chore: upgrade pnpm to v11 and add minimumReleaseAge

[HugoRCD]

Summary

Two related changes to harden the supply chain and modernize the package manager setup.

1. Upgrade pnpm to v11

• Bump packageManager to pnpm@11.1.3
• Drop pinned version: 10.33.4 from pnpm/action-setup workflows — the action now reads packageManager from package.json (single source of truth)
• Migrate onlyBuiltDependencies + ignoredBuiltDependencies → unified allowBuilds map (required in v11)
• Move overrides from package.json → pnpm-workspace.yaml (the pnpm field in package.json is no longer recognized in v11)
• Move shamefullyHoist, strictPeerDependencies from .npmrc → pnpm-workspace.yaml (in v11, .npmrc only holds auth/registry)
• Delete .npmrc (now empty)

2. Add minimumReleaseAge to harden supply chain

Sets a 2-day minimum age (2880 minutes) before any newly published dependency can resolve. Mitigates compromised-package attacks where a malicious version is pushed and pulled into installs within hours.

Trusted-source allowlist exempts the Nuxt and Vercel ecosystems:

• @nuxt/*, @nuxtjs/*, nuxt, nuxt-*
• @vercel/*, @ai-sdk/*, ai

Test plan

• pnpm install resolves cleanly with v11 (lockfile already verified via --lockfile-only, 1975 entries pass supply-chain policies)
• CI passes: ci.yml, autofix.yml
• Module dev workflow still works (pnpm dev:prepare)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt-mcp-toolkit-docs	Ready	Preview, Comment	May 21, 2026 11:42am

[github-actions]

Thank you for following the naming conventions! 🙏

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxtjs/mcp-toolkit@265

commit: 7035c26