fix(@angular/cli): isolate temporary package installation from parent pnpm workspace

Write an empty pnpm-workspace.yaml file inside the temporary installation directory when using pnpm. This acts as a workspace boundary, preventing pnpm from searching up the directory tree and modifying the parent workspace's lockfile during ng update.

Author: clydin

packages/angular/cli/src/package-managers/package-manager.ts

@@ -647,6 +647,12 @@ export class PackageManager {
     // Writing an empty package.json file beforehand prevents this.
     await this.host.writeFile(join(workingDirectory, 'package.json'), '{}');
 
+    // To prevent pnpm from traversing up the directory tree and modifying the project's workspace lockfile,
+    // write a blank `pnpm-workspace.yaml` in the temporary directory.
+    if (this.name === 'pnpm') {
+      await this.host.writeFile(join(workingDirectory, 'pnpm-workspace.yaml'), '');
+    }
+
     // Copy configuration files if the package manager requires it (e.g., bun).
     if (this.descriptor.copyConfigFromProject) {
       for (const configFile of this.descriptor.configFiles) {

packages/angular/cli/src/package-managers/package-manager_spec.ts

@@ -86,6 +86,70 @@ describe('PackageManager', () => {
     });
   });
 
+  describe('acquireTempPackage', () => {
+    it('should write pnpm-workspace.yaml when package manager is pnpm', async () => {
+      const pnpmDescriptor = SUPPORTED_PACKAGE_MANAGERS['pnpm'];
+      const pm = new PackageManager(host, '/tmp/project', pnpmDescriptor);
+
+      const createTempDirectorySpy = spyOn(host, 'createTempDirectory').and.resolveTo(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc',
+      );
+      const writeFileSpy = spyOn(host, 'writeFile').and.resolveTo();
+      spyOn(host, 'stat').and.callFake(async (path) => {
+        if (path === '/tmp/project/node_modules') {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          return { isDirectory: () => true, isFile: () => false } as any;
+        }
+        throw new Error('Not found');
+      });
+      runCommandSpy.and.resolveTo({ stdout: '', stderr: '' });
+
+      const { workingDirectory } = await pm.acquireTempPackage('foo@1.0.0');
+
+      expect(workingDirectory).toBe('/tmp/project/node_modules/angular-cli-tmp-packages-abc');
+      expect(createTempDirectorySpy).toHaveBeenCalledWith('/tmp/project/node_modules');
+      expect(writeFileSpy).toHaveBeenCalledWith(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc/package.json',
+        '{}',
+      );
+      expect(writeFileSpy).toHaveBeenCalledWith(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc/pnpm-workspace.yaml',
+        '',
+      );
+    });
+
+    it('should NOT write pnpm-workspace.yaml when package manager is npm', async () => {
+      const npmDescriptor = SUPPORTED_PACKAGE_MANAGERS['npm'];
+      const pm = new PackageManager(host, '/tmp/project', npmDescriptor);
+
+      const createTempDirectorySpy = spyOn(host, 'createTempDirectory').and.resolveTo(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc',
+      );
+      const writeFileSpy = spyOn(host, 'writeFile').and.resolveTo();
+      spyOn(host, 'stat').and.callFake(async (path) => {
+        if (path === '/tmp/project/node_modules') {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          return { isDirectory: () => true, isFile: () => false } as any;
+        }
+        throw new Error('Not found');
+      });
+      runCommandSpy.and.resolveTo({ stdout: '', stderr: '' });
+
+      const { workingDirectory } = await pm.acquireTempPackage('foo@1.0.0');
+
+      expect(workingDirectory).toBe('/tmp/project/node_modules/angular-cli-tmp-packages-abc');
+      expect(createTempDirectorySpy).toHaveBeenCalledWith('/tmp/project/node_modules');
+      expect(writeFileSpy).toHaveBeenCalledWith(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc/package.json',
+        '{}',
+      );
+      expect(writeFileSpy).not.toHaveBeenCalledWith(
+        '/tmp/project/node_modules/angular-cli-tmp-packages-abc/pnpm-workspace.yaml',
+        '',
+      );
+    });
+  });
+
   describe('initializationError', () => {
     it('should throw initializationError when running commands', async () => {
       const error = new Error('Not installed');

packages/angular/cli/src/package-managers/testing/mock-host.ts

@@ -51,27 +51,36 @@ export class MockHost implements Host {
     } as Stats);
   }
 
-  runCommand(): Promise<{ stdout: string; stderr: string }> {
+  runCommand(
+    command: string,
+    args: readonly string[],
+    options?: {
+      timeout?: number;
+      stdio?: 'pipe' | 'ignore';
+      cwd?: string;
+      env?: Record<string, string>;
+    },
+  ): Promise<{ stdout: string; stderr: string }> {
     throw new Error('Method not implemented.');
   }
 
-  createTempDirectory(): Promise<string> {
+  createTempDirectory(baseDir?: string): Promise<string> {
     throw new Error('Method not implemented.');
   }
 
-  deleteDirectory(): Promise<void> {
+  deleteDirectory(path: string): Promise<void> {
     throw new Error('Method not implemented.');
   }
 
-  writeFile(): Promise<void> {
+  writeFile(path: string, content: string): Promise<void> {
     throw new Error('Method not implemented.');
   }
 
-  readFile(): Promise<string> {
+  readFile(path: string): Promise<string> {
     throw new Error('Method not implemented.');
   }
 
-  copyFile(): Promise<void> {
+  copyFile(src: string, dest: string): Promise<void> {
     throw new Error('Method not implemented.');
   }
 }

tests/e2e/tests/update/update-pnpm-workspace.ts

@@ -0,0 +1,33 @@
+import { createProjectFromAsset } from '../../utils/assets';
+import { readFile, writeFile } from '../../utils/fs';
+import { getActivePackageManager } from '../../utils/packages';
+import { ng } from '../../utils/process';
+
+export default async function () {
+  if (getActivePackageManager() !== 'pnpm') {
+    return;
+  }
+
+  let restoreRegistry: (() => Promise<void>) | undefined;
+
+  try {
+    // Setup project from older asset using the public registry
+    restoreRegistry = await createProjectFromAsset('20.0-project', true);
+
+    // Create pnpm-workspace.yaml inside the project directory
+    await writeFile('pnpm-workspace.yaml', "packages:\n  - '.'\n");
+
+    // Run ng update on @angular/cli to trigger the update from version 20 to the current version
+    await ng('update', '@angular/cli');
+
+    // Verify that the pnpm lockfile does not contain references to the temporary package directory
+    const lockfileContent = await readFile('pnpm-lock.yaml');
+    if (lockfileContent.includes('angular-cli-tmp-packages-')) {
+      throw new Error(
+        'pnpm-lock.yaml contains reference to temporary package directory, isolation failed!',
+      );
+    }
+  } finally {
+    await restoreRegistry?.();
+  }
+}