fix: support pnpm v10+ configuration in pnpm-workspace.yaml

Author: jbedard

.aspect/rules/external_repository_action_cache/npm_translate_lock_LTE4Nzc1MDcwNjU=

@@ -32,6 +32,6 @@ npm/private/test/package.json=-1933829342
 npm/private/test/vendored/is-odd/package.json=1041695223
 npm/private/test/vendored/lodash-4.17.21.tgz=-1206623349
 npm/private/test/vendored/semver-max/package.json=578664053
-package.json=1085031407
-pnpm-lock.yaml=-155745742
-pnpm-workspace.yaml=-2039776064
+package.json=-1957263621
+pnpm-lock.yaml=-1250423305
+pnpm-workspace.yaml=-1336981113

MODULE.bazel

@@ -70,13 +70,13 @@ use_repo(
 ####### Dev dependencies ########
 
 # Dev-only pnpm used for local testing
-pnpm9 = use_extension("@aspect_rules_js//npm:extensions.bzl", "pnpm", dev_dependency = True)
-pnpm9.pnpm(
-    name = "pnpm9",
-    pnpm_version = "9.15.9",
-    pnpm_version_integrity = "sha512-aARhQYk8ZvrQHAeSMRKOmvuJ74fiaR1p5NQO7iKJiClf1GghgbrlW1hBjDolO95lpQXsfF+UA+zlzDzTfc8lMQ==",
+pnpm10 = use_extension("@aspect_rules_js//npm:extensions.bzl", "pnpm", dev_dependency = True)
+pnpm10.pnpm(
+    name = "pnpm10",
+    pnpm_version = "10.22.0",
+    pnpm_version_integrity = "sha512-vwSe/plbKPUn/StBrgR0zikYb37cs79UUIe9Yfu+uyv3U2LRMH/aCcLSiOHkmXh6wS1Py2F6l0cYpgUfLu50HA==",
 )
-use_repo(pnpm9, "pnpm9")
+use_repo(pnpm10, "pnpm10")
 
 bazel_dep(name = "bazelrc-preset.bzl", version = "1.3.0", dev_dependency = True)
 bazel_dep(name = "aspect_rules_lint", version = "1.1.0", dev_dependency = True)
@@ -273,7 +273,7 @@ npm.npm_translate_lock(
         "[email protected]": ["examples/npm_deps"],
     },
     update_pnpm_lock = True,
-    use_pnpm = "@pnpm9//:package/bin/pnpm.cjs",
+    use_pnpm = "@pnpm10//:package/bin/pnpm.cjs",
     verify_node_modules_ignored = "//:.bazelignore",
     verify_patches = "//examples/npm_deps/patches:patches",
 )

npm/private/npm_translate_lock_helpers.bzl

@@ -573,23 +573,27 @@ def _normalize_bazelignore(lines):
 ################################################################################
 def _verify_lifecycle_hooks_specified(_, state):
     if state.only_built_dependencies() == None:
-        fail("""\
-ERROR: pnpm.onlyBuiltDependencies required in pnpm workspace root package.json when using pnpm v9 or later
+        msg = """\
+ERROR: pnpm 'onlyBuiltDependencies' configuration required when using pnpm v9 or later.
 
-The root package.json must be alongside the pnpm-lock.yaml file and contain a pnpm.onlyBuiltDependencies and
-will be automatically detected even if not explicitly added to data attribute.
+Packages that rules_js should generate lifecycle hook actions for must be declared in
+'onlyBuiltDependencies'.
 
-As of pnpm v9, the lockfile no longer specifies if packages have lifecycle hooks.
+As of pnpm v10 'onlyBuiltDependencies' should be configured in the pnpm-workspace.yaml file
+alongside other pnpm configuration. See https://pnpm.io/10.x/settings#onlybuiltdependencies
+for more information.
 
-Packages that rules_js should generate lifecycle hook actions for must now be declared in
-pnpm.onlyBuiltDependencies in the pnpm workspace root package.json. See
-https://pnpm.io/package_json#pnpmonlybuiltdependencies for more information.
+In pnpm v9 and earlier 'onlyBuiltDependencies' is configured in the root package.json
+pnpm.onlyBuiltDependencies. The root package.json must be alongside the pnpm-lock.yaml file
+and will be automatically detected even if not explicitly added to data attribute.
+See https://pnpm.io/9.x/package_json#pnpmonlybuiltdependencies for more information.
 
 Prior to pnpm v9, rules_js keyed off of the requiresBuild attribute in the pnpm lock
 file to determine if a lifecycle hook action should be generated for an npm package.
 See [pnpm #7707](https://github.com/pnpm/pnpm/issues/7707) for the reasons that pnpm
 removed the requiresBuild attribute from the lockfile in v9.
-""")
+"""
+        fail(msg)
 
 ################################################################################
 def _verify_patches(rctx, attr, state):

npm/private/npm_translate_lock_state.bzl

@@ -51,7 +51,8 @@ WARNING: `update_pnpm_lock` attribute in `npm_translate_lock(name = "{rctx_name}
         _init_patched_dependencies_labels(priv, rctx, attr, label_store)
 
     # May depend on lockfile state
-    _init_root_package(priv, rctx, attr, label_store)
+    _init_root_package(priv, attr, label_store)
+    _init_workspace(priv, rctx, label_store, is_windows)
 
     if _should_update_pnpm_lock(priv):
         _init_importer_labels(priv, label_store)
@@ -167,7 +168,7 @@ def _init_external_repository_action_cache(priv, attr):
     priv["external_repository_action_cache"] = attr.external_repository_action_cache if attr.external_repository_action_cache else utils.default_external_repository_action_cache()
 
 ################################################################################
-def _init_root_package(priv, rctx, attr, label_store):
+def _init_root_package(priv, attr, label_store):
     pnpm_lock_label = label_store.label("pnpm_lock")
 
     # use the directory of the pnpm_lock file as the root_package unless overridden by the root_package attribute
@@ -184,19 +185,46 @@ def _init_root_package(priv, rctx, attr, label_store):
             fail("root_package cannot be overridden if there are pnpm workspace packages specified")
         priv["root_package"] = attr.root_package
 
-    # Load a declared root package.json
+def _init_workspace(priv, rctx, label_store, is_windows):
+    root_package_json = {}
+
+    # Load pnpm settings from root package.json for pnpm <= v9.
     if label_store.has("package_json_root"):
+        # Load a declared root package.json
         root_package_json_path = label_store.path("package_json_root")
-        priv["root_package_json"] = json.decode(rctx.read(root_package_json_path))
+        root_package_json = json.decode(rctx.read(root_package_json_path))
     elif "." in priv["importers"].keys():
         # Load an undeclared package.json derived from the root importer in the lockfile
         label_store.add_sibling("lock", "package_json_root", PACKAGE_JSON_FILENAME)
         root_package_json_path = label_store.path("package_json_root")
-        priv["root_package_json"] = json.decode(rctx.read(root_package_json_path))
-    else:
-        # if there is no root importer that means there is no root package.json to read; pnpm allows
-        # you to just have a pnpm-workspaces.yaml at the root and no package.json at that location
-        priv["root_package_json"] = {}
+        root_package_json = json.decode(rctx.read(root_package_json_path))
+
+    priv["pnpm_settings"] = root_package_json.get("pnpm", {})
+
+    # Read settings from pnpm-workspace.yaml for pnpm v10+ (NOTE: pnpm 9-10+ has lockfile version 9).
+    # Support scenario where pnpm-lock.yaml was never parsed and "lock_version" is not set.
+    if label_store.has("pnpm_workspace"):
+        pnpm_workspace_path = label_store.path("pnpm_workspace")
+        if is_windows or utils.exists(rctx, pnpm_workspace_path):
+            pnpm_workspace_json, workspace_parse_err = _yaml_to_json(rctx, str(pnpm_workspace_path), is_windows)
+
+            if workspace_parse_err == None:
+                pnpm_workspace_settings, workspace_parse_err = pnpm.parse_pnpm_workspace_json(pnpm_workspace_json)
+
+                if pnpm_workspace_settings:
+                    priv["pnpm_settings"] = priv["pnpm_settings"] | pnpm_workspace_settings
+
+            if workspace_parse_err != None:
+                should_update = _should_update_pnpm_lock(priv)
+                msg = """
+        {type}: pnpm-workspace.yaml parse error {error}`.
+        """.format(type = "WARNING" if should_update else "ERROR", error = workspace_parse_err)
+
+                if should_update:
+                    # buildifier: disable=print
+                    print(msg)
+                else:
+                    fail(msg)
 
 ################################################################################
 def _init_npmrc(priv, rctx, attr, label_store):
@@ -444,24 +472,33 @@ WARNING: Cannot determine home directory in order to load home `.npmrc` file in
         _load_npmrc(priv, rctx, home_npmrc_path)
 
 ################################################################################
-def _load_lockfile(priv, rctx, attr, pnpm_lock_path, is_windows):
-    importers = {}
-    packages = {}
-    patched_dependencies = {}
-    lock_parse_err = None
-
+def _yaml_to_json(rctx, yaml_path, is_windows):
     host_yq = Label("@yq_{}//:yq{}".format(repo_utils.platform(rctx), ".exe" if is_windows else ""))
     yq_args = [
         str(rctx.path(host_yq)),
-        str(pnpm_lock_path),
+        str(yaml_path),
         "-o=json",
     ]
     result = rctx.execute(yq_args)
     if result.return_code:
-        lock_parse_err = "failed to parse pnpm lock file with yq. '{}' exited with {}: \nSTDOUT:\n{}\nSTDERR:\n{}".format(" ".join(yq_args), result.return_code, result.stdout, result.stderr)
-    else:
+        return None, "failed to parse {} with yq. '{}' exited with {}: \nSTDOUT:\n{}\nSTDERR:\n{}".format(" ".join(yq_args), yaml_path, result.return_code, result.stdout, result.stderr)
+
+    # NB: yq will return the string "null" if the yaml file is empty
+    if result.stdout != "null":
+        return result.stdout, None
+
+    return None, None
+
+def _load_lockfile(priv, rctx, attr, pnpm_lock_path, is_windows):
+    importers = {}
+    packages = {}
+    patched_dependencies = {}
+    lock_parse_err = None
+
+    lockfile_content, lock_parse_err = _yaml_to_json(rctx, str(pnpm_lock_path), is_windows)
+    if lock_parse_err == None:
         importers, packages, patched_dependencies, lock_parse_err = pnpm.parse_pnpm_lock_json(
-            result.stdout if result.stdout != "null" else None,  # NB: yq will return the string "null" if the yaml file is empty
+            lockfile_content,
             attr.no_dev,
             attr.no_optional,
         )
@@ -507,7 +544,7 @@ def _patched_dependencies(priv):
     return priv["patched_dependencies"]
 
 def _only_built_dependencies(priv):
-    return _root_package_json(priv).get("pnpm", {}).get("onlyBuiltDependencies", None)
+    return _pnpm_settings(priv).get("onlyBuiltDependencies", None)
 
 def _num_patches(priv):
     return priv["num_patches"]
@@ -521,8 +558,8 @@ def _npm_auth(priv):
 def _root_package(priv):
     return priv["root_package"]
 
-def _root_package_json(priv):
-    return priv["root_package_json"]
+def _pnpm_settings(priv):
+    return priv["pnpm_settings"]
 
 ################################################################################
 def _new(rctx_name, rctx, attr):
@@ -543,7 +580,7 @@ def _new(rctx_name, rctx, attr):
         "npm_registries": {},
         "packages": {},
         "root_package": attr.root_package,
-        "root_package_json": {},
+        "pnpm_settings": {},
         "patched_dependencies": {},
         "should_update_pnpm_lock": should_update_pnpm_lock,
     }

npm/private/pnpm.bzl

@@ -322,7 +322,29 @@ def _assert_lockfile_version(version, testonly = False):
         fail(msg)
     return msg
 
+def _parse_pnpm_workspace_json(content):
+    """Parse the content of a pnpm-workspace.yaml file.
+
+    Args:
+        content: pnpm-workspace.yaml file content as json
+
+    Returns:
+        A tuple of (packages list, error string)
+    """
+    if not content:
+        return {}, None
+
+    parsed = json.decode(content)
+    if not parsed:
+        return {}, None
+
+    if not types.is_dict(parsed):
+        return None, "pnpm-workspace should be a starlark dict"
+
+    return parsed, None
+
 pnpm = struct(
     assert_lockfile_version = _assert_lockfile_version,
     parse_pnpm_lock_json = _parse_pnpm_lock_json,
+    parse_pnpm_workspace_json = _parse_pnpm_workspace_json,
 )

npm/private/test/snapshots/npm_defs-no_dev.bzl

@@ -9,57 +9,5 @@
         "inline-fixtures": "1.1.0",
         "jsonpath-plus": "7.2.0",
         "typescript": "^5.8.0"
-    },
-    "pnpm": {
-        "onlyBuiltDependencies": [
-            "@aspect-test/c",
-            "@figma/nodegit",
-            "@kubernetes/client-node",
-            "bufferutil",
-            "esbuild",
-            "fsevents",
-            "segfault-handler",
-            "puppeteer",
-            "protoc-gen-grpc-ts"
-        ],
-        "packageExtensions": {
-            "mocha": {
-                "peerDependencies": {
-                    "mocha-multi-reporters": "*"
-                }
-            },
-            "mocha-multi-reporters": {
-                "peerDependencies": {
-                    "mocha-junit-reporter": "*"
-                }
-            },
-            "segfault-handler": {
-                "dependencies": {
-                    "node-gyp": "*"
-                }
-            },
-            "unix-dgram": {
-                "dependencies": {
-                    "node-gyp": "*"
-                }
-            },
-            "@kubernetes/client-node": {
-                "//1": "these deps are from devDependencies of @kubernetes/client-node and needed for 'prepare' lifecycle hook",
-                "//2": "https://github.com/kubernetes-client/javascript/blob/cb821e92b766f6ffba6ad8cf5e7ff6ba77c3a1c9/package.json#L28",
-                "//3": "A very specific @types/node version is required for the tsc compilation within @kubernetes/client-node",
-                "dependencies": {
-                    "@types/node": "22.7.4",
-                    "typescript": "~5.6.2"
-                }
-            }
-        },
-        "overrides": {
-            "jsonify": "https://github.com/aspect-build/test-packages/releases/download/0.0.0/@foo-jsonify-0.0.0.tgz",
-            "semver-max": "file:./npm/private/test/vendored/semver-max",
-            "is-odd": "file:./npm/private/test/vendored/is-odd"
-        },
-        "patchedDependencies": {
-            "[email protected]": "examples/npm_deps/patches/[email protected]"
-        }
     }
 }