feat: by default trust the most downloaded packages with build scripts#10134
Conversation
Pull request overview
This PR introduces default trust for the most downloaded packages with build scripts by adding the @pnpm/plugin-trusted-deps package and integrating its trusted package list into the script policy resolution logic.
Key Changes:
- Added @pnpm/plugin-trusted-deps dependency to enable access to a curated list of trusted packages
- Modified resolveScriptPolicies function to automatically allow build scripts for trusted packages unless explicitly configured otherwise
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| workspace.jsonc | Adds @pnpm/plugin-trusted-deps as a new dependency to provide the list of trusted package names |
| scopes/dependencies/pnpm/lynx.ts | Imports TRUSTED_PACKAGE_NAMES and updates script policy resolution to auto-trust popular packages with build scripts when not explicitly configured |
Comments suppressed due to low confidence (1)
scopes/dependencies/pnpm/lynx.ts:425
- Avoid automated semicolon insertion (92% of all statements in the enclosing function have an explicit semicolon).
onlyBuiltDependencies.push(trustedPkgName)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| "@pnpm/parse-overrides": "1001.0.3", | ||
| "@pnpm/plugin-commands-publishing": "1000.2.25", | ||
| "@pnpm/plugin-commands-rebuild": "1006.0.0", | ||
| "@pnpm/plugin-trusted-deps": "^0.2.0", |
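Review bot: the caret range on this dependency is a policy concern, not just a style one, because @pnpm/plugin-trusted-deps supplies the list of package names whose build scripts are allowed by default; with "^0.2.0" any 0.2.x release can change that list between installs with no change in this repository. Pin it to "0.2.0" and bump the version deliberately, so additions to the trusted list arrive through a reviewed change.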
The version format for this dependency uses a caret range (^0.2.0) which is inconsistent with the other pnpm plugin dependencies in this file that use exact versions. For example, "@pnpm/plugin-commands-rebuild" uses "1006.0.0" without a caret. Consider using an exact version "0.2.0" to maintain consistency with the established versioning pattern in this configuration.
| "@pnpm/plugin-trusted-deps": "^0.2.0", | |
| "@pnpm/plugin-trusted-deps": "0.2.0", |
| for (const trustedPkgName of TRUSTED_PACKAGE_NAMES) { | ||
| if (allowScripts?.[trustedPkgName] == null) { | ||
| onlyBuiltDependencies.push(trustedPkgName); | ||
| } | ||
| } |
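Review bot: the loop pushes every trusted name onto onlyBuiltDependencies without checking whether it is already present, so a name the user listed themselves ends up twice, and nothing here records that a grant came from TRUSTED_PACKAGE_NAMES rather than from the user's own configuration. Consider skipping names already in onlyBuiltDependencies and keeping (or logging once) the set of names added from the default list, so an audit of which packages may run build scripts can tell default grants from explicit ones. The `== null` check itself is the right shape: it treats both undefined and null as unset while leaving an explicit false untouched.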
This security-sensitive functionality that automatically trusts packages from TRUSTED_PACKAGE_NAMES lacks test coverage. Given that this directory contains test files (e.g., lockfile-deps-graph-converter.spec.ts) and this change affects script execution permissions, tests should be added to verify: 1) trusted packages are correctly added to onlyBuiltDependencies when not in allowScripts, 2) explicit user configurations (both true and false) are respected and not overridden, and 3) the interaction between trusted packages and the dangerouslyAllowAllScripts flag works as expected.
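As an added example that is not pnpm's code, the following stand-alone model of the policy described in the overview and in the comment above exercises the three cases the comment asks tests for. The sample trusted list, the config shape, and the choice that an explicit false outranks dangerouslyAllowAllScripts are assumptions of the example, not documented pnpm behaviour.

```javascript
// Constructed sample list standing in for TRUSTED_PACKAGE_NAMES (not the real list).
const TRUSTED_PACKAGE_NAMES_SAMPLE = ['esbuild', 'sharp', 'fsevents'];

// Model of the default-trust resolution. Assumed config shape:
//   allowScripts: { [pkgName]: boolean }  - the user's explicit decisions
//   onlyBuiltDependencies: string[]       - names the user already allowed
//   dangerouslyAllowAllScripts: boolean   - global opt-in
function resolveBuildAllowlist(config, trustedNames = TRUSTED_PACKAGE_NAMES_SAMPLE) {
  const allowScripts = config.allowScripts ?? {};
  // A Set keeps names the user listed from being duplicated by the default list.
  const allowed = new Set(config.onlyBuiltDependencies ?? []);
  const blocked = new Set();
  const fromDefault = []; // names granted only because of the trusted list

  for (const [name, value] of Object.entries(allowScripts)) {
    if (value === true) allowed.add(name);
    else if (value === false) { allowed.delete(name); blocked.add(name); }
  }

  for (const name of trustedNames) {
    // Same shape as the PR's check: undefined and null both mean "user made no decision".
    if (allowScripts[name] == null && !allowed.has(name)) {
      allowed.add(name);
      fromDefault.push(name);
    }
  }

  return {
    allowAll: config.dangerouslyAllowAllScripts === true,
    allowed: [...allowed].sort(),
    blocked: [...blocked].sort(),
    fromDefault, // surfaces default grants so an audit can tell them from explicit ones
  };
}

// Assumption of this model: an explicit false is honoured even when allow-all is set.
function mayRunBuildScript(policy, pkgName) {
  if (policy.blocked.includes(pkgName)) return false;
  if (policy.allowAll) return true;
  return policy.allowed.includes(pkgName);
}
```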
Proposed Changes
workspace.jsonc.