Merge pull request #459 from iclanton/bump-rushstack-projects

Bump rushstack dependencies.

Author: iclanton

.gitignore

@@ -110,6 +110,7 @@ temp/
 lib/
 lib-amd/
 lib-es6/
+lib-esm/
 lib-esnext/
 lib-commonjs/
 lib-shim/

api-demo/package.json

@@ -11,7 +11,7 @@
   },
   "devDependencies": {
     "tsdoc-build-rig": "workspace:*",
-    "@rushstack/heft": "1.1.1",
+    "@rushstack/heft": "1.2.5",
     "eslint": "~9.25.1"
   },
   "scripts": {

common/changes/@microsoft/tsdoc-config/bump-rushstack-projects_2026-02-25-02-23.json

@@ -0,0 +1,11 @@
+{
+  "changes": [
+    {
+      "comment": "",
+      "type": "none",
+      "packageName": "@microsoft/tsdoc-config"
+    }
+  ],
+  "packageName": "@microsoft/tsdoc-config",
+  "email": "iclanton@users.noreply.github.com"
+}

common/changes/@microsoft/tsdoc/bump-rushstack-projects_2026-02-25-02-23.json

@@ -0,0 +1,11 @@
+{
+  "changes": [
+    {
+      "comment": "",
+      "type": "none",
+      "packageName": "@microsoft/tsdoc"
+    }
+  ],
+  "packageName": "@microsoft/tsdoc",
+  "email": "iclanton@users.noreply.github.com"
+}

common/changes/eslint-plugin-tsdoc/bump-rushstack-projects_2026-02-25-02-23.json

@@ -0,0 +1,11 @@
+{
+  "changes": [
+    {
+      "comment": "",
+      "type": "none",
+      "packageName": "eslint-plugin-tsdoc"
+    }
+  ],
+  "packageName": "eslint-plugin-tsdoc",
+  "email": "iclanton@users.noreply.github.com"
+}

common/config/rush/.npmrc

@@ -22,7 +22,12 @@
 #
 #   //registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}
 #
+
+# Explicitly specify the NPM registry that "rush install" and "rush update" will use by default:
 registry=https://registry.npmjs.org/
 
-# This seemed to interfere with authentication for publishing:
-# always-auth=false
+# Optionally provide an authentication token for the above registry URL (if it is a private registry):
+# //registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}
+
+# Change this to "true" if your registry requires authentication for read-only operations:
+always-auth=false

common/config/rush/.npmrc-publish

@@ -19,6 +19,8 @@
 #   //registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}
 #
 
+# Explicitly specify the NPM registry that "rush publish" will use by default:
 registry=https://registry.npmjs.org/
-always-auth=true
-//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}
+
+# Provide an authentication token for the above registry URL:
+# //registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}

common/config/rush/command-line.json

@@ -119,6 +119,14 @@
     //   "enableParallelism": false,
     //
     //   /**
+    //    * Controls whether weighted operations can start when the total weight would exceed the limit
+    //    * but is currently below the limit. This setting only applies when "enableParallelism" is true
+    //    * and operations have a "weight" property configured in their rush-project.json "operationSettings".
+    //    * Choose true (the default) to favor parallelism.  Choose false to strictly stay under the limit.
+    //    */
+    //   "allowOversubscription": false,
+    //
+    //   /**
     //    * Normally projects will be processed according to their dependency order: a given project will not start
     //    * processing the command until all of its dependencies have completed.  This restriction doesn't apply for
     //    * certain operations, for example a "clean" task that deletes output files.  In this case

common/config/rush/experiments.json

@@ -3,7 +3,7 @@
  * Rush features.  More documentation is available on the Rush website: https://rushjs.io
  */
 {
-  "$schema": "https://developer.microsoft.com/json-schemas/rush/v5/experiments.schema.json"
+  "$schema": "https://developer.microsoft.com/json-schemas/rush/v5/experiments.schema.json",
 
   /**
    * By default, 'rush install' passes --no-prefer-frozen-lockfile to 'pnpm install'.
@@ -116,5 +116,13 @@
    * subspace.  This is useful for large product groups who work in separate subspaces and generally prefer to consume
    * each other's packages via the NPM registry.
    */
-  // "exemptDecoupledDependenciesBetweenSubspaces": false
+  // "exemptDecoupledDependenciesBetweenSubspaces": false,
+
+  /**
+   * If true, when running on macOS, Rush will omit AppleDouble files (._*) from build cache archives
+   * when a companion file exists in the same directory. AppleDouble files are automatically created by
+   * macOS to store extended attributes on filesystems that don't support them, and should generally not
+   * be included in the shared build cache.
+   */
+  "omitAppleDoubleFilesFromBuildCache": true
 }

common/config/rush/pnpm-config.json

@@ -67,6 +67,38 @@
    */
   // "autoInstallPeers": false,
 
+  /**
+   * The minimum number of minutes that must pass after a version is published before pnpm will install it.
+   * This setting helps reduce the risk of installing compromised packages, as malicious releases are typically
+   * discovered and removed within a short time frame.
+   *
+   * For example, the following setting ensures that only packages released at least one day ago can be installed:
+   *
+   * "minimumReleaseAge": 1440
+   *
+   * (SUPPORTED ONLY IN PNPM 10.16.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#minimumreleaseage
+   *
+   * The default value is 0 (disabled).
+   */
+  // "minimumReleaseAge": 1440,
+
+  /**
+   * An array of package names or patterns to exclude from the minimumReleaseAge check.
+   * This allows certain trusted packages to be installed immediately after publication.
+   * Patterns are supported using glob syntax (e.g., "@myorg/*" to exclude all packages from an organization).
+   *
+   * For example:
+   *
+   * "minimumReleaseAgeExclude": ["webpack", "react", "@myorg/*"]
+   *
+   * (SUPPORTED ONLY IN PNPM 10.16.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#minimumreleaseageexclude
+   */
+  // "minimumReleaseAgeExclude": ["@myorg/*"],
+
   /**
    * If true, then Rush will add the `--strict-peer-dependencies` command-line parameter when
    * invoking PNPM.  This causes `rush update` to fail if there are unsatisfied peer dependencies,
@@ -265,6 +297,29 @@
     // "fsevents"
   ],
 
+  /**
+   * The `globalOnlyBuiltDependencies` setting specifies which dependencies are permitted to run
+   * build scripts (`preinstall`, `install`, and `postinstall` lifecycle events). This is the inverse
+   * of `globalNeverBuiltDependencies`. In PNPM 10.x, build scripts are disabled by default for
+   * security, so this setting is required to explicitly permit specific packages to run their
+   * build scripts. The settings are written to the `onlyBuiltDependencies` field of the
+   * `pnpm-workspace.yaml` file that is generated by Rush during installation.
+   *
+   * (SUPPORTED ONLY IN PNPM 10.1.0 AND NEWER)
+   *
+   * PNPM documentation: https://pnpm.io/settings#onlybuiltdependencies
+   *
+   * Example:
+   *   "globalOnlyBuiltDependencies": [
+   *     "esbuild",
+   *     "playwright",
+   *     "@swc/core"
+   *   ]
+   */
+  // "globalOnlyBuiltDependencies": [
+  //   "esbuild"
+  // ],
+
   /**
    * The `globalIgnoredOptionalDependencies` setting suppresses the installation of optional NPM
    * dependencies specified in the list. This is useful when certain optional dependencies are