fix(lambda-nodejs): run beforeInstall hook after workspace files are written

[Zelys-DFKH]

Fixes #37898.

Credit to @cmodijk: the issue report traces the execution order exactly, identifies the root cause, and spells out what the fix should look like. This PR implements what you described.

---

The problem

On pnpm v11, strictDepBuilds is the effective default. Any NodejsFunction that bundles nodeModules with a native-build dependency (e.g. ssh2-sftp-client → cpu-features) hits this at deploy time:

ERR_PNPM_INSTALL_SCRIPTS_NOT_ALLOWED  cpu-features@1.x.x is not allowed to run install scripts

The beforeInstall hook was designed to handle this: append allowBuilds entries to pnpm-workspace.yaml before the install runs. It silently doesn't work, which is worse than not existing.

Why

CDK writes an empty pnpm-workspace.yaml to prevent pnpm from walking up to a monorepo root (introduced in #21910, still the right call). The bug was ordering. Before this fix:

beforeBundling → esbuild → [beforeInstall] → write pnpm-workspace.yaml + install → afterBundling
                                ↑ hook fires here        ↑ empty yaml written here

Whatever the user wrote in beforeInstall got overwritten a step later. The hook's name is a lie.

Fix

Splits node-modules file-ops into two phases via a new NodeModuleFileOps interface:

• prepareSteps: writes pnpm-workspace.yaml, package.json, and the lockfile
• installSteps: runs the package manager and post-install cleanup

createBundlingSteps puts beforeInstall between them, for both Docker and local bundling.

beforeBundling → esbuild → write pnpm-workspace.yaml → [beforeInstall] → install → afterBundling
                                        ↑ files written here    ↑ hook fires here

No behavior change for callers where beforeInstall returns [] (the default).

The refactor makes createBundlingSteps slightly more involved. dockerFileOps and localFileOps are both private, so there's no API surface change.

Validation

Unit test (bundling.test.ts): beforeInstall hook fires after pnpm workspace files are written (Docker) — asserts the Docker shell command orders pnpm-workspace.yaml write → beforeInstall output → pnpm install. This is the test that would have caught the bug.

E2E behavioral test (bundling-e2e.test.ts): pnpm-specific / beforeInstall writes to pnpm-workspace.yaml survive CDK workspace setup — runs CDK synthesis with a minimal pnpm project (local and Docker where available), writes allowBuilds: to pnpm-workspace.yaml in beforeInstall, then reads the output file and asserts the content survived. Skipped when pnpm is unavailable locally and Docker bundling is off.

Integration test (integ.dependencies-pnpm-before-install.ts): deploys a real Lambda with a delay dependency via forceDockerBundling: true, where beforeInstall writes allowBuilds: delay: true to pnpm-workspace.yaml. The snapshot ships with zeroed hashes: Docker + full CDK build aren't available in this environment. Regenerate with:

yarn integ test/aws-lambda-nodejs/test/integ.dependencies-pnpm-before-install.js --update-on-failed

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.