chore: upgrade pnpm 9 → 11 with supply-chain protection#235
chore: upgrade pnpm 9 → 11 with supply-chain protection#235cameronapak wants to merge 10 commits into
Conversation
- Upgrade pnpm 9.0.0 → 11.1.1 (packageManager, engines, corepack) - Add minimumReleaseAge: 4320 (3-day cooldown) to pnpm-workspace.yaml - Move overrides from package.json → pnpm-workspace.yaml (pnpm 11 requirement) - Add @internal/eslint-config and eslint-plugin-storybook as root devDeps - Add allowBuilds for esbuild, @parcel/watcher, msw - Remove version pins from CI workflows (reads from packageManager field) - Update AGENTS.md with pnpm 11 refs and supply-chain docs
|
- Bump node-version from 20 → 22 in ci.yml and storybook.yml (pnpm 11 requires Node >= 22.13) - Bump engines.node from >=20 → >=22 in package.json - Remove minimumReleaseAgeExclude — workspace packages bypass the gate inherently - Update AGENTS.md Node requirement references
|
Hey @jhampton, Can I get your feedback on this PR? Mainly around the idea of it. I just want to make sure that with the rise of supply chain attacks, that we are protected on our repos. So I just want to share this with you and let me know so that I can hear your feedback (any feedback) |
Resolve pnpm-lock.yaml conflict by regenerating against main (YPE-642 verse action popover) with pnpm 11.10.0. Supply-chain hardening follow-ups: - pnpm 11.1.1 -> 11.10.0 (latest stable 11.x; corepack-written hash) - vite override ">=5.4.21" -> exact "7.3.3" (closes the last loose version range; a >= let a bad newer release resolve silently) - allowBuilds: '@swc/core': false (tsup uses esbuild by default; no tsup.config requests swc, so its native postinstall is unneeded) - CONTRIBUTING.md prerequisites: Node >=22, pnpm >=11 (match engines) Verified: pnpm lint (7/7), typecheck (6/6), test (751 pass: core 298, hooks 275, ui 178), build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
CLAUDITHAN SAYS Re: the Greptile note that 1. Stale premise. After the lockfile regen on the current head, Greptile reviewed an earlier commit where swc had transiently dropped out; the regen restored it, so "resolves without it" no longer describes this code. 2. Wrong mechanism regardless. tsup always transforms/bundles with esbuild. Net: nothing to fix. The green build is expected, not just reassuring — esbuild was always the transformer. (Also FYI: |
pnpm 11 reads only auth/registry settings from .npmrc; the publicHoistPattern / autoInstallPeers / strictPeerDependencies lines were silently ignored. Verified publicHoistPattern default is [] under pnpm 11, so eslint/prettier/@types/* were no longer hoisted to root. Migrate them to pnpm-workspace.yaml to preserve the repo's intended hoisting. Confirmed via `pnpm install --force`: full @types/* set is hoisted to root node_modules again (was just @types/node before). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
pnpm 11.x declares engines.node >=22.13 in its own package.json (verified against the npm registry). Aligns engines with the docs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
RELATES TO https://lifechurch.atlassian.net/browse/YPE-2688
The recent news of seeing more and more supply-chain attacks via npm has caused me to want to make sure we're as secure as can be. That's what this PR does.
Summary
minimumReleaseAge: 4320(3-day cooldown) to mitigate supply-chain attacks on new package versionspackage.json→pnpm-workspace.yaml(pnpm 11 breaking change — overrides in package.json no longer enforce for auto-installed peers)vitewas the last loose range (>=5.4.21→7.3.3), which could otherwise resolve a compromised newer release silentlypnpm/action-setup@v4now reads frompackageManagerfield (single source of truth)Changes
package.jsonpackageManager: "pnpm@11.10.0",engines.pnpm: ">=11.0.0", removedpnpm.overrides, added@internal/eslint-config+eslint-plugin-storybookas root devDepspnpm-workspace.yamlminimumReleaseAge, exact-pinnedoverrides(incl.vite: "7.3.3"),allowBuilds(@swc/core: false— tsup uses esbuild, swc native build unneeded)CONTRIBUTING.md>=22, pnpm>=11to matchengines.github/workflows/ci.ymlversion: 9.0.0pins.github/workflows/release.ymlversion: 9.0.0pin.github/workflows/storybook.ymlversion: 9.0.0pinAGENTS.mdpnpm 11 breaking changes handled
pnpm-workspace.yaml(notpackage.json) to enforce for auto-installed peersallowBuildsapproval (esbuild, @parcel/watcher, msw)@internal/eslint-configandeslint-plugin-storybookmust be root devDependenciesminimumReleaseAgeblocks packages published < 3 days ago; override with--forceif needed urgentlyVerification
pnpm lint— all 7 packages passpnpm typecheck— all 6 packages passpnpm test— 751 tests pass (core: 298, hooks: 275, ui: 178)Greptile Summary
This PR upgrades the workspace to pnpm 11 and adds supply-chain install protections. The main changes are:
packageManagerat 11.10.0.pnpm-workspace.yaml.minimumReleaseAgeand exact dependency overrides are added.pnpm/action-setupread the package manager version.Confidence Score: 5/5
This looks safe to merge.
Important Files Changed
Comments Outside Diff (1)
pnpm-lock.yaml, line 194-195 (link)@swc/coreno longer resolved as atsuppeerAcross every package (
root,packages/core,packages/hooks,packages/ui),tsup@8.5.0previously resolved with@swc/core@1.13.5as a satisfied peer; after this upgrade it resolves without it. This means tsup will now use esbuild as its transformer instead of SWC. If any package'stsup.config.tsexplicitly sets esbuildOptions or SWC-specific options, behaviour changes silently. The test suite passing is reassuring, but it's worth confirming notsup.configreferencesexperimentalDtsor similar options that behaved differently under SWC.Prompt To Fix With AI
Reviews (10): Last reviewed commit: "Merge branch 'main' into chore/pnpm-11-u..." | Re-trigger Greptile
Context used (4)