When running from the standalone executable, `pnpm setup` installs pnpm via `pnpm add -g file:<dir>`. The shipped `@pnpm/exe` package.json carries preinstall/prepare scripts, which triggered a build-approval prompt for pnpm's own install. pnpm links the platform-specific binary itself, so these scripts are unnecessary (and unrunnable on a Node-less host); pass --ignore-scripts to skip them. Closes #12377
Code Review by Qodo
1. execPath descriptor not restored
CodeRabbit review: No actionable comments were generated in the recent review.
PR Summary by Qodo
fix(setup): ignore @pnpm/exe scripts during standalone global self-install
Walkthroughs
Description
• Add --ignore-scripts when SEA pnpm setup installs itself globally.
• Prevent build-approval prompt for @pnpm/exe during standalone setup.
• Add regression test asserting exact global-install spawn arguments.
Diagram
graph TD
U(["Run pnpm setup"]) --> H["setup.handler"] --> D{"Standalone exe?"}
D -->|yes| I["installCliGlobally"] --> S["spawnSync: add -g --ignore-scripts file:<dir>"] --> A["addDirToEnvPath"]
D -->|no| A
subgraph Legend
direction LR
_start([Start]) ~~~ _dec{Decision} ~~~ _step[Process]
end
High-Level Assessment
The following are alternative approaches to this PR:
1. Auto-trust @pnpm/exe on this install path
2. Remove/avoid shipping scripts in the packaged @pnpm/exe manifest for SEA
Recommendation: Keep the current approach: passing --ignore-scripts to the SEA self-install (pnpm add -g file:) is the lowest-risk, most targeted fix. It directly prevents the build-approval prompt and avoids executing scripts that are irrelevant/unrunnable in this scenario, and the added regression test locks in the intended spawn arguments.
File Changes
Bug fix (1)
Tests (1)
Documentation (1)
Problem
Closes #12377.
When `pnpm setup` runs from the standalone executable, it installs pnpm into the global directory via `pnpm add -g file:<execDir>`. The `@pnpm/exe` `package.json` shipped alongside the binary carries `preinstall`/`prepare` scripts (`setup.js`/`prepare.js`), so the install prints a build-approval prompt for `@pnpm/exe` — pnpm asking to allow building itself, which understandably reads as "someone pushed postinstall malware to pnpm." (`pnpm self-update` doesn't show this because it auto-trusts `@pnpm/exe` and links the platform binary itself.)
Fix
Pass `--ignore-scripts` to the `pnpm add -g` invocation in `installCliGlobally`. Those scripts have no job on this path anyway:
`@pnpm/macos-arm64`, …) aren't installed next to the `file:` dependency, so `setup.js` would only `ERR_MODULE_NOT_FOUND`;
`node` to run the scripts at all;
`linkExePlatformBinary`.
With `--ignore-scripts`, `@pnpm/exe` is never added to the `ignoredBuilds` set (`building/during-install/src/index.ts`), so no prompt or warning is emitted — and no script is run, so nothing can fail.
Test
Added a regression test that forces the SEA install branch and asserts the spawned arguments are exactly `['add', '-g', '--ignore-scripts', 'file:<dir>']`.
Notes
`setup` is a TypeScript-only command (not in pacquet's install/add/update/remove surface), so no pacquet-side port is needed.
Written by an agent (Claude Code, claude-opus-4-8).
Summary by CodeRabbit
`pnpm setup` no longer prompts to approve build scripts when installing the standalone executable, streamlining the setup process.
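The two checks this change implies, as an added example that is not code from the pull request or from pnpm: pinning the exact self-install argv through an injected spawn stub, and listing which install-time scripts a shipped manifest declares and whether `--ignore-scripts` skips them. The helper names, the list of install-time script names, the paths and the sample manifest's script commands are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; not pnpm's implementation.
// Assumption: the scripts an install may run for a file: dependency.
const INSTALL_TIME_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Install-time scripts declared with a non-empty command in a parsed package.json.
function installTimeScripts(manifest) {
  const scripts = manifest && typeof manifest.scripts === 'object' ? manifest.scripts : null;
  if (!scripts) return [];
  return INSTALL_TIME_SCRIPTS.filter(
    (name) => typeof scripts[name] === 'string' && scripts[name].trim() !== ''
  );
}

// Self-install with the spawn function injected, so a test can record the
// exact argv instead of launching a process.
function selfInstall(execPath, execDir, spawn) {
  const args = ['add', '-g', '--ignore-scripts', `file:${execDir}`];
  return spawn(execPath, args, { stdio: 'inherit' });
}

// For a given argv: which declared scripts are skipped, and which remain
// candidates for a build-approval prompt.
function auditInstall(args, manifest) {
  const declared = installTimeScripts(manifest);
  const ignored = args.includes('--ignore-scripts');
  return { declared, skipped: ignored ? declared : [], pending: ignored ? [] : declared };
}

// Constructed sample manifest; the script commands are illustrative.
const SAMPLE_MANIFEST = {
  name: '@pnpm/exe',
  scripts: { preinstall: 'node setup.js', prepare: 'node prepare.js', test: 'echo ok' },
};

// Run selfInstall against a recording stub and return the captured calls.
function recordSelfInstall(execDir) {
  const calls = [];
  selfInstall('/constructed/pnpm', execDir, (cmd, args) => {
    calls.push({ cmd, args });
    return { status: 0 };
  });
  return calls;
}

const [call] = recordSelfInstall('/constructed/dir');
console.log(call.args, auditInstall(call.args, SAMPLE_MANIFEST));
```

Asserting on the whole argv array, rather than on the presence of one flag, also catches a later change that reorders arguments or drops the `file:` spec.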