Skip to content

chore: enforce pnpm via preinstall guard#3296

Closed
nynexman4464 wants to merge 1 commit into
mainfrom
navi/chore/enforce-pnpm
Closed

chore: enforce pnpm via preinstall guard#3296
nynexman4464 wants to merge 1 commit into
mainfrom
navi/chore/enforce-pnpm

Conversation

@nynexman4464

@nynexman4464 nynexman4464 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Adds a root preinstall script that runs only-allow pnpm, so attempts to install with npm or yarn fail fast with a clear message instead of producing a broken node_modules (or an ERESOLVE dependency-tree error, which is the surface symptom today).

Why

The repo already declares packageManager: pnpm@10.34.1 in package.json, but that field is purely advisory — npm and yarn ignore it.

Recent example: a contributor on Windows ran npm install against the latest branch and hit ERESOLVE from a peer-dep conflict between @modelcontextprotocol/sdk and mcp-handler in apps/docsite. pnpm tolerates that conflict; npm rejects it. The user-visible error blames the deps, but the real issue is that we shouldn't be running npm in the first place.

With this PR, running npm/yarn fails immediately with the standard only-allow message:

Use "pnpm install" for installation in this project.

How

  • package.json: "preinstall": "npx -y only-allow pnpm"
  • README + CONTRIBUTING: one-line note that the guard exists

npx -y keeps the implementation registry-only — no new entry in devDependencies, no lockfile churn. (If we want to avoid even the registry fetch, we could inline a small Node script — happy to switch if preferred.)

Notes

  • pnpm itself sets npm_config_user_agent so the guard is a no-op when invoked correctly.
  • This does not address how someone gets pnpm in the first place — that's the README/Corepack docs question, which I'm splitting out into a separate PR for discussion (Node v25 no longer ships Corepack by default).

Testing

Tested locally by running npm install against a minimal package.json carrying just the preinstall script — the script fires and the install aborts non-zero before any deps are resolved.

Adds a root `preinstall` script using `only-allow pnpm` so running
`npm install` or `yarn install` fails fast with a clear message instead
of producing a broken `node_modules` (or an ERESOLVE dependency-tree
error, which is what surfaces today).

The repo already declares `packageManager: pnpm@10.34.1`, but that is
purely advisory — npm and yarn ignore it. This makes the requirement
enforceable.

Also adds a one-line note to README and CONTRIBUTING pointing to the
guard.
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Meta Open Source bot. label Jun 30, 2026
@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
astryx Ready Ready Preview, Comment Jun 30, 2026 11:35pm

Request Review

@github-actions

Copy link
Copy Markdown
Contributor

PR Analysis Report

📚 Storybook Preview

View Storybook for this PR
GitHub Pages may take up to a minute to hydrate after deploy.

🧪 Sandbox Preview

View Sandbox for this PR
GitHub Pages may take up to a minute to hydrate after deploy.

No new or modified components detected.

Bundle Size Summary

Package Size (ESM) Size (CJS) Gzipped
@astryxdesign/core N/A 4.6KB 0B

Accessibility Audit

Status: No accessibility violations detected.


Generated by PR Enrichment workflow | Storybook | Sandbox | View full report

github-actions Bot added a commit that referenced this pull request Jun 30, 2026
@nynexman4464 nynexman4464 marked this pull request as ready for review July 1, 2026 00:51
@nynexman4464 nynexman4464 deleted the navi/chore/enforce-pnpm branch July 1, 2026 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant