fix(repo): pin utf-8-validate via overrides to stabilize pnpm dedupe

[jacekradko]

Summary

pnpm dedupe --check has been flaky on main — returning exit 0 or 1 non-deterministically against the same lockfile. This PR pins utf-8-validate via pnpm.overrides to make the check deterministic.

Root cause

This is upstream pnpm bug pnpm/pnpm#8155 — pnpm dedupe non-deterministically resolves transitive peer-dep variants.

The way it manifests in our lockfile:

• rpc-websockets@9.3.7 (transitive optional dep via @solana/web3.js) is the only package in the tree that requests utf-8-validate@^6.0.0; every other consumer uses ^5.x.
• pnpm therefore materializes both utf-8-validate@5.0.10 and @6.0.6, which cascades into duplicate metro@0.83.3, metro-config@0.83.3, and react-native@0.81.5 peer-dep variants.
• The two metro-config@0.83.3 variants have identical content, which hits the pnpm bug: the dedupe heuristic non-deterministically flips between collapsing them in either direction, so pnpm dedupe --check flaps accordingly.

Fix

Pin utf-8-validate to 5.0.10 via pnpm.overrides in the root package.json. utf-8-validate is an optional native peer of ws — it's a compile-time speedup only, and ws falls back to a JS implementation when the native version doesn't match. Consolidating to one version is safe and has no functional impact.

With only one utf-8-validate version in the tree, the duplicate metro-config@0.83.3 variants disappear entirely, and pnpm has nothing to non-deterministically flip between.

The lockfile diff is large but consists almost entirely of resolution-context rewrites; no actual package versions changed.

Verification

• pnpm dedupe --check passes 10/10 runs locally (previously ~3/10)
• pnpm build passes (21/21 tasks)
• Unit tests pass for affected packages

Test plan

• CI's "Verify lockfile is deduped" check passes
• Build succeeds
• No regression in unit/integration tests

[changeset-bot]

🦋 Changeset detected

Latest commit: 186d998

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 8, 2026 2:15am

[coderabbitai]

📝 Walkthrough

Walkthrough

Two files are modified to manage dependency versions. A new changeset markdown file is created to document the changes. The package.json file is updated in the pnpm.overrides section, where a trailing comma is added to the rolldown override and a new utf-8-validate override is introduced, pinning it to version 5.0.10.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: pinning utf-8-validate via pnpm overrides to fix a flaky dedupe issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description clearly relates to the changeset, explaining the flaky pnpm dedupe issue and how pinning utf-8-validate via pnpm.overrides resolves it.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8262

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8262

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8262

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8262

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8262

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8262

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8262

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8262

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8262

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8262

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8262

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8262

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8262

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8262

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8262

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8262

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8262

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8262

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8262

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8262

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8262

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8262

commit: 186d998