docs(only-allow-pnpm): added option to enforce pnpm with package.json and .npmrc #691

Closed
wants to merge 3 commits into from

@karthikappiah karthikappiah commented Jul 21, 2025

Hello team!

I propose a very non-invasive update to the documentation—a native solution to a bug that has spawned numerous issues on GitHub.

As described in this issue (and many more open and closed issues), the package only-allow cannot reliably prevent NPM commands from running (even as a preinstall script).

Therefore, I added an alternative—a native solution that simply specifies PNPM as packageManager in package.json and sets engine-strict as true in .npmrc. This prevents commands from anything other than what's specified as the package manager.

I also documented the option to install only-allow as a dev dependency for offline and CI/CD use cases.

Thank you,
Karthik Appiah

vercel bot commented Jul 21, 2025

@karthikappiah is attempting to deploy a commit to the pnpm Team on Vercel.

A member of the Team first needs to authorize it.

karthikappiah commented Jul 21, 2025

For easier reference, here is the alternative:

As per the NPM docs, to prevent the use of an unspecified package manager, you should:

  1. Create a file, if it doesn't already exist, named .npmrc at the root of your project.
  2. Toggle the following configuration variable in your .npmrc on:

```ini
engine-strict=true
```

  3. Specify the following fields in your package.json:

```json
{
  "devEngines": {
    "runtime": {
      "name": "node",
      "onFail": "error"
    },
    "packageManager": {
      "name": "pnpm",
      "version": "10.13.1",
      "onFail": "error"
    }
  },
  "engines": {
    "node": ">=18.18.0",
    "pnpm": ">=10.0.0"
  }
}
```

  • Now, when you run npm i or npm i -D, these commands return this error (before the preinstall script can run):

```
username@hostname nodejs-project % npm i -D package
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid name "pnpm" does not match "npm" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.2' },
npm error EBADDEVENGINES   required: { name: 'pnpm', onFail: 'error' }
npm error EBADDEVENGINES }
npm error A complete log of this run can be found in: /Users/username/.npm/_logs/2021-08-21T00_00_00_000Z-debug-0.log
```
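
An added example, not part of the pull request or the pnpm docs: a small Node.js check a CI job could run to confirm that a repository still carries the settings listed in the comment above, so the enforcement cannot be silently weakened by a later edit. The function names and sample inputs are constructed for illustration, and treating an absent `onFail` as acceptable is an assumption of this sketch.

```javascript
// Parse key=value lines of an .npmrc, skipping blank lines and # / ; comments.
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings;
}

// Return a list of findings; an empty list means both files carry the settings.
function auditPnpmEnforcement(packageJsonText, npmrcText) {
  const findings = [];
  if (parseNpmrc(npmrcText)['engine-strict'] !== 'true') {
    findings.push('.npmrc: engine-strict=true is not set');
  }
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText) || {};
  } catch (err) {
    // A trailing comma or similar slip makes the file unparseable.
    return findings.concat('package.json: not valid JSON (' + err.name + ')');
  }
  // Normalise a single object or an array of objects to an array.
  const entries = [].concat((pkg.devEngines || {}).packageManager || []);
  if (entries.length === 0) {
    findings.push('package.json: devEngines.packageManager is missing');
  }
  for (const entry of entries) {
    if (entry.name !== 'pnpm') {
      findings.push('package.json: devEngines.packageManager allows "' + entry.name + '"');
    }
    // Flag an explicit onFail other than "error" (assumption: absent is acceptable).
    if (entry.onFail !== undefined && entry.onFail !== 'error') {
      findings.push('package.json: onFail is "' + entry.onFail + '", not "error"');
    }
  }
  if (!(pkg.engines && pkg.engines.pnpm)) {
    findings.push('package.json: engines.pnpm is missing');
  }
  return findings;
}

// Constructed sample inputs mirroring the configuration in the comment above.
const SAMPLE_NPMRC = 'engine-strict=true\n';
const SAMPLE_PKG = JSON.stringify({
  devEngines: { packageManager: { name: 'pnpm', version: '10.13.1', onFail: 'error' } },
  engines: { node: '>=18.18.0', pnpm: '>=10.0.0' },
});
console.log(auditPnpmEnforcement(SAMPLE_PKG, SAMPLE_NPMRC)); // empty list: nothing to report
```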

karthikappiah commented Jul 21, 2025

Sorry for the last-minute refinement, I'm done adding commits to this pull request.
My latest commit is 873885b, awaiting your review and approval!

@karthikappiah karthikappiah changed the title added alternative to only allow pnpm docs: added alternative to only allow pnpm Jul 21, 2025
@karthikappiah karthikappiah deleted the patch-4 branch July 21, 2025 20:45
@karthikappiah karthikappiah changed the title docs: added alternative to only allow pnpm docs: added another option to only allow pnpm Jul 21, 2025
@karthikappiah karthikappiah changed the title docs: added another option to only allow pnpm docs(only-allow-pnpm): added option to enforce pnpm with engine-strict=true Jul 21, 2025
@karthikappiah karthikappiah changed the title docs(only-allow-pnpm): added option to enforce pnpm with engine-strict=true docs(only-allow-pnpm): added option to enforce pnpm with package.json and .npmrc Jul 21, 2025