📝 Walkthrough
This PR updates workspace and package manager configuration. The pnpm package manager is upgraded from version 10.33.4 to 11.1.2 in package.json. The pnpm-workspace.yaml file is refactored to replace the ignoredBuiltDependencies configuration with a new allowBuilds block that explicitly disables builds for
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 3: The packageManager entry was bumped to "pnpm@11.1.2" but pnpm v11
introduces breaking changes; before committing this upgrade revert or hold the
packageManager change until you complete migration steps: move any pnpm config
keys out of package.json into pnpm-workspace.yaml (use camelCase keys) and
ensure .npmrc contains only auth/registry settings, update CI/Docker/shell
profiles and env variables from npm_config_* → pnpm_config_*, verify the repo
will run on Node.js 22+ (update engines field or CI node versions if needed),
apply the codemod (pnpx codemod run pnpm-v10-to-v11) and manually review its
changes, and adjust global install scripts and security defaults (release-age
guard/exotic subdeps) in CI configs so that packageManager in package.json can
safely be set to pnpm@11.1.2.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e3c2519d-d57b-4066-bee8-842bbf2fb08c
📒 Files selected for processing (2)
- package.json
- pnpm-workspace.yaml
| { | ||
| "name": "@nuxt/telemetry", | ||
| "packageManager": "pnpm@10.33.4", | ||
| "packageManager": "pnpm@11.1.2", |
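Review bot: the new `"packageManager": "pnpm@11.1.2"` line pins the package manager by version number only, so a tool that honors this field (Corepack, for example) fetches that version without an integrity check. The field accepts a hash suffix of the form `pnpm@11.1.2+sha512.<hash of the 11.1.2 release>` (placeholder, to be taken from the published release); adding it would make this major-version bump tamper-evident. The hunk also shows no `engines` entry beside `packageManager`, so the Node.js version the repo and its CI run on has to be confirmed separately.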
🧩 Analysis chain
🌐 Web query:
pnpm version 11.1.2 release date and stability
💡 Result:
The pnpm version 11.1.2 was released on May 14, 2026 [1]. As a patch release within the 11.x major version cycle, it is considered a stable production release, following the standard release practices of the pnpm project [1][2]. Users are generally encouraged to use the latest stable version to benefit from the most recent bug fixes and improvements [3].
Citations:
- 1: https://github.com/pnpm/pnpm/releases/tag/v11.1.2
- 2: https://github.com/pnpm/pnpm/releases
- 3: https://endoflife.date/pnpm
🌐 Web query:
pnpm v11 breaking changes migration guide
💡 Result:
pnpm v11 is a major release that introduces significant breaking changes, primarily focused on security, configuration consolidation, and architectural modernization [1].
Migration Guide
The official migration path from v10 to v11 is documented at https://pnpm.io/11.x/migration [2]. pnpm provides a dedicated codemod to automate many of the mechanical configuration changes [3][2]. You can run it in your project directory:
`pnpx codemod run pnpm-v10-to-v11`
Key Breaking Changes
Configuration Consolidation:
- Configuration is no longer read from the pnpm field in package.json; move these settings to pnpm-workspace.yaml [3][2].
- The .npmrc file is now restricted to auth and registry settings only [3][1]. All other settings (e.g., hoist-pattern, node-linker, save-exact) must be moved to pnpm-workspace.yaml using camelCase keys [3][2].
- Environment variables prefixed with npm_config_* are no longer read; rename them to pnpm_config_* [3][1].
Dependency and Build Management:
- Build-dependency settings (onlyBuiltDependencies, neverBuiltDependencies, etc.) have been consolidated into a single allowBuilds map [3][1].
- Package manager strictness settings have been collapsed into a single pmOnFail setting [3].
Security and Defaults:
- Minimum Release Age: By default, pnpm 11 prevents the installation of package versions published within the last 24 hours to mitigate supply chain attacks [4][5][6].
- Exotic Subdependencies: Blocked by default, preventing resolution from non-standard sources like Git repositories or direct tarball URLs [4][6].
Environment and CLI:
- Node.js Support: Node.js versions 18, 19, 20, and 21 are no longer supported; Node.js 22+ is required [1].
- Distribution: pnpm is now distributed as pure ESM [1].
- CLI Changes: pnpm install -g (with no arguments) is no longer supported; use pnpm add -g instead [3][1]. Several legacy commands (e.g., access, bugs, owner) have been removed or replaced by native implementations [1].
- Script Shadowing: Scripts defined in package.json (e.g., clean, setup, deploy) now shadow built-in pnpm commands [3]. Use pnpm pm to invoke the built-in command if needed [3].
Manual Attention Required
Some changes cannot be fully automated by the codemod and require manual review, such as renaming environment variables in CI/CD pipelines, Docker images, and shell profiles [3][2]. Additionally, users should be aware that global binary migration may require manual verification [7].
Citations:
- 1: https://pnpm.io/blog/releases/11.0
- 2: https://pnpm.io/11.x/migration
- 3: https://pnpm.io/migration
- 4: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/
- 5: https://cyberpress.org/pnpm-blocks-supply-attacks/
- 6: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/
- 7: upgrading to pnpm 11 does not migrate global bins pnpm/pnpm#11528
Address pnpm v11 breaking changes before upgrading to v11.1.2.
pnpm v11.1.2 (released May 14, 2026) is a stable release, but this major version upgrade introduces breaking changes that require migration work:
- Configuration consolidation: Move pnpm settings from `package.json` → `pnpm-workspace.yaml` (camelCase keys); `.npmrc` now restricted to auth/registry only
- Node.js requirement: Node.js 22+ is required; versions 18–21 are no longer supported
- Security defaults: 24-hour release age guard and exotic subdependencies blocked by default
- CLI changes: `pnpm install -g` removed, use `pnpm add -g` instead; script shadowing now affects built-in commands
- Manual migration steps: Env variables (`npm_config_*` → `pnpm_config_*`), CI/CD, Docker, and shell profiles require manual updates
A codemod (pnpx codemod run pnpm-v10-to-v11) automates mechanical changes, but manual review is essential. See the official migration guide for complete details.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 3, The packageManager entry was bumped to "pnpm@11.1.2"
but pnpm v11 introduces breaking changes; before committing this upgrade revert
or hold the packageManager change until you complete migration steps: move any
pnpm config keys out of package.json into pnpm-workspace.yaml (use camelCase
keys) and ensure .npmrc contains only auth/registry settings, update
CI/Docker/shell profiles and env variables from npm_config_* → pnpm_config_*,
verify the repo will run on Node.js 22+ (update engines field or CI node
versions if needed), apply the codemod (pnpx codemod run pnpm-v10-to-v11) and
manually review its changes, and adjust global install scripts and security
defaults (release-age guard/exotic subdeps) in CI configs so that packageManager
in package.json can safely be set to pnpm@11.1.2.
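The migration checklist from the review comment above, written as a static pre-upgrade audit over a repository's files. This is an added example, not code from the PR, pnpm or CodeRabbit; `auditPnpm11Migration`, `toCamel`, the sample repository and the `.npmrc` allowlist are assumptions made for illustration.

```javascript
// Added example: static pre-upgrade audit for the pnpm v10 -> v11 changes in the review.
// ASSUMPTION: this .npmrc auth/registry allowlist is illustrative, not pnpm's own list.
const NPMRC_ALLOWED = [/^registry$/, /^@[^:]+:registry$/, /^\/\//, /^_auth(Token)?$/,
  /^(username|_password|email)$/];
// Build settings that pnpm 11 consolidates into the single allowBuilds map.
const LEGACY_BUILD_KEYS = ['onlyBuiltDependencies', 'neverBuiltDependencies',
  'ignoredBuiltDependencies'];
// hoist-pattern[] -> hoistPattern (camelCase key for pnpm-workspace.yaml).
const toCamel = (key) => key.replace(/\[\]$/, '').replace(/-([a-z])/g, (_, c) => c.toUpperCase());
// files: { "<relative path>": "<content>" }. Returns [{ file, rule, detail }].
function auditPnpm11Migration(files) {
  const findings = [];
  const add = (file, rule, detail) => findings.push({ file, rule, detail });
  for (const [file, text] of Object.entries(files)) {
    const base = file.split('/').pop();
    if (base === 'package.json' && JSON.parse(text).pnpm !== undefined) {
      add(file, 'pnpm-field', 'move the "pnpm" field to pnpm-workspace.yaml');
    } else if (base === '.npmrc') {
      for (const line of text.split(/\r?\n/)) {
        const entry = line.trim();
        if (!entry || entry.startsWith('#') || entry.startsWith(';')) continue;
        const key = entry.split('=')[0].trim();
        if (!NPMRC_ALLOWED.some((re) => re.test(key))) {
          add(file, 'npmrc-setting', `move ${key} to pnpm-workspace.yaml as ${toCamel(key)}`);
        }
      }
    } else if (base === 'pnpm-workspace.yaml') {
      for (const key of LEGACY_BUILD_KEYS) {
        if (new RegExp(`^${key}\\s*:`, 'm').test(text)) {
          add(file, 'legacy-build-key', `replace ${key} with allowBuilds`);
        }
      }
    }
    // CI workflows, Dockerfiles and shell profiles may still set npm_config_* variables.
    for (const m of text.matchAll(/\bnpm_config_\w+/gi)) {
      add(file, 'env-prefix', `${m[0]} is no longer read; use the pnpm_config_ prefix`);
    }
  }
  return findings;
}

// Constructed sample repository (not the PR's files).
const SAMPLE_REPO = {
  'package.json': '{"name":"demo","pnpm":{"onlyBuiltDependencies":["esbuild"]}}',
  '.npmrc': 'registry=https://registry.example.test/\nnode-linker=hoisted\nsave-exact=true\n',
  'pnpm-workspace.yaml': 'packages:\n  - .\nignoredBuiltDependencies:\n  - esbuild\n',
  '.github/workflows/ci.yml': 'env:\n  npm_config_store_dir: /tmp/store\n',
};
for (const f of auditPnpm11Migration(SAMPLE_REPO)) console.log(`${f.file}: [${f.rule}] ${f.detail}`);
```

An empty result only means none of these four patterns were found; the Node.js 22+ requirement and the new release-age and exotic-subdependency defaults still need a manual check.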
📚 Description
this migrates us to pnpm v11, and - in particular - to moving to `allowBuilds`