
chore: migrate from npm to pnpm 11 #16

Merged: yosriady merged 3 commits into main from chore/pnpm-11 on May 17, 2026

yosriady (Collaborator) commented May 17, 2026

  • package.json: scripts npm->pnpm, drop npm-style overrides, add packageManager + devEngines.packageManager (pnpm@11.1.2) and engines.node>=22 (pnpm 11 requires Node 22+)
  • pnpm-workspace.yaml: pnpm 11 config home (.npmrc is now auth/registry only). minimumReleaseAge: 2880 correctly encodes the 48h supply-chain cooldown (old .npmrc min-release-age=2 was malformed; pnpm 11 default is only 1440/24h). allowBuilds for @swc/core + unrs-resolver set false (prebuilt platform bindings used; strictDepBuilds is a pnpm 11 default). overrides migrated here (pnpm does not read npm-style top-level overrides).
  • delete .npmrc (held only the malformed general setting)
  • ci.yml/release.yml: SHA-pinned pnpm/action-setup@v6.0.8, cache: pnpm, pnpm install --frozen-lockfile / build / test. release.yml keeps npm publish --provenance (OIDC trusted publishing is an npm-registry feature)
  • replace package-lock.json with pnpm-lock.yaml (v9.0)

Verified with pnpm 11.1.2 on Node 22: frozen-lockfile install, build (cjs+esm), test (34 passed, 4 skipped), lint all exit 0.



- package.json: scripts npm->pnpm, drop npm-style overrides,
  add packageManager + devEngines.packageManager (pnpm@11.1.2)
  and engines.node>=22 (pnpm 11 requires Node 22+)
- pnpm-workspace.yaml: pnpm 11 config home (.npmrc is now
  auth/registry only). minimumReleaseAge: 2880 correctly encodes
  the 48h supply-chain cooldown (old .npmrc min-release-age=2 was
  malformed; pnpm 11 default is only 1440/24h). allowBuilds for
  @swc/core + unrs-resolver set false (prebuilt platform bindings
  used; strictDepBuilds is a pnpm 11 default). overrides migrated
  here (pnpm does not read npm-style top-level overrides).
- delete .npmrc (held only the malformed general setting)
- ci.yml/release.yml: SHA-pinned pnpm/action-setup@v6.0.8,
  cache: pnpm, pnpm install --frozen-lockfile / build / test.
  release.yml keeps npm publish --provenance (OIDC trusted
  publishing is an npm-registry feature)
- replace package-lock.json with pnpm-lock.yaml (v9.0)

Verified with pnpm 11.1.2 on Node 22: frozen-lockfile install,
build (cjs+esm), test (34 passed, 4 skipped), lint all exit 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
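
An added example (not part of this PR and not pnpm's code) modelling the cooldown that minimumReleaseAge expresses: the value is in minutes, so 2880 holds back anything published in the last 48 hours and 1440 only the last 24. The packument `time` map, the versions and `NOW` are constructed; the value 2 appears only to show what it would mean if it were read as minutes.

```javascript
// Simplified model of a release-age cooldown. Not pnpm's implementation.
// Constructed sample: the `time` map of an npm registry packument
// (version -> ISO publish timestamp) for a hypothetical package.
const SAMPLE_TIME = {
  created: "2026-01-01T00:00:00.000Z",
  modified: "2026-05-16T22:00:00.000Z",
  "1.0.0": "2026-05-01T00:00:00.000Z", // 16 days before NOW
  "1.0.1": "2026-05-15T12:00:00.000Z", // 36 hours before NOW
  "1.0.2": "2026-05-16T22:00:00.000Z", // 2 hours before NOW
};
const NOW = Date.parse("2026-05-17T00:00:00.000Z"); // constructed clock

// Numeric comparison of plain x.y.z versions (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions whose publish time is at least minAgeMinutes before `now`.
function eligibleVersions(timeMap, minAgeMinutes, now) {
  if (!Number.isInteger(minAgeMinutes) || minAgeMinutes < 0) {
    throw new RangeError("minAgeMinutes must be a non-negative integer");
  }
  const cutoff = now - minAgeMinutes * 60000;
  return Object.entries(timeMap)
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key)) // skip created/modified
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
}

// Newest version that has aged past the cooldown, or null if none has.
function newestEligible(timeMap, minAgeMinutes, now) {
  const ok = eligibleVersions(timeMap, minAgeMinutes, now);
  return ok.length ? ok[ok.length - 1] : null;
}

for (const minutes of [2880, 1440, 2]) {
  console.log(minutes, "->", newestEligible(SAMPLE_TIME, minutes, NOW));
}
```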

socket-security Bot commented May 17, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | jest@30.3.0 ⏵ 30.4.2 | 100 +1 | 100 | 70 +1 | 98 +2 | 100 |
| Updated | @types/node@25.5.0 ⏵ 25.8.0 | 100 | 100 | 81 | 96 | 100 |
| Updated | @swc/core@1.15.21 ⏵ 1.15.33 | 92 +1 | 100 | 100 | 95 | 100 |


actions/checkout@v4 and actions/setup-node@v4 run on Node.js 20,
which GitHub forces to Node 24 by 2026-06-02 and removes by
2026-09-16. Bump to the latest majors (checkout v6.0.2,
setup-node v6.4.0) and SHA-pin them in ci.yml (was tag-pinned)
and release.yml (was pinned at v4.3.1/v4.4.0), consistent with
the third-party action pinning policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
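
One way to enforce the SHA-pinning policy mentioned above, as an added example that is not code from this repository: a check that scans workflow text for `uses:` references whose ref is not a full 40-character commit SHA. The workflow text is constructed, the SHAs are placeholders, and `example-org/example-action` is hypothetical.

```javascript
// Flags GitHub Actions `uses:` references not pinned to a full commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Constructed workflow text; the 40-character refs are placeholders,
// not real commits.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@${"a".repeat(40)} # v6.4.0
      - uses: pnpm/action-setup@${"b".repeat(40)} # v6.0.8
      - uses: ./.github/actions/local-step
      - name: hypothetical third-party step
        uses: "example-org/example-action@main"
      # - uses: example-org/disabled@v1 (commented out, ignored)
`;

// Returns one finding per mutable (tag or branch) reference.
function auditPins(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((line, idx) => {
    // Matches step-level and job-level `uses:`, quoted or not.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const target = m[1];
    // Local actions and container images are not resolved by git ref.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? "" : target.slice(at + 1);
    if (!FULL_SHA.test(ref)) {
      findings.push({ line: idx + 1, action: target, ref });
    }
  });
  return findings;
}

for (const f of auditPins(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action} is not SHA-pinned`);
}
```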

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request migrates the project from npm to pnpm 11, which includes updating the package manager, development engines, and build scripts, as well as introducing a pnpm-workspace.yaml configuration file. Feedback suggests that the update to Node.js version 22 in the engines field may be an unnecessary breaking change for consumers and recommends keeping a broader range if compatibility allows. Furthermore, it is advised to explicitly define workspace members in the new workspace configuration file to ensure full compliance with the pnpm schema.

Comment thread package.json Outdated
}
},
"engines": {
"node": ">=22"

high

Bumping engines.node to >=22 is a breaking change for consumers of this library. While pnpm 11 requires Node 22+ for the development environment, this requirement does not necessarily extend to the library's runtime compatibility. If the code is still compatible with Node 18 or 20, it is recommended to keep a broader range in engines.node. The requirement for developers is already correctly handled by the devEngines field added in this PR.

Comment thread pnpm-workspace.yaml
@@ -0,0 +1,24 @@
# pnpm 11 configuration.

medium

The pnpm-workspace.yaml file should explicitly define the workspace members using the packages field. Although pnpm may currently default to the root directory if it's the only package found, explicitly including '.' ensures compliance with the workspace schema and prevents potential issues if subdirectories are added or if pnpm commands are run from different locations.

packages:
  - '.'

# pnpm 11 configuration.

- package.json: remove engines.node ">=22". The repo had no engines
  field before this PR; constraining library consumers' Node runtime
  is unrelated to the pnpm dev-tooling migration and would be a
  breaking change. The pnpm/Node dev requirement is already covered
  by devEngines + the pinned CI Node version.
- pnpm-workspace.yaml: add explicit `packages: ['.']` so the
  single-package workspace is declared (schema-compliant, robust if
  subdirs are added). Lockfile regenerated (gains importers: section);
  resolution unchanged.

Re-verified with pnpm 11.1.2 / Node 22: frozen-lockfile install,
build, test, lint all exit 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yosriady yosriady merged commit 9fe17f3 into main May 17, 2026
8 checks passed
@yosriady yosriady deleted the chore/pnpm-11 branch May 17, 2026 04:45