feat: add support for pnpm 11 (#2802)

pnpm 11 introduced several breaking changes to the lockfile format that
this commit addresses:
1. patchedDependencies path moved to pnpm-workspace.yaml: pnpm 11 no
longer includes the patch file path in pnpm-lock.yaml (only the hash).
Add _normalize_patched_dependencies() to look up the path from
pnpm-workspace.yaml and restore the dict form expected by the rest of
the code.
2. Multi-document lockfile format: in some situations, such as when
configDependencies are present, pnpm 11 prepends an "env lockfile" YAML
document to pnpm-lock.yaml. Update the yq invocation to always return
the last document regardless of whether the file has one or two YAML
documents.
3. Changed peer dependency path encoding in snapshot keys: pnpm 11
encodes workspace-relative peer dep paths with a leading '+' (e.g.
`@scoped/b@+projects+b` instead of `@scoped/b@projects+b`), which
changes the generated virtual store target names.

Also adds v110 test fixtures (lockfile, workspace config, snapshots) and
reorganizes the e2e/pnpm_lockfiles setup so each version (v90, v101,
v110) is self-contained. v90 needs its own package.json and
pnpm-workspace.yaml, because pnpm 9 requires some things to be in
package.json that are expected in pnpm-workspace.yaml in later versions.

Fixes #2798.

---

### Changes are visible to end-users: yes

- Searched for relevant documentation and updated as needed: yes
- Breaking change (forces users to change their own code or config): no
- Suggested release notes appear below: no

### Test plan

- New test cases added

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: acozzette

docs/pnpm.md

@@ -271,10 +271,7 @@ npm packages have "lifecycle scripts" such as `postinstall` which are documented
 
 We refer to these as "lifecycle hooks".
 
-The lifecycle hooks of a package are determined by the `package.json` [`pnpm.onlyBuiltDependencies` attribute](https://pnpm.io/package_json#pnpmonlybuiltdependencies).
-
-If `pnpm.onlyBuiltDependencies` is unspecified `npm_translate_lock` will fallback to the legacy pnpm lockfile `requiresBuild` attribute.
-This attribute is only available in pnpm _before_ v9, see [pnpm #7707](https://github.com/pnpm/pnpm/issues/7707) for reasons why this attribute was removed.
+The lifecycle hooks of a package are determined by [allowBuilds](https://pnpm.io/next/settings#allowbuilds). (The `package.json` [`pnpm.onlyBuiltDependencies` attribute](https://pnpm.io/package_json#pnpmonlybuiltdependencies) also works for this and is needed for pnpm versions prior to 10.26).
 
 When a package has lifecycle hooks the `lifecycle_*` attributes are applied to filter which hooks are run and how they are run.
 

e2e/pnpm_lockfiles/.bazelignore

@@ -9,6 +9,7 @@ cases/nested-peer-v9/node_modules
 cases/workspace-peer-v9/node_modules
 cases/workspace-peer-v9/libs/chokidar/node_modules
 cases/isaacs-cliui-v90/node_modules
+cases/multi-document-v11/node_modules
 cases/override-with-alias-url-v9/node_modules
 projects/a/node_modules
 projects/a-types/node_modules
@@ -21,4 +22,5 @@ projects/peers-combo-1/node_modules
 projects/peers-combo-2/node_modules
 v90/node_modules/
 v101/node_modules/
+v110/node_modules/
 vendored/is-number/node_modules

e2e/pnpm_lockfiles/MODULE.bazel

@@ -8,6 +8,7 @@ local_path_override(
 PNPM_LOCK_VERSIONS = [
     "v90",
     "v101",
+    "v110",
 ]
 
 # Lockfiles with unique test cases
@@ -19,6 +20,7 @@ PNPM_LOCK_TEST_CASES = [
     "nested-peer-v9",
     "rerooted-nested-projects-v10/root",
     "workspace-peer-v9",
+    "multi-document-v11",
 ]
 
 bazel_dep(name = "bazel_lib", version = "3.0.0")

e2e/pnpm_lockfiles/base/pnpm-workspace.yaml

@@ -2,3 +2,30 @@ packages:
     - '.'
     - '../projects/*'
     - '../vendored/*'
+
+# The presence of configDependencies causes pnpm-lock.yaml to be a
+# multi-document YAML file with pnpm 11.
+configDependencies:
+    semver: 7.7.4+sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==
+
+# patchedDependencies, allowBuilds (or onlyBuiltDependencies), and overrides
+# are duplicated in package.json, and should be kept in sync for as long as we
+# maintain support for pnpm 9. Once we drop support for pnpm 9, we should
+# delete that information from package.json.
+patchedDependencies:
+    meaning-of-life@1.0.0: patches/meaning-of-life@1.0.0-pnpm.patch
+
+allowBuilds:
+    '@aspect-test/c': true
+
+# pnpm 11 defaults this to true, which blocks URL-based dependencies from being
+# used as subdependencies; the test intentionally uses a URL override for diff,
+# so this needs to be disabled
+blockExoticSubdeps: false
+
+overrides:
+    is-number: 'file:../vendored/is-number'
+    diff: 'https://github.com/kpdecker/jsdiff/archive/refs/tags/v5.2.0.tar.gz'
+    fsevents: '^2.3'
+    typescript: '5.5.2'
+    '@types/glob': '^8.1.0'

e2e/pnpm_lockfiles/cases/multi-document-v11/BUILD.bazel

@@ -0,0 +1,19 @@
+load("@bazel_skylib//rules:build_test.bzl", "build_test")
+load("@multi-document-v11//:defs.bzl", multi_document_v11_link_all = "npm_link_all_packages")
+
+exports_files(["pnpm-lock.yaml"])
+
+multi_document_v11_link_all()
+
+# Verify that rules_js can parse a pnpm 11 multi-document lockfile (where
+# configDependencies cause an env lockfile to be prepended as a second YAML
+# document) and correctly resolves the main lockfile from the last document.
+# :node_modules/ms only appears in the second document, so its presence proves
+# we are reading the correct document.
+build_test(
+    name = "multi_document_v11",
+    targets = [
+        ":node_modules",
+        ":node_modules/ms",
+    ],
+)

e2e/pnpm_lockfiles/cases/multi-document-v11/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "config-deps-v11",
+    "version": "0.0.0",
+    "dependencies": {
+        "ms": "^2.1.3"
+    }
+}

e2e/pnpm_lockfiles/cases/multi-document-v11/pnpm-lock.yaml

@@ -0,0 +1,7 @@
+packages:
+    - '.'
+
+configDependencies:
+    semver: 7.7.4+sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==
+
+allowBuilds: {}

e2e/pnpm_lockfiles/cases/multi-document-v11/pnpm-workspace.yaml

@@ -145,7 +145,10 @@ def lockfile_test(npm_link_all_packages, name = None):
             ":node_modules/scoped/bad",
             ":.aspect_rules_js/node_modules/@scoped+a@0.0.0",
             ":.aspect_rules_js/node_modules/@scoped+b@0.0.0",
-            ":.aspect_rules_js/node_modules/@scoped+c@file+..+projects+c_@scoped+b@projects+b",
+            # Workaround for peer suffixes changing in pnpm 11. We may want to
+            # revisit this depending on the outcome of:
+            # https://github.com/pnpm/pnpm/issues/11272
+            ":.aspect_rules_js/node_modules/@scoped+c@file+..+projects+c_@scoped+b@%sprojects+b" % ("+" if lock_version == "v110" else ""),
             ":.aspect_rules_js/node_modules/@scoped+d@0.0.0",
 
             # file: 4.17.21.tgz tarbal

e2e/pnpm_lockfiles/lockfile-test.bzl

@@ -2,9 +2,13 @@
 
 #   9.0 - pnpm v9.0.0 bumped the lockfile version to 9.0; this includes breaking changes regarding lifecycle hooks and patches
 #  10.0 - pnpm v10 kept the lockfile version at 9.0, but has minor differences such as length of hashes, yaml key order etc.
+#  11.0 - pnpm v11 kept the lockfile version at 9.0 and made several minor changes
 
 # pnpm v9.0.0 bumped the lockfile version to 9.0
-pushd base && npx -y pnpm@~9 install --lockfile-only && mv pnpm-lock.yaml ../v90 && popd
+pushd v90 && npx -y pnpm@~9 install --lockfile-only && popd
 
 # pnpm v10
-pushd base && npx -y pnpm@~10 install --lockfile-only && mv pnpm-lock.yaml ../v101 && popd
+pushd v101 && npx -y pnpm@~10 install --lockfile-only && popd
+
+# pnpm v11 rc
+pushd v110 && npx -y pnpm@next-11 install --lockfile-only && popd