Skip to content

chore: migrate pnpm settings to pnpm-workspace.yaml and bump to pnpm 11#4623

Merged
tothandras merged 2 commits into
mainfrom
chore/pnpm-workspaces
Jul 1, 2026
Merged

chore: migrate pnpm settings to pnpm-workspace.yaml and bump to pnpm 11#4623
tothandras merged 2 commits into
mainfrom
chore/pnpm-workspaces

Conversation

@tothandras

@tothandras tothandras commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

What

pnpm 11 no longer reads the pnpm field in package.json (it warns and ignores onlyBuiltDependencies, patchedDependencies, and overrides). This moves those settings into each pnpm-workspace.yaml and bumps the packageManager pins to pnpm@11.1.2.

Affected workspace roots:

  • api/spec
  • api/client/javascript

Why

Without the migration, a fresh pnpm install under pnpm 11 silently drops the TypeSpec compiler/emitter patches, the openapi-typescript patch, and the semver/vite version overrides — changing generated output and dependency resolution without any error.

Verification

  • pnpm install --lockfile-only in both roots: exit 0, no deprecation warning, running pnpm v11.1.2.
  • Both pnpm-lock.yaml files retain their patchedDependencies and overrides sections, confirming the patches remain applied. api/spec/pnpm-lock.yaml reformatted to the pnpm 11 lockfile layout (patches stored as inline content hashes instead of path: sub-maps); api/client/javascript/pnpm-lock.yaml was already in that format and is unchanged.

Notes

  • Nested manifests under api/spec/packages/* still pin packageManager: pnpm@10.28.0. They are workspace members (not roots), did not trigger warnings, and are left untouched here.

Summary by CodeRabbit

  • Chores
    • Updated the pinned package manager version to a newer release.
    • Refreshed workspace dependency controls, including improved handling of patched dependency packages and an explicit build allow/deny configuration.
    • Added a safer rule to ensure a shared dependency version resolves to a compatible range.

pnpm 11 no longer reads the "pnpm" field in package.json. Move
onlyBuiltDependencies, patchedDependencies, and overrides into each
pnpm-workspace.yaml (api/spec and api/client/javascript) and bump the
packageManager pins to pnpm@11.1.2. Without this, a fresh pnpm 11
install silently drops the TypeSpec/openapi-typescript patches and
version overrides.
@tothandras tothandras requested a review from a team as a code owner July 1, 2026 09:06
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: adb07791-3779-4c21-b948-e8e5e84ff1bd

📥 Commits

Reviewing files that changed from the base of the PR and between 690ca27 and 77eaaa4.

⛔ Files ignored due to path filters (1)
  • api/client/javascript/pnpm-workspace.yaml is excluded by !api/client/**
📒 Files selected for processing (1)
  • api/spec/pnpm-workspace.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/spec/pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

This PR bumps the pnpm packageManager pin in api/spec/package.json to 11.1.2, removes its inline pnpm config, and moves the workspace-level dependency patches, semver override, and build allow/deny rules into api/spec/pnpm-workspace.yaml.

Changes

pnpm Workspace Config Migration

Layer / File(s) Summary
Move pnpm config to workspace file
api/spec/package.json, api/spec/pnpm-workspace.yaml
package.json updates the pnpm pin and removes the embedded pnpm block; pnpm-workspace.yaml adds patched dependency mappings, a semver override, and build allow/deny settings.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • openmeterio/openmeter#4229: Earlier pnpm tooling changes in api/spec/package.json and related patch/allowlist config overlap with this workspace config migration.

Suggested reviewers: gergely-kurucz-konghq

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the pnpm config migration and the pnpm 11 upgrade.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/pnpm-workspaces

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@tothandras tothandras added the release-note/ignore Ignore this change when generating release notes label Jul 1, 2026
@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR updates the pnpm setup for the TypeSpec and JavaScript client workspaces.

  • Moves pnpm patch and override settings into workspace YAML files.
  • Bumps both workspace roots to pnpm 11.1.2.
  • Updates the api/spec lockfile patched-dependency layout.
  • Replaces old build allowlists with pnpm 11 allowBuilds settings.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
api/client/javascript/package.json Removes pnpm-specific config from the manifest and updates the package manager pin.
api/client/javascript/pnpm-workspace.yaml Adds workspace-level pnpm patch, override, and build allowance settings.
api/spec/package.json Removes pnpm-specific config from the manifest and updates the package manager pin.
api/spec/pnpm-lock.yaml Refreshes patched dependency entries for the pnpm 11 lockfile format.
api/spec/pnpm-workspace.yaml Adds workspace-level pnpm patch, override, and build allowance settings.

Reviews (2): Last reviewed commit: "chore: use pnpm 11 allowBuilds instead o..." | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/spec/pnpm-workspace.yaml`:
- Around line 11-12: The workspace config is using the deprecated
onlyBuiltDependencies approval list, so pnpm 11 will ignore it. Update the
pnpm-workspace.yaml entry to use allowBuilds instead, keeping the same package
identifier (`@typespec/http-client-python`) under the new key so build approval
still applies.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c9ff54f0-f10c-42b0-a324-c6c6831635ed

📥 Commits

Reviewing files that changed from the base of the PR and between c0a5530 and 690ca27.

⛔ Files ignored due to path filters (3)
  • api/client/javascript/package.json is excluded by !api/client/**
  • api/client/javascript/pnpm-workspace.yaml is excluded by !api/client/**
  • api/spec/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • api/spec/package.json
  • api/spec/pnpm-workspace.yaml

Comment thread api/spec/pnpm-workspace.yaml Outdated
pnpm 11 replaces onlyBuiltDependencies with an explicit allowBuilds
allow/deny map and errors on ignored build scripts by default
(ERR_PNPM_IGNORED_BUILDS), breaking `pnpm --frozen-lockfile install`
in CI code generation.

- api/client/javascript: allow esbuild; drop unrs-resolver, which is
  not present in this workspace's dependency tree.
- api/spec: preserve the prior allowlist by allowing
  @typespec/http-client-python and explicitly denying core-js, esbuild,
  and protobufjs so their postinstall scripts do not start running.
@tothandras tothandras enabled auto-merge (squash) July 1, 2026 09:21
@tothandras tothandras merged commit 32ac526 into main Jul 1, 2026
28 checks passed
@tothandras tothandras deleted the chore/pnpm-workspaces branch July 1, 2026 09:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release-note/ignore Ignore this change when generating release notes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants