feat(install): adopt pnpm 11 allowBuilds reviews #364

Merged: jdx merged 4 commits into main from codex/pnpm11-allow-builds on Apr 28, 2026

Conversation

@jdx (Contributor) commented Apr 28, 2026

Summary

  • Switch build approval writes from onlyBuiltDependencies to pnpm 11-style allowBuilds entries.
  • Auto-seed unreviewed dependency builds into workspace allowBuilds as false, and have aube approve-builds flip selected entries to true.
  • Keep legacy onlyBuiltDependencies / neverBuiltDependencies as read-compatible inputs, and update docs, generated CLI help, and BATS coverage.

Validation

  • cargo fmt --check
  • cargo test -p aube-manifest workspace::tests::add_to_allow_builds -- --nocapture
  • cargo test -p aube --bin aube
  • cargo clippy --all-targets -- -D warnings
  • mise run test:bats test/approve_builds.bats
  • mise run test:bats test/lifecycle_scripts.bats
  • mise run test:bats test/global_install.bats
  • mise run docs:build

Note

Medium Risk
Changes dependency-build approval persistence and makes install write/update pnpm-workspace.yaml, which could affect build-script execution behavior and create new files in repos. Logic is localized but touches install-time safety gates and policy state transitions.

Overview
Switches build-script review/approval persistence to pnpm v11’s allowBuilds review map (writing true/false entries) instead of appending to onlyBuiltDependencies.

aube install now auto-seeds unreviewed build-script packages into workspace allowBuilds as false (and errors/warns accordingly), while aube approve-builds flips selected entries to true; when no workspace YAML exists, the code now creates pnpm-workspace.yaml rather than writing to package.json.

Updates CLI help text, settings/docs, and BATS/unit tests to reflect the new review workflow and file-writing behavior.

Reviewed by Cursor Bugbot for commit f76b880.

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

This PR migrates build-approval writes from the pnpm v10 onlyBuiltDependencies sequence to the pnpm v11 allowBuilds map, and adds automatic seeding of unreviewed dependency builds as false entries during aube install. Both concerns from the previous review round have been addressed: the !name.is_empty() guard in package_name_from_spec_key correctly handles bare scoped packages (e.g. @scope/pkg), and the entry(…).or_insert path for allowed=false seeding preserves any already-approved (true) entries.

Confidence Score: 5/5

Safe to merge — logic is correct, both prior review concerns are addressed, and the new behavior is well-covered by unit and BATS tests.

No P0 or P1 findings. The two previously flagged bugs (empty key for bare scoped packages, unconditional overwrite revoking approved builds) are both fixed with explicit guards and new unit tests. The behavioral change (creating pnpm-workspace.yaml in non-pnpm projects) is intentional and documented.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| crates/aube-manifest/src/workspace.rs | Replaces add_to_only_built_dependencies with add_to_allow_builds(…, allowed: bool); uses unconditional insert for approvals and entry.or_insert for seeding — correctly preserves existing true entries when seeding with false. |
| crates/aube/src/commands/install/mod.rs | Adds allow_build_review_names + package_name_from_spec_key to seed unreviewed packages into allowBuilds: false before returning an error; the !name.is_empty() guard correctly handles bare scoped packages (e.g. @scope/pkg). |
| crates/aube/src/commands/approve_builds.rs | Swaps add_to_only_built_dependencies for add_to_allow_builds(…, true) in both project and global paths — straightforward call-site update. |
| test/approve_builds.bats | BATS tests updated to expect pnpm-workspace.yaml with allowBuilds map instead of package.json onlyBuiltDependencies; covers seeding, flipping, dedup, and monorepo cases. |
| test/lifecycle_scripts.bats | Adds assertions that strictDepBuilds failure now also writes dep-with-build: false into a new pnpm-workspace.yaml. |
| test/global_install.bats | Global install test updated to expect pnpm-workspace.yaml with allowBuilds rather than package.json fallback. |
| docs/.gitignore | Adds pnpm-workspace.yaml to docs gitignore so auto-created review files during doc builds are not committed. |

Reviews (4): Last reviewed commit: "fix(docs): ignore generated pnpm workspa..."
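An added example, not code from this PR or from aube: a Rust sketch of the two write paths the summaries above describe, where install seeds unreviewed packages as `false` without overwriting an existing decision and approval unconditionally writes `true`. The function names, the `AllowBuilds` alias and the `name` / `name@version` spec-key format are assumptions made for illustration.

```rust
use std::collections::btree_map::Entry;
use std::collections::BTreeMap;

/// Review map keyed by package name: true = build approved, false = awaiting review.
type AllowBuilds = BTreeMap<String, bool>;

/// Hypothetical helper: strip a trailing `@version` from a spec key.
/// Assumes keys look like `name` or `name@version` (constructed format).
fn name_from_spec_key(key: &str) -> &str {
    match key.rsplit_once('@') {
        // A bare scoped key such as `@scope/pkg` splits into ("", "scope/pkg");
        // without the emptiness guard an empty name would be written to the map.
        Some((name, _version)) if !name.is_empty() => name,
        _ => key,
    }
}

/// Install path: seed unreviewed packages as `false`, leaving any entry that
/// already carries a decision untouched (same effect as `entry(..).or_insert(false)`).
/// Returns the names that were newly seeded so the caller can report them.
fn seed_unreviewed(map: &mut AllowBuilds, spec_keys: &[&str]) -> Vec<String> {
    let mut seeded = Vec::new();
    for key in spec_keys {
        let name = name_from_spec_key(key).to_string();
        if let Entry::Vacant(slot) = map.entry(name.clone()) {
            slot.insert(false);
            seeded.push(name);
        }
    }
    seeded
}

/// Approval path: an explicit reviewer decision always overwrites the entry.
fn approve(map: &mut AllowBuilds, names: &[&str]) {
    for name in names {
        map.insert((*name).to_string(), true);
    }
}

fn main() {
    // Constructed sample state: one package was approved in an earlier review.
    let mut map = AllowBuilds::from([("esbuild".to_string(), true)]);
    let seeded = seed_unreviewed(&mut map, &["esbuild@0.19.0", "@scope/pkg", "@scope/native@2.1.0"]);
    println!("needs review: {seeded:?}");
    approve(&mut map, &["@scope/pkg"]);
    println!("allowBuilds: {map:?}");
}
```

Seeding with a plain `insert(false)` instead would silently revoke `esbuild`'s earlier approval on the next install, which is the overwrite problem the review summary says was fixed.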

Comment thread crates/aube/src/commands/install/mod.rs
Comment thread crates/aube-manifest/src/workspace.rs

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit d557376.

Comment thread docs/pnpm-workspace.yaml Outdated
@jdx jdx merged commit 94635b5 into main Apr 28, 2026
17 checks passed
@jdx jdx deleted the codex/pnpm11-allow-builds branch April 28, 2026 16:33