimumReleaseAge (tracked in #5752 / #5798), trustPolicy*, and ignoredOptionalDependencies are also written to the pnpm field but are left for follow-up PRs to keep this change focused.

Could potentially include that here too if you folks want.

pnpm 11 no longer reads the "pnpm" field of package.json, so the settings
Rush serialized there were silently ignored. Relocate globalOverrides,
globalPackageExtensions, globalPeerDependencyRules,
globalAllowedDeprecatedVersions, and globalPatchedDependencies to the
generated common/temp/pnpm-workspace.yaml for pnpm >= 11.0.0, mirroring the
allowBuilds relocation from microsoft#5817. Behavior for older pnpm is unchanged.

Fixes microsoft#5837
@brunojppb


@microsoft-github-policy-service agree

Two fixes from adversarial review of the pnpm 11 settings relocation:

1. rush-pnpm patch-commit / patch-remove read patchedDependencies from
   common/temp/package.json, which pnpm 11 no longer populates. They now read
   patchedDependencies from common/temp/pnpm-workspace.yaml for pnpm >= 11
   (mirroring the approve-builds allowBuilds path), preserving the package.json
   path for pnpm < 11 and the existing subspace + patches-folder logic.

2. Added integration coverage:
   - InstallHelpers.generateCommonPackageJson omits the relocated settings from
     package.json for pnpm 11 and still writes them for pnpm < 11.
   - RushPnpmCommandLineParser reads patchedDependencies from pnpm-workspace.yaml
     for pnpm 11 and from package.json for pnpm < 11.

Refs microsoft#5837
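The following TypeScript is an added illustration, not Rush's code and not part of this PR. It models the version-gated routing the PR description lays out (the five pnpm-config.json keys go to pnpm-workspace.yaml for pnpm >= 11 and to the package.json pnpm field before that), the read side the second commit describes for rush-pnpm patch-commit / patch-remove, and a drift check that reports any pinned override absent from the file the selected pnpm will actually honour. Only the key names in the PR's table come from the page; the function names (serializeSettings, readPatchedDependencies, missingOverrides, pnpmMajor), the in-memory modelling of the two generated files, and the sample package names are assumptions made for the example.

```typescript
// Added example, not Rush's code: models the version-gated relocation of
// pnpm-config.json settings described in this PR, plus a drift check for
// the pinned overrides. All names other than the key names in the PR's
// table are assumptions made for this example.

// The five pnpm-config.json keys this PR relocates.
interface PnpmConfigSubset {
  globalOverrides?: Record<string, string>;
  globalPackageExtensions?: Record<string, unknown>;
  globalPeerDependencyRules?: Record<string, unknown>;
  globalAllowedDeprecatedVersions?: Record<string, string>;
  globalPatchedDependencies?: Record<string, string>;
}

// pnpm-config.json key -> key pnpm itself understands (from the PR's table).
const RELOCATED_KEYS: ReadonlyArray<[keyof PnpmConfigSubset, string]> = [
  ['globalOverrides', 'overrides'],
  ['globalPackageExtensions', 'packageExtensions'],
  ['globalPeerDependencyRules', 'peerDependencyRules'],
  ['globalAllowedDeprecatedVersions', 'allowedDeprecatedVersions'],
  ['globalPatchedDependencies', 'patchedDependencies'],
];

// What Rush generates under common/temp: the "pnpm" field of package.json
// and the pnpm-workspace.yaml document, both modelled here as plain objects.
interface GeneratedFiles {
  packageJsonPnpm: Record<string, unknown>;
  workspaceYaml: Record<string, unknown>;
}

// Assumption: pnpmVersion is a concrete version such as "11.0.0", not a range.
function pnpmMajor(pnpmVersion: string): number {
  const match = /^(\d+)\.\d+\.\d+/.exec(pnpmVersion.trim());
  if (match === null) {
    throw new Error(`unrecognised pnpmVersion: ${pnpmVersion}`);
  }
  return Number(match[1]);
}

// Route each configured setting to the file the selected pnpm actually reads:
// pnpm-workspace.yaml for pnpm >= 11, the package.json "pnpm" field before that.
function serializeSettings(config: PnpmConfigSubset, pnpmVersion: string): GeneratedFiles {
  const useWorkspaceFile = pnpmMajor(pnpmVersion) >= 11;
  const generated: GeneratedFiles = { packageJsonPnpm: {}, workspaceYaml: {} };
  for (const [configKey, pnpmKey] of RELOCATED_KEYS) {
    const value = config[configKey];
    if (value === undefined) {
      continue;
    }
    const target = useWorkspaceFile ? generated.workspaceYaml : generated.packageJsonPnpm;
    target[pnpmKey] = value;
  }
  return generated;
}

// The read side the second commit describes: rush-pnpm patch-commit /
// patch-remove must look up patchedDependencies where this pnpm version keeps them.
function readPatchedDependencies(generated: GeneratedFiles, pnpmVersion: string): Record<string, string> {
  const source = pnpmMajor(pnpmVersion) >= 11 ? generated.workspaceYaml : generated.packageJsonPnpm;
  return (source.patchedDependencies as Record<string, string> | undefined) ?? {};
}

// Drift check for the security-relevant case in the PR: report every pinned
// override that is absent, or changed, in the file pnpm will honour. A
// non-empty result means a CVE pin would be silently ignored on install.
function missingOverrides(config: PnpmConfigSubset, pnpmVersion: string, generated: GeneratedFiles): string[] {
  const honoured = pnpmMajor(pnpmVersion) >= 11 ? generated.workspaceYaml : generated.packageJsonPnpm;
  const pinned = config.globalOverrides ?? {};
  const actual = (honoured.overrides as Record<string, string> | undefined) ?? {};
  return Object.keys(pinned).filter((selector) => actual[selector] !== pinned[selector]);
}

// Constructed sample pnpm-config.json content (package names are made up).
const SAMPLE_CONFIG: PnpmConfigSubset = {
  globalOverrides: { 'example-transitive-lib': '2.4.1', 'example-parser@<1.2.0': '1.2.0' },
  globalPatchedDependencies: { 'example-transitive-lib@2.4.1': 'patches/example-transitive-lib@2.4.1.patch' },
};

// Pre-fix behaviour (everything in package.json regardless of version) is
// modelled by serializing as if for pnpm 10 and then installing with pnpm 11.
const preFixOutput = serializeSettings(SAMPLE_CONFIG, '10.0.0');
console.log('pins dropped before the fix:', missingOverrides(SAMPLE_CONFIG, '11.0.0', preFixOutput));
const fixedOutput = serializeSettings(SAMPLE_CONFIG, '11.0.0');
console.log('pins dropped after the fix:', missingOverrides(SAMPLE_CONFIG, '11.0.0', fixedOutput));
```

Running the block prints both pinned selectors as dropped for the pre-fix layout under pnpm 11 and an empty list once the settings are routed to pnpm-workspace.yaml. The same missingOverrides check, fed the real generated files after a rush update, is a cheap CI guard against the silent revert the PR description warns about, independent of which Rush version wrote them.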
@brunojppb brunojppb marked this pull request as ready for review June 18, 2026 18:42