Updated pnpm to 11.4.0

[9larsons]

no ref

Updating pnpm 10.33>11.4.0:

• Stops reading the pnpm field from package.json. overrides, packageExtensions, and onlyBuiltDependencies (renamed to allowBuilds) now live in pnpm-workspace.yaml.
• Stops reading non-auth/registry keys from .npmrc.
• Replaces the millions of index/*.json files in the store with a single SQLite index.db (v11 store format) — faster lookups, fewer syscalls.
• New supply-chain defaults: minimumReleaseAge: 1440 (1 day) and blockExoticSubdeps: true.

Node version requirement is unchanged for us (already on 22.18.0).

What changed

• Moved the pnpm: {…} block out of package.json into pnpm-workspace.yaml.
• onlyBuiltDependencies (array) → allowBuilds (map of name → true).
• Declared minimumReleaseAge: 4320 (3 days, matches our Renovate cadence) and blockExoticSubdeps: true explicitly, even though the latter is now the default — keeps the supply-chain stance visible in the config rather than implicit.
• Added an override redirecting perf-primitives to the npm-published ^0.0.6. liquid-wormhole@3.0.1 (transitive in ghost/admin) pins perf-primitives via a personal-fork git URL, which blockExoticSubdeps (correctly) refuses; the override routes us to the upstream-maintained package at the same version.
• Deleted .npmrc — both entries (shamefully-hoist=false, engine-strict=false) were pnpm 11 defaults that are no longer honored in .npmrc anyway.
• Regenerated pnpm-lock.yaml against the new policies under pnpm 11's v11 store.

Verification

• pnpm install clean under pnpm 11.4.0.
• pnpm test:unit in ghost/core: 6600 pass, 10 skip, 0 fail.
• pnpm nx run @tryghost/admin:build (Ember + 8 dependent Vite app builds): success.

Notes for reviewers

• The biggest behavioral change is the perf-primitives override — ghost/admin previously shipped a personal-fork git ref of this package; it now resolves to the upstream npm release at v0.0.6. The admin build is green; if anything regresses around liquid-wormhole transitions, that's the first place to look.
• CI's pnpm cache and the Docker pnpm-store mount will cold-fill the v11 store on the first run after merge, then settle.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR upgrades pnpm from version 10.33.0 to 11.4.0 and restructures dependency management configuration. The package manager version is bumped in package.json and related configuration is migrated into pnpm-workspace.yaml, which now includes supply-chain hardening policies (minimumReleaseAge, blockExoticSubdeps, allowBuilds allowlist), extensive dependency overrides with version constraints, and packageExtensions to augment specific package dependencies. GitHub Actions workflows across CI and release jobs are updated to use pnpm/action-setup v6.0.8 instead of v4. The .npmrc file had two configuration entries removed.

Possibly related PRs

• TryGhost/Ghost#27886: Modifies pnpm workspace configuration and adds catalog-based workspace entries that interact with workspace-level pnpm rules.
• TryGhost/Ghost#27969: Updates pnpm packageExtensions for specific packages (e.g., @tryghost/nql, lodash), touching the same pnpm workspace mechanisms for dependency installation.

Suggested reviewers

• EvanHahn
• troyciesco

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Updated pnpm to 11.4.0' directly and clearly reflects the main change: upgrading the pnpm package manager version from 10.33.0 to 11.4.0, which is the primary objective of this pull request.
Description check	✅ Passed	The description comprehensively covers all aspects of the changeset including configuration migrations, supply-chain policies, dependency overrides, and verification steps, with clear notes for reviewers about behavioral changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/pnpm-11

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/enforce-package-manager.js:
- Around line 7-14: The comment overstates certainty about pnpm-specific env
vars; update the explanatory comment above the fallback that checks
Object.keys(process.env).some(key => key.startsWith('pnpm_config_')) to use
softer wording—e.g., "pnpm-driven lifecycles typically set `pnpm_config_*`, so
we use this as a heuristic"—and remove or generalize the specific pnpm v10/v11
GitHub Actions shim claim so the note accurately reflects it as a heuristic
rather than an absolute guarantee.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b162616f-5e44-4201-82f5-2e958a82530e

📥 Commits

Reviewing files that changed from the base of the PR and between 8939d41 and dbc39e5.

📒 Files selected for processing (1)

• .github/scripts/enforce-package-manager.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that pnpm sets pnpm_config_* environment variables in lifecycle scripts

# Create a minimal test package.json with a script that prints pnpm_config_* vars
mkdir -p /tmp/pnpm-env-test
cd /tmp/pnpm-env-test

cat > package.json << 'EOF'
{
  "name": "pnpm-env-test",
  "version": "1.0.0",
  "scripts": {
    "test": "node -e \"Object.keys(process.env).filter(k => k.startsWith('pnpm_config_')).forEach(k => console.log(k + '=' + process.env[k]))\""
  }
}
EOF

echo "=== Testing pnpm ==="
pnpm run test 2>/dev/null || echo "No pnpm_config_* variables found or pnpm not available"

# Clean up
cd - > /dev/null
rm -rf /tmp/pnpm-env-test

Repository: TryGhost/Ghost

Length of output: 173

---

🌐 Web query:

Does pnpm set environment variables with the pnpm_config_ prefix during lifecycle scripts?

💡 Result:

No, as of pnpm v11, pnpm does not set environment variables with the pnpm_config_ prefix during lifecycle scripts [1][2]. Historically, pnpm would populate npm_config_* environment variables with pnpm configuration values during lifecycle script execution [2]. However, this behavior was changed to reduce noise and avoid warnings when lifecycle scripts invoke npm internally [2]. Since pnpm v11, only well-known npm_* environment variables are set (such as npm_lifecycle_event, npm_package_name, and npm_package_version), aligning pnpm's behavior with Yarn [1][2].

Citations:

• 1: https://pnpm.io/scripts
• 2: fix: stop setting npm_config_ env vars during lifecycle scripts pnpm/pnpm#11116

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmpdir="$(mktemp -d)"
cleanup() { rm -rf "$tmpdir"; }
trap cleanup EXIT

cd "$tmpdir"

cat > package.json <<'EOF'
{
  "name": "env-test",
  "version": "1.0.0",
  "scripts": {
    "print": "node -e \"const p=Object.keys(process.env).filter(k=>k.startsWith('pnpm_config_')).sort(); console.log('pnpm_config_keys=' + (p.length?p.join(','):'')); p.forEach(k=>console.log(k+'='+process.env[k])); const n=Object.keys(process.env).filter(k=>k.startsWith('npm_config_')).sort(); console.log('npm_config_keys=' + (n.length?n.join(','):''));\""
  }
}
EOF

echo "=== pnpm ==="
if command -v pnpm >/dev/null 2>&1; then
  pnpm -v
  pnpm run print || true
else
  echo "pnpm not found"
fi

echo "=== npm ==="
if command -v npm >/dev/null 2>&1; then
  npm -v
  npm run print || true
else
  echo "npm not found"
fi

echo "=== yarn ==="
if command -v yarn >/dev/null 2>&1; then
  yarn -v
  yarn run print || true
else
  echo "yarn not found"
fi

echo "=== bun ==="
if command -v bun >/dev/null 2>&1; then
  bun -v
  bun run print || true
else
  echo "bun not found"
fi

Repository: TryGhost/Ghost

Length of output: 2177

---

Soften the “exclusive/reliably set” wording for the pnpm_config_* fallback

• In lifecycle scripts, pnpm provides pnpm_config_* (e.g., pnpm_config_verify_deps_before_run), while npm and yarn did not set any pnpm_config_* keys—so the fallback won’t be bypassed by npm/yarn.
• The explanatory comment’s “exclusive to pnpm” and the specific GitHub Actions “pnpm v10 shim strips … when pnpm 11 is active” scenario are stronger than the evidence shown here; consider rephrasing to a heuristic (pnpm-driven lifecycles typically set pnpm_config_*) or removing the v10/11 shim specifics.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/enforce-package-manager.js around lines 7 - 14, The comment
overstates certainty about pnpm-specific env vars; update the explanatory
comment above the fallback that checks Object.keys(process.env).some(key =>
key.startsWith('pnpm_config_')) to use softer wording—e.g., "pnpm-driven
lifecycles typically set `pnpm_config_*`, so we use this as a heuristic"—and
remove or generalize the specific pnpm v10/v11 GitHub Actions shim claim so the
note accurately reflects it as a heuristic rather than an absolute guarantee.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.88%. Comparing base (e2322f8) to head (3c3582b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #28197   +/-   ##
=======================================
  Coverage   73.88%   73.88%           
=======================================
  Files        1531     1531           
  Lines      129865   129865           
  Branches    15582    15585    +3     
=======================================
+ Hits        95954    95956    +2     
+ Misses      32949    32946    -3     
- Partials      962      963    +1     

Flag	Coverage Δ
admin-tests	54.17% <ø> (-0.03%)	⬇️
e2e-tests	73.88% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.