2 changes: 1 addition & 1 deletion package.json
@@ -88,7 +88,7 @@
"yaml": "^2.8.0",
"zod": "^3.24.2"
},
"packageManager": "pnpm@9.8.0+sha512.8e4c3550fb500e808dbc30bb0ce4dd1eb614e30b1c55245f211591ec2cdf9c611cabd34e1364b42f564bd54b3945ed0f49d61d1bbf2ec9bd74b866fcdc723276",
"packageManager": "pnpm@10.17.0",
⚠️ Potential issue

🧩 Analysis chain

pnpm v10 bump looks fine; verify CI/Node and add minimal v10 config to avoid surprises.

  • Node requirement: pnpm 10 needs Node >= 18.12. Ensure all runners, Docker images, and dev machines satisfy this. (app.unpkg.com)
  • Breaking default: v10 blocks transitive dependency lifecycle scripts (e.g., esbuild, sharp, bcrypt) unless explicitly allowed. Add a small allowlist or run an approval step in CI to prevent build/test failures. (github.com)
  • Production installs: v10 installs all deps even when NODE_ENV=production; use flags (e.g., pnpm install --prod) if images relied on NODE_ENV to skip devDeps. (github.com)
  • Lockfile/hosting: lockfile v9 is supported by v9 and v10; Vercel auto‑uses v10 for lockfileVersion '9.0'. (vercel.com)
  • Optional hardening: keep integrity in packageManager (e.g., +sha512-…) for supply‑chain pinning. Corepack supports and recommends it. (app.unpkg.com)

Apply if helpful:

-  "packageManager": "pnpm@10.17.0",
+  "packageManager": "pnpm@10.17.0",
+  "engines": {
+    "node": ">=18.12",
+    "pnpm": ">=10"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ]
+  }

Run to sanity‑check the repo for CI/Docker implications:


🏁 Script executed:

#!/bin/bash
# CI/corepack/pnpm usage (-i: case-insensitive; --hidden: descend into .github)
rg -n -i --hidden --glob '.github/**' -e 'setup-node|corepack|pnpm/action-setup|pnpm install|NODE_ENV=production' || true
# Dockerfiles that may rely on NODE_ENV or global pnpm
fd -HI --type f --strip-cwd-prefix -g 'Dockerfile*' | xargs -I{} sh -c 'echo "=== {} ==="; rg -n -i "NODE_ENV=production|pnpm install|corepack" "{}" || true'
# Check for v10 allowlist already present
rg -n -i --hidden '"onlyBuiltDependencies"|approve-builds|dangerouslyAllowAllBuilds' --json || true

Length of output: 441


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Environment checks =="
command -v rg >/dev/null 2>&1 && echo "rg: $(rg --version | head -n1)" || echo "rg: not found"
command -v fd >/dev/null 2>&1 && echo "fd: $(fd --version 2>/dev/null | head -n1)" || echo "fd: not found"
echo

if command -v rg >/dev/null 2>&1; then
  echo "1) Searching .github workflows for pnpm/corepack/setup-node or NODE_ENV..."
  rg -n --hidden -S --glob '.github/**' -e 'setup-node|corepack|pnpm/action-setup|pnpm install|NODE_ENV=production' || true
  echo

  echo "2) Searching repo for packageManager/engines/pnpm allowlist markers..."
  rg -n --hidden -S -e 'packageManager|engines|onlyBuiltDependencies|approve-builds|dangerouslyAllowAllBuilds' || true
  echo

  echo "3) Dockerfiles (matching Dockerfile*) and relevant lines..."
  if command -v fd >/dev/null 2>&1; then
    fd -HI --type f -g 'Dockerfile*' | while read -r f; do
      echo "=== $f ==="
      rg -n -S -e 'NODE_ENV=production|pnpm install|corepack' "$f" || true
    done
  else
    find . -type f -name 'Dockerfile*' -print | while read -r f; do
      echo "=== $f ==="
      rg -n -S -e 'NODE_ENV=production|pnpm install|corepack' "$f" || true
    done
  fi
  echo

  echo "4) package.json files: show lines with packageManager / engines / pnpm"
  rg -n --hidden -S -g '**/package.json' -e '"packageManager"|"engines"|"pnpm"' || true
else
  echo "rg not installed; falling back to grep (slower, may produce more noise)."
  echo "1) .github..."
  grep -Rni --exclude-dir=.git -e 'setup-node\|corepack\|pnpm/action-setup\|pnpm install\|NODE_ENV=production' . || true
  echo

  echo "2) packageManager/engines/allowlist markers..."
  grep -Rni --exclude-dir=.git -e 'packageManager\|engines\|onlyBuiltDependencies\|approve-builds\|dangerouslyAllowAllBuilds' . || true
  echo

  echo "3) Dockerfiles..."
  find . -type f -name 'Dockerfile*' -print | while read -r f; do
    echo "=== $f ==="
    grep -nHi -e 'NODE_ENV=production\|pnpm install\|corepack' "$f" || true
  done
  echo

  echo "4) package.json files..."
  find . -name package.json -print | while read -r f; do
    echo "=== $f ==="
    grep -nHi -e '"packageManager"\|\"engines\"' "$f" || true
  done
fi

Length of output: 106282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/test.yml ==="
sed -n '1,240p' .github/workflows/test.yml || true
echo
echo "=== .github/workflows/ci.yml ==="
sed -n '1,240p' .github/workflows/ci.yml || true
echo
echo "=== package.json (root) ==="
sed -n '1,240p' package.json || true
echo
echo "=== cli/package.json ==="
sed -n '1,240p' cli/package.json || true
echo
echo "=== Dockerfile ==="
sed -n '1,240p' Dockerfile || true
echo
echo "=== ai/Dockerfile ==="
sed -n '1,240p' ai/Dockerfile || true
echo
echo "=== ai/Dockerfile.dev ==="
sed -n '1,240p' ai/Dockerfile.dev || true

Length of output: 8434


pnpm v10 bump — CI/Docker mismatch; pin pnpm and add engines/allowlist

  • .github/workflows/test.yml installs pnpm v9 (pnpm/action-setup@v2 with version: 9) while root package.json has "packageManager": "pnpm@10.17.0" — update the workflow to use pnpm v10 (or match package.json).
  • .github/workflows/ci.yml runs corepack enable but does not pin Node or pnpm — add node-version (e.g., 22) to actions/setup-node and pin pnpm (corepack prepare pnpm@10.17.0 --activate or pnpm/action-setup@v2 with version: 10.17.0).
  • Dockerfiles (Dockerfile, ai/Dockerfile, ai/Dockerfile.dev) use corepack/pnpm@latest — pin the exact pnpm (10.17.0) to avoid drift.
  • Add minimal engine and pnpm allowlist to root package.json to document Node requirement and avoid blocked lifecycle scripts (repo already has onlyBuiltDependencies in cli/package.json for prisma). Recommended change:
-  "packageManager": "pnpm@10.17.0",
+  "packageManager": "pnpm@10.17.0",
+  "engines": {
+    "node": ">=18.12",
+    "pnpm": ">=10"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ]
+  }

Files to fix: .github/workflows/test.yml, .github/workflows/ci.yml, Dockerfile, ai/Dockerfile, ai/Dockerfile.dev, and root package.json.

🤖 Prompt for AI Agents
In package.json around line 91, the repo pins packageManager to pnpm@10.17.0 but
lacks engine metadata and a pnpm allowlist; update the root package.json to (1)
keep "packageManager": "pnpm@10.17.0", (2) add a minimal "engines" entry (e.g.
"engines": {"node": ">=22"}) and (3) add a "pnpm" config object with an
allowlist entry to permit necessary lifecycle scripts (use the pnpm "allowlist"
key to whitelist the packages/scripts that need to run during install). Also
ensure the CI/workflows and Dockerfiles are pinned to pnpm v10.17.0 (update
.github/workflows/test.yml to use pnpm v10, add node-version and pinned pnpm in
.github/workflows/ci.yml, and change corepack/pnpm@latest references in
Dockerfile, ai/Dockerfile, ai/Dockerfile.dev to the exact 10.17.0 pin) so
packageManager and runtime tooling match.
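
Added example, not part of the review thread and not the project's own code: a POSIX shell lint for the `packageManager` pin discussed above. It accepts the hashed form the old line had, flags a hash-less pin such as the new `pnpm@10.17.0`, and converts an npm registry `dist.integrity` value (`sha512-<base64>`) into the `+sha512.<hex>` suffix that Corepack verifies against the downloaded tarball. The integrity string used in the demo is constructed (the bytes 0x00..0x3f), not pnpm's real digest; the real one comes from `npm view pnpm@10.17.0 dist.integrity`, or let `corepack use pnpm@10.17.0` write the hashed field for you.

```shell
#!/bin/sh
# Added example, not the project's code. Lints the "packageManager" field for
# an integrity-pinned pnpm and converts npm registry integrity strings into
# the "+sha512.<hex>" form Corepack verifies. Needs only sed, grep, od and a
# base64 that accepts -d (GNU coreutils; recent macOS also accepts -d).

# npm publishes dist.integrity as "sha512-<base64>"; Corepack's packageManager
# suffix is "sha512.<hex>" of the same tarball digest. Convert one to the other.
corepack_hash_from_integrity() {
    b64=${1#sha512-}
    if [ "$b64" = "$1" ]; then
        echo "not a sha512 integrity string: $1" >&2
        return 1
    fi
    hex=$(printf '%s' "$b64" | base64 -d | od -An -tx1 -v | tr -d ' \n')
    if [ "${#hex}" -ne 128 ]; then
        echo "decoded digest is not 64 bytes: $1" >&2
        return 1
    fi
    printf 'sha512.%s\n' "$hex"
}

# Compose a paste-ready pin from a version and the registry integrity string.
pinned_package_manager() {
    digest=$(corepack_hash_from_integrity "$2") || return 1
    printf 'pnpm@%s+%s\n' "$1" "$digest"
}

# Extract the packageManager value from a package.json without needing jq.
package_manager_field() {
    sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 only for "pnpm@x.y.z+sha512.<128 hex>". A bare "pnpm@x.y.z" still
# makes Corepack fetch the right version but binds it to no tarball (return 1,
# the weak case this diff introduces); a range or "latest" is no pin (return 2).
validate_package_manager() {
    pm=$1
    if printf '%s\n' "$pm" | grep -Eq '^pnpm@[0-9]+\.[0-9]+\.[0-9]+\+sha512\.[0-9a-f]{128}$'; then
        return 0
    fi
    if printf '%s\n' "$pm" | grep -Eq '^pnpm@[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo "WEAK  $pm pins a version but no integrity hash" >&2
        return 1
    fi
    echo "BAD   $pm is not an exact pnpm@x.y.z[+sha512.<hex>] pin" >&2
    return 2
}

# Demo on the two values from the diff above.
OLD_PIN='pnpm@9.8.0+sha512.8e4c3550fb500e808dbc30bb0ce4dd1eb614e30b1c55245f211591ec2cdf9c611cabd34e1364b42f564bd54b3945ed0f49d61d1bbf2ec9bd74b866fcdc723276'
NEW_PIN='pnpm@10.17.0'
for pin in "$OLD_PIN" "$NEW_PIN"; do
    if validate_package_manager "$pin"; then
        echo "OK    ${pin%%+*} carries an integrity hash"
    fi
done

# Constructed integrity value (bytes 0x00..0x3f, NOT pnpm's real digest) to
# show the conversion; substitute the output of `npm view pnpm@10.17.0 dist.integrity`.
SAMPLE_INTEGRITY='sha512-AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw=='
pinned_package_manager 10.17.0 "$SAMPLE_INTEGRITY"
```

Run it from the repo root and feed `package_manager_field package.json` into `validate_package_manager` as a CI step; a non-zero exit then blocks a bump that drops the hash, which is exactly what this hunk does.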

"devDependencies": {
"@auth/prisma-adapter": "^2.8.0",
"@iconify-json/heroicons": "^1.2.2",
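Review bot: the removed line pinned `pnpm@9.8.0+sha512.…` with an integrity suffix, while the added line is a bare `pnpm@10.17.0`, so this hunk drops the only commit-tracked binding between the declared package manager and a specific tarball; Corepack checks that suffix against what it downloads and rejects a mismatch, whereas a version-only pin trusts whatever the registry serves for 10.17.0. Keep the hash on the new value (`corepack use pnpm@10.17.0` rewrites the field with it) so the major bump does not quietly weaken the pin the previous value had. Since the hunk touches only package.json, also confirm the pnpm version used by the workflows and Dockerfiles is raised in the same change, as the thread above points out.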