From 6ca147832a284c4205d4ddf333c90134ecad78eb Mon Sep 17 00:00:00 2001
From: Sebastian Sebbie Silbermann
Date: Thu, 9 Apr 2026 12:04:22 +0200
Subject: [PATCH 1/2] [test] pnpm fuckery
---
 pnpm-workspace.yaml | 2 ++
 test/lib/create-next-install.js | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 37026d14839..f0152db9be3 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -31,6 +31,8 @@ ignoredBuiltDependencies:
 - wasm-pack
 blockExoticSubdeps: true
 minimumReleaseAge: 2880 # 48 hrs
+# Keep in sync with pnpm-workspace.yaml written to temporary fixture dirs in
+# file://./test/lib/create-next-install.js
 minimumReleaseAgeExclude:
 - '@next/*'
 - '@turbo/*'
diff --git a/test/lib/create-next-install.js b/test/lib/create-next-install.js
index 490878fd793..c2ad8e9f3f4 100644
--- a/test/lib/create-next-install.js
+++ b/test/lib/create-next-install.js
@@ -2,6 +2,7 @@ const os = require('os')
 const path = require('path')
 const execa = require('execa')
 const fs = require('fs-extra')
+const outdent = require('outdent')
 const childProcess = require('child_process')
 const { randomBytes } = require('crypto')
 const { linkPackages } =
@@ -190,6 +191,31 @@ async function createNextInstall({
 )
 )

+ // pnpm propagates minimumReleaseAge via `npm_config_minimum_release_age`
+ // env variable despite claiming `npm_config` has no effect on pnpm.
+ // Only `pnpm_config_*` should have.
+ // However, it doesn't propagate `minimumReleaseAgeExclude` so we need to
+ // manually propagate those from the minimumReleaseAgeExclude in
+ // file://./../../pnpm-workspace.yaml
+ await fs.writeFile(
+ path.join(installDir, 'pnpm-workspace.yaml'),
+ outdent`
+ minimumReleaseAgeExclude:
+ - '@next/*'
+ - '@turbo/*'
+ - '@vercel/*'
+ - '@workflow/*'
+ - babel-plugin-react-compiler
+ - next
+ - react
+ - react-dom
+ - react-is
+ - react-server-dom-*
+ - scheduler
+ - turbo
+ `
+ )
+
 if (beforeInstall !== undefined) {
 await rootSpan
 .traceChild('beforeInstall')
From 7d733bacb53f011b3dd3a57d5b328ef391b9480f Mon Sep 17 00:00:00 2001
From: Sebastian Sebbie Silbermann
Date: Thu, 9 Apr 2026 12:27:57 +0200
Subject: [PATCH 2/2] [test] Harden temporary test fixture installs against supply chain attacks
---
 pnpm-workspace.yaml | 4 ++--
 test/lib/create-next-install.js | 11 +++++------
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f0152db9be3..f9c3f5fab27 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -29,10 +29,10 @@ ignoredBuiltDependencies:
 - ssh2
 - unrs-resolver
 - wasm-pack
+# Keep security related settings in sync with pnpm-workspace.yaml written to
+# temporary fixture dirs in file://./test/lib/create-next-install.js
 blockExoticSubdeps: true
 minimumReleaseAge: 2880 # 48 hrs
-# Keep in sync with pnpm-workspace.yaml written to temporary fixture dirs in
-# file://./test/lib/create-next-install.js
 minimumReleaseAgeExclude:
 - '@next/*'
 - '@turbo/*'
diff --git a/test/lib/create-next-install.js b/test/lib/create-next-install.js
index c2ad8e9f3f4..93b4d609ff1 100644
--- a/test/lib/create-next-install.js
+++ b/test/lib/create-next-install.js
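Review bot: In the `@@ -190,6 +191,31 @@` hunk of test/lib/create-next-install.js, the `minimumReleaseAgeExclude` list inside the `outdent` template is a hand-maintained copy of the root pnpm-workspace.yaml, and only the two "Keep in sync" comments connect the copies. If they drift, a package removed from the root exclusions would still bypass the release-age delay in every fixture install and nothing in the test suite would flag it; the same applies to the `blockExoticSubdeps` and `minimumReleaseAge` values that PATCH 2/2 adds to this template. A small test that compares the template with the parsed root file would turn the comment into an enforced check. The write also happens before the `beforeInstall` hook visible at the end of the hunk, so a hook that writes its own pnpm-workspace.yaml would presumably replace these settings; worth a comment such as `// NOTE: beforeInstall runs after this write and can overwrite these settings`. createNextInstall starts and ends outside the hunk.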
@@ -191,15 +191,14 @@ async function createNextInstall({
 )
 )

- // pnpm propagates minimumReleaseAge via `npm_config_minimum_release_age`
- // env variable despite claiming `npm_config` has no effect on pnpm.
- // Only `pnpm_config_*` should have.
- // However, it doesn't propagate `minimumReleaseAgeExclude` so we need to
- // manually propagate those from the minimumReleaseAgeExclude in
- // file://./../../pnpm-workspace.yaml
+ // Propagate security relate settings from file://./../../pnpm-workspace.yaml
+ // TODO: Ensure tests with custom installCommand also include necessary pnpm
+ // configs for security related settings, and remove this workaround.
 await fs.writeFile(
 path.join(installDir, 'pnpm-workspace.yaml'),
 outdent`
+ blockExoticSubdeps: true
+ minimumReleaseAge: 2880 # 48 hrs
 minimumReleaseAgeExclude:
 - '@next/*'
 - '@turbo/*'
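Review bot: The first added comment line has a typo, `security relate settings`; it should read `// Propagate security related settings from file://./../../pnpm-workspace.yaml`. The comment it replaces explained why the fixture needs its own workspace file (per that comment, pnpm passed `minimumReleaseAge` through the environment but not `minimumReleaseAgeExclude`), and the new wording drops that rationale, so a one-line why would help whoever later picks up the TODO. The TODO names a real gap (tests with a custom installCommand may not get these settings) but has no issue reference; something like `// TODO(<issue-link>): …` keeps it trackable. createNextInstall starts and ends outside the hunk.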