fix: update pnpm-config template with correct version and new settings

Copilot · web-flow · commit d678f071a2ad · 2026-05-12T01:42:45.000Z
diff --git a/libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json b/libraries/rush-lib/assets/rush-init/common/config/rush/pnpm-config.json
@@ -368,12 +368,11 @@
    * lifecycle events). A value of `true` explicitly permits a package to run build scripts;
    * a value of `false` explicitly blocks it. Packages not listed inherit the default behavior.
    *
-   * This is the replacement for `globalNeverBuiltDependencies` and `globalOnlyBuiltDependencies`,
-   * and is the only way to control build permissions in pnpm 11+. The settings are written to the
-   * `allowBuilds` field of the `pnpm-workspace.yaml` file that is generated by Rush during
-   * installation.
+   * This is the replacement for `globalNeverBuiltDependencies` and `globalOnlyBuiltDependencies`.
+   * The settings are written to the `allowBuilds` field of the `pnpm-workspace.yaml` file that
+   * is generated by Rush during installation.
    *
-   * (SUPPORTED ONLY IN PNPM 11.0.0 AND NEWER)
+   * (SUPPORTED ONLY IN PNPM 10.26.0 AND NEWER)
    *
    * PNPM documentation: https://pnpm.io/settings#allowbuilds
    *
@@ -390,6 +389,36 @@
   },
   /*[END "HYPOTHETICAL"]*/
 
+  /**
+   * When `globalStrictDepBuilds` is enabled, the installation will exit with a non-zero exit code
+   * if any dependencies have unreviewed build scripts (i.e., scripts not explicitly listed in
+   * `globalAllowBuilds`). This helps enforce that all package build permissions are intentionally
+   * reviewed and approved. The setting maps to the `strictDepBuilds` field of the
+   * `pnpm-workspace.yaml` file generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.3.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#strictdepbuilds
+   */
+  /*[LINE "HYPOTHETICAL"]*/ "globalStrictDepBuilds": false,
+
+  /**
+   * If set to `true`, all build scripts (`preinstall`, `install`, `postinstall`) from all
+   * dependencies will run automatically without requiring explicit approval via `globalAllowBuilds`.
+   * The setting maps to the `dangerouslyAllowAllBuilds` field of the `pnpm-workspace.yaml` file
+   * generated by Rush during installation.
+   *
+   * WARNING: This allows all dependencies—including transitive ones—to run install scripts, both
+   * now and in the future. Future updates may introduce new, untrusted dependencies, or existing
+   * packages may add malicious scripts. For maximum safety, use `globalAllowBuilds` to explicitly
+   * review and allow builds.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.9.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#dangerouslyallowallbuilds
+   */
+  /*[LINE "HYPOTHETICAL"]*/ "globalDangerouslyAllowAllBuilds": false,
+
   /**
    * The `globalOnlyBuiltDependencies` setting specifies which dependencies are permitted to run
    * build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
