chore: migrate to pnpm

[Crunchyman-ralph]

What type of PR is this?

• 🐛 Bug fix
• ✨ Feature
• 🔌 Integration
• 📝 Docs
• 🧹 Refactor
• Other:

Description

Related Issues

How to Test This

# Example commands or steps

Expected result:

Contributor Checklist

• Created changeset: npm run changeset
• Tests pass: npm test
• Format check passes: npm run format-check (or npm run format to fix)
• Addressed CodeRabbit comments (if any)
• Linked related issues (if any)
• Manually tested the changes

Changelog Entry

---

For Maintainers

• PR title follows conventional commits
• Target branch correct
• Labels added
• Milestone assigned (if applicable)

Summary by CodeRabbit

• Chores
  • Migrated project package manager from npm to pnpm throughout all workflows and configurations
  • Added pnpm workspace configuration for monorepo structure
  • Updated all build scripts and dependencies to use pnpm equivalents
  • Updated workspace dependency resolution to use workspace protocol

[changeset-bot]

⚠️ No Changeset found

Latest commit: feb2532

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Migration from npm to pnpm across the monorepo. Updates include: replacing npm commands with pnpm equivalents in CI workflows, changing workspace dependency specs from loose wildcards to workspace:* protocol, updating package.json scripts to use pnpm, adding packageManager field, and introducing pnpm-workspace.yaml configuration.

Changes

Cohort / File(s)	Change Summary
CI Workflows .github/workflows/ci.yml, .github/workflows/pre-release.yml, .github/workflows/release.yml	Replace npm/npx commands with pnpm equivalents: npm install → pnpm install --frozen-lockfile, npm ci → pnpm install --frozen-lockfile, npx <cmd> → pnpm exec <cmd>, npm run <script> → pnpm run <script>. Add explicit pnpm/action-setup@v4 step before Node.js setup. Switch cache strategy from npm to pnpm.
Root & App Package Configurations package.json, apps/cli/package.json, apps/extension/package.json, apps/mcp/package.json	Update workspace dependency specs for @tm/core from "*" to "workspace:*". In root and extension, update build/dev scripts from npm to pnpm equivalents (e.g., npm run build → pnpm run build, npx @tailwindcss/cli → pnpm exec @tailwindcss/cli). Update root packageManager field from npm@10.9.2 to pnpm@9.15.4.
Bridge Package Configuration packages/tm-bridge/package.json	Update workspace dependency spec for @tm/core from "*" to "workspace:*".
Workspace Configuration pnpm-workspace.yaml	New file configuring pnpm workspace with package globs for apps/* and packages/*.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify pnpm command equivalents (e.g., pnpm install --frozen-lockfile vs. npm ci) are correct and semantically identical
• Confirm workspace:* protocol resolution aligns with monorepo structure and intended dependency linking
• Validate CI workflow steps execute correctly with pnpm setup ordering and cache configuration
• Check that build scripts in apps/extension (Tailwind CSS commands via pnpm exec) function identically to npm equivalents

Possibly related PRs

• chore: improve pre-release CI to be able to release more than one release candidate #1036: Modifies the same pre-release CI workflow (pre-release.yml) with overlapping changeset and RC-flow logic changes
• chore: improve release and pre-release CI #1075: Updates the same GitHub Actions workflow files (pre-release.yml and release.yml) for CI configuration
• chore: fix pre-release CI #1213: Modifies pre-release and release workflows—adds/adjusts build and format steps in the same files

Suggested reviewers

• eyaltoledano

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "chore: migrate to pnpm" directly and accurately reflects the main change in the changeset. The changeset comprehensively migrates the project from npm to pnpm across multiple files, including CI/CD workflows, package.json configuration files, workspace dependencies, and the addition of pnpm-workspace.yaml. The title is concise, follows conventional commits format with the "chore:" prefix, and uses clear, specific language that avoids vague terms or noise. A developer scanning the repository history would immediately understand that this PR represents a package manager migration.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ralph/chore/migrate.to.pnpm

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 560a469 and feb2532.

⛔ Files ignored due to path filters (2)

• package-lock.json is excluded by !**/package-lock.json
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• .github/workflows/ci.yml (5 hunks)
• .github/workflows/pre-release.yml (3 hunks)
• .github/workflows/release.yml (1 hunks)
• apps/cli/package.json (1 hunks)
• apps/extension/package.json (2 hunks)
• apps/mcp/package.json (1 hunks)
• package.json (3 hunks)
• packages/tm-bridge/package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

package.json

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

Add and update test scripts in package.json to include test, test:watch, test:coverage, test:unit, test:integration, test:e2e, and test:ci

Files:

• package.json

🧠 Learnings (30)

📓 Common learnings

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1232
File: packages/tm-core/package.json:50-51
Timestamp: 2025-09-22T19:45:04.337Z
Learning: In the eyaltoledano/claude-task-master project, Crunchyman-ralph intentionally omits version fields from internal/private packages in package.json files to prevent changesets from releasing new versions of these packages while still allowing them to be processed for dependency updates. The changesets warnings about missing versions are acceptable as they don't break the process and achieve the desired behavior of only releasing public packages.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1232
File: packages/build-config/package.json:14-15
Timestamp: 2025-09-22T19:45:13.323Z
Learning: In the eyaltoledano/claude-task-master repository, Crunchyman-ralph intentionally omits version fields from internal packages (like tm/build-config) to prevent changesets from releasing new versions for these packages. This is the desired behavior for internal tooling packages that should not be published or versioned independently.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/package.json:13-64
Timestamp: 2025-09-03T12:16:15.866Z
Learning: For internal packages in the claude-task-master project, Crunchyman-ralph prefers pointing package.json "types" entries to src .ts files rather than dist .d.ts files for better developer experience (DX), as the packages are not being exported as SDKs.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/AGENTS.md:0-0
Timestamp: 2025-09-24T15:12:58.855Z
Learning: Applies to assets/.claude/commands/taskmaster-complete.md : Create .claude/commands/taskmaster-complete.md with steps to review task, verify, run tests, set status done, and show next task

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1090
File: apps/extension/package.json:241-243
Timestamp: 2025-08-07T13:00:22.966Z
Learning: In monorepos, local packages should use "*" as the version constraint in package.json dependencies, as recommended by npm. This ensures the local version from within the same workspace is always used, rather than attempting to resolve from external registries. This applies to packages like task-master-ai within the eyaltoledano/claude-task-master monorepo.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1213
File: .github/workflows/pre-release.yml:68-73
Timestamp: 2025-09-17T20:26:17.277Z
Learning: User Crunchyman-ralph clarified that not all packages in the monorepo need build steps, so adding turbo:build scripts to every workspace package.json is unnecessary and incorrect.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-07-18T17:12:57.903Z
Learning: Applies to scripts/modules/*.js : Ensure new features trigger migration when needed, handle migration errors gracefully, test feature behavior with pre-migration projects, and do not assume projects are already migrated.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Applies to package.json : Add and update test scripts in package.json to include test, test:watch, test:coverage, test:unit, test:integration, test:e2e, and test:ci

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/auth/config.ts:5-7
Timestamp: 2025-09-02T21:51:27.921Z
Learning: The user Crunchyman-ralph prefers not to use node: scheme imports (e.g., 'node:os', 'node:path') for Node.js core modules and considers suggestions to change bare imports to node: scheme as too nitpicky.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1069
File: .changeset/fix-tag-complexity-detection.md:0-0
Timestamp: 2025-08-02T15:33:22.656Z
Learning: For changeset files (.changeset/*.md), Crunchyman-ralph prefers to ignore formatting nitpicks about blank lines between frontmatter and descriptions, as he doesn't mind having them and wants to avoid such comments in future reviews.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1200
File: src/ai-providers/custom-sdk/grok-cli/language-model.js:96-100
Timestamp: 2025-09-19T16:06:42.182Z
Learning: The user Crunchyman-ralph prefers to keep environment variable names explicit (like GROK_CLI_API_KEY) rather than supporting multiple aliases, to avoid overlap and ensure clear separation between different CLI implementations.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/subpath-exports.test.ts:6-9
Timestamp: 2025-09-03T12:45:30.724Z
Learning: The user Crunchyman-ralph prefers to avoid overly nitpicky or detailed suggestions in code reviews, especially for test coverage of minor import paths. Focus on more substantial issues rather than comprehensive coverage of all possible edge cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1105
File: scripts/modules/supported-models.json:242-254
Timestamp: 2025-08-08T11:33:15.297Z
Learning: Preference: In scripts/modules/supported-models.json, the "name" field is optional. For OpenAI entries (e.g., "gpt-5"), Crunchyman-ralph prefers omitting "name" when the id is explicit enough; avoid nitpicks requesting a "name" in such cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1217
File: apps/cli/src/index.ts:16-21
Timestamp: 2025-09-18T16:35:35.147Z
Learning: The user Crunchyman-ralph considers suggestions to export types for better ergonomics (like exporting UpdateInfo type alongside related functions) as nitpicky and prefers not to implement such suggestions.

📚 Learning: 2025-08-07T13:00:22.966Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1090
File: apps/extension/package.json:241-243
Timestamp: 2025-08-07T13:00:22.966Z
Learning: In monorepos, local packages should use "*" as the version constraint in package.json dependencies, as recommended by npm. This ensures the local version from within the same workspace is always used, rather than attempting to resolve from external registries. This applies to packages like task-master-ai within the eyaltoledano/claude-task-master monorepo.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-26T19:10:32.906Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: tsconfig.json:22-28
Timestamp: 2025-09-26T19:10:32.906Z
Learning: In the eyaltoledano/claude-task-master repository, all internal tm/ package path mappings in tsconfig.json consistently point to TypeScript source files (e.g., "./packages/*/src/index.ts") rather than built JavaScript. This is intentional architecture because tsdown bundles internal packages directly from source during build time, eliminating the need for separate compilation of internal packages.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-26T19:07:10.485Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: packages/ai-sdk-provider-grok-cli/package.json:21-35
Timestamp: 2025-09-26T19:07:10.485Z
Learning: In the eyaltoledano/claude-task-master repository, the tsdown build configuration uses `noExternal: [/^tm\//]` which means internal tm/ packages are bundled into the final output while external npm dependencies remain external and are resolved from the root package.json dependencies at runtime. This eliminates the need for peer dependencies in internal packages since the root package.json already provides the required external dependencies.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-26T19:03:33.225Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: package.json:130-132
Timestamp: 2025-09-26T19:03:33.225Z
Learning: In the eyaltoledano/claude-task-master repository, packages are bundled using tsdown during the build process, which means dependencies imported by the source code (including tm internal packages like tm/ai-sdk-provider-grok-cli) are included in the final bundle and don't need to be available as separate runtime dependencies, so they should remain as devDependencies rather than being moved to dependencies.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-10-08T19:57:00.982Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1282
File: packages/tm-core/src/utils/index.ts:16-34
Timestamp: 2025-10-08T19:57:00.982Z
Learning: For the tm-core package in the eyaltoledano/claude-task-master repository, the team prefers a minimal, need-based export strategy in index files rather than exposing all internal utilities. Exports should only be added when functions are actually consumed by other packages in the monorepo.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-26T19:05:47.555Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: packages/ai-sdk-provider-grok-cli/package.json:11-13
Timestamp: 2025-09-26T19:05:47.555Z
Learning: In the eyaltoledano/claude-task-master repository, internal tm/ packages use a specific export pattern where the "exports" field points to TypeScript source files (./src/index.ts) while "main" points to compiled output (./dist/index.js) and "types" points to source files (./src/index.ts). This pattern is used consistently across internal packages like tm/core and tm/ai-sdk-provider-grok-cli because they are consumed directly during build-time bundling with tsdown rather than being published as separate packages.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-22T19:45:04.337Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1232
File: packages/tm-core/package.json:50-51
Timestamp: 2025-09-22T19:45:04.337Z
Learning: In the eyaltoledano/claude-task-master project, Crunchyman-ralph intentionally omits version fields from internal/private packages in package.json files to prevent changesets from releasing new versions of these packages while still allowing them to be processed for dependency updates. The changesets warnings about missing versions are acceptable as they don't break the process and achieve the desired behavior of only releasing public packages.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-17T20:26:17.277Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1213
File: .github/workflows/pre-release.yml:68-73
Timestamp: 2025-09-17T20:26:17.277Z
Learning: User Crunchyman-ralph clarified that not all packages in the monorepo need build steps, so adding turbo:build scripts to every workspace package.json is unnecessary and incorrect.

Applied to files:

• packages/tm-bridge/package.json
• .github/workflows/ci.yml
• apps/extension/package.json
• package.json

📚 Learning: 2025-09-26T19:03:33.225Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: package.json:130-132
Timestamp: 2025-09-26T19:03:33.225Z
Learning: In the eyaltoledano/claude-task-master repository, all packages with tm prefix are internal packages that are part of the monorepo structure and are not published externally.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-22T19:45:13.323Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1232
File: packages/build-config/package.json:14-15
Timestamp: 2025-09-22T19:45:13.323Z
Learning: In the eyaltoledano/claude-task-master repository, Crunchyman-ralph intentionally omits version fields from internal packages (like tm/build-config) to prevent changesets from releasing new versions for these packages. This is the desired behavior for internal tooling packages that should not be published or versioned independently.

Applied to files:

• packages/tm-bridge/package.json
• apps/cli/package.json
• apps/extension/package.json
• package.json

📚 Learning: 2025-09-03T12:16:15.866Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/package.json:13-64
Timestamp: 2025-09-03T12:16:15.866Z
Learning: For internal packages in the claude-task-master project, Crunchyman-ralph prefers pointing package.json "types" entries to src .ts files rather than dist .d.ts files for better developer experience (DX), as the packages are not being exported as SDKs.

Applied to files:

• packages/tm-bridge/package.json
• apps/extension/package.json
• package.json

📚 Learning: 2025-08-03T12:13:33.875Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Applies to package.json : Add and update test scripts in package.json to include test, test:watch, test:coverage, test:unit, test:integration, test:e2e, and test:ci

Applied to files:

• .github/workflows/ci.yml
• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-09-09T19:13:55.652Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1194
File: .github/workflows/ci.yml:31-35
Timestamp: 2025-09-09T19:13:55.652Z
Learning: The claude-task-master project has only one package-lock.json file in the entire workspace (at the root level), so cache-dependency-path configuration is unnecessary for the npm cache in GitHub Actions.

Applied to files:

• .github/workflows/ci.yml
• .github/workflows/release.yml
• .github/workflows/pre-release.yml
• package.json

📚 Learning: 2025-08-03T12:13:33.875Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Run npm run test:coverage before commits to ensure all tests pass with sufficient coverage

Applied to files:

• .github/workflows/ci.yml
• .github/workflows/pre-release.yml

📚 Learning: 2025-07-18T17:12:57.903Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-07-18T17:12:57.903Z
Learning: Applies to scripts/modules/**/*.test.js : Test CLI and MCP interfaces with real task data, verify end-to-end workflows across tag contexts, and test error scenarios and recovery in integration tests.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-08-03T12:13:33.875Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Verify testing framework setup and coverage reporting before starting TDD workflow

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-07-18T17:10:31.810Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/git_workflow.mdc:0-0
Timestamp: 2025-07-18T17:10:31.810Z
Learning: Applies to **/*.{test,spec}.{js,ts,jsx,tsx} : Create a test file if needed and ensure all tests pass before completing a task

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-08-03T12:13:33.875Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Applies to **/*.test.ts : Test all code paths, including edge cases and error scenarios, in test files

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-08-03T12:13:33.875Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-08-03T12:13:33.875Z
Learning: Applies to {src/utils/**,src/middleware/**} : Test coverage for all code should meet or exceed 80% lines/functions and 70% branches globally; critical code (utils, middleware) should meet higher thresholds (90% utils, 85% middleware)

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-07-18T17:12:57.903Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-07-18T17:12:57.903Z
Learning: Applies to scripts/modules/**/*.test.js : Every new feature must include comprehensive tests following the guidelines in 'tests.mdc', including unit tests, integration tests, edge cases, and at least 80% coverage.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-07-31T20:49:04.638Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 997
File: apps/extension/package.publish.json:2-8
Timestamp: 2025-07-31T20:49:04.638Z
Learning: In the eyaltoledano/claude-task-master repository, the VS Code extension uses a 3-file packaging system where package.json (with name "extension") is for development within the monorepo, while package.publish.json (with name "task-master-hamster") contains the clean manifest for VS Code marketplace publishing. The different names are intentional and serve distinct purposes in the build and publishing workflow.

Applied to files:

• apps/extension/package.json
• pnpm-workspace.yaml
• package.json

📚 Learning: 2025-07-18T17:09:45.690Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-07-18T17:09:45.690Z
Learning: Applies to scripts/modules/dependency-manager.js : Track and report changes made during dependency cleanup

Applied to files:

• apps/extension/package.json
• apps/mcp/package.json
• package.json

📚 Learning: 2025-07-18T17:14:29.399Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-07-18T17:14:29.399Z
Learning: Applies to scripts/modules/task-manager.js : Use consistent formatting for task files, include all task properties in text files, and format dependencies with status indicators.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-17T19:09:08.882Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1211
File: jest.resolver.cjs:8-15
Timestamp: 2025-09-17T19:09:08.882Z
Learning: In the eyaltoledano/claude-task-master project, the team only uses .ts files and does not plan to use .tsx or .mts extensions, so Jest resolver and build tooling should focus on .js → .ts mapping only.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-07-17T21:33:57.585Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1002
File: .changeset/puny-friends-give.md:2-3
Timestamp: 2025-07-17T21:33:57.585Z
Learning: In the eyaltoledano/claude-task-master repository, the MCP server code in mcp-server/src/ is part of the main "task-master-ai" package, not a separate "mcp-server" package. When creating changesets for MCP server changes, use "task-master-ai" as the package name.

Applied to files:

• apps/mcp/package.json

📚 Learning: 2025-07-18T17:11:36.732Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-07-18T17:11:36.732Z
Learning: Applies to mcp-server/src/{tools,core/direct-functions}/*.js : Use helpers from mcp-server/src/tools/utils.js, mcp-server/src/core/utils/path-utils.js, and mcp-server/src/core/utils/ai-client-utils.js for centralized utilities.

Applied to files:

• apps/mcp/package.json

📚 Learning: 2025-07-18T17:18:17.759Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-07-18T17:18:17.759Z
Learning: Applies to mcp-server/src/{core/utils,tools}/**/*.js : Place utilities specifically designed to support the MCP server implementation into the appropriate subdirectories within `mcp-server/src/` (e.g., path/core logic helpers in `mcp-server/src/core/utils/`, tool execution/response helpers in `mcp-server/src/tools/utils.js`).

Applied to files:

• apps/mcp/package.json

📚 Learning: 2025-07-18T17:10:53.657Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/glossary.mdc:0-0
Timestamp: 2025-07-18T17:10:53.657Z
Learning: Guidelines for using Changesets (npm run changeset) to manage versioning and changelogs (changeset.mdc).

Applied to files:

• .github/workflows/pre-release.yml

📚 Learning: 2025-07-18T17:06:04.909Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/ai_providers.mdc:0-0
Timestamp: 2025-07-18T17:06:04.909Z
Learning: Applies to src/ai-providers/*.js : Provider modules must import the provider's create<ProviderName> function from ai-sdk/<provider-name>, and import generateText, streamText, generateObject from the core ai package, as well as the log utility from ../../scripts/modules/utils.js.

Applied to files:

• package.json

🔇 Additional comments (9)

packages/tm-bridge/package.json (1)

18-22: LGTM!

The migration from "" to "workspace:" is correct for pnpm's workspace protocol. This ensures the local @tm/core from the workspace is always resolved, consistent with the new pnpm-workspace.yaml configuration.

apps/mcp/package.json (1)

24-28: LGTM!

The workspace:* protocol change for @tm/core is correct and consistent with the pnpm workspace migration.

.github/workflows/release.yml (1)

22-51: LGTM!

The workflow migration to pnpm is complete and correct. All changes follow standard pnpm GitHub Actions patterns: setup action, cache configuration, and --frozen-lockfile for reproducible builds.

.github/workflows/ci.yml (1)

32-138: LGTM!

The CI workflow migration to pnpm is comprehensive and consistent across all jobs. Setup, caching, and command patterns are correct throughout. The --prefer-offline flag is a good optimization for pnpm cache usage.

apps/extension/package.json (2)

227-241: LGTM!

All script updates from npm/npx to pnpm equivalents are correct. The npx replacements with pnpm exec and parallel execution via & operator are properly handled.

---

242-279: LGTM!

The workspace:* dependency change for @tm/core aligns with the pnpm workspace configuration.

pnpm-workspace.yaml (1)

1-3: LGTM!

The pnpm-workspace.yaml configuration is correct and complete. The globs for apps/* and packages/* properly define the workspace structure and align with all workspace:* dependency changes throughout the monorepo.

apps/cli/package.json (1)

24-33: LGTM!

The workspace:* dependency change for @tm/core is correct and consistent with the pnpm workspace migration pattern applied across the monorepo.

.github/workflows/pre-release.yml (1)

18-87: LGTM!

The pre-release workflow migration to pnpm is complete and correct. Setup, dependencies, and all command invocations properly use pnpm. The changeset commands correctly use pnpm exec, and the RC mode logic is preserved.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

pnpm migration changes look correct.

The migration from npm to pnpm is implemented properly:

• Scripts correctly updated to use pnpm (line 14) and pnpm filtering (line 19)
• packageManager field properly specifies pnpm version (line 117)
• Workspace dependencies correctly use the workspace:* protocol (lines 142–143), which is pnpm's standard for local monorepo packages

Test scripts remain intact with all required test targets present.

Please verify that pnpm@9.15.4 is the intended stable version and has no known security advisories:

Also applies to: 19-19, 117-117, 142-143

---

🌐 Web query:

What is the latest stable version of pnpm and are there any security issues with pnpm 9.15.4?

💡 Result:

Latest stable pnpm (as of Nov 1, 2025) is 10.19.0. [1][2]

Security status of pnpm 9.15.4:

• It is affected by the "Use of Weak Hash" issue that Snyk lists for versions < 10.0.0-alpha.0 (medium severity). [3]
• The "Untrusted Search Path" issue was fixed in >= 9.14.4, so 9.15.4 includes that fix. [3]

Sources:

1. pnpm release notes / GitHub (v10.19.0). [1]
2. Homebrew formula / package listing (pnpm 10.19.0). [2]
3. Snyk pnpm vulnerability summary (shows Use of Weak Hash affecting <10.0.0-alpha.0 and Untrusted Search Path fixed >=9.14.4). [3]

---

Update pnpm to latest stable version; pnpm 9.15.4 has a known security vulnerability.

The specified version pnpm@9.15.4 is significantly outdated. The latest stable pnpm as of November 1, 2025 is 10.19.0. Additionally, pnpm 9.15.4 is affected by a "Use of Weak Hash" issue (medium severity) that affects versions below 10.0.0-alpha.0.

Update packageManager field (line 117) to specify pnpm@10.19.0 or the latest stable version to address this security concern and stay current with the project's dependencies.

🤖 Prompt for AI Agents

In package.json (referencing the script at line ~14 and the packageManager field
at line ~117), the project currently pins pnpm to an outdated/vulnerable version
(pnpm@9.15.4); update the packageManager entry to use the latest stable pnpm
(e.g., pnpm@10.19.0) to remediate the "Use of Weak Hash" issue and keep
dependencies current — modify the packageManager field value accordingly and
ensure any CI or docs referencing pnpm version are updated to match.

[Crunchyman-ralph]

Won't do for now, will come back to at another time