sdkbuild: pass --ignore-scripts to harness pnpm install#813
Merged
brianstrauch merged 4 commits intomainfrom May 7, 2026
Merged
sdkbuild: pass --ignore-scripts to harness pnpm install#813brianstrauch merged 4 commits intomainfrom
brianstrauch merged 4 commits intomainfrom
Conversation
7da2c69 to
62ddaba
Compare
pnpm 10.33's strict-builds policy fails the harness install with
ERR_PNPM_IGNORED_BUILDS for any dep with an unapproved install script:
[ERR_PNPM_IGNORED_BUILDS] Ignored build scripts: \
@swc/core@1.15.33, protobufjs@7.5.5, protobufjs@7.5.6
Whitelisting via pnpm.onlyBuiltDependencies is the documented escape
hatch. Both packages have shipped install scripts for years; this just
makes pnpm's new strict default explicit for the harness.
The protobufjs version override is left at 7.5.1 — the SDK's protobufjs
patch lives in its own root pnpm.patchedDependencies and never reaches
the harness install, so the version chosen here doesn't materially
affect runtime behavior.
873fd68 to
9107b50
Compare
9107b50 to
f69065f
Compare
pnpm 10 fails the harness install with `ERR_PNPM_IGNORED_BUILDS` when
any transitive dep ships an unapproved postinstall script:
[ERR_PNPM_IGNORED_BUILDS] Ignored build scripts: \
@swc/core@1.15.33, protobufjs@...
The SDK install just above already passes `--ignore-scripts` for the
same reason; this mirrors that for the harness install.
Tried more targeted alternatives first; none take effect in the GitHub
Actions runner (same configs work locally with the same pnpm 10.33.4):
- `pnpm.onlyBuiltDependencies` in package.json — silently ignored
- `onlyBuiltDependencies` in pnpm-workspace.yaml — silently ignored
- `--config.onlyBuiltDependencies[]=...` CLI override — silently ignored
- `--allow-build` flag — does not exist in pnpm 10
`--ignore-scripts` is the same approach the SDK install already uses
and is the only knob that's been observed to work in CI here.
f69065f to
145ac72
Compare
chris-olszewski
approved these changes
May 7, 2026
brianstrauch
commented
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--ignore-scriptsfor the same reason. This change mirrors that for the harness install.pnpm.overrides/pnpm.onlyBuiltDependenciesroute does not help — the rejection is a strict-build policy, not a version mismatch (verified empirically: even withonlyBuiltDependencies: ["@swc/core", "protobufjs"]set in the generated package.json, pnpm 10.33.4 in CI still raisesERR_PNPM_IGNORED_BUILDS).Test plan