
feat: dangerouslyAllowAllBuilds allows to enable the build of all dependencies #9440

Merged: zkochan merged 2 commits into main from dangerously-allow-builds on Apr 20, 2025

zkochan (Member) commented Apr 18, 2025

close #9102

zkochan requested a review from a team on April 18, 2025 22:35
zkochan requested a review from Copilot on April 19, 2025 10:54

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR introduces a new configuration flag, dangerouslyAllowAllBuilds, which enables building all dependencies by bypassing neverBuiltDependencies. Key changes include:

  • Adding the CLI option "dangerously-allow-all-builds" in update, install, and add commands.
  • Updating configuration types, default values, and processing logic in config/src to handle the new flag.
  • Adding tests and documentation to verify and record the new behavior.

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg-manager/plugin-commands-installation/src/update/index.ts | Adds the CLI option "dangerously-allow-all-builds" to update commands. |
| pkg-manager/plugin-commands-installation/src/install.ts | Adds the CLI option "dangerously-allow-all-builds" to install commands. |
| pkg-manager/plugin-commands-installation/src/add.ts | Adds the CLI option "dangerously-allow-all-builds" to add commands. |
| config/config/test/index.ts | Introduces tests validating behavior of dangerouslyAllowAllBuilds. |
| config/config/test/fixtures/never-built-dependencies/pnpm-workspace.yaml | Provides a sample configuration with neverBuiltDependencies. |
| config/config/src/types.ts | Updates configuration types with "dangerously-allow-all-builds". |
| config/config/src/index.ts | Sets the default value for "dangerously-allow-all-builds" and adds logic to clear neverBuiltDependencies. |
| config/config/src/Config.ts | Extends the Config interface with the dangerouslyAllowAllBuilds property. |
| .changeset/long-windows-lay.md | Documents the new behavior and usage of dangerouslyAllowAllBuilds. |
Comments suppressed due to low confidence (2)

config/config/src/Config.ts:221

  • The property 'dangerouslyAllowAllBuilds' in the Config interface is introduced; please ensure its consistent mapping from the CLI option 'dangerously-allow-all-builds' across the codebase.
  dangerouslyAllowAllBuilds: boolean

.changeset/long-windows-lay.md:1

  • [nitpick] Consider reviewing the file name 'long-windows-lay.md' for potential spelling consistency; if 'lay' was meant to be 'layout', updating the name could improve clarity.
long-windows-lay.md

zkochan merged commit 56bb69b into main on Apr 20, 2025
21 of 22 checks passed
zkochan deleted the dangerously-allow-builds branch on April 20, 2025 11:13

karlhorky commented Sep 23, 2025

@zkochan would this flag also be able to be passed to pnpm as a child process? E.g. something like NODE_OPTIONS env var or something?

A pnpm child process may be used by a scaffolder to install packages (such as the setup used by the scaffolder create-next-app), which leads to pnpm blocking build of packages such as sharp:

```
$ pnpm create next-app@15.1.7 . --app --no-turbopack --no-src-dir --no-eslint --import-alias @/\* --no-tailwind --typescript
Creating a new Next.js app in /Users/k/p/repro-conflicting-dependabot-and-renovate-config-vs-pnpm-minimum-release-age.

Using pnpm.

Initializing project with template: app


Installing dependencies:
- react
- react-dom
- next

Installing devDependencies:
- typescript
- @types/node
- @types/react
- @types/react-dom

Packages: +35
+++++++++++++++++++++++++++++++++++
Downloading @img/sharp-libvips-darwin-arm64@1.0.4: 7.10 MB/7.10 MB, done
Downloading next@15.1.7: 25.16 MB/25.16 MB, done
Downloading @next/swc-darwin-arm64@15.1.7: 41.27 MB/41.27 MB, done
Progress: resolved 60, reused 13, downloaded 23, added 35, done

dependencies:
+ next 15.1.7 (15.5.3 is available)
+ react 19.1.1
+ react-dom 19.1.1

devDependencies:
+ @types/node 20.19.15 (24.5.2 is available)
+ @types/react 19.1.13
+ @types/react-dom 19.1.9
+ typescript 5.9.2

 ERR_PNPM_IGNORED_BUILDS  Ignored build scripts: sharp

Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.

Aborting installation.
  pnpm install has failed.

A new version of `create-next-app` is available!
You can update by running: pnpm add -g create-next-app
```

Having something like PNPM_OPTIONS='--dangerouslyAllowAllBuilds' would allow users to circumvent this for any scaffolders which have not yet implemented pnpm build config integration.

An alternative I considered was that all scaffolders build their own pnpm onlyBuiltDependencies integration, which would mean a lot of work in many packages.

More discussion in this Next.js PR + issue which would possibly configure onlyBuiltDependencies for the project:

zkochan (Member, Author) commented Sep 23, 2025

Why doesn't the scaffolder add sharp to the onlyBuiltDependencies setting of pnpm-workspace.yaml?

Settings can be set by the npm_config_ env variable. E.g. npm_config_dangerously_allow_all_builds=true.
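
A check a CI job could run to spot where the build-script gate discussed in this thread has been switched off, through the npm_config_ environment variable or pnpm-workspace.yaml, and to list what onlyBuiltDependencies approves. This is an added example, not code from pnpm or from anyone in the thread; the name auditBuildPolicy, the sample inputs, the line-based YAML matching, and treating any value other than empty or "false" as enabled are assumptions.

```javascript
// Added example: flag places where pnpm's build-script gate is switched off.
// Sample inputs at the bottom are constructed, not taken from a real project.

// Env form from the thread: npm_config_dangerously_allow_all_builds=true.
// Matching is case-insensitive and accepts "-" or "_" (a conservative assumption).
const ENV_KEY = /^npm_config_dangerously[-_]allow[-_]all[-_]builds$/i;

function isEnabled(value) {
  // Conservative assumption: anything except empty or "false" counts as enabled.
  const v = String(value ?? '').trim().toLowerCase();
  return v !== '' && v !== 'false';
}

function auditBuildPolicy({ env = {}, workspaceYaml = '' }) {
  const findings = [];
  for (const [key, value] of Object.entries(env)) {
    if (ENV_KEY.test(key) && isEnabled(value)) {
      findings.push(`env: ${key}=${value} lets every dependency run build scripts`);
    }
  }
  // Line-based heuristic for top-level keys with comments stripped; not a YAML parser.
  const lines = workspaceYaml.split(/\r?\n/).map((l) => l.replace(/(^|\s+)#.*$/, ''));
  const flag = lines.find((l) => /^dangerouslyAllowAllBuilds:\s*\S/.test(l));
  if (flag && isEnabled(flag.split(':')[1].replace(/['"]/g, ''))) {
    findings.push('pnpm-workspace.yaml: dangerouslyAllowAllBuilds is enabled');
  }
  // Collect the explicit allowlist so a reviewer can see what is approved.
  const allowlist = [];
  let inList = false;
  for (const line of lines) {
    if (/^onlyBuiltDependencies:\s*$/.test(line)) { inList = true; continue; }
    const item = inList && line.match(/^\s*-\s*['"]?([^'"\s]+)['"]?\s*$/);
    if (item) allowlist.push(item[1]);
    else if (line.trim() !== '') inList = false;
  }
  return { findings, allowlist };
}

// Constructed samples: a CI environment and two workspace files.
const SAMPLE_ENV = { PATH: '/usr/bin', npm_config_dangerously_allow_all_builds: 'true' };
const SAMPLE_PERMISSIVE = 'packages:\n  - .\ndangerouslyAllowAllBuilds: true\n';
const SAMPLE_SCOPED = 'onlyBuiltDependencies:\n  - sharp\n  - esbuild\n';

console.log(auditBuildPolicy({ env: SAMPLE_ENV, workspaceYaml: SAMPLE_PERMISSIVE }));
console.log(auditBuildPolicy({ workspaceYaml: SAMPLE_SCOPED }));
```

Pass `process.env` and the contents of the project's pnpm-workspace.yaml to run it against a real checkout; a non-empty `findings` array is the signal to fail the job or request review.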

karlhorky commented Sep 23, 2025

> Why doesn't the scaffolder add sharp to the onlyBuiltDependencies setting of pnpm-workspace.yaml?

Yeah, that's the alternative I mentioned in the comment above - I proposed that create-next-app add onlyBuiltDependencies - the Next.js security team is reviewing now and they will possibly add something.

> Settings can be set by the npm_config_ env variable. E.g. npm_config_dangerously_allow_all_builds=true.

Ah great, I'll give that a shot.

karlhorky added a commit to upleveled/preflight-test-project-next-js-passing that referenced this pull request Sep 28, 2025

Development

Successfully merging this pull request may close these issues.

approve-builds should have a runtime flag equivalent
