Skip to content

chore: migrate from npm to pnpm#278

Merged
saeedjamshaid merged 2 commits into
devfrom
saeedjamshaid/pnpm-migration
May 12, 2026
Merged

chore: migrate from npm to pnpm#278
saeedjamshaid merged 2 commits into
devfrom
saeedjamshaid/pnpm-migration

Conversation

@saeedjamshaid
Copy link
Copy Markdown
Collaborator

@saeedjamshaid saeedjamshaid commented May 12, 2026

No description provided.

saeedjamshaid and others added 2 commits May 12, 2026 15:40
@saeedjamshaid @claude
chore: migrate from npm to pnpm
24aac7c 
- Pin pnpm via `packageManager` + Corepack; no `pnpm/action-setup` action
- Declare phantom deps (`ansis`, `picocolors`, `@clack/core`, `simple-git`,
  `string-argv`) that npm's flat hoisting was masking — required for pnpm's
  default symlinked layout
- Move `overrides`, `allowBuilds`, `enablePrePostScripts` to
  `pnpm-workspace.yaml` (pnpm 11 no longer reads `pnpm.overrides` from
  package.json)
- Drop Node 18 from `check_build.yml` matrix (engines.node says >=20;
  pnpm 11 requires Node >= 20.6 via Corepack)
- Keep `@semantic-release/npm` plugin — it shells out to the `npm` binary
  preinstalled on `ubuntu-latest` for the actual publish; pnpm only owns
  the local + CI install/run lifecycle

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@saeedjamshaid @claude
chore: add pnpm supply-chain protections
67de4a6 
- minimumReleaseAge: 10080 (7-day quarantine on freshly-published
  package versions) — defends against compromised maintainer accounts
  and typosquatting; most malicious packages are detected and removed
  within days
- minimumReleaseAgeExclude: '@apimatic/*' (glob exemption for our own
  org since the exclusion is name-only, not transitive)
- blockExoticSubdeps: true — refuses transitive deps from git/tarball/
  URL sources; direct deps in package.json can still use exotic specs
  if needed
- Document the workflow gotcha in .ai/instructions.md
  (ERR_PNPM_PACKAGE_RECENTLY_PUBLISHED, --ignore-minimum-release-age
  escape hatch, CI's --frozen-lockfile bypasses the check)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@saeedjamshaid saeedjamshaid self-assigned this May 12, 2026
@saeedjamshaid saeedjamshaid changed the base branch from beta to dev May 12, 2026 10:55
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

aliasghar98
aliasghar98 reviewed May 12, 2026
View reviewed changes
Comment thread .github/workflows/check_build.yml
aliasghar98
aliasghar98 approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@aliasghar98 aliasghar98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@saeedjamshaid saeedjamshaid merged commit 8619bd6 into dev May 12, 2026
2 checks passed
@saeedjamshaid saeedjamshaid deleted the saeedjamshaid/pnpm-migration branch May 12, 2026 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aliasghar98 aliasghar98 aliasghar98 approved these changes

@Shield-Jaguar Shield-Jaguar Awaiting requested review from Shield-Jaguar Shield-Jaguar is a code owner

Assignees

@saeedjamshaid saeedjamshaid

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@saeedjamshaid @aliasghar98