chore(dev): migrate to yarn 4

[ioncache]

Overview

Migrate the project from Yarn Classic to Yarn 4 Plug'n'Play while keeping local development, editor diagnostics, hooks, and CI workflows aligned with the new dependency model.

Details

• Pins Yarn 4.15.0 in package metadata and Volta, adds .yarnrc.yml for Plug'n'Play, and updates install behavior to use immutable Yarn installs.
• Updates CI and CodeQL setup to enable Corepack before Yarn cache/install steps so fresh runners use the package-manager-pinned Yarn version.
• Adds Yarn-generated VS Code TypeScript SDK files and recommends ZipFS so editor diagnostics can resolve package-backed configs and types without node_modules.
• Removes the node_modules-specific TypeScript typeRoots setting so TypeScript resolves declared types through the active package manager.
• Expands validation to include Oxlint, Oxfmt, actionlint, and YAML linting, with lint-staged filtering generated Yarn SDK files before source tools run.
• Updates development docs and the migration plan with the Yarn 4/PnP workflow and validation expectations.

Summary by CodeRabbit

• Documentation

  • Updated development setup guidance and added a Yarn Modern migration plan with stepwise verification and editor/tooling notes.

• Chores

  • Migrated repo tooling to Yarn 4 Plug’n’Play and adjusted CI for deterministic installs, Corepack support and CI lint steps.
  • Added a staged lint/format pipeline, VS Code recommendations/settings, and updated ignore/formatter/linter rules to exclude generated SDK files.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR migrates the repo to Yarn 4 Plug'n'Play: pins Yarn 4.15.0 and adds .yarnrc.yml, updates CI and CodeQL to enable Corepack and run yarn install --immutable, relocates lint-staged, adjusts formatter/linter ignores and VS Code settings for generated SDKs, and adds migration documentation.

Changes

Yarn 4 Plug'n'Play Migration

Layer / File(s)	Summary
Package manager declaration and Yarn configuration package.json, .yarnrc.yml	Yarn pinned to 4.15.0 (volta.yarn and packageManager) and .yarnrc.yml added with nodeLinker: pnp and packageExtensions for specific packages.
CI & CodeQL preparation .github/workflows/ci.yml, .github/workflows/codeql-analysis.yml, tsconfig.json	CI and CodeQL workflows now run corepack enable and yarn install --immutable; CodeQL matrix and Node setup updated; CI coverage output quoting adjusted; typeRoots removed from TS config for PnP resolution.
Lint-staged, formatter/linter ignores, and scripts lint-staged.config.mjs, package.json, .oxfmtrc.json, .oxlintrc.json, .gitignore	Lint-staged moved to lint-staged.config.mjs with .yarn/sdks filtering; formatter/linter ignore patterns updated for generated SDKs; root clean/lint scripts adjusted and embedded lint-staged block removed.
VS Code workspace environment .vscode/settings.json, .vscode/extensions.json	Adds arcanis.vscode-zipfs recommendation and configures search.exclude and workspace TypeScript SDK settings for PnP-generated SDKs.
Documentation and migration planning docs/plans/007-yarn-modern-migration.md, docs/development.md	Adds a migration plan and updates development docs to require Yarn 4 PnP, immutable install instructions, and verification steps; updates CI lint invocation to yarn lint:ci.
Repository metadata formatting .github/dependabot.yml	Dependabot config reformatted to use single-quoted strings; no behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

dependencies, javascript

Poem

🐰 I hopped through yarn files, tidy and spry,
Corepack enabled, installs fly by,
PnP seeds planted in .yarnrc.yml,
SDKs hum for the editor's smile,
Four-point-fifteen — a bouncing tie.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: migrating the project from Yarn Classic to Yarn 4, which is the primary objective of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/yarn-modern-migration

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-analysis.yml:
- Around line 43-46: The workflow uses a mutable tag for the setup-node action
("uses: actions/setup-node@v6"); replace that tag with the action's full
40-character commit SHA to satisfy the pinned-action policy. Edit the job step
that contains uses: actions/setup-node@v6 (and its with: node-version: 24,
cache: yarn) to reference the specific commit SHA for actions/setup-node so the
workflow is pinned and immutable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6290b7dc-199b-42c3-81c4-f3a12ec4eb40

📥 Commits

Reviewing files that changed from the base of the PR and between f684f1a and d9c86be.

⛔ Files ignored due to path filters (9)

• .yarn/sdks/integrations.yml is excluded by !**/.yarn/**
• .yarn/sdks/typescript/bin/tsc is excluded by !**/.yarn/**
• .yarn/sdks/typescript/bin/tsserver is excluded by !**/.yarn/**
• .yarn/sdks/typescript/lib/tsc.js is excluded by !**/.yarn/**
• .yarn/sdks/typescript/lib/tsserver.js is excluded by !**/.yarn/**
• .yarn/sdks/typescript/lib/tsserverlibrary.js is excluded by !**/.yarn/**
• .yarn/sdks/typescript/lib/typescript.js is excluded by !**/.yarn/**
• .yarn/sdks/typescript/package.json is excluded by !**/.yarn/**
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (13)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml
• .gitignore
• .oxfmtrc.json
• .oxlintrc.json
• .vscode/extensions.json
• .vscode/settings.json
• .yarnrc.yml
• docs/development.md
• docs/plans/007-yarn-modern-migration.md
• lint-staged.config.mjs
• package.json
• tsconfig.json

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	100% (🎯 100%)	127 / 127
🔵	Statements	100% (🎯 100%)	129 / 129
🔵	Functions	100% (🎯 100%)	14 / 14
🔵	Branches	100% (🎯 100%)	72 / 72

File Coverage

No changed files found.

Generated in workflow #174 for commit 6c5d676 by the Vitest Coverage Report Action

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 35: The CI uses a generic lint invocation that forwards flags to
sub-scripts (currently "run: yarn lint --format=github") which can route flags
to the wrong subcommand; replace that invocation with the CI-specific script
name by changing the workflow step to call "yarn lint:ci" so the
GitHub-formatted output is handled by the dedicated lint:ci script instead of
passing --format=github to the top-level "lint" script.
- Around line 23-25: Replace the mutable action tags with pinned full commit
SHAs for actions/checkout and actions/setup-node (i.e., change
actions/checkout@v6 and actions/setup-node@v6 to their respective full-sha refs)
and add with: persist-credentials: false to the actions/checkout step;
specifically update the checkout step (actions/checkout) to include the
with.persist-credentials: false setting and swap both uses lines to use the full
commit SHAs instead of the v6 tag.

In @.github/workflows/codeql-analysis.yml:
- Around line 40-41: Update the "Checkout repository" step that currently uses
"uses: actions/checkout@v6" to pin the action to a specific, immutable commit
SHA instead of the tag and add the "persist-credentials: false" input to the
checkout step; specifically modify the uses value (actions/checkout@...) to the
full commit SHA and add persist-credentials: false under that step so
credentials are not persisted to later workflow steps.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: cc858c69-17e7-4807-97cd-400f82becb1e

📥 Commits

Reviewing files that changed from the base of the PR and between d9c86be and 1dcbc9a.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (9)

• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml
• .oxfmtrc.json
• .yarnrc.yml
• docs/development.md
• docs/plans/007-yarn-modern-migration.md
• lint-staged.config.mjs
• package.json

💤 Files with no reviewable changes (1)

• .oxfmtrc.json

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/ci.yml (1)

23-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/checkout and actions/setup-node to full SHAs (still unresolved).

These steps still use mutable @v6 tags. Please pin both actions to 40-character commit SHAs; also set persist-credentials: false on checkout for least-privilege handling in this read-only CI job.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 23 - 25, The workflow uses mutable
tags for actions — replace the two uses entries "actions/checkout@v6" and
"actions/setup-node@v6" with their corresponding 40-character commit SHAs to pin
versions, and add persist-credentials: false to the checkout step (the step that
uses actions/checkout) to enforce least-privilege; update only the "uses" values
and add the persist-credentials option in the checkout step while leaving
corepack enable as-is.

.github/workflows/codeql-analysis.yml (1)

40-43: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

actions/checkout is still tag-pinned; switch to a full commit SHA.

Good fix adding persist-credentials: false, but uses: actions/checkout@v6 is still mutable and should be pinned to an immutable 40-char SHA.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-analysis.yml around lines 40 - 43, The workflow
uses a mutable tag for the checkout action ("uses: actions/checkout@v6");
replace that tag with the corresponding immutable 40-character commit SHA for
the actions/checkout release you want to pin to (keep the existing
"persist-credentials: false" setting). Locate the "uses: actions/checkout@v6"
line in the workflow and update it to "uses: actions/checkout@<full-commit-sha>"
so the action is pinned to a specific commit.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 23-25: The workflow uses mutable tags for actions — replace the
two uses entries "actions/checkout@v6" and "actions/setup-node@v6" with their
corresponding 40-character commit SHAs to pin versions, and add
persist-credentials: false to the checkout step (the step that uses
actions/checkout) to enforce least-privilege; update only the "uses" values and
add the persist-credentials option in the checkout step while leaving corepack
enable as-is.

In @.github/workflows/codeql-analysis.yml:
- Around line 40-43: The workflow uses a mutable tag for the checkout action
("uses: actions/checkout@v6"); replace that tag with the corresponding immutable
40-character commit SHA for the actions/checkout release you want to pin to
(keep the existing "persist-credentials: false" setting). Locate the "uses:
actions/checkout@v6" line in the workflow and update it to "uses:
actions/checkout@<full-commit-sha>" so the action is pinned to a specific
commit.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 887f4a28-90f9-4546-8c47-faf7ddb3f262

📥 Commits

Reviewing files that changed from the base of the PR and between 1dcbc9a and ac4511a.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/codeql-analysis.yml (1)

45-47: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Move corepack enable after actions/setup-node for consistency with best practices.

Enabling Corepack before Node setup can apply it to the runner's default Node rather than Node 24. Standard practice is to enable Corepack after installing the target Node version.

♻️ Recommended reordering

       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
-      - run: corepack enable
-
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 24
           cache: yarn
 
+      - run: corepack enable
+
       - run: yarn install --immutable

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-analysis.yml around lines 45 - 47, The step
invoking "corepack enable" is placed before the "uses:
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" step; move the run:
corepack enable line so it executes immediately after the actions/setup-node
step to ensure Corepack is enabled for the installed Node version (i.e., reorder
the steps so actions/setup-node runs first, then run: corepack enable).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 26-27: Move the "corepack enable" step so it runs after the
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e step; specifically
locate the steps referencing the literal "corepack enable" command and the
"uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" action in
the workflow and reorder them so setup-node executes first, then run corepack
enable to ensure Corepack is enabled for the configured Node version.

---

Outside diff comments:
In @.github/workflows/codeql-analysis.yml:
- Around line 45-47: The step invoking "corepack enable" is placed before the
"uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" step; move
the run: corepack enable line so it executes immediately after the
actions/setup-node step to ensure Corepack is enabled for the installed Node
version (i.e., reorder the steps so actions/setup-node runs first, then run:
corepack enable).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 27bad2ce-e6eb-46fb-b506-8b86a190dee2

📥 Commits

Reviewing files that changed from the base of the PR and between ac4511a and bf0cfe1.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/codeql-analysis.yml