2 files changed, 13 insertions, 0 deletions

diff --git a/pkgs/build-support/node/fetch-pnpm-deps/default.nix b/pkgs/build-support/node/fetch-pnpm-deps/default.nix
index 20df85467c16..564dc338ce99 100644
--- a/pkgs/build-support/node/fetch-pnpm-deps/default.nix
+++ b/pkgs/build-support/node/fetch-pnpm-deps/default.nix
@@ -146,6 +146,10 @@ in
               # Run any additional pnpm configuration commands that users provide.
               ${prePnpmInstall}
 
+              echo "Final pnpm config:"
+              pnpm config list
+              echo
+
               # pnpm is going to warn us about using --force
               # --force allows us to fetch all dependencies including ones that aren't meant for our host platform
               pnpm install \
diff --git a/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh b/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh
index 79c8f2d1a3a9..dc732c3822f8 100644
--- a/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh
+++ b/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh
@@ -28,6 +28,11 @@ pnpmConfigHook() {
     if versionAtLeast "$pnpmVersion" "11"; then
       # pnpm 11 uses a different mechanism to manage package manager versions
       export pnpm_config_pm_on_fail=ignore
+
+      # Disable lockfile verification against supply-chain policies. This is
+      # already done in fetchPnpmDeps, so if these checks failed there, we
+      # wouldn't be here in the first place
+      export pnpm_config_trust_lockfile=true
     else
       pnpm config set manage-package-manager-versions false
     fi
@@ -84,6 +89,10 @@ pnpmConfigHook() {
 
     runHook prePnpmInstall
 
+    echo "Final pnpm config:"
+    pnpm config list
+    echo
+
     if ! pnpm install \
         --offline \
         --ignore-scripts \