pnpm ≥ 7.20 runs prepublishOnly even on --ignore-scripts

[ai]

pnpm version:

7.22.0

Code to reproduce the issue:

I can’t reproduce it locally, but see on CI: https://github.com/evilmartians/oklch-picker/actions/runs/3831016173/jobs/6519618073

Expected behavior:

No prepublishOnly logs on pnpm install --frozen-lockfile --ignore-scripts call

Actual behavior:

prepublishOnly records (and a build error, but the whole build script should not be run).

Additional information:

• node -v prints: 18.12.1
• Windows, macOS, or Linux?: Linux

[zkochan]

If you have a git-hosted dependency then it needs to be built. I don't think this can be changed. All we can do is to throw an exception if there is a git-hosted dependency that needs to be built and ignore-scripts is used.

Related issue: #5826

[ai]

The main problem is that --ignore-scripts is a security tool to avoid attack from the dependency’s scripts. If we run prepublishOnly the protection doesn’t work.

1. Is it how npm works with prepublishOnly and --ignore-scripts?
2. Should we add some --ignore-all-scripts?

[zkochan]

Looks like npm doesn't build the git-hosted dependencies when --ignore-scripts is used. So we should do the same. But we should also add warnings when this happens. Also, the unbuilt git-hosted dependency should be saved in a different location in the content-addressable store. Otherwise, the next time it will be installed without --ignore-scripts, the unbuilt version will be linked to node_modules.

[kripod]

Thanks for fixing this, I highly appreciate all the hard work dedicated to pnpm 🙌

Unfortunately, v7.20 broke my CI pipeline as I’m trying to pull in moonlight-vscode-theme as a package.json dependency through git. However, in that case, pnpm wants to execute the build script of that package, which fails on CI.

I could provide --ignore-scripts as a flag to pnpm – however, that’d break dependencies like sharp which have to be built on CI.

@zkochan is there a way to allowlist/blocklist scripts of certain packages, rather than either ignoring all or nothing? Thanks for your response in advance.

[kripod]

Turns out my issue could be solved via `.pnpmfile.cjs:

module.exports = {
  hooks: {
    readPackage: (pkg) => {
      if (pkg.name === "moonlight") {
        pkg.scripts = {};
      }

      return pkg;
    },
  },
};

[zkochan]

@kripod I don't think it will work through .pnpmfile.cjs.

There are currently two settings that control what projects are built: neverBuiltDependencies and onlyBuiltDependencies. Unfortunately, they currently don't work with git-hosted dependencies.

[kripod]

@zkochan Thank you! 😊 I’ve tried the .pnpmfile.cjs above and it fixed my issues on CI with the latest version of pnpm, so that’s okay for now.