Describe the Issue
Summary
The CLI repo was only partly on pnpm (packageManager and many scripts already used pnpm, but package-lock.json was still present and there was no pnpm-lock.yaml). This issue tracks completing the migration: a single lockfile with pnpm, CI/release workflows that install with pnpm, Docker images that build with pnpm, and contributor docs updated accordingly.
Note: PR testing and some other workflows are centrally managed in asyncapi/.github and still assume package-lock.json + npm ci until that repo is updated.
What exactly was done
Lockfiles
Removed root and fixture/template package-lock.json files (root cli/, test/fixtures/minimaltemplate, test/fixtures/newtemplate, assets/create-template/templates/default).
Generated and committed pnpm-lock.yaml via pnpm install.
Node version for CI
Added .nvmrc (24) so workflows no longer depend on get-node-version-from-package-lock where we switched them away from npm’s lockfile.
package.json
Replaced remaining npm run usage in scripts with pnpm run (e.g. prepublishOnly, pretest, test, action:test, api:*).
get-version script now uses node -p "require('./package.json').version".
Added @changesets/cli and @changesets/changelog-git as devDependencies so release/versioning does not rely on an ad hoc npm install in CI.
Docker
Dockerfile, github-action/Dockerfile, src/apps/api/Dockerfile: enable Corepack, pin pnpm 9.15.5, copy pnpm-lock.yaml, use pnpm install / pnpm run; API release image keeps trimming heavy deps (@asyncapi/studio, next) in line with the old npm behavior.
Release-assets Alpine matrix image bumped to node:24-alpine for consistency with Node 24.
GitHub Actions (repo-local workflows only)
upload-release-assets.yml, release-with-changesets.yml: pnpm/action-setup, setup-node with cache: pnpm, pnpm install --frozen-lockfile, pnpm run for build/pack/changesets; npm publish / npm view unchanged for the registry.
bump-homebrew-formula.yml, release-chocolatey.yml: read version with node -p "require('./package.json').version" instead of npm-only helpers.
Docs
README.md, DEVELOPMENT.md, src/apps/api/README.md, default create-template readme.md: contributor/local instructions updated to pnpm (including corepack enable where relevant).
Intentionally unchanged
Centrally managed workflows under .github (e.g. if-nodejs-pr-testing.yml, update-docs-on-docs-commits.yml) still use npm ci / package-lock.json — follow-up belongs in asyncapi/.github.
github-action/entrypoint.sh still uses npm install -g for installing the published package from the npm registry.
.github/workflows/scripts/mailchimp/ left as-is (central copy + package-lock.json)
Expected Outcome
For the repo
One install path: Contributors use corepack enable + pnpm install; the only committed lockfile for the CLI is pnpm-lock.yaml (no package-lock.json at the project root).
Reproducible installs: pnpm install --frozen-lockfile in CI matches local installs for the same commit.
Scripts and Docker: pnpm run … and Docker builds that copy pnpm-lock.yaml complete successfully; release asset jobs (Linux/macOS/Windows/Alpine) still produce the same artifacts as before.
For publishing
Registry unchanged: The package still publishes to npm with npm publish / npm view where those are used; end users can still npm install -g @asyncapi/cli. pnpm is for developing this repo, not for replacing the public registry client for consumers.
For CI (fully, once everything is aligned)
PR and release pipelines that run on this repo use pnpm for install and test, and they pass on the same Node version the project expects (e.g. 24 per .nvmrc / engines).
Known gap until upstream changes
If central AsyncAPI workflows still run npm ci and expect package-lock.json, those jobs may fail or stay out of date until asyncapi/.github adds support for pnpm-lock.yaml and pnpm. The “expected outcome” for org-wide PR testing is: either those templates are updated or this repo documents that maintainers must sync central CI with pnpm.
Screenshots
No response
Steps to Reproduce
If the issue is “PR CI still fails after switching to pnpm” (central workflows):
Open the repo: Clone asyncapi/cli on a branch that only has pnpm-lock.yaml (no root package-lock.json).
Go to the failing automation: Open Actions and find a workflow synced from the org template, e.g. “PR testing - if Node project” (if-nodejs-pr-testing.yml).
Perform the action: Open a PR (or push a commit) so that job runs on your branch.
See the result: The job runs npm ci (and/or uses get-node-version-from-package-lock) and fails because there is no package-lock.json / npm lockfile, or Node resolution does not match the new setup.
If the issue is “verify pnpm works locally after migration”:
Open the tool: Terminal on macOS/Linux/WSL (or Windows with Git Bash/PowerShell).
Go to the project: cd into the cli repo root.
Perform the action: Run corepack enable, then pnpm install, then pnpm run build (and optionally pnpm test).
See the result: Install and build complete without requiring npm ci or a root package-lock.json.
Browser/Device
Not applicable — this is Node.js / pnpm / GitHub Actions, not a website or mobile app.
Additional Notes
No response
Check Before Submitting
Would you like to help fix this issue? (Not required, but appreciated!)
Describe the Issue
Summary
The CLI repo was only partly on pnpm (packageManager and many scripts already used pnpm, but package-lock.json was still present and there was no pnpm-lock.yaml). This issue tracks completing the migration: a single lockfile with pnpm, CI/release workflows that install with pnpm, Docker images that build with pnpm, and contributor docs updated accordingly.
Note: PR testing and some other workflows are centrally managed in asyncapi/.github and still assume package-lock.json + npm ci until that repo is updated.
What exactly was done
Lockfiles
Removed root and fixture/template package-lock.json files (root cli/, test/fixtures/minimaltemplate, test/fixtures/newtemplate, assets/create-template/templates/default).
Generated and committed pnpm-lock.yaml via pnpm install.
Node version for CI
Added .nvmrc (24) so workflows no longer depend on get-node-version-from-package-lock where we switched them away from npm’s lockfile.
package.json
Replaced remaining npm run usage in scripts with pnpm run (e.g. prepublishOnly, pretest, test, action:test, api:*).
get-version script now uses node -p "require('./package.json').version".
Added @changesets/cli and @changesets/changelog-git as devDependencies so release/versioning does not rely on an ad hoc npm install in CI.
Docker
Dockerfile, github-action/Dockerfile, src/apps/api/Dockerfile: enable Corepack, pin pnpm 9.15.5, copy pnpm-lock.yaml, use pnpm install / pnpm run; API release image keeps trimming heavy deps (@asyncapi/studio, next) in line with the old npm behavior.
Release-assets Alpine matrix image bumped to node:24-alpine for consistency with Node 24.
GitHub Actions (repo-local workflows only)
upload-release-assets.yml, release-with-changesets.yml: pnpm/action-setup, setup-node with cache: pnpm, pnpm install --frozen-lockfile, pnpm run for build/pack/changesets; npm publish / npm view unchanged for the registry.
bump-homebrew-formula.yml, release-chocolatey.yml: read version with node -p "require('./package.json').version" instead of npm-only helpers.
Docs
README.md, DEVELOPMENT.md, src/apps/api/README.md, default create-template readme.md: contributor/local instructions updated to pnpm (including corepack enable where relevant).
Intentionally unchanged
Centrally managed workflows under .github (e.g. if-nodejs-pr-testing.yml, update-docs-on-docs-commits.yml) still use npm ci / package-lock.json — follow-up belongs in asyncapi/.github.
github-action/entrypoint.sh still uses npm install -g for installing the published package from the npm registry.
.github/workflows/scripts/mailchimp/ left as-is (central copy + package-lock.json)
Expected Outcome
For the repo
One install path: Contributors use corepack enable + pnpm install; the only committed lockfile for the CLI is pnpm-lock.yaml (no package-lock.json at the project root).
Reproducible installs: pnpm install --frozen-lockfile in CI matches local installs for the same commit.
Scripts and Docker: pnpm run … and Docker builds that copy pnpm-lock.yaml complete successfully; release asset jobs (Linux/macOS/Windows/Alpine) still produce the same artifacts as before.
For publishing
Registry unchanged: The package still publishes to npm with npm publish / npm view where those are used; end users can still npm install -g @asyncapi/cli. pnpm is for developing this repo, not for replacing the public registry client for consumers.
For CI (fully, once everything is aligned)
PR and release pipelines that run on this repo use pnpm for install and test, and they pass on the same Node version the project expects (e.g. 24 per .nvmrc / engines).
Known gap until upstream changes
If central AsyncAPI workflows still run npm ci and expect package-lock.json, those jobs may fail or stay out of date until asyncapi/.github adds support for pnpm-lock.yaml and pnpm. The “expected outcome” for org-wide PR testing is: either those templates are updated or this repo documents that maintainers must sync central CI with pnpm.
Screenshots
No response
Steps to Reproduce
If the issue is “PR CI still fails after switching to pnpm” (central workflows):
Open the repo: Clone asyncapi/cli on a branch that only has pnpm-lock.yaml (no root package-lock.json).
Go to the failing automation: Open Actions and find a workflow synced from the org template, e.g. “PR testing - if Node project” (if-nodejs-pr-testing.yml).
Perform the action: Open a PR (or push a commit) so that job runs on your branch.
See the result: The job runs npm ci (and/or uses get-node-version-from-package-lock) and fails because there is no package-lock.json / npm lockfile, or Node resolution does not match the new setup.
If the issue is “verify pnpm works locally after migration”:
Open the tool: Terminal on macOS/Linux/WSL (or Windows with Git Bash/PowerShell).
Go to the project: cd into the cli repo root.
Perform the action: Run corepack enable, then pnpm install, then pnpm run build (and optionally pnpm test).
See the result: Install and build complete without requiring npm ci or a root package-lock.json.
Browser/Device
Not applicable — this is Node.js / pnpm / GitHub Actions, not a website or mobile app.
Additional Notes
No response
Check Before Submitting
Would you like to help fix this issue? (Not required, but appreciated!)