diff --git a/.npmrc b/.npmrc
deleted file mode 100644
index 7b53b06f3fc7..000000000000
--- a/.npmrc
+++ /dev/null
@@ -1,15 +0,0 @@
-engine-strict=true
-frozen-lockfile=true
-strict-peer-dependencies=true
-link-workspace-packages=true
-
-# Disable pnpm update notifications since we use corepack to install package managers
-update-notifier=false
-# Use the number of cores on the machine by default.
-workspace-concurrency=0
-
-# Hoist these dependencies to the root workspace
-public-hoist-pattern[]=@arethetypeswrong/cli
-# ['*eslint*', '*prettier*'] is the default, so we add those as well
-public-hoist-pattern[]=*eslint*
-public-hoist-pattern[]=*prettier*
diff --git a/package.json b/package.json
index c120fae64e8c..8b95db169186 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
 "checks:fix": "fluid-build --task checks:fix",
 "ci:build": "fluid-build --task ci:build",
 "ci:build:docs": "fluid-build --task ci:build:docs",
- "ci:check:are-the-types-wrong": "pnpm run -r --parallel --no-bail --color check:are-the-types-wrong",
+ "ci:check:are-the-types-wrong": "pnpm run -r --parallel --no-bail --color=always check:are-the-types-wrong",
 "ci:test:jest": "npm run test:jest:report",
 "ci:test:jest:coverage": "c8 --no-clean npm run test:jest:report",
 "ci:test:mocha": "npm run test:mocha",
@@ -190,10 +190,9 @@
 "type-fest": "^2.19.0",
 "typescript": "~5.4.5"
 },
- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+ "packageManager": "pnpm@11.1.3+sha512.c85357fe17ca12dd23dd7071822666dfd7e3cb76fe214e3370b5ea2fb34f2a231185509b63e717f3cd0acb38dd3f8d82bcd5e8172400ae678b70ea4fbed0896d",
 "engines": {
- "node": ">=22.22.2",
- "pnpm": "10"
+ "node": ">=22.22.2"
 },
 "fluidBuild": {
 "tasks": {
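Review bot: The root engines block loses its pnpm constraint in the `@@ -190,10 +190,9 @@` hunk (`"pnpm": "10"` is removed and nothing replaces it), while the compat-workspace package.json hunk (`@@ -10,7 +10,12 @@`) adds `"pnpm": "11"` next to the same packageManager pin, so the two manifests now disagree on whether the pnpm major is enforced. With `engineStrict: true` moving into pnpm-workspace.yaml, the nested install would reject a wrong pnpm major while the root one would not. If `packageManager` plus corepack is meant to be the single source of truth, drop the nested entry; otherwise keep `"pnpm": "11"` here as well. Either way, use one convention in both files.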
@@ -349,43 +348,5 @@
 "script": false
 }
 }
- },
- "pnpm": {
- "peerDependencyComments": [
- "The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876",
- "@types/node is ignored because it is usually not needed by packages, and if it is, then the package will hit a compilation failure.",
- "Peer dependencies on fluid-framework are never fulfilled since that's an in-repo dependency; we expect a customer using some packages to install it as a dependency.",
- "markdown-magic is provided by another dependency so is ignored here.",
- "oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer dependencies."
- ],
- "peerDependencyRules": {
- "allowedVersions": {
- "react": "18.3.1",
- "react-dom": "18.3.1"
- },
- "ignoreMissing": [
- "@types/node",
- "fluid-framework",
- "markdown-magic",
- "@aws-sdk/*"
- ]
- },
- "patchedDependencies": {
- "@microsoft/api-extractor@7.58.1": "patches/@microsoft__api-extractor@7.58.1.patch"
- },
- "onlyBuiltDependencies": [
- "@azure/msal-node-extensions",
- "@azure/msal-node-runtime",
- "@biomejs/biome",
- "@parcel/watcher",
- "@vvago/vale",
- "classic-level",
- "core-js",
- "esbuild",
- "keytar",
- "msgpackr-extract",
- "puppeteer",
- "unrs-resolver"
- ]
 }
 }
diff --git a/packages/test/test-version-utils/compat-workspaces/full/package.json b/packages/test/test-version-utils/compat-workspaces/full/package.json
index 7c8dd93cfba6..7fa9b751b5e3 100644
--- a/packages/test/test-version-utils/compat-workspaces/full/package.json
+++ b/packages/test/test-version-utils/compat-workspaces/full/package.json
@@ -10,7 +10,12 @@
 },
 "license": "MIT",
 "author": "Microsoft and contributors",
- "scripts": {
- "preinstall": "node ../scripts/only-pnpm.cjs"
- }
+ "scripts": {
+ "preinstall": "node ../../../../../scripts/only-pnpm.cjs"
+ },
+ "packageManager": "pnpm@11.1.3+sha512.c85357fe17ca12dd23dd7071822666dfd7e3cb76fe214e3370b5ea2fb34f2a231185509b63e717f3cd0acb38dd3f8d82bcd5e8172400ae678b70ea4fbed0896d",
+ "engines": {
+ "node": ">=22.22.2",
+ "pnpm": "11"
+ }
 }
diff --git a/packages/test/test-version-utils/compat-workspaces/scripts/only-pnpm.cjs b/packages/test/test-version-utils/compat-workspaces/scripts/only-pnpm.cjs
deleted file mode 100644
index 91d351b71e3b..000000000000
--- a/packages/test/test-version-utils/compat-workspaces/scripts/only-pnpm.cjs
+++ /dev/null
@@ -1,29 +0,0 @@
-/*!
- * Copyright (c) Microsoft Corporation and contributors. All rights reserved.
- * Licensed under the MIT License.
- */
-
-/**
- * This script is used to prompt users to use pnpm in a project. This helps guide new contributors to the right tools.
- * To use this script in a project, add a "preinstall" script to the package.json that calls this script.
- */
-
-const message = `
-╔══════════════════════════════════════════════════════════════════╗
-║ ║
-║ Use "pnpm install" for installation in this project. ║
-║ ║
-║ If you don't have pnpm, enable corepack via "corepack enable". ║
-║ Then run "pnpm install" to install dependencies. ║
-║ ║
-║ For more details, see the README. ║
-║ ║
-╚══════════════════════════════════════════════════════════════════╝
-`;
-
-const used_pnpm = process.env.npm_config_user_agent.startsWith(`pnpm`);
-
-if (!used_pnpm) {
- console.error(message);
- process.exit(1);
-}
diff --git a/packages/test/test-version-utils/package.json b/packages/test/test-version-utils/package.json
index 3f703e326bd6..a1c864d10679 100644
--- a/packages/test/test-version-utils/package.json
+++ b/packages/test/test-version-utils/package.json
@@ -43,7 +43,7 @@
 "eslint:fix": "eslint --quiet --format stylish src --fix --fix-type problem,suggestion,layout",
 "format": "npm run format:biome",
 "format:biome": "biome check . --write",
- "postinstall": "pnpm --dir compat-workspaces/full install --frozen-lockfile",
+ "postinstall": "pnpm --dir compat-workspaces/full install --frozen-lockfile --config.confirmModulesPurge=false",
 "lint": "fluid-build . --task lint",
 "lint:fix": "fluid-build . --task eslint:fix --task format",
 "test": "npm run test:mocha",
diff --git a/packages/tools/changelog-generator-wrapper/.npmrc b/packages/tools/changelog-generator-wrapper/.npmrc
deleted file mode 100644
index ff7cd5deb92b..000000000000
--- a/packages/tools/changelog-generator-wrapper/.npmrc
+++ /dev/null
@@ -1,6 +0,0 @@
-engine-strict=true
-frozen-lockfile=true
-strict-peer-dependencies=true
-
-# Disable pnpm update notifications since we use corepack to install package managers
-update-notifier=false
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 9cc9d0076685..ddbf4457dbb4 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -25,16 +25,21 @@ packages:
 # Supply chain security settings - see /DEV.md for documentation
 minimumReleaseAge: 1440
+
 minimumReleaseAgeExclude: [
 # Temporary exceptions go here as needed.
 ]
+
 resolutionMode: highest
+
 blockExoticSubdeps: true
+
 # See: https://github.com/orgs/pnpm/discussions/11084 for some discussion.
 # Enabling no-downgrade requires every transitive trust-policy violation to either be remediated
 # at the source or excluded below with a documented rationale. Run `flub check trustPolicy` to
 # surface current violations.
 trustPolicy: no-downgrade
+
 trustPolicyExclude:
 # axios@0.30.3 is the last legitimate 0.30.x release (published 2026-02-18). The trust
 # downgrade fires because 0.30.x was published via direct CLI rather than the OIDC/GitHub
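Review bot: `--config.confirmModulesPurge=false` on the new postinstall line turns off the confirmation pnpm asks for before it deletes an existing node_modules whose settings no longer match, so the nested install can now wipe and rebuild `compat-workspaces/full/node_modules` on every root install without asking. That is presumably what a non-interactive hook needs, but nothing on the page records why the prompt had to go, and package.json cannot carry a comment. The pnpm 11 notes being added to pnpm-workspace.yaml are the natural place, e.g. `# test-version-utils' postinstall passes --config.confirmModulesPurge=false so the nested compat-workspace install never blocks on the modules-purge prompt.`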
@@ -67,13 +72,16 @@ trustPolicyExclude:
 # current 7.x line publishes through the npm-cli OIDC/Actions pipeline. The 5.x/6.x
 # lines will not be retroactively re-published with provenance. Pulled in by widely-
 # used legacy tooling that pins ^5 / ^6.
- - "semver@5.7.2"
- - "semver@6.3.1"
+ # Note: multiple versions of the same package must be combined with "||" — pnpm's
+ # trust-policy evaluator returns on the first name match and does not aggregate
+ # subsequent entries for the same package.
+ - "semver@5.7.2||6.3.1"
 # undici-types@6.21.0 (published 2024-11-13, by matteo.collina) — pipeline regression.
 # Prior trusted: undici-types@6.19.2 (provenance, 2024-06-18, by matteo.collina).
 # Same publisher (undici project lead). Type-only package (.d.ts shipped from undici
 # repo); provenance attestation was lost on a subsequent 6.x release.
 - "undici-types@6.21.0"
+
 strictDepBuilds: true
 catalogs:
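Review bot: The new comment above `- "semver@5.7.2||6.3.1"` justifies the `||` workaround with a claim about pnpm's trust-policy evaluator (first name match wins, later entries for the same package are ignored) but cites nothing, unlike the discussion link a few lines up in this file; a reference lets the next maintainer tell when the entries can be split again. Suggest ending the note with `# Tracked upstream at <UPSTREAM_ISSUE_URL>; revert to one entry per version once fixed.` Separately, `strictDepBuilds: true` stays in force as context in this hunk, while the `onlyBuiltDependencies` allow list (esbuild, puppeteer, keytar, …) is deleted from package.json in the `@@ -349,43 +348,5 @@` hunk and does not reappear in the visible part of the pnpm-workspace.yaml hunk, which is cut off at the end of the page. If it was not carried over, the next install fails on those build scripts rather than running them, so confirm the list landed below the cut.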
@@ -93,82 +101,127 @@ catalogs:
 overrides:
 # biome is overridden to make review of the upgrade easier. This can be removed once merged.
- "@biomejs/biome": "~2.4.5"
-
+ "@biomejs/biome": ~2.4.5
 # node types are forced to a consistent version to avoid conflicts between globals.
- "@types/node": "catalog:types"
-
- # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in
- # their major range so they are bumped to the nearest patched major.
- "diff@>=3 <4": "^4.0.4"
- "diff@>=5 <6": "^5.2.2"
- "diff@>=7 <8": "^8.0.3"
- "diff@>=8 <9": "^8.0.3"
-
- # fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity
- # expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
- "fast-xml-parser": "^4.5.4"
-
- # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.
- "node-forge": "^1.4.0"
-
- # nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do
- # not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105
- # for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not
- # being there.
- "good-fences>nodegit": "npm:empty-npm-package@1.0.0"
-
- # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
- "qs": "^6.15.0"
-
- # simple-git: overridden to ^3.32.3 to resolve a CG alert.
- "simple-git": "^3.32.3"
-
- # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.
- "systeminformation": "^5.31.0"
-
- # codemirror and marked overrides are because simplemde uses * versions, and the fully up to date versions of its
- # deps do not work. packageExtensions was tried to fix this, but did not work.
- "simplemde>codemirror": "^5.65.11"
- "simplemde>marked": "^4.3.0"
-
- # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it
- # forces a version that meets peer dependency requirements is installed.
- "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4"
-
- # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce
- # lockfile churn since the deps release very frequently.
- "oclif>@aws-sdk/client-cloudfront": "-"
- "oclif>@aws-sdk/client-s3": "-"
-
- # axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't
- # enough on a pre-1.0 package.
- "axios@<0.30.0": "^0.30.0"
-
- # tar: Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+ "@types/node": catalog:types
+ # diff is overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x
+ # have no fix in their major range so they are bumped to the nearest patched major.
+ diff@>=3 <4: ^4.0.4
+ diff@>=5 <6: ^5.2.2
+ diff@>=7 <8: ^8.0.3
+ diff@>=8 <9: ^8.0.3
+ # fast-xml-parser is overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass,
+ # DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
+ fast-xml-parser: ^4.5.4
+ # node-forge is overridden to ^1.4.0 to resolve known security vulnerabilities.
+ node-forge: ^1.4.0
+ # nodegit is replaced with an empty package here because it's currently only used by good-fences for
+ # features we do not need, and has issues building when changing node versions.
+ # See https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely
+ # drop it results in build failures complaining about nodegit not being there.
+ good-fences>nodegit: npm:empty-npm-package@1.0.0
+ # qs is overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: ^6.15.0
+ # overridden to resolve a CG alert.
+ simple-git: ^3.32.3
+ # overridden to resolve command injection vulnerabilities.
+ systeminformation: ^5.31.0
+ # codemirror and marked overrides are because simplemde uses * versions, and the fully up-to-date
+ # versions of its deps do not work. packageExtensions was tried to fix this, but did not work.
+ simplemde>codemirror: ^5.65.11
+ simplemde>marked: ^4.3.0
+ # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation,
+ # so overriding it forces a version that meets peer dependency requirements to be installed.
+ "@fluentui/react-positioning>@floating-ui/dom": ~1.5.4
+ # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies.
+ # This helps reduce lockfile churn since the deps release very frequently.
+ oclif>@aws-sdk/client-cloudfront: "-"
+ oclif>@aws-sdk/client-s3: "-"
+ # axios pre-1.0 needs an override to stay current on a version with no reported CVEs.
+ # Caret dependencies aren't enough on a pre-1.0 package.
+ axios@<0.30.0: ^0.30.0
+ # Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
 # GHSA-34x7-hfp2-rc4v).
- "tar": "^7.5.11"
-
+ tar: ^7.5.11
 # minimatch: overridden to patched versions to resolve a known security vulnerability.
- "minimatch@>=3 <4": "^3.1.5"
- "minimatch@>=5 <6": "^5.1.9"
- "minimatch@>=6 <7": "^6.2.3"
- "minimatch@>=7 <8": "^7.4.9"
- "minimatch@>=8 <9": "^8.0.7"
- "minimatch@>=9 <10": "^9.0.9"
- "minimatch@>=10 <11": "^10.2.4"
-
- # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible
- # (only drops Node <20 support).
- "serialize-javascript@>=6 <7": "^7.0.4"
-
- # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
- "express@>=4 <5": "^4.22.1"
-
- # picomatch: overridden to patched versions to resolve a known security vulnerability.
- "picomatch@>=2 <3": "^2.3.2"
- "picomatch@>=4 <5": "^4.0.4"
-
- # langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the
- # override is needed to cross the minor version boundary.
- "langsmith": "^0.5.15"
+ minimatch@>=3 <4: ^3.1.5
+ minimatch@>=5 <6: ^5.1.9
+ minimatch@>=6 <7: ^6.2.3
+ minimatch@>=7 <8: ^7.4.9
+ minimatch@>=8 <9: ^8.0.7
+ minimatch@>=9 <10: ^9.0.9
+ minimatch@>=10 <11: ^10.2.4
+
+ # serialize-javascript is overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq.
+ # No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).
+ serialize-javascript@>=6 <7: ^7.0.4
+ # express is overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
+ express@>=4 <5: ^4.22.1
+ # picomatch is overridden to patched versions to resolve a known security vulnerability.
+ picomatch@>=2 <3: ^2.3.2
+ picomatch@>=4 <5: ^4.0.4
+ # langsmith is overridden to ^0.5.15 to resolve a known security vulnerability.
+ # The consumer declares ^0.3.x so the override is needed to cross the minor version boundary.
+ langsmith: ^0.5.15
+
+peerDependencyRules:
+ # The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't
+ # seem to be maintained and it works fine with React 18. TODO: AB#18876
+ allowedVersions:
+ react: 18.3.1
+ react-dom: 18.3.1
+ ignoreMissing:
+ # @types/node is ignored because it is usually not needed by packages, and if it is, then the
+ # package will hit a compilation failure.
+ - '@types/node'
+ # Peer dependencies on fluid-framework are never fulfilled since that's an in-repo dependency;
+ # we expect a customer using some packages to install it as a dependency.
+ - fluid-framework
+ # markdown-magic is provided by another dependency so is ignored here.
+ - markdown-magic
+ # oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer
+ # dependencies.
+ - '@aws-sdk/*'
+
+patchedDependencies:
+ '@microsoft/api-extractor@7.58.1': patches/@microsoft__api-extractor@7.58.1.patch
+
+engineStrict: true
+
+frozenLockfile: true
+
+strictPeerDependencies: true
+
+linkWorkspacePackages: true
+
+# Disable pnpm update notifications since we use corepack to install package managers
+updateNotifier: false
+
+# Use the number of cores on the machine by default.
+workspaceConcurrency: 0
+
+# pnpm 11 enabled this check by default, which runs a frozen-lockfile install before every `pnpm run