Conversation

@iiio2 (Member) commented Sep 19, 2025

From a security perspective, I think it is important to update pnpm. pnpm v10 disables lifecycle scripts by default (https://github.com/orgs/pnpm/discussions/8918). Most compromised packages have used postinstall scripts to run code immediately upon installation (https://pnpm.io/supply-chain-security).

@vercel vercel bot commented Sep 19, 2025

The latest updates on your projects.

Project: v4 | Deployment: Ready | Preview: Ready | Comments: Preview Comment | Updated (UTC): Sep 19, 2025 1:06pm

@coderabbitai coderabbitai bot commented Sep 19, 2025

Walkthrough

Updated the packageManager field in package.json from pnpm@9.8.0+sha512[...] to pnpm@10.17.0. No other fields, dependencies, scripts, or configurations were modified.

Changes

Cohort / File(s): Manifest update (package.json)
Summary of Changes: Changed packageManager from pnpm@9.8.0+sha512.8e4c3550fb500e808dbc30bb0ce4dd1eb614e30b1c55245f211591ec2cdf9c611cabd34e1364b42f564bd54b3945ed0f49d61d1bbf2ec9bd74b866fcdc723276 to pnpm@10.17.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I thump my paws—new PNPM skies,
A version hop, concise and wise.
No scripts disturbed, no deps to chase,
Just smoother hops from place to place.
With 10.17.0 I gleefully run,
A tidy burrow—updates done! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title "chore: bump pnpm" is concise, follows conventional commit style, and accurately describes the primary change in the diff (updating package.json's packageManager to a newer pnpm version). It clearly communicates the PR's intent to reviewers scanning history without extraneous detail. The phrasing is specific enough for team context and not vague.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 04dbcc5 and 59ddfda.

📒 Files selected for processing (1)
  • package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test

"zod": "^3.24.2"
},
"packageManager": "pnpm@9.8.0+sha512.8e4c3550fb500e808dbc30bb0ce4dd1eb614e30b1c55245f211591ec2cdf9c611cabd34e1364b42f564bd54b3945ed0f49d61d1bbf2ec9bd74b866fcdc723276",
"packageManager": "pnpm@10.17.0",
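Review bot: the new value drops the +sha512 integrity suffix that the old pin carried. Corepack uses that suffix to verify the pnpm archive it downloads before activating it, so bumping the version should keep an integrity hash rather than remove one, e.g. "packageManager": "pnpm@10.17.0+sha512.<hash of the 10.17.0 tarball>" (the placeholder stands for the published integrity value for that release).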
⚠️ Potential issue

🧩 Analysis chain

pnpm v10 bump looks fine; verify CI/Node and add minimal v10 config to avoid surprises.

  • Node requirement: pnpm 10 needs Node >= 18.12. Ensure all runners, Docker images, and dev machines satisfy this. (app.unpkg.com)
  • Breaking default: v10 blocks transitive dependency lifecycle scripts (e.g., esbuild, sharp, bcrypt) unless explicitly allowed. Add a small allowlist or run an approval step in CI to prevent build/test failures. (github.com)
  • Production installs: v10 installs all deps even when NODE_ENV=production; use flags (e.g., pnpm install --prod) if images relied on NODE_ENV to skip devDeps. (github.com)
  • Lockfile/hosting: lockfile v9 is supported by v9 and v10; Vercel auto‑uses v10 for lockfileVersion '9.0'. (vercel.com)
  • Optional hardening: keep integrity in packageManager (e.g., +sha512-…) for supply‑chain pinning. Corepack supports and recommends it. (app.unpkg.com)

Apply if helpful:

-  "packageManager": "pnpm@10.17.0",
+  "packageManager": "pnpm@10.17.0",
+  "engines": {
+    "node": ">=18.12",
+    "pnpm": ">=10"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ]
+  }
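Review bot: the first pair of lines is a no-op (the removed and added "packageManager" lines are identical), and the suggested value omits the +sha512 integrity hash that the "Optional hardening" bullet above recommends; if the hash is worth recommending it belongs in the committable change, not only in the bullet. The onlyBuiltDependencies entry also names esbuild without anything in this comment showing that esbuild is a dependency of this package; the allowlist should be derived from the packages pnpm 10 actually reports as having ignored build scripts, and kept as short as that list.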

Run to sanity-check the repo for CI/Docker implications:

🏁 Script executed:

#!/bin/bash
# CI/corepack/pnpm usage in workflows
# (-n: line numbers, -i: case-insensitive; the original "-nCI" cluster is rejected
#  by rg because -C expects a numeric context count)
rg -n -i --glob '.github/**' -e 'setup-node|corepack|pnpm/action-setup|pnpm install|NODE_ENV=production' || true
# Dockerfiles that may rely on NODE_ENV or global pnpm
fd -HI --type f --strip-cwd-prefix -g 'Dockerfile*' | xargs -I{} sh -c 'echo "=== {} ==="; rg -n -i "NODE_ENV=production|pnpm install|corepack" "{}" || true'
# Check for a v10 build-script allowlist already present
rg -n -i '"onlyBuiltDependencies"|approve-builds|dangerouslyAllowAllBuilds' --json || true

Length of output: 441

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Environment checks =="
command -v rg >/dev/null 2>&1 && echo "rg: $(rg --version | head -n1)" || echo "rg: not found"
command -v fd >/dev/null 2>&1 && echo "fd: $(fd --version 2>/dev/null | head -n1)" || echo "fd: not found"
echo

if command -v rg >/dev/null 2>&1; then
  echo "1) Searching .github workflows for pnpm/corepack/setup-node or NODE_ENV..."
  rg -n --hidden -S --glob '.github/**' -e 'setup-node|corepack|pnpm/action-setup|pnpm install|NODE_ENV=production' || true
  echo

  echo "2) Searching repo for packageManager/engines/pnpm allowlist markers..."
  rg -n --hidden -S -e 'packageManager|engines|onlyBuiltDependencies|approve-builds|dangerouslyAllowAllBuilds' || true
  echo

  echo "3) Dockerfiles (matching Dockerfile*) and relevant lines..."
  if command -v fd >/dev/null 2>&1; then
    fd -HI --type f -g 'Dockerfile*' | while read -r f; do
      echo "=== $f ==="
      rg -n -S -e 'NODE_ENV=production|pnpm install|corepack' "$f" || true
    done
  else
    find . -type f -name 'Dockerfile*' -print | while read -r f; do
      echo "=== $f ==="
      rg -n -S -e 'NODE_ENV=production|pnpm install|corepack' "$f" || true
    done
  fi
  echo

  echo "4) package.json files: show lines with packageManager / engines / pnpm"
  rg -n --hidden -S -g '**/package.json' -e '"packageManager"|"engines"|"pnpm"' || true
else
  echo "rg not installed; falling back to grep (slower, may produce more noise)."
  echo "1) .github..."
  grep -Rni --exclude-dir=.git -e 'setup-node\|corepack\|pnpm/action-setup\|pnpm install\|NODE_ENV=production' . || true
  echo

  echo "2) packageManager/engines/allowlist markers..."
  grep -Rni --exclude-dir=.git -e 'packageManager\|engines\|onlyBuiltDependencies\|approve-builds\|dangerouslyAllowAllBuilds' . || true
  echo

  echo "3) Dockerfiles..."
  find . -type f -name 'Dockerfile*' -print | while read -r f; do
    echo "=== $f ==="
    grep -nHi -e 'NODE_ENV=production\|pnpm install\|corepack' "$f" || true
  done
  echo

  echo "4) package.json files..."
  find . -name package.json -print | while read -r f; do
    echo "=== $f ==="
    grep -nHi -e '"packageManager"\|\"engines\"' "$f" || true
  done
fi

Length of output: 106282

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/test.yml ==="
sed -n '1,240p' .github/workflows/test.yml || true
echo
echo "=== .github/workflows/ci.yml ==="
sed -n '1,240p' .github/workflows/ci.yml || true
echo
echo "=== package.json (root) ==="
sed -n '1,240p' package.json || true
echo
echo "=== cli/package.json ==="
sed -n '1,240p' cli/package.json || true
echo
echo "=== Dockerfile ==="
sed -n '1,240p' Dockerfile || true
echo
echo "=== ai/Dockerfile ==="
sed -n '1,240p' ai/Dockerfile || true
echo
echo "=== ai/Dockerfile.dev ==="
sed -n '1,240p' ai/Dockerfile.dev || true

Length of output: 8434

pnpm v10 bump — CI/Docker mismatch; pin pnpm and add engines/allowlist

  • .github/workflows/test.yml installs pnpm v9 (pnpm/action-setup@v2 with version: 9) while root package.json has "packageManager": "pnpm@10.17.0" — update the workflow to use pnpm v10 (or match package.json).
  • .github/workflows/ci.yml runs corepack enable but does not pin Node or pnpm — add node-version (e.g., 22) to actions/setup-node and pin pnpm (corepack prepare pnpm@10.17.0 --activate or pnpm/action-setup@v2 with version: 10.17.0).
  • Dockerfiles (Dockerfile, ai/Dockerfile, ai/Dockerfile.dev) use corepack/pnpm@latest — pin the exact pnpm (10.17.0) to avoid drift.
  • Add minimal engine and pnpm allowlist to root package.json to document Node requirement and avoid blocked lifecycle scripts (repo already has onlyBuiltDependencies in cli/package.json for prisma). Recommended change:
-  "packageManager": "pnpm@10.17.0",
+  "packageManager": "pnpm@10.17.0",
+  "engines": {
+    "node": ">=18.12",
+    "pnpm": ">=10"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ]
+  }
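Review bot: "node": ">=18.12" is the pnpm 10 floor, but the bullet above asks ci.yml to pin Node 22; if the project is expected to run on 22, state that as the engines floor so engines and CI agree instead of advertising a version nobody tests. The esbuild entry in onlyBuiltDependencies is again unexplained, while the same bullet says the repository's existing allowlist in cli/package.json is for prisma; reconcile the two (one root-level list or per-package lists, not both with different contents). The committable change should also keep the +sha512 integrity hash on the pin, which this suggestion leaves out.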

Files to fix: .github/workflows/test.yml, .github/workflows/ci.yml, Dockerfile, ai/Dockerfile, ai/Dockerfile.dev, and root package.json.

🤖 Prompt for AI Agents

In package.json around line 91, the repo pins packageManager to pnpm@10.17.0 but lacks engine metadata and a pnpm allowlist; update the root package.json to (1) keep "packageManager": "pnpm@10.17.0", (2) add a minimal "engines" entry (e.g. "engines": {"node": ">=22"}) and (3) add a "pnpm" config object with an allowlist entry to permit necessary lifecycle scripts (use the pnpm "allowlist" key to whitelist the packages/scripts that need to run during install). Also ensure the CI/workflows and Dockerfiles are pinned to pnpm v10.17.0 (update .github/workflows/test.yml to use pnpm v10, add node-version and pinned pnpm in .github/workflows/ci.yml, and change corepack/pnpm@latest references in Dockerfile, ai/Dockerfile, ai/Dockerfile.dev to the exact 10.17.0 pin) so packageManager and runtime tooling match.
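The drift the review points out (test.yml on pnpm 9, ci.yml enabling corepack with no pin, Dockerfiles on pnpm@latest, and a packageManager value that lost its +sha512 hash) is the kind of thing a repository check can catch before merge. The script below is an added example written for this page; it is not code from the PR, the bot, or the project. It builds a constructed throwaway repo that mirrors those findings, lists every pin that disagrees with package.json, then rewrites the files with exact pins and shows the same check passing. The function names, the sample files and the placeholder hash are assumptions of the example; it also assumes packageManager sits on one line and that pins appear either as a pnpm/action-setup "version:" key or as a "pnpm@<version>" string.

```shell
#!/bin/sh
# Added example (not from the PR or project): check that every pnpm pin in
# workflows and Dockerfiles equals package.json's packageManager version and
# that the pin carries a Corepack integrity hash. POSIX sh, sed, grep, find.

# Raw packageManager value, e.g. pnpm@10.17.0+sha512.<hash> (assumes one line).
pm_field() {
  sed -n 's/.*"packageManager":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Version only: strip the "pnpm@" prefix and any "+sha512..." suffix.
pm_version() {
  pm_field "$1" | sed -e 's/^pnpm@//' -e 's/+.*$//'
}

# Succeeds only when the pin carries an integrity hash.
pm_has_integrity() {
  pm_field "$1" | grep -q '+sha512\.'
}

# Print one line per workflow/Dockerfile pin that is not exactly the
# package.json version, and one for any corepack use with no pin at all.
pnpm_pin_mismatches() {
  repo=$1
  want=$(pm_version "$repo/package.json")
  [ -n "$want" ] || { echo "package.json: no packageManager field"; return; }
  find "$repo" -type f \( -path '*/.github/workflows/*.yml' -o -name 'Dockerfile*' \) | sort |
  while IFS= read -r f; do
    rel=${f#"$repo"/}
    # pnpm/action-setup style "version: 9"; [^-] excludes node-version etc.
    sed -n 's/.*[^-]version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$f" |
    while IFS= read -r ref; do
      [ "$ref" = "$want" ] || echo "$rel: version: $ref (want $want)"
    done
    # corepack prepare / npm -g style "pnpm@10.17.0" or "pnpm@latest"
    sed -n 's/.*pnpm@\([A-Za-z0-9.][A-Za-z0-9.]*\).*/\1/p' "$f" |
    while IFS= read -r ref; do
      [ "$ref" = "$want" ] || echo "$rel: pnpm@$ref (want $want)"
    done
    # corepack enabled but never told which pnpm to prepare
    if grep -q corepack "$f" && ! grep -q 'pnpm@' "$f"; then
      echo "$rel: corepack used without a pnpm@<version> pin"
    fi
  done
}

# Full report: pin mismatches plus the integrity-hash check.
pnpm_pin_report() {
  pnpm_pin_mismatches "$1"
  pm_has_integrity "$1/package.json" ||
    echo "package.json: packageManager has no +sha512 integrity hash"
}

# Exit 0 when the report is empty, 1 (and print it) otherwise.
check_pnpm_pins() {
  report=$(pnpm_pin_report "$1")
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Constructed sample repo mirroring the review's findings (not the real repo).
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows"
  printf '{\n  "name": "sample",\n  "packageManager": "pnpm@10.17.0"\n}\n' > "$d/package.json"
  printf 'steps:\n  - uses: pnpm/action-setup@v2\n    with:\n      version: 9\n' > "$d/.github/workflows/test.yml"
  printf 'steps:\n  - uses: actions/setup-node@v4\n    with:\n      node-version: 22\n  - run: corepack enable\n' > "$d/.github/workflows/ci.yml"
  printf 'FROM node:22\nRUN corepack enable && corepack prepare pnpm@latest --activate\n' > "$d/Dockerfile"
  echo "$d"
}

# Rewrite the sample with exact pins; the hash is a placeholder for the
# registry's real integrity value and only satisfies the presence check.
fix_sample_repo() {
  d=$1
  printf '{\n  "name": "sample",\n  "packageManager": "pnpm@10.17.0+sha512.PLACEHOLDER_NOT_A_REAL_HASH"\n}\n' > "$d/package.json"
  printf 'steps:\n  - uses: pnpm/action-setup@v2\n    with:\n      version: 10.17.0\n' > "$d/.github/workflows/test.yml"
  printf 'steps:\n  - uses: actions/setup-node@v4\n    with:\n      node-version: 22\n  - run: corepack enable && corepack prepare pnpm@10.17.0 --activate\n' > "$d/.github/workflows/ci.yml"
  printf 'FROM node:22\nRUN corepack enable && corepack prepare pnpm@10.17.0 --activate\n' > "$d/Dockerfile"
}

# Demo when run directly: report on the drifting sample, then on the fixed one.
demo=$(make_sample_repo)
echo "== before =="; check_pnpm_pins "$demo" || true
fix_sample_repo "$demo"
echo "== after =="; check_pnpm_pins "$demo" && echo "all pins agree"
[ -n "$demo" ] && rm -rf "$demo"
```

Run it as `sh check-pnpm-pins.sh`; to use it on a real checkout, call `check_pnpm_pins /path/to/repo` and wire its exit status into CI. Exact equality is deliberate: "version: 10" or "pnpm@latest" would still let the runner drift away from the version package.json declares, which is the mismatch the review is trying to prevent.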

Labels: none yet
Projects: Status: Triage
2 participants