Skip to content

Bump pnpm, and ensure packages are 7 days old#19891

Open
RobinMalfait wants to merge 23 commits intomainfrom
chore/limit-installing-new-packages
Open

Bump pnpm, and ensure packages are 7 days old#19891
RobinMalfait wants to merge 23 commits intomainfrom
chore/limit-installing-new-packages

Conversation

@RobinMalfait
Copy link
Copy Markdown
Member

@RobinMalfait RobinMalfait commented Apr 2, 2026

This PR bumps pnpm to 10.33, we required at least version 10.16 for the minimumReleaseAge setting to take effect.

We also now add the minimumReleaseAge to be 7 days, newer packages are not allowed.

[ci-all]

@RobinMalfait RobinMalfait requested a review from a team as a code owner April 2, 2026 13:15
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Apr 2, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Updated package.json packageManager from pnpm@9.6.0 to pnpm@10.33.0. Added minimumReleaseAge: 10080 (commented) and onlyBuiltDependencies: bun to pnpm-workspace.yaml. Updated FreeBSD build steps in GitHub workflows to install pnpm@10.33.0. Tests in integrations/upgrade/upgrade-errors.test.ts now append || true to git commit calls. integrations/utils.ts also appends || true to the pre-migration commit and wraps testCallback(context) in a try/catch that captures and rethrows the error.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Bump pnpm, and ensure packages are 7 days old' directly and clearly summarizes the two main changes: upgrading pnpm and implementing the minimumReleaseAge setting.
Description check ✅ Passed The description is directly related to the changeset, explaining that pnpm is bumped to 10.33 for the minimumReleaseAge setting and that packages must be at least 7 days old.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 63: The FreeBSD CI job installs pnpm@9.6.0 which conflicts with the
repository's packageManager "pnpm@10.33.0"; update the install command in the
FreeBSD CI step (the sudo npm install -g pnpm@9.6.0 --unsafe-perm=true
invocation in .github/workflows/release.yml) to install pnpm v10 (e.g.,
pnpm@10.33.0 or a v10 range) so the CI uses the same major version as
packageManager and avoids lockfile/feature mismatches; also scan the workflow
for any other pinned pnpm@9.x occurrences and align them to v10.x.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2e396746-3f72-41e0-94f4-302fa60b2ef6

📥 Commits

Reviewing files that changed from the base of the PR and between d7fc281 and e90f998.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

coderabbitai[bot]
coderabbitai bot reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@integrations/upgrade/upgrade-errors.test.ts`:
- Line 39: The test currently runs exec('git commit -m "before migration" ||
true') which is non-portable and can leave HEAD unborn; replace this with
explicit git user identity configuration and a deterministic commit: run
commands to set git config user.email and user.name locally (e.g., git config
user.email "test@example.com" && git config user.name "Test CI") before invoking
exec('git add -A' ) and exec('git commit -m "before migration"') (remove the ||
true). Apply the same fix where commits are performed in the utilities helper
(the code that calls exec for git commits/reset) so git reset --hard HEAD won't
run against an unborn HEAD.

In `@integrations/utils.ts`:
- Around line 454-459: The catch block in the wrapper around testCallback is
mutating the shared test function by calling Error.captureStackTrace(test) and
then rethrowing err, which doesn't update the thrown error's stack and can leak
state between tests; remove the entire try/catch so testCallback(context) is
awaited and any thrown error is propagated unchanged (i.e., delete
Error.captureStackTrace(test) and the catch that throws err), leaving the
original error and stack intact when invoking testCallback from this helper.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3ddf80c3-ddae-42a5-ba93-e56d3f7667e1

📥 Commits

Reviewing files that changed from the base of the PR and between 0498c9d and 31f3aa1.

📒 Files selected for processing (2)
  • integrations/upgrade/upgrade-errors.test.ts
  • integrations/utils.ts

@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch 5 times, most recently from 7388266 to 69bc1ee Compare April 3, 2026 12:14
@RobinMalfait
only install dependencies that are at least 7 days old
bb74b69
@RobinMalfait
bump packageManager to pnpm v10.33.0
c88df14 
This also gives us the `minimumReleaseAge` (introduces in 10.16)
@RobinMalfait
ensure pnpm 10.33.0 is used in FreeBSD install
cacd528
@RobinMalfait
allow bun to run postinstall scripts
1555b93
@RobinMalfait
do not crash on git commit
7ecd538
@RobinMalfait
skip test in stack trace
291a1eb
@RobinMalfait
skip testCallback instead of test
1caabb0
@RobinMalfait
use --allow-empty instead of || true for Windows
8b915d1 
This will create an empty commit when there is nothing to commit, but we
don't really care about that. We only care that files are committed if
there are files such that we have a clean working directory.
@RobinMalfait
approve other known dependencies
4c27a29
@RobinMalfait
run bun's postinstall to make sure it's installed correctly
bf526c3
@RobinMalfait
strip the npm warn from the snapshot
72b6741 
In the test directly
@RobinMalfait
call vitest directly
6e98876 
I think `pnpm run` is injecting some environment variables
(https://pnpm.io/cli/run#environment) based on the pnpm-workspace.yaml
settings. You can at least see weird warnings in CI about it:

```
npm warn Unknown env config "catalog". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn Unknown env config "minimum-release-age". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn Unknown env config "npm-globalconfig". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn Unknown env config "verify-deps-before-run". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn Unknown env config "_jsr-registry". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
```

Let's see if we can exec vitest directly
@RobinMalfait
try pnpm 10.16.0
05273d2
@RobinMalfait
try pnpm 9.6.0
bcd7b7e
@RobinMalfait
use pnpm 10.33.0
f5898db
@RobinMalfait
use pnpm exec, bun x and npx
c6b8efd
@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch from 4a5cb18 to c6b8efd Compare April 3, 2026 19:38
@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch 2 times, most recently from 7f18edc to 03e0c32 Compare April 3, 2026 20:35
@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch 5 times, most recently from 35c74f5 to a044c90 Compare April 3, 2026 21:36
@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch from 31e0cff to 6672f75 Compare April 3, 2026 21:49
@RobinMalfait RobinMalfait force-pushed the chore/limit-installing-new-packages branch from c88d522 to a62b61d Compare April 3, 2026 22:21
lajczi
lajczi reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

@lajczi lajczi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

+1 more reviewer

@lajczi lajczi lajczi left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RobinMalfait @lajczi