fix(webpack-cli): declare json5/js-yaml/toml as optional peerDependencies

[alexander-akait]

What kind of change does this PR introduce?

Bugfix / dependency-metadata fix for the new non-JS config support.

Did you add tests for your changes?

No new automated test (this is a manifest/metadata change). It was verified manually with a real Yarn Berry PnP reproduction — see below.

Summary

webpack-cli now parses .json5, .yaml/.yml and .toml configs by loading the respective parser (json5, js-yaml, toml) from the user's project, and asks users to install it on demand. However, those packages were not declared anywhere in packages/webpack-cli/package.json — not in dependencies, peerDependencies, or peerDependenciesMeta.

Under Yarn PnP an undeclared package is unsound to resolve, so the parser cannot be reached and there is no package-manager signal telling users which package to install.

This PR declares the three parsers as optional peerDependencies (mirroring the existing webpack-dev-server / webpack-bundle-analyzer pattern):

"js-yaml": "^4.0.0 || ^5.0.0",
"json5": "^2.2.3",
"toml": "^3.0.0 || ^4.0.0"

Verification

Reproduced webpack-cli's actual parser-resolution mechanism under real Yarn Berry (4.17) PnP:

Scenario (strict PnP, pnpFallbackMode: none)	Result
Parser resolved from the package's own module context, not declared	❌ tried to access json5, but it isn't declared in its dependencies; this makes the require call ambiguous and unsound
Parser declared as optional peerDependency, user installs it	✅ resolves
Parser not installed	❌ undeclared / unsound

Notes:

• Default PnP (fallback-except-top-level) can mask the issue by silently falling back to a top-level dependency — the classic fragile phantom-dependency behavior. Strict setups (and configs that live in a workspace not declaring the parser) break.
• Without the declaration there is no signal prompting users to install the right parser; they only find out on a runtime crash.

The version ranges reflect the latest published versions (json5 2.2.3, js-yaml 5.1.0, toml 4.1.1) and the used APIs (.parse / .load), which are stable across those majors. Happy to tighten/loosen them per maintainer preference.

🤖 Generated with Claude Code

https://claude.ai/code/session_01E8q7bNUb92fDzxLRdLY6L5

---

Generated by Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3c8e7b2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 1 package

Name	Type
webpack-cli	Minor

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[linux-foundation-easycla]

• ✅ Unknown (3c8e7b2)
• ❌ - login: @claude / name: Claude. The commit (3c8e7b2) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

One or more co-authors of this pull request were not found. You must specify co-authors in commit message trailer via:

Co-authored-by: name <email>

Supported Co-authored-by: formats include:

1. Anything <id+login@users.noreply.github.com> - it will locate your GitHub user by id part.
2. Anything <login@users.noreply.github.com> - it will locate your GitHub user by login part.
3. Anything <public-email> - it will locate your GitHub user by public-email part. Note that this email must be made public on Github.
4. Anything <other-email> - it will locate your GitHub user by other-email part but only if that email was used before for any other CLA as a main commit author.
5. login <any-valid-email> - it will locate your GitHub user by login part, note that login part must be at least 3 characters long.

Alternatively, if the co-author should not be included, remove the Co-authored-by: line from the commit message.

Please update your commit message(s) by doing git commit --amend and then git push [--force] and then request re-running CLA check via commenting on this pull request:

/easycla

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.43%. Comparing base (3471103) to head (3c8e7b2).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4787   +/-   ##
=======================================
  Coverage   93.43%   93.43%           
=======================================
  Files          14       14           
  Lines        5420     5420           
  Branches      788      788           
=======================================
  Hits         5064     5064           
  Misses        354      354           
  Partials        2        2           

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3471103...3c8e7b2. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.