chore: upgrade pnpm to v11 and add minimumReleaseAge

[HugoRCD]

Summary

Two related changes to harden the supply chain and modernize the package manager setup.

1. Upgrade pnpm to v11

• Bump packageManager to pnpm@11.1.3
• Migrate onlyBuiltDependencies + ignoredBuiltDependencies → unified allowBuilds map (required in v11)
• Move overrides from package.json → pnpm-workspace.yaml (the pnpm field in package.json is no longer recognized in v11)
• Move shamefullyHoist and strictPeerDependencies from .npmrc → pnpm-workspace.yaml (in v11, .npmrc only holds auth/registry)
• Delete .npmrc (now empty)

CI already runs on Node 22 and pnpm/action-setup@v6, which read packageManager from package.json — no workflow changes needed.

2. Add minimumReleaseAge to harden supply chain

Sets a 2-day minimum age (2880 minutes) before any newly published dependency can resolve. Mitigates compromised-package attacks where a malicious version is pushed and pulled into installs within hours.

Trusted-source allowlist exempts the Nuxt and Vercel ecosystems:

• @nuxt/*, @nuxtjs/*, nuxt, nuxt-*
• @vercel/*, @ai-sdk/*, ai

Test plan

• pnpm install resolves cleanly with v11 (lockfile already verified via --lockfile-only)
• CI passes: ci.yml, e2e.yml, autofix.yml
• No regression in pnpm dev:prepare and pnpm build

Summary by CodeRabbit

• Chores
  • Upgraded package manager to pnpm 11.1.3.
  • Refined workspace build allowances and dependency overrides.
  • Removed legacy npm installation flags from repository config.
  • Stopped pinning a specific pnpm version in CI and workflow setup steps.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
evlog-docs	Ready	Preview, Comment, Open in v0	May 21, 2026 10:07am
just-use-evlog	Ready	Preview, Comment	May 21, 2026 10:07am

[coderabbitai]

📝 Walkthrough

Walkthrough

pnpm is upgraded from 10.33.2 to 11.1.3. Configuration settings are consolidated: .npmrc entries and root package.json overrides are removed, then centralized in pnpm-workspace.yaml. Build dependency controls transition from ignoredBuiltDependencies/onlyBuiltDependencies lists to a new allowBuilds policy map with explicit per-dependency build toggles.

Changes

pnpm upgrade and configuration consolidation

Layer / File(s)	Summary
pnpm version upgrade package.json	packageManager field updated from pnpm@10.33.2 to pnpm@11.1.3.
Configuration migration to workspace file package.json, pnpm-workspace.yaml	Root pnpm.overrides block removed from package.json. pnpm-workspace.yaml receives consolidated configuration: shamefullyHoist and strictPeerDependencies settings (previously in .npmrc), overrides for minimark and @nuxtjs/mcp-toolkit, minimumReleaseAge with exclusion list, and a new allowBuilds map replacing prior ignored/only build lists.
Remove pnpm version pins from CI workflows .github/workflows/*	pnpm/action-setup@v6 steps no longer pin version: 10.33.2 across autofix, bench, ci, e2e, and mutation workflows.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description provides comprehensive details about both changes, includes rationale and test plan, but lacks explicit issue linking and documentation update checkboxes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'chore: upgrade pnpm to v11 and add minimumReleaseAge' clearly and accurately summarizes the two main changes in the pull request: upgrading pnpm to v11 and adding minimumReleaseAge configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/min-release-age

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Thank you for following the naming conventions! 🙏

[pkg-pr-new]

npm i https://pkg.pr.new/evlog@347

npm i https://pkg.pr.new/@evlog/nuxthub@347

commit: 88ba5ce