Update syncpack to v15 and move pnpm overrides to pnpm workspace file

.syncpackrc.yml

@@ -87,6 +87,9 @@ semverGroups:
   - label: "Must use exact dependency ranges"
     dependencies:
       - "@tiny-calc/*"
+      # @tylerbu/markdown-magic is currently pinned to a tagged prerelease (e.g. 2.4.0-tylerbu-1); a caret range on a
+      # prerelease won't include other prereleases, so an exact pin is the intended behavior.
+      - "@tylerbu/markdown-magic"
       - "@graphql-codegen/cli"
       - "@graphql-codegen/typescript"
       - "@material-ui/*"

build-tools/README.md

@@ -28,11 +28,17 @@ It is very useful to test changes in build-tools against the client release grou
 build-tools is limited, and manually testing locally with the client will expose obvious things like broken incremental
 builds, etc.
 
-The easiest way to test build-tools in client is to use pnpm overrides. You can use the following command from the root of the repo to update the
-root package.json and lockfile to link to the local version of build-tools:
+The easiest way to test build-tools in client is to use pnpm overrides. Add the following entries under the `overrides:`
+key in the repo root's `pnpm-workspace.yaml`, then refresh the lockfile:
+
+```yaml
+overrides:
+  # ... existing entries ...
+  "@fluidframework/build-tools": "link:./build-tools/packages/build-tools"
+  "@fluid-tools/build-cli": "link:./build-tools/packages/build-cli"
+```
 
 ```
-npm pkg set pnpm.overrides.@fluidframework/build-tools=link:./build-tools/packages/build-tools pnpm.overrides.@fluid-tools/build-cli=link:./build-tools/packages/build-cli
 pnpm i --no-frozen-lockfile
 ```
 

package.json

@@ -186,7 +186,7 @@
 		"puppeteer": "^23.6.0",
 		"rimraf": "^6.1.3",
 		"run-script-os": "^1.1.6",
-		"syncpack": "^14.0.2",
+		"syncpack": "^15.1.2",
 		"type-fest": "^2.19.0",
 		"typescript": "~5.4.5"
 	},
@@ -351,59 +351,6 @@
 		}
 	},
 	"pnpm": {
-		"comments": [
-			"biome is overridden to make review of the upgrade easier. This can be removed once merged.",
-			"node types are forced to a consistent version to avoid conflicts between globals.",
-			"nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not being there.",
-			"codemirror and marked overrides are because simplemde use * versions, and the fully up to date versions of its deps do not work. packageExtensions was tried to fix this, but did not work.",
-			"@fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it forces a version that meets peer dependency requirements is installed.",
-			"oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce lockfile churn since the deps release very frequently.",
-			"axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't enough on a pre-1.0 package.",
-			"Security overrides: tar is overridden to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v).",
-			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
-			"fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.",
-			"systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
-			"diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in their major range so they are bumped to the nearest patched major.",
-			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
-			"express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.",
-			"picomatch: overridden to patched versions to resolve a known security vulnerability.",
-			"node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.",
-			"langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the override is needed to cross the minor version boundary."
-		],
-		"overrides": {
-			"@biomejs/biome": "~2.4.5",
-			"@types/node": "catalog:types",
-			"diff@>=3 <4": "^4.0.4",
-			"diff@>=5 <6": "^5.2.2",
-			"diff@>=7 <8": "^8.0.3",
-			"diff@>=8 <9": "^8.0.3",
-			"fast-xml-parser": "^4.5.4",
-			"node-forge": "^1.4.0",
-			"good-fences>nodegit": "npm:empty-npm-package@1.0.0",
-			"qs": "^6.15.0",
-			"simple-git": "^3.32.3",
-			"systeminformation": "^5.31.0",
-			"simplemde>codemirror": "^5.65.11",
-			"simplemde>marked": "^4.3.0",
-			"@fluentui/react-positioning>@floating-ui/dom": "~1.5.4",
-			"oclif>@aws-sdk/client-cloudfront": "-",
-			"oclif>@aws-sdk/client-s3": "-",
-			"axios@<0.30.0": "^0.30.0",
-			"tar": "^7.5.11",
-			"minimatch@>=3 <4": "^3.1.5",
-			"minimatch@>=5 <6": "^5.1.9",
-			"minimatch@>=6 <7": "^6.2.3",
-			"minimatch@>=7 <8": "^7.4.9",
-			"minimatch@>=8 <9": "^8.0.7",
-			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4",
-			"serialize-javascript@>=6 <7": "^7.0.4",
-			"express@>=4 <5": "^4.22.1",
-			"picomatch@>=2 <3": "^2.3.2",
-			"picomatch@>=4 <5": "^4.0.4",
-			"langsmith": "^0.5.15"
-		},
 		"peerDependencyComments": [
 			"The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876",
 			"@types/node is ignored because it is usually not needed by packages, and if it is, then the package will hit a compilation failure.",

pnpm-workspace.yaml

@@ -90,3 +90,85 @@ catalogs:
   # Type definitions
   types:
     "@types/node": "~22.19.17"
+
+overrides:
+  # biome is overridden to make review of the upgrade easier. This can be removed once merged.
+  "@biomejs/biome": "~2.4.5"
+
+  # node types are forced to a consistent version to avoid conflicts between globals.
+  "@types/node": "catalog:types"
+
+  # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in
+  # their major range so they are bumped to the nearest patched major.
+  "diff@>=3 <4": "^4.0.4"
+  "diff@>=5 <6": "^5.2.2"
+  "diff@>=7 <8": "^8.0.3"
+  "diff@>=8 <9": "^8.0.3"
+
+  # fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity
+  # expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
+  "fast-xml-parser": "^4.5.4"
+
+  # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.
+  "node-forge": "^1.4.0"
+
+  # nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do
+  # not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105
+  # for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not
+  # being there.
+  "good-fences>nodegit": "npm:empty-npm-package@1.0.0"
+
+  # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+  "qs": "^6.15.0"
+
+  # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+  "simple-git": "^3.32.3"
+
+  # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.
+  "systeminformation": "^5.31.0"
+
+  # codemirror and marked overrides are because simplemde uses * versions, and the fully up to date versions of its
+  # deps do not work. packageExtensions was tried to fix this, but did not work.
+  "simplemde>codemirror": "^5.65.11"
+  "simplemde>marked": "^4.3.0"
+
+  # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it
+  # forces a version that meets peer dependency requirements is installed.
+  "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4"
+
+  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce
+  # lockfile churn since the deps release very frequently.
+  "oclif>@aws-sdk/client-cloudfront": "-"
+  "oclif>@aws-sdk/client-s3": "-"
+
+  # axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't
+  # enough on a pre-1.0 package.
+  "axios@<0.30.0": "^0.30.0"
+
+  # tar: Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+  # GHSA-34x7-hfp2-rc4v).
+  "tar": "^7.5.11"
+
+  # minimatch: overridden to patched versions to resolve a known security vulnerability.
+  "minimatch@>=3 <4": "^3.1.5"
+  "minimatch@>=5 <6": "^5.1.9"
+  "minimatch@>=6 <7": "^6.2.3"
+  "minimatch@>=7 <8": "^7.4.9"
+  "minimatch@>=8 <9": "^8.0.7"
+  "minimatch@>=9 <10": "^9.0.9"
+  "minimatch@>=10 <11": "^10.2.4"
+
+  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible
+  # (only drops Node <20 support).
+  "serialize-javascript@>=6 <7": "^7.0.4"
+
+  # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
+  "express@>=4 <5": "^4.22.1"
+
+  # picomatch: overridden to patched versions to resolve a known security vulnerability.
+  "picomatch@>=2 <3": "^2.3.2"
+  "picomatch@>=4 <5": "^4.0.4"
+
+  # langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the
+  # override is needed to cross the minor version boundary.
+  "langsmith": "^0.5.15"