fix(install): persist revoked builds to .modules.yaml (#12221)#12224
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughDetect revoked build approvals during install post-processing, persist the updated ChangesRevoked builds detection and state persistence
Sequence Diagram(s)sequenceDiagram
participant Installer
participant ModulesManifest
participant ApproveCLI
Installer->>ModulesManifest: read on-disk .modules.yaml (readModulesManifest)
Installer->>Installer: compute ignoredBuildsFromInstall, detect revokedBuilds
Installer->>ModulesManifest: write merged ignoredBuilds to .modules.yaml (writeModulesManifest)
ApproveCLI->>ModulesManifest: read ignoredBuilds for approval (getAutomaticallyIgnoredBuilds)
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Review Summary by QodoPersist revoked builds to .modules.yaml for approve-builds
WalkthroughsDescription• Persist revoked build approvals to .modules.yaml after revocation scan • Re-read manifest from disk and merge revoked builds before writing • Prevents loss of revocation state when approval config is removed • Added regression test simulating git stash scenario with re-added dependencies Diagramflowchart LR
A["Install runs<br/>writeModulesManifest"] --> B["Revocation scan<br/>detects revoked builds"]
B --> C["Re-read manifest<br/>from disk"]
C --> D["Merge revoked builds<br/>with on-disk state"]
D --> E["Write updated<br/>.modules.yaml"]
E --> F["approve-builds finds<br/>pending approvals"]
File Changes1. installing/deps-installer/src/install/index.ts
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Fixes an edge case where build-script approvals can become “revoked” (e.g. after stashing workspace config) and then not be detected by pnpm approve-builds, by ensuring revoked packages are correctly persisted in .modules.yaml.
Changes:
- Added regression test covering approve-builds after stashing and re-adding a build-script dependency.
- Updated install flow to detect revoked build approvals and update
.modules.yamlaccordingly. - Added a changeset describing the patch fix and linking the reported issue.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pnpm/test/install/lifecycleScripts.ts | Adds regression test for the stash/re-add approve-builds scenario. |
| installing/deps-installer/src/install/index.ts | Re-reads and updates .modules.yaml when approvals are revoked post-install. |
| .changeset/fix-approve-builds-stash-revocation.md | Documents the fix as a patch changeset. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
7aad289 to
b6e6a69
Compare
b6e6a69 to
9178e3f
Compare
|
@coderabbitai full review |
✅ Action performedFull review finished. |
After a build-script dependency whose approval was revoked (e.g. via git stash dropping allowBuilds from pnpm-workspace.yaml) is re-added, the revocation detection populated ignoredBuilds in memory but the install path's writeModulesManifest had already run, so .modules.yaml never recorded the revoked packages. pnpm approve-builds then read an empty ignoredBuilds and reported 'no packages awaiting approval'. Re-read the manifest from disk after the revocation scan and write back the updated ignoredBuilds, merging with any entries the install path captured.
- Inline dead ignoredBuildsFromInstall indirection - Drop unsafe allowBuilds cast in the regression test
9178e3f to
c6ed9f5
Compare
Summary
Fix
pnpm approve-buildsreporting "no packages awaiting approval" when a build-script dependency whose approval was revoked (e.g. aftergit stashdropsallowBuildsfrompnpm-workspace.yaml) is re-added.Root cause
The revocation detection in
mutateModulespopulatesignoredBuildsin memory, but the install path'swriteModulesManifesthad already run, so.modules.yamlnever recorded the revoked packages.pnpm approve-buildsreads.modules.yamlto find pending approvals, finds nothing, and reports "no packages awaiting approval".Fix
After the revocation scan, re-read the manifest from disk and write back the updated
ignoredBuilds. This only touches theignoredBuildsfield so the install's other state (hoistedDependencies,pendingBuilds, etc.) is preserved.Test
Added a regression test in
pnpm/test/install/lifecycleScripts.tsthat simulates the stash scenario: install a build-script package, approve it, remove the config files while keepingnode_modules, re-add the package, then verifyapprove-buildsstill works. The test fails without the fix and passes with it.Fixes #12221
Summary by CodeRabbit
Bug Fixes
approve-buildsto correctly handle revoked build-script approvals when a dependency is stashed/removed and later re-added, so it no longer incorrectly reports “no packages awaiting approval.”ignoredBuildsand persist the corrected ignored/revoked state in.modules.yaml.Tests
approve-builds --allto confirm approvals are reapplied.Chores