feat: SPFx v1.23.2 (generator bump + pnpm 11 build-scripts fix)#121
Merged
Conversation
pnpm 11 blocks dependency build scripts by default and now defaults strictDepBuilds to true, so an unapproved build script (e.g. unrs-resolver, a transitive SPFx eslint dependency) makes `pnpm install` exit non-zero with ERR_PNPM_IGNORED_BUILDS. Because pnpm is installed unpinned, CI began pulling pnpm 11 and the test-webpart stage failed. Bake dangerouslyAllowAllBuilds=true into the image's global pnpm config (~/.config/pnpm/config.yaml, outside the /usr/app/spfx volume mount) so build scripts run as they did pre-pnpm-11. This fixes CI and every end user of the published image in one place. Written directly rather than via `pnpm config set --global`, which errors in-container until the pnpm global bin dir is on PATH. Also bump node to 22.23.1 and the SPFx generator to 1.23.2, and add test-local.sh to reproduce the CI build stages locally. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add permission allowlist entries used for local Docker verification and PR workflows (docker build/run/buildx, gh pr/api/repo/workflow/run). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the project’s Docker image to unblock SPFx scaffolding/builds when CI (and users) pick up pnpm 11, by applying an image-level pnpm global configuration that permits dependency build scripts.
Changes:
- Update the base Node image version and bump
@microsoft/generator-sharepoint. - Add a global pnpm config file (
~/.config/pnpm/config.yaml) to enable dependency build scripts inside the image. - Add a local reproduction script (
test-local.sh) and expand.claude/settings.jsoncommand allowlist.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
Dockerfile |
Bumps Node + SPFx generator and writes global pnpm config to allow dependency build scripts during installs. |
test-local.sh |
Adds a local helper script to reproduce the Docker build stages used in CI. |
.claude/settings.json |
Expands the Claude permissions allowlist to include additional gh/docker commands. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+8
to
+10
| fi | ||
|
|
||
| echo "=== Step 1: Building default image ===" |
Comment on lines
+11
to
+25
| "Bash(gh release *)", | ||
| "Bash(gh pr create --base master --head chore/rename-default-branch-main --title 'chore: rename default branch from master to main' --body ' *)", | ||
| "Bash(gh pr *)", | ||
| "Bash(gh api *)", | ||
| "Bash(python3 -c \"import sys,json; d=json.load\\(sys.stdin\\); print\\('renamed to:', d.get\\('name'\\), '| protected:', d.get\\('protected'\\)\\)\")", | ||
| "Bash(gh repo *)", | ||
| "Bash(python3 -c \"import sys,json; d=json.load\\(sys.stdin\\); print\\('rulesets:', [ \\(r.get\\('name'\\), r.get\\('target'\\)\\) for r in d] if isinstance\\(d,list\\) else d\\)\")", | ||
| "Bash(python3 -c \"import sys,json; d=json.load\\(sys.stdin\\); print\\('deployment_branch_policy:', d.get\\('deployment_branch_policy'\\)\\)\")", | ||
| "Bash(python3 -c \"import sys,json; d=json.load\\(sys.stdin\\); print\\([p.get\\('name'\\) for p in d.get\\('branch_policies',[]\\)] if isinstance\\(d,dict\\) else d\\)\")", | ||
| "Bash(gh workflow *)", | ||
| "Bash(gh run *)", | ||
| "Bash(docker buildx *)", | ||
| "Bash(chmod +x test-local.sh)", | ||
| "Bash(docker build *)", | ||
| "Bash(docker run *)" |
Comment on lines
+21
to
+24
| # pnpm 11 blocks dependency build scripts by default; SPFx projects (e.g. unrs-resolver) | ||
| # rely on them. Allow them globally so `pnpm install` works for CI and end users. | ||
| RUN mkdir -p /home/spfx/.config/pnpm && \ | ||
| printf 'dangerouslyAllowAllBuilds: true\n' > /home/spfx/.config/pnpm/config.yaml |
… file The initial fix wrote dangerouslyAllowAllBuilds to the spfx user's global pnpm config (~/.config/pnpm/config.yaml). That only works when the container runs as spfx. The README's macOS/Linux command runs as the host user (`--user $(id -u):$(id -g)`) so scaffolded files are owned by the host, and the devcontainer uses `remoteUser: node` — in both cases HOME is not /home/spfx, so pnpm never reads the config and ERR_PNPM_IGNORED_BUILDS returns for real users (CI passed only because it runs as spfx). Use `ENV pnpm_config_dangerously_allow_all_builds=true` instead. Env vars are user/HOME-independent, so the setting applies across every documented run path (spfx, host-uid override, node devcontainer). Verified `pnpm config get dangerouslyAllowAllBuilds` returns true under both the default user and `--user 1000:1000`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Complete the 1.23.2 version bump alongside the Dockerfile generator update: point the `latest`/`online` tags at 1.23.2 and add a 1.23.2 row in the README Available tags section, and update the devcontainer.json example in DevelopmentContainers.md. Makes this branch a complete v1.23.2 release (fix + version bump), ready to tag after merge. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reclaims the ~250MB npm cache (~/.npm) left behind by the global npm installs. The clean must run in the same RUN as the installs: a separate `RUN npm cache clean` only adds a whiteout in a new layer while the cache bytes remain committed in the earlier install layers, so image size is unchanged. Folding it in drops the default image from 2.3GB to 1.97GB (single-arch; larger saving on the multi-arch manifest). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Bump ci.yml actions to Node 24 runtimes: docker/setup-buildx-action v3->v4 and docker/bake-action v6.10.0->v7.3.0. (build-and-push.yaml was already bumped.) bake-action v7's only breaking input change (workdir merged into source) doesn't affect us — ci.yml already uses `source: .`; targets/push/set and buildx `cleanup` are unchanged. - Use exec-form CMD (`CMD ["/bin/bash"]`) to resolve the buildkit JSONArgsRecommended lint warning and get proper signal handling for the interactive container. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v1.23.2: bumps the SPFx generator and fixes the pnpm 11 install blocker in one PR.
Included
test-local.shto reproduce the CI build stages locally.npm cache clean --forceinto the global-installRUN(a separateRUNleaves the cache in earlier layers). Drops the default image 2.3GB → 1.97GB single-arch (~250MB npm cache; larger on the multi-arch manifest).The pnpm 11 fix
pnpm installwas failing hard with:pnpm is installed unpinned, so CI/end users now get pnpm 11, which blocks dependency build scripts by default and defaults
strictDepBuildstotrue— turning an ignored build script (unrs-resolver) into a fatal install error. The SPFxpackage.jsonis generated at runtime byyo, so the fix is baked into the image via:ENV pnpm_config_dangerously_allow_all_builds=trueAn env var (not a global pnpm config file) is deliberate: a config file only applies when the container runs as
spfx, but the README's macOS/Linux command runs as the host user (--user $(id -u):$(id -g)) and the devcontainer usesremoteUser: node— in those cases$HOMEisn't/home/spfx, so a config-file fix would be silently missed and the error would return for real users (CI would still pass, hiding it). The env var is user/HOME-independent.Verification
pnpm config get dangerouslyAllowAllBuilds→trueunder both the defaultspfxuser and--user 1000:1000(the README path a config-file fix would have missed).docker build --target test-webpart→ scaffold +pnpm install+pnpm buildall pass, noERR_PNPM_IGNORED_BUILDS../test-local.sh→=== All checks passed ===.After merge
Tag
v1.23.2on the merged commit to trigger the Docker Hub build-and-push.🤖 Generated with Claude Code