BUG - @zowe/secrets-for-zowe-sdk cannot be resolved when using pnpm package manager

[CLVNSwan]

Related Feature

Feature request: Secure Store / Backend Proxy Authentication

Description

When using pnpm as the package manager, the @sap-ux/store package fails to load the optional @zowe/secrets-for-zowe-sdk dependency. This causes the secure store functionality to fall back to DummyStore, which means automatic SAP backend authentication does not work.

The root cause is that pnpm uses a strict isolated node_modules structure (.pnpm/<package>@<version>/node_modules/<package>), and the current code in loadZoweSecretSdk() (in packages/store/src/secure-store/index.ts) only handles:

1. Direct require('@zowe/secrets-for-zowe-sdk')
2. VS Code extension paths (~/.vscode/extensions/sapse.sap-ux-application-modeler-extension-*/...)

Neither of these work with pnpm's symlinked structure.

Steps to Reproduce

1. Create a UI5/Fiori project using pnpm as the package manager
2. Add @sap-ux/backend-proxy-middleware as a dependency
3. Configure the backend proxy in ui5.yaml
4. Run pnpm start

Expected results

The Zowe secrets SDK should be loaded successfully, enabling secure credential storage and automatic SAP backend authentication.

Actual results

The following warning appears in the console:

warn backend-proxy-middleware Cannot find module '@zowe/secrets-for-zowe-sdk'

The secure store falls back to DummyStore, and automatic login to the SAP backend no longer works. Users must re-enter credentials.

Screenshots

N/A

Version/Components/Environment

• @sap-ux/store version: 1.5.11 / 1.5.12 (latest)
• @sap-ux/backend-proxy-middleware version: 0.11.3
• Package Manager: pnpm v10.26.1
• Node.js: v22.x

OS:

• Mac OS
• Windows
• Other

---

Additional Technical Context

Why pnpm is Different

pnpm stores packages in a content-addressable store and uses symlinks. The actual module location is:

node_modules/.pnpm/@zowe+secrets-for-zowe-sdk@8.x.x/node_modules/@zowe/secrets-for-zowe-sdk

Standard require() cannot resolve this path when the consuming package (@sap-ux/store) is itself inside the .pnpm structure.

Proposed Solution

Add a fallback in loadZoweSecretSdk() that searches for the Zowe SDK in pnpm's .pnpm directory structure by traversing up from __dirname and looking for @zowe+secrets-for-zowe-sdk@* directories.

Workaround

Add the following to your .npmrc file to hoist the @zowe/secrets-for-zowe-sdk package to the root node_modules:

public-hoist-pattern[]=@zowe/secrets-for-zowe-sdk

Then reinstall dependencies:

pnpm install

This makes the package resolvable via standard require() by placing it in the root node_modules directory alongside the symlinked structure.

Impact

This affects all users who use pnpm as their package manager and rely on @sap-ux/backend-proxy-middleware for development proxy with automatic SAP backend authentication. With the increasing adoption of pnpm (especially in monorepo setups), this is becoming a more common issue.

[kjose90]

Hi @CLVNSwan, thanks for the bug report.

I spent time trying to reproduce this issue locally but was unable to replicate it. Here's what I found:

On both Mac and Windows, pnpm correctly creates a symlink for @zowe/secrets-for-zowe-sdk inside @sap-ux/store's own scoped node_modules. This means the existing
require('@zowe/secrets-for-zowe-sdk') call actually finds and loads the SDK successfully - so the fallback to DummyStore never gets invoked.

Pasting a screenshot on attempt in windows similar to your steps to reproduce and environment you shared

The output was Using KeyStoreManager for secure storage - working as expected.

Maybe there is something specific in your environment which maybe preventing pnpm from creating the symlink. Could you help us narrow it down by sharing:

1. The contents of your .npmrc file if you have one
2. Output of pnpm config list
3. Output of ls node_modules/.pnpm/@sap-ux+store@1.5.12/node_modules/@zowe
4. If possible, a zipped dummy project where you can reproduce the bug

This will help us understand what's different in your environment and whether a code change is needed.