chore: migrate to pnpm 11 via corepack and test Node 22/24/26 #62
- Pin pnpm to 11.8.0 through the packageManager field (corepack)
- Replace removed onlyBuiltDependencies with pnpm 11 allowBuilds map
- Use pnpm/action-setup + corepack enable in all workflows, caching the pnpm store via setup-node (cache: pnpm)
- Test against Node 22, 24, and 26; keep Node 24 LTS for the single-version workflows (release, code-coverage) and .nvmrc

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MVGY8SQ7gQP8PL5BvWDFBN
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install pnpm | ||
| uses: pnpm/action-setup@v6 |
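Review bot: `actions/checkout@v4` on the first line of this hunk is referenced by a mutable tag in the same way as `pnpm/action-setup@v6` on the last line. If the workflows move to commit-SHA pins, pin both references and keep the tag as a trailing comment (`# v4`, `# v6`) so the version stays readable.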
3rd party GitHub Actions should be pinned - high severity
A third-party GitHub Action was imported, and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks, if the affected GitHub Action is compromised.
| uses: pnpm/action-setup@v6 | |
| uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 |
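A check of the kind this finding describes can be run over workflow files before merge. The following is an added example, not code from this pull request or from the scanner that posted the comment; the function name `findUnpinnedActions`, the first-party rule (owners `actions` and `github`) and the sample workflow are assumptions made for illustration.

```javascript
// Added example: flag `uses:` references that are not pinned to a full commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?/;

function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((text, index) => {
    const match = USES_LINE.exec(text);
    if (!match) return;
    const target = match[1];
    // Local actions and container images are outside this check.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const name = at === -1 ? target : target.slice(0, at);
    const ref = at === -1 ? "" : target.slice(at + 1);
    if (FULL_SHA.test(ref)) return; // a 40-hex commit SHA cannot be moved like a tag
    const owner = name.split("/")[0];
    findings.push({
      line: index + 1,
      action: name,
      ref,
      // Assumption: only GitHub's own namespaces count as first party.
      thirdParty: owner !== "actions" && owner !== "github",
    });
  });
  return findings;
}

// Constructed workflow fragment using the references quoted on this page;
// the local action path is hypothetical.
const sampleWorkflow = `
steps:
  - uses: actions/checkout@v4
  - name: Install pnpm
    uses: pnpm/action-setup@v6
  - name: Install pnpm (pinned)
    uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6
  - uses: ./.github/actions/local-step
`;

for (const f of findUnpinnedActions(sampleWorkflow)) {
  const kind = f.thirdParty ? "third-party" : "first-party";
  console.log(`line ${f.line}: ${f.action}@${f.ref} (${kind}) is not pinned to a commit SHA`);
}
```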
Code Review
This pull request configures the package manager in package.json and attempts to set up build permissions in pnpm-workspace.yaml. Feedback indicates that allowBuilds is not supported in pnpm-workspace.yaml and is incorrectly formatted as a map; it should instead be configured as an array under the "pnpm" field in the root package.json.
| allowBuilds: | ||
| '@swc/core': true | ||
| esbuild: true | ||
| unrs-resolver: true | ||
| minimumReleaseAge: 2880 |
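Review bot: each `allowBuilds` entry permits that package's build scripts to run at install time, and the PR description explains the need only for `@swc/core` and `esbuild`; add a comment above `unrs-resolver: true` saying why it is allowed. `minimumReleaseAge: 2880` would also benefit from a comment stating the unit (minutes, so 48 hours).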
In pnpm, configuration options like allowBuilds (or the deprecated onlyBuiltDependencies) are not supported in pnpm-workspace.yaml. Placing them here will cause pnpm to ignore them, which can lead to ERR_PNPM_IGNORED_BUILDS errors during installation because the build scripts for @swc/core, esbuild, and unrs-resolver won't be allowed to run.
Additionally, in pnpm 11, allowBuilds is defined as an array of package names (strings), rather than a map of package names to booleans.
These configurations should be moved to the root package.json under the "pnpm" field, or defined in .npmrc as allow-builds.
minimumReleaseAge: 2880
| "dependencies": { | ||
| "hookified": "^2.1.1" | ||
| } | ||
| }, | ||
| "packageManager": "pnpm@11.8.0+sha512.c1f5e7c4cb241c8f174b743851d82f42b802324afc8b0f116b96adb15aa06664948dde36960a3ba1079ba5b4b29dd0140135b94b5b5f5263592249d68e555f26" |
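Review bot: the `packageManager` value on the last line of this hunk embeds a sha512 digest that has to change with every pnpm bump. Record the regeneration command (`corepack use pnpm@11.8.0`, per the PR description) in the contributing notes so the digest is regenerated by the tool rather than edited by hand.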
To correctly configure allowed builds in pnpm 11, define allowBuilds as an array of package names under the "pnpm" field in your root package.json.
"dependencies": {
"hookified": "^2.1.1"
},
"pnpm": {
"allowBuilds": [
"@swc/core",
"esbuild",
"unrs-resolver"
]
},
"packageManager": "pnpm@11.8.0+sha512.c1f5e7c4cb241c8f174b743851d82f42b802324afc8b0f116b96adb15aa06664948dde36960a3ba1079ba5b4b29dd0140135b94b5b5f5263592249d68e555f26"
Summary
Migrates the SDK from pnpm 10 to pnpm 11 using corepack, and refreshes the CI tooling and Node.js test matrix.
Changes
"packageManager": "pnpm@11.8.0+sha512…"topackage.json(generated withcorepack use pnpm@11.8.0). pnpm now resolves from this field rather than the previous unpinnednpm install pnpm -g.allowBuildsconfig — pnpm 11 removedonlyBuiltDependencies(andneverBuiltDependencies,ignoredBuiltDependencies, etc.), replacing them with the unifiedallowBuildsmap.pnpm-workspace.yamlnow uses:ERR_PNPM_IGNORED_BUILDSfor@swc/coreandesbuild.tests.yamlnow runs against Node 22, 24, and 26..nvmrcis unchanged (24) and the single-version workflows (release.yaml,code-coverage.yaml) continue to use Node 24.pnpm/action-setup@v6+corepack enable, with the pnpm store cached viaactions/setup-node(cache: 'pnpm'), replacingnpm install pnpm -g && pnpm install. This matches the pattern used in the siblingHyphen/nodejs-sdkandjaredwray/cacheablerepos.Verification
Run locally with pnpm 11.8.0:
- pnpm install --frozen-lockfile — ✅ clean, build scripts now run (@swc/core, esbuild), no ignored-builds error
- pnpm build — ✅ passes
- pnpm test — ✅ 151/156 pass; the 5 failures are the live-API Toggle Evaluations tests that require HYPHEN_PUBLIC_API_KEY / HYPHEN_APPLICATION_ID (provided via secrets in CI, absent locally) — unrelated to this change.

🤖 Generated with Claude Code