chore: migrate from npm to pnpm 11 (#16)

* chore: migrate from npm to pnpm 11

- package.json: scripts npm->pnpm, drop npm-style overrides,
  add packageManager + devEngines.packageManager (pnpm@11.1.2)
  and engines.node>=22 (pnpm 11 requires Node 22+)
- pnpm-workspace.yaml: pnpm 11 config home (.npmrc is now
  auth/registry only). minimumReleaseAge: 2880 correctly encodes
  the 48h supply-chain cooldown (old .npmrc min-release-age=2 was
  malformed; pnpm 11 default is only 1440/24h). allowBuilds for
  @swc/core + unrs-resolver set false (prebuilt platform bindings
  used; strictDepBuilds is a pnpm 11 default). overrides migrated
  here (pnpm does not read npm-style top-level overrides).
- delete .npmrc (held only the malformed general setting)
- ci.yml/release.yml: SHA-pinned pnpm/action-setup@v6.0.8,
  cache: pnpm, pnpm install --frozen-lockfile / build / test.
  release.yml keeps npm publish --provenance (OIDC trusted
  publishing is an npm-registry feature)
- replace package-lock.json with pnpm-lock.yaml (v9.0)

Verified with pnpm 11.1.2 on Node 22: frozen-lockfile install,
build (cjs+esm), test (34 passed, 4 skipped), lint all exit 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(CI): SHA-pin and bump checkout/setup-node to Node 24 majors

actions/checkout@v4 and actions/setup-node@v4 run on Node.js 20,
which GitHub forces to Node 24 by 2026-06-02 and removes by
2026-09-16. Bump to the latest majors (checkout v6.0.2,
setup-node v6.4.0) and SHA-pin them in ci.yml (was tag-pinned)
and release.yml (was pinned at v4.3.1/v4.4.0), consistent with
the third-party action pinning policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: address review — drop engines.node, declare workspace root

- package.json: remove engines.node ">=22". The repo had no engines
  field before this PR; constraining library consumers' Node runtime
  is unrelated to the pnpm dev-tooling migration and would be a
  breaking change. The pnpm/Node dev requirement is already covered
  by devEngines + the pinned CI Node version.
- pnpm-workspace.yaml: add explicit `packages: ['.']` so the
  single-package workspace is declared (schema-compliant, robust if
  subdirs are added). Lockfile regenerated (gains importers: section);
  resolution unchanged.

Re-verified with pnpm 11.1.2 / Node 22: frozen-lockfile install,
build, test, lint all exit 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yosriady

.github/workflows/ci.yml

@@ -17,35 +17,45 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          version: 11.1.2
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: "22.14.0"
-          cache: 'npm'
+          cache: 'pnpm'
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Build SDK
-        run: npm run build
+        run: pnpm build
 
   test:
     runs-on: ubuntu-latest
     needs: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          version: 11.1.2
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: "22.14.0"
-          cache: 'npm'
+          cache: 'pnpm'
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
-        run: npm test
+        run: pnpm test

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # Fetch all history for changelog generation
 
@@ -33,17 +33,24 @@ jobs:
           fi
           echo "✅ Tag is on main branch, proceeding with release"
 
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          version: 11.1.2
+
       - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: "22.14.0"
-          cache: 'npm'
+          cache: 'pnpm'
 
+      # Trusted publishing (OIDC) is an npm-registry feature; keep the
+      # publish step on the npm CLI even though deps use pnpm.
       - name: Update npm for trusted publishing
         run: npm install -g npm@latest
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Extract version from tag
         id: version
@@ -76,10 +83,10 @@ jobs:
           echo "✅ Version match confirmed: $TAG_VERSION"
 
       - name: Build SDK
-        run: npm run build
+        run: pnpm build
 
       - name: Run tests
-        run: npm test
+        run: pnpm test
 
       - name: Generate release notes
         id: release_notes