Sonarqube scanner perf degradation after switching to pnpm

Must-share information (formatted with Markdown):

• which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  SonarScanner 5.0.1.3006
  Java 17.0.8 Alpine (64-bit)
  Linux 5.15.0-1030-gcp amd64

• what are you trying to achieve]
  After switching to pnpm it took 4h to run sonar-scanner
  Before npm: it tooks around 10m

Eventually, I added the following exclusions for all the dist, reports, and other folders in sonar.exclusions:

sonar.sources=packages
sonar.exclusions=**/bower_components/**, **/node_modules/**, **/vendor/**, **/dist/**, **/out/**, **/reports/**, **/.pnpm/**, **/.scannerwork/**

I monitored the process, and it’s clear that the indexing step is taking significantly longer. Some files take around 10-30 minutes to index.

2024-11-11T04:55:04.3002175Z 04:55:04.299 INFO: 4725 files indexed...  (last one was packages/docs-website/scripts/examples/generate-docs-website-examples-index.ts)
...
2024-11-11T05:33:44.3413718Z 05:33:44.340 INFO: 4725 files indexed...  (last one was packages/docs-website/scripts/examples/generate-docs-website-examples-index.ts)

06:51:45.098 INFO: EXECUTION SUCCESS
06:51:45.099 INFO: ------------------------------------------------------------------------
06:51:45.099 INFO: Total time: 3:58:58.809s
06:51:45.199 INFO: Final Memory: 350M/900M

Hey there.

• What version of SonarQube are you using (you can find this in the footer of your instance)
• Is the scanner indexing the same number of files as before you made the switch?
• Probably, the most helpful logs would be DEBUG level scanner logs (sonar-scanner -X) from both before and after you made the switch to pnpm.

Hi Colin

• SonarQube server 9.9.3.79811
• The number files is exactly same before and after switching
• I tried running sonar-scanner -X, but it prompted a lot of logs, and I only noticed that the message 4725 files indexed... was different before and after

Well hopefully the folks over here can look at the logs with a critical eye and try to spot some differences

But without them, I don’t see how anybody can be helpful.

Otherwise, if you can build a small reproducer project that reproduces the issue (longer scan time when using pnpm), maybe that will be helpful.

Hi, I just noticed that removing the node_modules folder in each local project within the monorepo significantly speeds up the indexing process. Eventually, I have already added sonar.exclusions=**/node_modules/** to the configuration before but dont help much until remove the node_modules

I have a few questions:

• Does the SonarScanner need to interact with node_modules in any way?
• Can I safely remove it?
• Will removing it cause any issues?

My expectation is that if you’re excluding the node_modules folder with sonar.exclusions, it should behave as if that folder doesn’t exist.

Once again, I think DEBUG level analysis logs would help here.

Probably, the most helpful logs would be DEBUG level scanner logs (sonar-scanner -X) from both before and after you made the switch to pnpm.

Both this and one other thread never got a follow-up so I decided to investigate this since we are running into the same issue here.

Solution: Remove node_modules before scanning in pnpm monorepos

We’ve been experiencing the same issue after migrating our large Nx monorepo (~200+ packages) from Yarn to pnpm. Here’s what we found and how we solved it.

The Problem

After switching to pnpm, our SonarCloud CI jobs started showing:

• Symlink loop warnings during analysis
• Significantly slower scan times
• Occasional OOM kills in CI

The root cause is that pnpm’s node_modules structure uses symlinks extensively. When you have a package at packages/my-app/ with sonar.sources=., the scanner follows symlinks inside packages/my-app/node_modules/.pnpm/ which contains thousands of nested symlinked packages.

Even with sonar.exclusions=**/node_modules/** configured, the scanner appears to traverse these directories before applying exclusions, causing the symlink loop warnings.

Our Solution

Since SonarQube/SonarCloud only needs:

1. Source code (already in git)
2. Coverage reports (generated by test jobs)

It does not need node_modules at all. We simply delete each package’s node_modules directory immediately before running the scanner.

For Nx monorepos, we do this inside a custom executor so it happens after Nx builds its project graph but before sonar runs:

// packages/nx-helpers/src/executors/sonarqube/executor.ts
import { existsSync, rmSync } from 'fs';
import { join } from 'path';

export default async function runExecutor(options, context) {
  const projectRoot = /* ... get from context ... */;

  // Remove node_modules to prevent sonar from traversing pnpm symlinks
  // This is safe because sonar only needs source code and coverage reports
  const nodeModulesPath = join(context.root, projectRoot, 'node_modules');
  if (existsSync(nodeModulesPath)) {
    console.log(`Removing ${nodeModulesPath} to speed up sonar analysis...`);
    rmSync(nodeModulesPath, { recursive: true, force: true });
  }

  // Then run sonar-scanner
  const command = `pnpm sonar -Dsonar.token=... -Dsonar.organization=... ...`;
  // ...
}

Why not just use exclusions?

We tried several exclusion approaches:

1. sonar.exclusions=**/node_modules/** - Still causes symlink traversal warnings, suggesting the scanner walks the filesystem before applying exclusions.

2. More specific sonar.sources - Not practical in a large monorepo where each package has different source directories.

Results

• No more symlink loop warnings
• Faster scan times (less filesystem to traverse)
• No OOM issues
• Root node_modules preserved (needed for nx and @sonar/scan CLI)

Environment

• pnpm 10.x
• sonar/scan 4.3.2
• SonarCloud
• Nx 22.x monorepo

Suggestion for SonarSource

It would be helpful if the scanner could:

1. Skip symlink traversal entirely for excluded paths (don’t even readdir them)
2. Have a sonar.skipSymlinks=true option to avoid following symlinks
3. Better document pnpm-specific configuration for monorepos

Hope this helps others hitting the same issue!

Hi @Stanzilla,

Welcome to the community!

You’ve resurrected a topic that’s 1 year old. Per the FAQ, please don’t do that. Please create a new thread with all your details.

 
Thx,
Ann