Moved 29 base-level and first-party deps into the pnpm catalog

[9larsons]

Summary

Adds 29 dependencies to the default `catalog:` block in `pnpm-workspace.yaml`, following the precedent set by #27876. Selection criterion: deps that are either base-level functionality (test runners, routing, build/config helpers) or in the @TryGhost first-party namespace (alignment matters more for in-house packages).

Group	Deps
Test infrastructure	`mocha`, `chai`, `msw`, `@types/jest`, `@vitest/coverage-v8`*
Storybook	`storybook`, `@storybook/addon-docs`, `@storybook/addon-links`, `@storybook/react-vite`
Routing / HTTP	`react-router`, `cross-fetch`
Build / config	`fs-extra`, `jsonc-parser`, `dotenv`
Security	`dompurify`
Types tracking catalog'd packages	`@types/express`, `@types/validator`
@TryGhost first-party	`@tryghost/logging`, `@tryghost/koenig-lexical`, `@tryghost/color-utils`, `@tryghost/limit-service`, `@tryghost/nql`, `@tryghost/nql-lang`, `@tryghost/timezone-data`, `@tryghost/custom-fonts`, `@tryghost/helpers`, `@tryghost/kg-clean-basic-html`, `@tryghost/kg-converters`, `@tryghost/string`

* `@vitest/coverage-v8` was drifted across 8 workspaces (4.1.5 in admin-x-framework/posts/stats; 4.1.2 in announcement-bar/comments-ui/portal/shade/sodo-search). Bumped all consumers to 4.1.5 to track `vitest` itself, then catalogized in the same step.

Why

• Renovate (and humans) bump one entry instead of N package.jsons.
• First-party @tryghost/* packages should move together — catalog enforces that as the default rather than relying on every PR author to remember.
• Sets the catalog up as the canonical home for "what version of X do we use" for any dep that crosses workspace boundaries.

No resolved versions change (except the deliberate vitest-coverage bump)

Every catalog entry except `@vitest/coverage-v8` matches the version every consuming workspace already had pinned. The vitest-coverage bump is 5 workspaces moving from 4.1.2 → 4.1.5 (patch-level, same major/minor as the cohort already on 4.1.5).

Out of scope

• Drifted deps (`react`, `tailwindcss`, `@testing-library/*`, `@types/node`, `glob`, `sinon`, etc.) — need version negotiation or named catalogs.
• Singleton deps (used by exactly one workspace) — no centralization benefit.
• 2-workspace third-party utilities (`semver`, `mingo`, etc.) — kept out unless they hit the base-level or first-party criteria.

[coderabbitai]

Walkthrough

This PR centralizes dependency version management across the Ghost monorepo by migrating package.json files from pinned semver versions to catalog-sourced references. The pnpm-workspace.yaml catalog defines all pinned versions for Storybook packages, @tryghost internal packages, and common tooling. Root configuration is updated with catalog references for overrides. Ghost core packages, admin frameworks, and feature applications then reference versions from this central catalog instead of maintaining individual pins, while the @tryghost/activitypub package version is incremented to 3.1.21.

Possibly related PRs

• TryGhost/Ghost#27879: Addresses Docker installation failures caused by packed component tarballs containing pnpm-resolver metadata introduced by the catalog migration, by switching ghost/core/scripts/pack.js from npm pack to pnpm pack.
• TryGhost/Ghost#27873: Coordinates with the main PR's @vitest/coverage-v8 catalog migration in apps/comments-ui/package.json while also updating broader Vite/Vitest and SVG tooling dependencies.
• TryGhost/Ghost#27720: Overlaps with main PR's edits to apps/activitypub/package.json devDependency specifications, particularly for @types/jest and dompurify entries.

Suggested reviewers

• EvanHahn

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Moved 29 base-level and first-party deps into the pnpm catalog' directly and accurately reflects the main change: adding dependencies to pnpm-workspace.yaml's catalog section.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining what was changed (29 deps added to catalog), why, and how it impacts the codebase with specific examples and version impact details.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch deps-catalog-batch-b

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Line 36: The catalog pins vitest to 4.1.2 while `@vitest/coverage-v8`@4.1.5
requires vitest@4.1.5 as a peer; update the pinned vitest entry in the pnpm
workspace/catalog to 4.1.5 so the peer dependency is satisfied (locate the
vitest version string in pnpm-workspace.yaml and change the version from 4.1.2
to 4.1.5), then run the lockfile install/update to regenerate the lockfile.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ea70ae15-374a-4642-badd-88aa0d823e27

📥 Commits

Reviewing files that changed from the base of the PR and between 9afbdc2 and f935aba.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (20)

• apps/activitypub/package.json
• apps/admin-x-design-system/package.json
• apps/admin-x-framework/package.json
• apps/admin-x-settings/package.json
• apps/admin/package.json
• apps/announcement-bar/package.json
• apps/comments-ui/package.json
• apps/portal/package.json
• apps/posts/package.json
• apps/shade/package.json
• apps/signup-form/package.json
• apps/sodo-search/package.json
• apps/stats/package.json
• e2e/package.json
• ghost/admin/package.json
• ghost/core/package.json
• ghost/i18n/package.json
• ghost/parse-email-address/package.json
• package.json
• pnpm-workspace.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

❓ Verification inconclusive

Script executed:

#!/bin/bash
set -euo pipefail

echo "coverage-v8@4.1.5 peerDependencies:"
curl -s https://registry.npmjs.org/@vitest%2Fcoverage-v8/4.1.5 | jq '.peerDependencies'

echo
echo "vitest@4.1.2 version payload:"
curl -s https://registry.npmjs.org/vitest/4.1.2 | jq '{name, version}'

Repository: TryGhost/Ghost

---

Repository: TryGhost/Ghost
Exit code: 0

stdout:

coverage-v8@4.1.5 peerDependencies:
{
  "vitest": "4.1.5",
  "@vitest/browser": "4.1.5"
}

vitest@4.1.2 version payload:
{
  "name": "vitest",
  "version": "4.1.2"
}

---

Fix Vitest version mismatch in catalog.

@vitest/coverage-v8@4.1.5 declares vitest@4.1.5 as a peer dependency (per npm registry), but the catalog pins vitest to 4.1.2. Update vitest to 4.1.5 to satisfy the peer dependency constraint and prevent coverage failures.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` at line 36, The catalog pins vitest to 4.1.2 while
`@vitest/coverage-v8`@4.1.5 requires vitest@4.1.5 as a peer; update the pinned
vitest entry in the pnpm workspace/catalog to 4.1.5 so the peer dependency is
satisfied (locate the vitest version string in pnpm-workspace.yaml and change
the version from 4.1.2 to 4.1.5), then run the lockfile install/update to
regenerate the lockfile.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.81%. Comparing base (9afbdc2) to head (f935aba).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27886   +/-   ##
=======================================
  Coverage   73.81%   73.81%           
=======================================
  Files        1519     1519           
  Lines      128185   128185           
  Branches    15352    15352           
=======================================
  Hits        94615    94615           
  Misses      32616    32616           
  Partials      954      954           

Flag	Coverage Δ
admin-tests	53.46% <ø> (ø)
e2e-tests	73.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.