From b708309247b68dfe798852469ecb4dd01f9420fa Mon Sep 17 00:00:00 2001 From: OB Date: Wed, 20 May 2026 18:44:54 +0700 Subject: [PATCH 1/2] docs(readme): add lockfile=true to recommended NPM_CONFIG_FILE for pnpm 10 compat Pnpm < 11.0.0 interprets `package-lock=false` as `lockfile=false`, disabling pnpm-lock.yaml reads and breaking the `pnpm install --frozen-lockfile` step in javascript/base. Adding an explicit `lockfile=true` on the next line re-enables the pnpm lockfile on pnpm 10.x and is harmless (already the default) on pnpm >= 11. Surfaced when a consumer pinned to pnpm@10.x hit ERR_PNPM_NO_LOCKFILE after the previous NPM_CONFIG_FILE recommendation rolled out today. Consumers updating NPM_CONFIG_FILE to this template should append the new line; existing consumers on pnpm 11 keep working either way. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5c62d77..81882e3 100644 --- a/README.md +++ b/README.md @@ -246,6 +246,7 @@ fund=false audit=false ignore-scripts=true package-lock=false +lockfile=true prefer-online=true ``` @@ -257,6 +258,7 @@ prefer-online=true | `audit=false` | `osv-scanner` (in `security.yml`) covers vulnerability scans natively. | | `ignore-scripts=true` | Belt-and-suspenders against postinstall supply-chain attacks — backs up the `--ignore-scripts` flag already passed by `javascript/base` on every `pnpm install`. | | `package-lock=false` | Prevent `npm` from emitting a parasitic `package-lock.json` in pnpm repos. | +| `lockfile=true` | Explicit `pnpm-lock.yaml` enablement. Required on pnpm `< 11.0.0` consumers, where the preceding `package-lock=false` is interpreted as `lockfile=false` and collides with `pnpm install --frozen-lockfile`. Pnpm `>= 11` already defaults to `true` and ignores `package-lock` for `pnpm-lock.yaml`, so the line is harmless there. | | `prefer-online=true` | Re-fetch dep metadata each install — local cache cannot mask a yanked or republished version. | 
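Review bot: the added `+lockfile=true` line in the first README.md hunk (the `.npmrc` template block at `@@ -246,6 +246,7 @@`) sits directly after `package-lock=false`, and the commit message describes the fix as adding it "on the next line", but neither the template nor the table says whether the relative order of the two keys matters. If pnpm 10.x resolves `lockfile` and `package-lock` as independent keys, so the explicit `lockfile=true` wins wherever it appears, a short comment in the template saying so would stop a consumer who reorders the file from re-breaking `pnpm install --frozen-lockfile`; if position does matter, the template should state that `lockfile=true` must follow `package-lock=false`.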
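Review bot: the new `lockfile=true` row in the second README.md hunk (`@@ -257,6 +258,7 @@`) asserts a hard version boundary (`< 11.0.0` versus `>= 11`) without pointing at where that behaviour change is documented; since this row is what consumers will read to decide whether they are affected, link the pnpm release note or setting documentation the claim rests on. The row would also be more actionable if it named the failure the commit message reports, `ERR_PNPM_NO_LOCKFILE` during `pnpm install --frozen-lockfile`, as the symptom to look for, e.g. "Without it, pnpm 10.x consumers fail with `ERR_PNPM_NO_LOCKFILE`."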
From 3605a6174ea7d99a9d5133130df18c36fc9fd44e Mon Sep 17 00:00:00 2001 From: OB Date: Wed, 20 May 2026 18:47:24 +0700 Subject: [PATCH 2/2] chore: release 0.1.13 --- CHANGELOG.md | 5 +++++ package.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53dbcad..4626a1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## v0.1.13 - 20/05/2026 + +### Documentation +- `README` — add `lockfile=true` to the recommended `NPM_CONFIG_FILE` template. Pnpm `< 11.0.0` interprets the preceding `package-lock=false` line as `lockfile=false`, disabling `pnpm-lock.yaml` reads and breaking `pnpm install --frozen-lockfile` in `javascript/base`. The new line re-enables pnpm's lockfile explicitly on pnpm 10.x and is harmless on pnpm `>= 11`, where `lockfile=true` is already the default and `package-lock` is scoped to npm's lockfile only. + ## v0.1.12 - 20/05/2026 ### Documentation diff --git a/package.json b/package.json index 0835a9e..f9f5197 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@coroboros/ci", - "version": "0.1.12", + "version": "0.1.13", "private": true, "description": "Reusable GitHub Actions CI for the Coroboros stack.", "license": "SEE LICENSE IN LICENSE.md",
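Review bot: the v0.1.13 entry in the CHANGELOG.md hunk explains the pnpm 10 behaviour but does not tell consumers what they have to do; the commit message for PATCH 1/2 says consumers updating `NPM_CONFIG_FILE` to the template should append the new line, and that action item will be missed by anyone reading only the changelog. Consider adding a one-line call to action to the entry, e.g. "Consumers on pnpm 10.x: append `lockfile=true` to your `NPM_CONFIG_FILE`; pnpm 11 consumers need no change."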