pnpm pnpm-10 esbuild sharp build-scripts security

pnpm 10 Blocks Build Scripts by Default

pnpm 10: onlyBuiltDependencies for esbuild/sharp

Problem

After pnpm install, a warning appeared:

Ignored build scripts: esbuild@0.25.12, esbuild@0.27.3, sharp@0.34.5.
Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.

pnpm approve-builds is interactive (it prompts in the terminal for each package), so it cannot be used in CI or other non-interactive contexts.

Root Cause

pnpm 10 ignores the lifecycle scripts of dependencies (preinstall, install, postinstall) by default unless the package is explicitly allowlisted. This limits the blast radius of supply chain attacks in which a compromised package runs arbitrary code on every developer machine and CI runner at install time.

esbuild and sharp both ship install scripts that fetch or verify their platform-specific native binaries, which is why they show up in the warning. Before allowlisting a package, check what its script actually runs (for example with pnpm view sharp scripts) rather than approving it on the package name alone.

Solution

Add onlyBuiltDependencies under the pnpm key of the root package.json (pnpm reads these settings from the root project only, not from individual workspace packages; the same setting can also live in pnpm-workspace.yaml):

{
  "pnpm": {
    "onlyBuiltDependencies": ["esbuild", "sharp"]
  }
}

This explicitly allowlists which packages may run their lifecycle scripts, so no interactive approval is needed. Everything not listed still has its scripts skipped.

Prevention

  • When adding a dependency that ships native code (e.g., better-sqlite3, canvas, bcrypt), make an explicit decision: add it to onlyBuiltDependencies if its install script is required, or to ignoredBuiltDependencies if it works without one, so the warning only ever reports genuinely new, unreviewed cases.
  • This is a one-time config change per dependency, not something repeated per install; commit it together with the lockfile.
  • In CI, --frozen-lockfile makes the install fail if package.json and pnpm-lock.yaml disagree, so the resolved versions and their integrity hashes are pinned, while onlyBuiltDependencies bounds which of those pinned packages may execute code during install. Together they give reproducible installs with an explicit, reviewable set of script-running packages. They do not vouch for what an allowlisted package's script does, so re-read the script when an allowlisted package gets a major version bump.
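The CI point above is easy to enforce: treat the "Ignored build scripts" warning as a failure so every new dependency that wants to run scripts gets an explicit onlyBuiltDependencies or ignoredBuiltDependencies decision instead of a silent skip. The script below is an added example, not pnpm's own tooling or code from the original page; it assumes the warning line format quoted in the Problem section, and the pnpm output it parses in the dry run is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original page): a CI guard that fails the build
# when pnpm reports dependencies whose lifecycle scripts were skipped, so each
# new native dependency gets an explicit decision instead of a silent skip.
# Assumes the "Ignored build scripts: ..." line format shown in the warning above.
set -eu

# Read pnpm install output on stdin; print one package name per line for every
# package listed after "Ignored build scripts:" (versions stripped, de-duplicated).
# Assumption: the list sits on a single line, as in the quoted warning. Trailing
# box-drawing characters from pnpm's boxed warning are cut off at the first space.
ignored_build_scripts() {
  sed -n 's/.*Ignored build scripts: //p' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' \
          -e 's/[[:space:]].*$//' \
          -e 's/\.$//' \
          -e 's/@[0-9][^@]*$//' \
    | LC_ALL=C sort -u
}

# Return 0 when the captured install output mentions no skipped scripts,
# 1 (with the offending names on stderr) when something still needs review.
check_unreviewed() {
  names=$(printf '%s\n' "$1" | ignored_build_scripts)
  if [ -n "$names" ]; then
    printf 'Dependencies want to run build scripts but are not yet reviewed:\n%s\n' "$names" >&2
    printf 'Add each to pnpm.onlyBuiltDependencies (needed) or pnpm.ignoredBuiltDependencies (not needed).\n' >&2
    return 1
  fi
  return 0
}

# CI entry point: non-interactive, lockfile-pinned install, then the guard.
# Not invoked automatically here; call it from the pipeline step.
ci_install() {
  out=$(pnpm install --frozen-lockfile 2>&1) || { printf '%s\n' "$out"; return 1; }
  printf '%s\n' "$out"
  check_unreviewed "$out"
}

# Constructed sample of pnpm 10 output (not a real capture) for a dry run:
#   sh ci_guard.sh --demo
SAMPLE_OUTPUT='Progress: resolved 120, reused 120, downloaded 0, added 120, done
Ignored build scripts: esbuild@0.25.12, esbuild@0.27.3, sharp@0.34.5.
Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.'

if [ "${1:-}" = "--demo" ]; then
  check_unreviewed "$SAMPLE_OUTPUT"   # exits 1 and lists esbuild and sharp
fi
```

Once every package in the warning has been added to one of the two lists, pnpm stops printing it and the guard passes; a fresh transitive dependency that adds an install script reappears in the warning and fails the pipeline until someone reviews it.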