chore(deps): migrate to pnpm 11#2
Merged
Merged
Conversation
- Remove `pnpm.onlyBuiltDependencies` from package.json (removed in pnpm 11) - Create pnpm-workspace.yaml with `allowBuilds` map (esbuild, lefthook) - Bump packageManager to pnpm@11.1.3 - Bump engines.pnpm to >=11.0.0 Removes the pnpm 10 pin that was a tactical measure during the Node 22 engine bump. Reference: https://pnpm.io/migration Dev-only; published package surface unchanged.
Snyk's pnpm plugin sees pnpm-workspace.yaml (added in the prior commit for pnpm 11 migration) and treats the repo as a monorepo, erroring with SNYK-CLI-0000: Both `pnpm-lock.yaml` and `pnpm-workspace.yaml` were found in /github/workspace. Please run your command again specifying `--all-projects` flag. The previous workflow was masking this failure via the `if: hashFiles` guard on the upload step — the job reported green even though Snyk never actually scanned. With --all-projects, Snyk runs cleanly and produces a real SARIF.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes the pnpm 10 pin and migrates to pnpm 11 by moving the build-script allowlist from
package.jsontopnpm-workspace.yamlper https://pnpm.io/migration.Why
pnpm.onlyBuiltDependencies(and the rest of that family) was removed in pnpm 11 and replaced withallowBuildsinpnpm-workspace.yaml. The pnpm 10 pin shipped with the Node 22 bump was a tactical measure to defer this migration; this PR finishes it.Changes
pnpm-workspace.yamlat repo root withallowBuilds: { esbuild: true, lefthook: true }package.json: removedpnpm.onlyBuiltDependencies; bumpedpackageManagertopnpm@11.1.3; bumpedengines.pnpmto>=11.0.0Verification
pnpm typecheck && pnpm lint && pnpm test && pnpm build— green (497 unit tests)Breaking changes
None for consumers. Maintainers will need pnpm 11 to develop against this repo (corepack reads
packageManagerautomatically;corepack enable && corepack prepare pnpm@11 --activate).Related
Parallel PRs landing the same migration:
fhir-resource-difffhir-capability-analyzerTest plan
🤖 Generated with Claude Code