chore(deps): upgrade pnpm 10.32 → 11.5 #149
Merged
Bumps the package manager from pnpm 10.32.1 to 11.5.2 (latest stable).

- frontend/package.json: packageManager → pnpm@11.5.2
- CI: pnpm/action-setup version 10 → 11 (ci.yml ×4, release.yml ×1)
- Docs: README + setup/deployment/maintainer guides → pnpm 11.5+

pnpm 11 reproduces the existing lockfile byte-for-byte (lockfileVersion 9.0 is unchanged between 10.x and 11.x), so frontend/pnpm-lock.yaml is untouched. Node >=22.13 satisfied (project on Node 26). Workspace config in pnpm-workspace.yaml (overrides, peerDependencyRules, onlyBuiltDependencies, allowedDeprecatedVersions) is read identically by pnpm 11 — no config drift. Historical records (docs/plan/* audits, inception) intentionally left as-is.

Verified with pnpm 11.5.2: frozen install (lockfile reproduces clean) + turbo typecheck (5) + build (1) + test (3) + lint (1) + prettier + markdownlint.
✅ Snyk checks have passed. No issues have been found so far.
The pnpm 11 bump surfaced two breaking install-policy changes that failed CI's `pnpm install --frozen-lockfile` (Frontend Install job):

1. minimumReleaseAge — pnpm 11 enables a publish-cooldown by default and rejected the freshly-published typescript-eslint@8.61.0 lockfile entries (ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION). Set `minimumReleaseAge: 0` explicitly: our policy is to track latest-compatible, and supply-chain safety is already covered by the `overrides` IOC pins and Dependabot.
2. strictDepBuilds / allowBuilds — pnpm 11 removed `onlyBuiltDependencies` in favour of an `allowBuilds` map and makes ignored build scripts fatal (ERR_PNPM_IGNORED_BUILDS). Migrated the list to `allowBuilds`: esbuild + msw build (true), node-llama-cpp stays disabled (false), preserving the prior pnpm 10 behaviour (the web app uses prebuilt llama binaries).

Lockfile is unchanged. Verified by reproducing CI's exact command (`CI=true pnpm install --frozen-lockfile`, clean node_modules) → exit 0, plus turbo typecheck/build/test/lint + prettier, all green on pnpm 11.5.2.
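A CI-side check for the two install-policy settings named in the commit message above, as an added example that is not part of this pull request or the project's code: it reads a `pnpm-workspace.yaml`, flags a leftover `onlyBuiltDependencies` key and a disabled publish cooldown, and lists which packages may run build scripts. The function names, finding strings and sample file contents are assumptions constructed for illustration.

```javascript
// Added example, not project code. parseWorkspace handles only the flat YAML
// subset used below: top-level scalars and one level of lists or maps.
const unquote = (s) => s.trim().replace(/^(['"])(.*)\1$/, "$2");

function parseWorkspace(text) {
  const doc = {};
  let key = null; // top-level key whose nested lines are being read
  for (const raw of text.split("\n")) {
    const line = raw.replace(/(^|\s)#.*$/, "").trimEnd(); // strip comments
    const item = line.trim();
    if (!item) continue;
    if (!/^\s/.test(line)) { // top-level "key: value" or "key:"
      const i = line.indexOf(":");
      if (i < 1) continue;
      const value = line.slice(i + 1).trim();
      doc[unquote(line.slice(0, i))] = value ? unquote(value) : null;
      key = value ? null : unquote(line.slice(0, i));
    } else if (key !== null && item.startsWith("- ")) {
      (doc[key] ??= []).push(unquote(item.slice(2)));
    } else if (key !== null && item.includes(":")) {
      const j = item.lastIndexOf(":");
      (doc[key] ??= {})[unquote(item.slice(0, j))] = unquote(item.slice(j + 1));
    }
  }
  return doc;
}

function auditInstallPolicy(text) {
  const ws = parseWorkspace(text);
  const findings = [];
  if ("onlyBuiltDependencies" in ws)
    findings.push("onlyBuiltDependencies present: migrate to allowBuilds");
  if (!("minimumReleaseAge" in ws))
    findings.push("minimumReleaseAge unset: pnpm default applies");
  else if (ws.minimumReleaseAge !== null && Number(ws.minimumReleaseAge) === 0)
    findings.push("minimumReleaseAge is 0: publish cooldown disabled");
  const builds = ws.allowBuilds ?? {};
  for (const [name, v] of Object.entries(builds))
    if (v !== "true" && v !== "false")
      findings.push(`allowBuilds.${name}: expected true or false, got "${v}"`);
  const scriptsAllowed = Object.keys(builds).filter((n) => builds[n] === "true");
  return { findings, scriptsAllowed: scriptsAllowed.sort() };
}

// Constructed inputs modelled on the settings named in the commit message.
const PNPM10_STYLE = "onlyBuiltDependencies:\n  - esbuild\n  - msw\n";
const PNPM11_STYLE = ["minimumReleaseAge: 0 # cooldown disabled", "allowBuilds:",
  "  esbuild: true", "  msw: true", "  node-llama-cpp: false"].join("\n");
console.log(auditInstallPolicy(PNPM10_STYLE), auditInstallPolicy(PNPM11_STYLE));
```

Run against the real workspace file in CI, the output gives reviewers a diffable record of which dependencies are permitted to execute install scripts and whether the cooldown is on.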
Summary
Upgrades the package manager from pnpm 10.32.1 → 11.5.2 (latest stable),
as a dedicated follow-up to the dependency consolidation in #148 (kept separate
so the package-manager major bump is independently reviewable/revertible).
Changes
- frontend/package.json: packageManager → pnpm@11.5.2
- .github/workflows/ci.yml: pnpm/action-setup version 10 → 11 (×4 jobs)
- .github/workflows/release.yml: pnpm/action-setup version 10 → 11
- README.md, docs/setup-guide.md, docs/deployment-guide.md, docs/maintainer-guide.md: 10.32+ → 11.5+

Why this is low-risk
- lockfileVersion: 9.0 (same as 10.x) and reproduces frontend/pnpm-lock.yaml byte-for-byte — no format churn, no resolution drift. The lockfile is deliberately not in this diff because it regenerated identical.
- Node 26.
- pnpm-workspace.yaml (overrides, peerDependencyRules, onlyBuiltDependencies, allowedDeprecatedVersions) is read identically by pnpm 11 — none of the v10-era package.json#pnpm drift from chore(deps): consolidate Dependabot PRs #112–#123 + fix pnpm v10 config drift #124 recurs.
- Historical records (docs/plan/* audits, inception) are intentionally left as-is.

Verification (with pnpm 11.5.2)
- pnpm install --frozen-lockfile — passes, lockfile reproduces clean
- turbo typecheck (5), turbo build (1), turbo test (3), turbo lint (1)
- prettier --check, markdownlint, yamllint — all clean