fix(config): handle configDependencies fetch during config commands

[ishan8351]

Running pnpm config set with configDependencies triggers installConfigDeps before saving
the new config, causing a crash as it tries to download dependencies before auth token is
written to .npmrc.

This PR adds an catchConfigDependenciesErrors flag to getConfig. During config commands
(config, set, get), if an error occurs, catches and logs it and proceeds.

Fixes #10684

[ishan8351]

pnpm audit is failing currently, but it is unrelated to changes made in this PR

[zkochan]

test coverage is needed.

[zkochan]

maybe run it anyway but ignore the errors

[Copilot]

Pull request overview

This PR addresses a pnpm CLI crash where running pnpm config set in a workspace with configDependencies could trigger an early config-deps fetch (before the auth token is written), leading to 401 failures.

Changes:

• Adds an ignoreConfigDependencies option to @pnpm/cli-utils getConfig() to skip installing configDependencies.
• Enables that option from the CLI entrypoint for the config command.
• Adds a changeset for @pnpm/cli-utils.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
pnpm/src/main.ts	Passes ignoreConfigDependencies based on the active command to avoid early config-deps installs.
cli/cli-utils/src/getConfig.ts	Introduces the ignoreConfigDependencies option and guards the config-deps install.
.changeset/major-hats-press.md	Declares a patch bump for @pnpm/cli-utils related to config-deps fetching behavior.

Comments suppressed due to low confidence (1)

cli/cli-utils/src/getConfig.ts:37

• When opts.ignoreConfigDependencies is true, installConfigDeps() is skipped, but later the code still derives pnpmfile paths from config.configDependencies and passes them to requireHooks(). requireHooks() throws PNPMFILE_NOT_FOUND for non-optional pnpmfiles, so pnpm config/pnpm set can now fail if configDependencies include a plugin (e.g. pnpm-plugin-*) whose pnpmfile isn't installed yet. Consider also guarding the pnpmfile injection with !opts.ignoreConfigDependencies (or marking these derived pnpmfiles as optional) to avoid breaking config commands.

  if (config.configDependencies && !opts.ignoreConfigDependencies) {
    const store = await createStoreController(config)
    await installConfigDeps(config.configDependencies, {
      registries: config.registries,
      rootDir: config.lockfileDir ?? config.rootProjectManifestDir,

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ishan8351]

updated

[fpapado]

@zkochan and @ishan8351, is there something blocking this PR, or did it just incidentally fall by the wayside?

I ask because we are facing a similar issue at work: we are introducing a shared config dependency for security hardening, but said config dependency (and our packages in general) is behind auth. Thus, pnpm config set ... fails for most teams' setups after adding the config dependency.

While we could work around it with a .npmrc / npm config set dance, this is not as simple as pnpm add --config ..., which slows down adoption. I'd be happy to pick up this PR or help unblock it, if it is ok with both of you 😌

[ishan8351]

Hey @fpapado, this is one of a bunch of PRs I opened, then I got occupied somewhere else. Please do take a look, if my implementation's alright and solves your problem, I'll try to finish it. Or you're welcome to take it over.

[fpapado]

Hey @fpapado, this is one of a bunch of PRs I opened, then I got occupied somewhere else. Please do take a look, if my implementation's alright and solves your problem, I'll try to finish it. Or you're welcome to take it over.

Yay, thank you for the response! Main had drifted a bit since this PR was opened, so I made a new set of changes here with a few more integration tests here #11362 🗒️