feat(pm): add vp pm approve-builds subcommand #1662
Draft
fengmk2 wants to merge 1 commit into
Adds a unified `vp pm approve-builds` command that mirrors `pnpm approve-builds` and adapts to `bun pm trust`, with informative warn-and-noop fallbacks for npm and yarn.

Surface (intentionally tight, matches pnpm's documented flags):

```
vp pm approve-builds                   # interactive (pnpm)
vp pm approve-builds esbuild           # approve named packages
vp pm approve-builds esbuild !core-js  # pnpm >= 11.0.0 (deny syntax)
vp pm approve-builds --all             # pnpm >= 10.32.0 / bun
vp pm approve-builds -- <raw args>     # forward to underlying PM
```

Cross-PM behavior:

- pnpm: pass-through. Version-gates `--all` on >= 10.32.0 and `!pkg` deny syntax on >= 11.0.0 (per pnpm PR #11030); prerelease versions compared against the lowest prerelease floor (`10.32.0-0` / `11.0.0-0`) so RCs are accepted.
- bun: `bun pm trust [--all] [pkgs...]`. `!pkg` tokens emit a warn and are filtered (bun has no denylist model). When only deny tokens are given, the warn alone is enough context — no redundant note.
- npm: warn and exit 0, pointing at `ignore-scripts=true` in `.npmrc`.
- yarn: warn and exit 0. Yarn 1 (Classic) gets an npm-style hint (lifecycle scripts run by default); yarn Berry gets `dependenciesMeta.<pkg>.built: true` advice.

Safety:

- `--all` and positional packages are mutually exclusive at the clap layer, preventing a silent override where `--all` would otherwise drop denylisted packages on bun.
- Version-gate failures render via `Error::UserMessage` (no harsh `error:` prefix).

Coverage:

- 23 Rust unit tests (resolver, version gates, prereleases, deny gate, yarn 1 vs Berry, pass-through args, strict unparseable-version)
- 8 clap parse tests (conflicts, lone-flag, lone-packages, pass-through capture, deny conflict)
- 5 snap fixtures: local pnpm10/npm/yarn + global bun/pnpm10-old
- RFC at `rfcs/approve-builds-command.md`
✅ Deploy Preview for viteplus-preview canceled.
Summary
Adds `vp pm approve-builds` — a unified subcommand for approving dependency lifecycle scripts (install/postinstall). Mirrors `pnpm approve-builds` one-to-one, adapts to `bun pm trust`, and falls back to informative warn-and-noop on npm/yarn.

Surface (intentionally tight, matches pnpm's documented flags):

Cross-PM behavior

- `--all` gated on `>= 10.32.0`, `!pkg` deny syntax gated on `>= 11.0.0` (per pnpm PR #11030). Prereleases (`10.32.0-rc.0`, `11.0.0-beta.1`) satisfy via `Version::parse("<floor>-0")` comparison.
- `bun pm trust [--all] [pkgs...]`. `!pkg` tokens emit a warn and are filtered (bun has no denylist model). When only deny tokens are given, the warn alone is enough — no redundant note.
- `ignore-scripts=true` in `.npmrc`.
- `dependenciesMeta.<pkg>.built: true` advice. Per yarn docs, `enableScripts` defaults to `false` in Berry.

Safety

- `--all` and positional packages are mutually exclusive at the clap layer (`conflicts_with = "packages"`). This prevents a silent override where `--all !core-js` on bun would warn "Skipping: core-js" then `bun pm trust --all` everything anyway.
- `Error::UserMessage` (no harsh `error:` prefix).
- `ApproveBuilds` is not in the `needs_project` allowlist, so the npm/yarn/bun educational messages can fire outside a project directory.

Files

- `crates/vite_install/src/commands/approve_builds.rs` (new), `crates/vite_install/src/commands/mod.rs` (export), `crates/vite_pm_cli/src/cli.rs` (variant + parse tests), `crates/vite_pm_cli/src/handlers.rs` (dispatch + error mapping)
- `rfcs/approve-builds-command.md`
- `command-pm-approve-builds-{pnpm10,npm,yarn}/`, `command-pm-approve-builds-{bun,pnpm10-old}/` (new)
- `snap-tests-global/cli-helper-message/snap.txt` (for the new subcommand entry)

Test plan

- `cargo test -p vite_install --lib approve_builds` → 23/23
- `cargo test -p vite_pm_cli --lib approve_builds` → 8/8
- `vp check --fix` → 0 warnings/errors
- `pnpm -F vite-plus snap-test-local approve-builds` → 3/3 pass
- `pnpm -F vite-plus snap-test-global approve-builds` → 2/2 pass
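The prerelease floor described above, as an added example that is not code from this PR: a dependency-free sketch of why the gate compares against `<floor>-0` rather than the bare floor. The names `Ver`, `parse`, `cmp` and `gate` are hypothetical, and the hand-written SemVer comparator stands in for the `Version::parse` call the description mentions.

```rust
use std::cmp::Ordering;

// Minimal SemVer precedence (build metadata not handled); stands in for a semver crate.
#[derive(Debug)]
struct Ver { core: [u64; 3], pre: Vec<String> }

fn parse(s: &str) -> Option<Ver> {
    let (core, pre): (&str, Vec<String>) = match s.split_once('-') {
        Some((c, p)) => (c, p.split('.').map(String::from).collect()),
        None => (s, Vec::new()),
    };
    let n = core.split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if n.len() != 3 || pre.iter().any(|p| p.is_empty()) { return None; }
    Some(Ver { core: [n[0], n[1], n[2]], pre })
}

// SemVer rule: numeric identifiers compare as numbers and sort below alphanumeric ones.
fn cmp_ident(a: &str, b: &str) -> Ordering {
    match (a.parse::<u64>(), b.parse::<u64>()) {
        (Ok(x), Ok(y)) => x.cmp(&y),
        (Ok(_), Err(_)) => Ordering::Less,
        (Err(_), Ok(_)) => Ordering::Greater,
        (Err(_), Err(_)) => a.cmp(b),
    }
}

fn cmp(a: &Ver, b: &Ver) -> Ordering {
    a.core.cmp(&b.core).then_with(|| match (a.pre.is_empty(), b.pre.is_empty()) {
        (true, true) => Ordering::Equal,
        (true, false) => Ordering::Greater, // a release sorts above its own prereleases
        (false, true) => Ordering::Less,
        (false, false) => a.pre.iter().zip(&b.pre).map(|(x, y)| cmp_ident(x, y))
            .find(|o| *o != Ordering::Equal)
            .unwrap_or_else(|| a.pre.len().cmp(&b.pre.len())),
    })
}

// Gate on "<floor>-0", the lowest possible prerelease of the floor. Comparing against the
// bare floor would reject 10.32.0-rc.0, because a prerelease sorts below its release.
fn gate(installed: &str, floor: &str) -> Result<bool, String> {
    let v = parse(installed).ok_or_else(|| format!("unparseable version: {}", installed))?;
    let f = parse(&format!("{}-0", floor)).ok_or("bad floor")?;
    Ok(cmp(&v, &f) != Ordering::Less)
}

fn main() {
    for v in ["10.31.9", "10.32.0-rc.0", "10.32.0", "11.0.0-beta.1"] {
        println!("{}: --all {:?}, !pkg {:?}", v, gate(v, "10.32.0"), gate(v, "11.0.0"));
    }
}
```

An unparseable version string returns `Err` instead of passing the gate, so an approval flag is never forwarded to a package manager whose version could not be established.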