Skip to content

chore(pnpm): enable strict-peer-dependencies#1218

Merged
John-David Dalton (jdalton) merged 3 commits intomainfrom
chore/strict-peer-deps
Apr 17, 2026
Merged

chore(pnpm): enable strict-peer-dependencies#1218
John-David Dalton (jdalton) merged 3 commits intomainfrom
chore/strict-peer-deps

Conversation

@jdalton
Copy link
Copy Markdown
Contributor

@jdalton John-David Dalton (jdalton) commented Apr 17, 2026

Summary

  • Sets strict-peer-dependencies=true in .pnpmrc so pnpm surfaces peer dependency mismatches at install time instead of silently letting them through.

Why

Keeps us honest about the peer graph. Cleaner install output too.

Test plan

  • pnpm install resolves clean with the stricter setting (no peer warnings to fix)
  • pnpm install --force ditto
  • pnpm run build:cli succeeds
  • CI green

Note

Medium Risk
Changes global package-manager behavior; installs/CI may start failing if any transitive peer dependency mismatches exist or if workflows relied on non-strict resolution.

Overview
pnpm configuration is consolidated into pnpm-workspace.yaml (with updated pnpm v11 guidance), and .pnpmrc is effectively removed.

This turns on strict peer dependency enforcement (strictPeerDependencies: true) and also sets saveExact: true in the workspace config, making installs fail fast on peer mismatches and standardizing exact-version saves.

Reviewed by Cursor Bugbot for commit 038e087. Configure here.

Flips `strict-peer-dependencies` to `true` in .pnpmrc so pnpm surfaces
peer dependency mismatches at install time instead of silently letting
them through. Verified locally that the current lockfile resolves
cleanly with the stricter setting — no fallout to fix.
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Setting in .pnpmrc is ignored by pnpm
    • Added strictPeerDependencies: true to pnpm-workspace.yaml where pnpm v11 actually reads it, since .pnpmrc is not a recognized pnpm config file.

Create PR

Or push these changes by commenting:

@cursor push faed3733d2
Preview (faed3733d2)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -153,6 +153,7 @@
 # Migrated from .npmrc (pnpm v11 only reads auth/registry from .npmrc).
 ignoreScripts: true
 linkWorkspacePackages: false
+strictPeerDependencies: true
 
 # Wait 7 days (10080 minutes) before installing newly published packages.
 minimumReleaseAge: 10080

You can send follow-ups to the cloud agent here.

Comment thread .pnpmrc Outdated
pnpm v11 doesn't read .pnpmrc — the comment in this very workspace file
spells that out ("Migrated from .npmrc (pnpm v11 only reads auth/registry
from .npmrc)"). My earlier flip of strict-peer-dependencies in .pnpmrc
was therefore a no-op.

Reverts the .pnpmrc change back to false (where it's still harmless,
just ignored) and adds `strictPeerDependencies: true` to
pnpm-workspace.yaml next to the other migrated settings, which is the
location pnpm actually reads.

Thanks to Cursor bugbot for catching this.
@jdalton

This comment was marked as outdated.

pnpm v11 doesn't read .pnpmrc — per the existing comment in
pnpm-workspace.yaml, only auth/registry go in .npmrc, everything
else reads from the workspace yaml. So every line in .pnpmrc was
either ignored or already duplicated in pnpm-workspace.yaml.

Changes:
  * Delete .pnpmrc entirely so nothing in the repo suggests those
    knobs are live.
  * Move saveExact: true into pnpm-workspace.yaml (overrides pnpm's
    default of false and keeps the catalog's pinned-version style).
  * Drop auto-install-peers=true (matches pnpm v11 default, redundant).
  * Drop the local minimumReleaseAge=10080 line (already present in
    pnpm-workspace.yaml alongside minimumReleaseAgeExclude).

Net result: one source of truth. Settings in the repo actually do
something.
@jdalton
Copy link
Copy Markdown
Contributor Author

Cursor (@cursor) review

Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 038e087. Configure here.

@jdalton John-David Dalton (jdalton) merged commit ff28a80 into main Apr 17, 2026
6 checks passed
@jdalton John-David Dalton (jdalton) deleted the chore/strict-peer-deps branch April 17, 2026 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants