chore: migrate from yarn 1 to pnpm with supply chain hardening#182
Conversation
- Pin packageManager to pnpm@10.23.0 - Migrate resolutions -> pnpm.overrides - Add pnpm-workspace.yaml with minimumReleaseAge (7d) and trustPolicy=no-downgrade - Record husky in ignoredBuiltDependencies (git-hooks only; safe to block in CI) - Add explicit tslib devDep (previously phantom via yarn hoisting) - Update CircleCI: bump to cimg/node:22.14.0, corepack bootstrap, cache pnpm store - Update publish workflow: pnpm/action-setup + pnpm install/build - Update CONTRIBUTING (pnpm) and README (npm install for consumers) - Delete yarn.lock; commit pnpm-lock.yaml (versions preserved via pnpm import) Published package: intentionally no preinstall guard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
The Node 22 container exposes a jest-worker OOM on render.test.ts — that suite instantiates every renderer, and --coverage adds ts-jest instrumentation on top, blowing past Node's default old-space around 2 GB. Bumping to 4 GB fits the worker; scoped to the CI step so it does not affect local runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Avoid constraining consumers to a single package manager. The library is installable identically under any of them; documenting all three removes the mental translation step for yarn/pnpm consumers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Local verificationEvidence from local testing of this branch before opening the PR. Test suite on the branch — 24 suites / 55 tests / 47 snapshots green: Tarball manifest from Consumer install via npm — the branch tarball installed into a scratch project + Consumer install via pnpm — same tarball, same result: Because A note on yarn 1: the same tarball installs fine for consumers on yarn — a smoke-test attempt on my laptop failed for a local-machine reason (unmaintained yarn 1 + corporate SSL proxy + Node 22 don't play well together), not a package or migration issue. The tarball is byte-for-byte the same one npm and pnpm above installed without incident. What CI now covers (for reviewers)The updated CircleCI pipeline (
Between the local checks above (build + tarball + consumer install + CLI runtime) and CI (install + supply-chain enforcement + lint + format + tests), every stage of the release path is covered. |
Corepack accepts a "<manager>@<version>+<algo>.<hash>" form. Without the hash, corepack downloads whatever the registry serves for pnpm@10.23.0; with it, any tarball that does not hash-match is refused. Zero-cost tightening of the supply-chain surface — same version, now cryptographically pinned. Frozen install verified. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>




Why?
yarn 1is unmaintained. Migrating topnpm 10provides a stricter dependency graph (which surfaced a phantom devDep in this repo —tslib) and unlocks pnpm-native supply-chain controls (minimumReleaseAge,trustPolicy: no-downgrade).How?
pnpm importtranslatesyarn.lock→pnpm-lock.yamlverbatim; no version drift.yarn.lockis deleted;packageManager: pnpm@10.23.0+sha512.…pins the manager for corepack with an integrity hash, so any tarball that doesn't hash-match is refused.resolutionsmoves topnpm.overrides.huskygoes toignoredBuiltDependencies— its install script only sets up local git hooks, so blocking it in CI is safe.pnpm-workspace.yamlwithminimumReleaseAge: 10080(refuse to resolve versions less than 7 days old) andtrustPolicy: no-downgrade(refuse a package whose provenance is weaker than what's currently locked).tslibexplicitly. Previously a phantom devDep silently satisfied by yarn 1's flat hoisting;rollup-plugin-typescript2needs it at build time.circleci/node:12.21→cimg/node:22.14.0(pnpm 10+ requires Node 20+; matches.nvmrc), corepack bootstrap (withsudofor the non-root executor), cache key keyed onpnpm-lock.yaml. Also raises Node's old-space size to 4 GB fortest:ci— Node 22's stricter heap accounting exposed an OOM on the coverage-instrumentedrender.test.tsworker that Node 12 tolerated.pnpm/action-setup@v4.1.0(SHA-pinned) and swapyarn install/yarn buildfor the pnpm equivalents. All existing hardening (SHA-pinned actions,persist-credentials: false, env-routed${{ }}, explicitpermissions:) preserved.CONTRIBUTING.mdmoves contributors to pnpm (contributors work inside this repo, where pnpm is enforced).README.md's consumer-install snippet lists npm, yarn, and pnpm side by side — this is a published library, and we deliberately don't want to constrain consuming apps to any one package manager. Every JS package manager reads the samepackage.json, so the installed result is identical regardless of which command a consumer runs; documenting all three removes the mental translation step and avoids implying an opinion we don't have.Contributor-flow change: local git hooks (via husky) no longer install automatically on
pnpm install— a contributor who wants them runspnpm rebuild huskyonce. This is deliberate: the alternative (addinghuskytoonlyBuiltDependencies) executes its install script on every install, including in CI where hooks are meaningless.Generated with Claude Code