chore: enforce pnpm via preinstall guard #3296
Closed
nynexman4464 wants to merge 1 commit into
Adds a root `preinstall` script using `only-allow pnpm` so running `npm install` or `yarn install` fails fast with a clear message instead of producing a broken `node_modules` (or an ERESOLVE dependency-tree error, which is what surfaces today). The repo already declares `packageManager: pnpm@10.34.1`, but that is purely advisory — npm and yarn ignore it. This makes the requirement enforceable. Also adds a one-line note to README and CONTRIBUTING pointing to the guard.
PR Analysis Report

No new or modified components detected.

Accessibility Audit status: No accessibility violations detected.

Generated by PR Enrichment workflow
What

Adds a root `preinstall` script that runs `only-allow pnpm`, so attempts to install with `npm` or `yarn` fail fast with a clear message instead of producing a broken `node_modules` (or an `ERESOLVE` dependency-tree error, which is the surface symptom today).

Why

The repo already declares `packageManager: pnpm@10.34.1` in `package.json`, but that field is purely advisory — `npm` and `yarn` ignore it.

Recent example: a contributor on Windows ran `npm install` against the latest branch and hit `ERESOLVE` from a peer-dep conflict between `@modelcontextprotocol/sdk` and `mcp-handler` in `apps/docsite`. pnpm tolerates that conflict; npm rejects it. The user-visible error blames the deps, but the real issue is that we shouldn't be running npm in the first place.

With this PR, running npm/yarn fails immediately with the standard `only-allow` message:

How

`package.json`: `"preinstall": "npx -y only-allow pnpm"`

`npx -y` keeps the implementation registry-only — no new entry in `devDependencies`, no lockfile churn. (If we want to avoid even the registry fetch, we could inline a small Node script — happy to switch if preferred.)

Notes

`npm_config_user_agent` so the guard is a no-op when invoked correctly.

Testing

Tested locally by running `npm install` against a minimal package.json carrying just the `preinstall` script — the script fires and the install aborts non-zero before any deps are resolved.
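The inline-script alternative mentioned under "How", sketched as an added example (not code from this PR or from `only-allow`): a guard that reads `npm_config_user_agent` locally, so the install never fetches and executes a registry package before dependencies resolve. The script path, the function names and the sample user-agent strings in the comments are assumptions made for illustration.

```javascript
// Hypothetical file: scripts/preinstall-guard.js, wired in package.json as
//   "preinstall": "node scripts/preinstall-guard.js"
const REQUIRED = 'pnpm';

// npm, yarn and pnpm export npm_config_user_agent to lifecycle scripts, e.g.
// "pnpm/10.34.1 npm/? node/v22.0.0 linux x64" (constructed sample).
// Only the first token names the client; yarn and pnpm strings also contain
// "npm/?", so a substring test for "npm" or "pnpm" would misclassify them.
function parseUserAgent(ua) {
  if (typeof ua !== 'string') return null;
  const first = ua.trim().split(/\s+/)[0];
  const m = /^([a-z][a-z0-9._-]*)\/(\S+)$/i.exec(first);
  return m ? { name: m[1].toLowerCase(), version: m[2] } : null;
}

// Returns { ok, reason }. A missing or malformed user agent fails closed;
// that is this example's design choice.
function checkPackageManager(env) {
  const pm = parseUserAgent(env.npm_config_user_agent);
  if (pm === null) {
    return { ok: false, reason: 'npm_config_user_agent is missing or malformed' };
  }
  if (pm.name !== REQUIRED) {
    return {
      ok: false,
      reason: `install with ${REQUIRED}, not ${pm.name}/${pm.version}`,
    };
  }
  return { ok: true, reason: `${pm.name}/${pm.version}` };
}

// Enforce only when a package manager runs this file as the preinstall
// lifecycle script (npm_lifecycle_event is set by the package manager), so
// loading the file anywhere else has no side effects.
if (process.env.npm_lifecycle_event === 'preinstall') {
  const result = checkPackageManager(process.env);
  if (!result.ok) {
    console.error(`preinstall guard: ${result.reason}`);
    process.exit(1); // non-zero exit aborts the install before resolution
  }
}
```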