
Update package.json#4328

Open
m-rooeintan wants to merge 1 commit into
umami-software:masterfrom
m-rooeintan:master

Conversation

m-rooeintan commented Jun 8, 2026


vercel (bot) commented Jun 8, 2026

@m-rooeintan is attempting to deploy a commit to the Umami Software Team on Vercel.

A member of the Team first needs to authorize it.

greptile-apps (bot, Contributor) commented Jun 8, 2026

Greptile Summary

This PR adds a pnpm.onlyBuiltDependencies block to package.json, restricting which packages are allowed to run lifecycle (postinstall) scripts during pnpm install to only @swc/core and @parcel/watcher.

  • The "pnpm" key is indented with 4 spaces instead of the 2-space indent used by every other top-level key, creating a visual inconsistency.
  • In pnpm v9+, onlyBuiltDependencies is an enforced allowlist — packages not listed have their postinstall scripts silently skipped. The current list omits cypress (which downloads its binary via postinstall) and potentially other packages, which could silently break dev tooling after a fresh install.

Confidence Score: 3/5

The change introduces a pnpm allowlist that may silently prevent Cypress and other dev tools from downloading their required binaries on a fresh install.

Setting onlyBuiltDependencies to only two packages while cypress (a direct devDependency that downloads its binary via postinstall) is absent means a fresh pnpm install will silently skip that postinstall step. The breakage won't surface until someone tries to run Cypress, making it difficult to diagnose.

package.json — the new pnpm.onlyBuiltDependencies block needs the full list of packages that rely on lifecycle scripts before this is safe to land.

Important Files Changed

Filename      Overview
package.json  Adds a pnpm.onlyBuiltDependencies block with malformed indentation and a potentially incomplete allowlist that could break postinstall scripts for packages like cypress

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pnpm install] --> B{Package has postinstall script?}
    B -->|No| E[Package ready]
    B -->|Yes| C{Listed in onlyBuiltDependencies?}
    C -->|swc-core or parcel-watcher| D[Run build scripts]
    C -->|cypress, prisma, esbuild etc.| F[Scripts silently skipped]
    D --> E
    F --> G[Binary or generated files missing]
    G --> H[Runtime or dev-tool failure]

Reviews (1): Last reviewed commit: "Update package.json"

Comment thread package.json
Comment on lines +160 to +162
},
"pnpm": {
"onlyBuiltDependencies": [


P2 The "pnpm" key is indented with 4 spaces, breaking consistency with every other top-level key in the file (all use 2 spaces). The closing brace on line 166 is already at 2 spaces, making the open/close indentation levels mismatch visually.

Suggested change
},
"pnpm": {
"onlyBuiltDependencies": [
},
"pnpm": {
"onlyBuiltDependencies": [

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Comment thread package.json
Comment on lines +161 to 166
"pnpm": {
"onlyBuiltDependencies": [
"@swc/core",
"@parcel/watcher"
]
}
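Review bot: the allowlist in this hunk stops at @swc/core and @parcel/watcher with no stated rationale, and the PR carries no description, so a reviewer cannot tell which packages' lifecycle scripts were actually checked before these two were chosen. Add a PR description (or commit message) saying how the list was derived, and confirm it against the devDependencies already flagged in this thread (cypress, prisma, esbuild) with a fresh install that verifies their binaries or generated files are still produced before this lands.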


P1 Incomplete onlyBuiltDependencies allowlist may silently break installs

In pnpm v9+, setting pnpm.onlyBuiltDependencies means only the listed packages are permitted to run lifecycle scripts — all others are silently skipped. This project has several direct devDependencies that rely on postinstall scripts to download their native binaries: cypress (downloads the Cypress binary), and potentially prisma (generates the client, though that step is also called explicitly in the build scripts). If Cypress's postinstall script is skipped, cypress run / cypress open will fail with a missing binary error at runtime rather than at install time, making the breakage hard to diagnose. The list should be expanded to include every package in the dependency tree that needs to run a build step.
