Update root workspace to pnpm 11

package.json

@@ -49,7 +49,7 @@
 		"checks:fix": "fluid-build --task checks:fix",
 		"ci:build": "fluid-build --task ci:build",
 		"ci:build:docs": "fluid-build --task ci:build:docs",
-		"ci:check:are-the-types-wrong": "pnpm run -r --parallel --no-bail --color check:are-the-types-wrong",
+		"ci:check:are-the-types-wrong": "pnpm run -r --parallel --no-bail --color=always check:are-the-types-wrong",
 		"ci:test:jest": "npm run test:jest:report",
 		"ci:test:jest:coverage": "c8 --no-clean npm run test:jest:report",
 		"ci:test:mocha": "npm run test:mocha",
@@ -190,10 +190,9 @@
 		"type-fest": "^2.19.0",
 		"typescript": "~5.4.5"
 	},
-	"packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+	"packageManager": "pnpm@11.1.3+sha512.c85357fe17ca12dd23dd7071822666dfd7e3cb76fe214e3370b5ea2fb34f2a231185509b63e717f3cd0acb38dd3f8d82bcd5e8172400ae678b70ea4fbed0896d",
 	"engines": {
-		"node": ">=22.22.2",
-		"pnpm": "10"
+		"node": ">=22.22.2"
 	},
 	"fluidBuild": {
 		"tasks": {
@@ -349,43 +348,5 @@
 				"script": false
 			}
 		}
-	},
-	"pnpm": {
-		"peerDependencyComments": [
-			"The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876",
-			"@types/node is ignored because it is usually not needed by packages, and if it is, then the package will hit a compilation failure.",
-			"Peer dependencies on fluid-framework are never fulfilled since that's an in-repo dependency; we expect a customer using some packages to install it as a dependency.",
-			"markdown-magic is provided by another dependency so is ignored here.",
-			"oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer dependencies."
-		],
-		"peerDependencyRules": {
-			"allowedVersions": {
-				"react": "18.3.1",
-				"react-dom": "18.3.1"
-			},
-			"ignoreMissing": [
-				"@types/node",
-				"fluid-framework",
-				"markdown-magic",
-				"@aws-sdk/*"
-			]
-		},
-		"patchedDependencies": {
-			"@microsoft/api-extractor@7.58.1": "patches/@microsoft__api-extractor@7.58.1.patch"
-		},
-		"onlyBuiltDependencies": [
-			"@azure/msal-node-extensions",
-			"@azure/msal-node-runtime",
-			"@biomejs/biome",
-			"@parcel/watcher",
-			"@vvago/vale",
-			"classic-level",
-			"core-js",
-			"esbuild",
-			"keytar",
-			"msgpackr-extract",
-			"puppeteer",
-			"unrs-resolver"
-		]
 	}
 }

packages/test/test-version-utils/compat-workspaces/full/package.json

@@ -10,7 +10,12 @@
   },
   "license": "MIT",
   "author": "Microsoft and contributors",
-  "scripts": {
-    "preinstall": "node ../scripts/only-pnpm.cjs"
-  }
+    "scripts": {
+    "preinstall": "node ../../../../../scripts/only-pnpm.cjs"
+  },
+	"packageManager": "pnpm@11.1.3+sha512.c85357fe17ca12dd23dd7071822666dfd7e3cb76fe214e3370b5ea2fb34f2a231185509b63e717f3cd0acb38dd3f8d82bcd5e8172400ae678b70ea4fbed0896d",
+	"engines": {
+		"node": ">=22.22.2",
+		"pnpm": "11"
+	}
 }

packages/test/test-version-utils/package.json

@@ -43,7 +43,7 @@
 		"eslint:fix": "eslint --quiet --format stylish src --fix --fix-type problem,suggestion,layout",
 		"format": "npm run format:biome",
 		"format:biome": "biome check . --write",
-		"postinstall": "pnpm --dir compat-workspaces/full install --frozen-lockfile",
+		"postinstall": "pnpm --dir compat-workspaces/full install --frozen-lockfile --config.confirmModulesPurge=false",
 		"lint": "fluid-build . --task lint",
 		"lint:fix": "fluid-build . --task eslint:fix --task format",
 		"test": "npm run test:mocha",

pnpm-workspace.yaml

@@ -25,16 +25,21 @@ packages:
 
 # Supply chain security settings - see /DEV.md for documentation
 minimumReleaseAge: 1440
+
 minimumReleaseAgeExclude: [
   # Temporary exceptions go here as needed.
 ]
+
 resolutionMode: highest
+
 blockExoticSubdeps: true
+
 # See: https://github.com/orgs/pnpm/discussions/11084 for some discussion.
 # Enabling no-downgrade requires every transitive trust-policy violation to either be remediated
 # at the source or excluded below with a documented rationale. Run `flub check trustPolicy` to
 # surface current violations.
 trustPolicy: no-downgrade
+
 trustPolicyExclude:
   # axios@0.30.3 is the last legitimate 0.30.x release (published 2026-02-18). The trust
   # downgrade fires because 0.30.x was published via direct CLI rather than the OIDC/GitHub
@@ -67,13 +72,16 @@ trustPolicyExclude:
   # current 7.x line publishes through the npm-cli OIDC/Actions pipeline. The 5.x/6.x
   # lines will not be retroactively re-published with provenance. Pulled in by widely-
   # used legacy tooling that pins ^5 / ^6.
-  - "semver@5.7.2"
-  - "semver@6.3.1"
+  # Note: multiple versions of the same package must be combined with "||" — pnpm's
+  # trust-policy evaluator returns on the first name match and does not aggregate
+  # subsequent entries for the same package.
+  - "semver@5.7.2||6.3.1"
   # undici-types@6.21.0 (published 2024-11-13, by matteo.collina) — pipeline regression.
   # Prior trusted: undici-types@6.19.2 (provenance, 2024-06-18, by matteo.collina).
   # Same publisher (undici project lead). Type-only package (.d.ts shipped from undici
   # repo); provenance attestation was lost on a subsequent 6.x release.
   - "undici-types@6.21.0"
+
 strictDepBuilds: true
 
 catalogs:
@@ -93,82 +101,127 @@ catalogs:
 
 overrides:
   # biome is overridden to make review of the upgrade easier. This can be removed once merged.
-  "@biomejs/biome": "~2.4.5"
-
+  "@biomejs/biome": ~2.4.5
   # node types are forced to a consistent version to avoid conflicts between globals.
-  "@types/node": "catalog:types"
-
-  # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in
-  # their major range so they are bumped to the nearest patched major.
-  "diff@>=3 <4": "^4.0.4"
-  "diff@>=5 <6": "^5.2.2"
-  "diff@>=7 <8": "^8.0.3"
-  "diff@>=8 <9": "^8.0.3"
-
-  # fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity
-  # expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
-  "fast-xml-parser": "^4.5.4"
-
-  # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.
-  "node-forge": "^1.4.0"
-
-  # nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do
-  # not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105
-  # for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not
-  # being there.
-  "good-fences>nodegit": "npm:empty-npm-package@1.0.0"
-
-  # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
-  "qs": "^6.15.0"
-
-  # simple-git: overridden to ^3.32.3 to resolve a CG alert.
-  "simple-git": "^3.32.3"
-
-  # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.
-  "systeminformation": "^5.31.0"
-
-  # codemirror and marked overrides are because simplemde uses * versions, and the fully up to date versions of its
-  # deps do not work. packageExtensions was tried to fix this, but did not work.
-  "simplemde>codemirror": "^5.65.11"
-  "simplemde>marked": "^4.3.0"
-
-  # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it
-  # forces a version that meets peer dependency requirements is installed.
-  "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4"
-
-  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce
-  # lockfile churn since the deps release very frequently.
-  "oclif>@aws-sdk/client-cloudfront": "-"
-  "oclif>@aws-sdk/client-s3": "-"
-
-  # axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't
-  # enough on a pre-1.0 package.
-  "axios@<0.30.0": "^0.30.0"
-
-  # tar: Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+  "@types/node": catalog:types
+  # diff is overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x
+  # have no fix in their major range so they are bumped to the nearest patched major.
+  diff@>=3 <4: ^4.0.4
+  diff@>=5 <6: ^5.2.2
+  diff@>=7 <8: ^8.0.3
+  diff@>=8 <9: ^8.0.3
+  # fast-xml-parser is overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass,
+  # DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.
+  fast-xml-parser: ^4.5.4
+  # node-forge is overridden to ^1.4.0 to resolve known security vulnerabilities.
+  node-forge: ^1.4.0
+  # nodegit is replaced with an empty package here because it's currently only used by good-fences for
+  # features we do not need, and has issues building when changing node versions.
+  # See https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely
+  # drop it results in build failures complaining about nodegit not being there.
+  good-fences>nodegit: npm:empty-npm-package@1.0.0
+  # qs is overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+  qs: ^6.15.0
+  # overridden to resolve a CG alert.
+  simple-git: ^3.32.3
+  # overridden to resolve command injection vulnerabilities.
+  systeminformation: ^5.31.0
+  # codemirror and marked overrides are because simplemde uses * versions, and the fully up-to-date
+  # versions of its deps do not work. packageExtensions was tried to fix this, but did not work.
+  simplemde>codemirror: ^5.65.11
+  simplemde>marked: ^4.3.0
+  # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation,
+  # so overriding it forces a version that meets peer dependency requirements to be installed.
+  "@fluentui/react-positioning>@floating-ui/dom": ~1.5.4
+  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies.
+  # This helps reduce lockfile churn since the deps release very frequently.
+  oclif>@aws-sdk/client-cloudfront: "-"
+  oclif>@aws-sdk/client-s3: "-"
+  # axios pre-1.0 needs an override to stay current on a version with no reported CVEs.
+  # Caret dependencies aren't enough on a pre-1.0 package.
+  axios@<0.30.0: ^0.30.0
+  # Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
   # GHSA-34x7-hfp2-rc4v).
-  "tar": "^7.5.11"
-
+  tar: ^7.5.11
   # minimatch: overridden to patched versions to resolve a known security vulnerability.
-  "minimatch@>=3 <4": "^3.1.5"
-  "minimatch@>=5 <6": "^5.1.9"
-  "minimatch@>=6 <7": "^6.2.3"
-  "minimatch@>=7 <8": "^7.4.9"
-  "minimatch@>=8 <9": "^8.0.7"
-  "minimatch@>=9 <10": "^9.0.9"
-  "minimatch@>=10 <11": "^10.2.4"
-
-  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible
-  # (only drops Node <20 support).
-  "serialize-javascript@>=6 <7": "^7.0.4"
-
-  # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
-  "express@>=4 <5": "^4.22.1"
-
-  # picomatch: overridden to patched versions to resolve a known security vulnerability.
-  "picomatch@>=2 <3": "^2.3.2"
-  "picomatch@>=4 <5": "^4.0.4"
-
-  # langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the
-  # override is needed to cross the minor version boundary.
-  "langsmith": "^0.5.15"
+  minimatch@>=3 <4: ^3.1.5
+  minimatch@>=5 <6: ^5.1.9
+  minimatch@>=6 <7: ^6.2.3
+  minimatch@>=7 <8: ^7.4.9
+  minimatch@>=8 <9: ^8.0.7
+  minimatch@>=9 <10: ^9.0.9
+  minimatch@>=10 <11: ^10.2.4
+
+  # serialize-javascript is overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq.
+  # No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).
+  serialize-javascript@>=6 <7: ^7.0.4
+  # express is overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
+  express@>=4 <5: ^4.22.1
+  # picomatch is overridden to patched versions to resolve a known security vulnerability.
+  picomatch@>=2 <3: ^2.3.2
+  picomatch@>=4 <5: ^4.0.4
+  # langsmith is overridden to ^0.5.15 to resolve a known security vulnerability.
+  # The consumer declares ^0.3.x so the override is needed to cross the minor version boundary.
+  langsmith: ^0.5.15
+
+peerDependencyRules:
+  # The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't
+  # seem to be maintained and it works fine with React 18. TODO: AB#18876
+  allowedVersions:
+    react: 18.3.1
+    react-dom: 18.3.1
+  ignoreMissing:
+    # @types/node is ignored because it is usually not needed by packages, and if it is, then the
+    # package will hit a compilation failure.
+    - '@types/node'
+    # Peer dependencies on fluid-framework are never fulfilled since that's an in-repo dependency;
+    # we expect a customer using some packages to install it as a dependency.
+    - fluid-framework
+    # markdown-magic is provided by another dependency so is ignored here.
+    - markdown-magic
+    # oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer
+    # dependencies.
+    - '@aws-sdk/*'
+
+patchedDependencies:
+  '@microsoft/api-extractor@7.58.1': patches/@microsoft__api-extractor@7.58.1.patch
+
+engineStrict: true
+
+frozenLockfile: true
+
+strictPeerDependencies: true
+
+linkWorkspacePackages: true
+
+# Disable pnpm update notifications since we use corepack to install package managers
+updateNotifier: false
+
+# Use the number of cores on the machine by default.
+workspaceConcurrency: 0
+
+# pnpm 11 enabled this check by default, which runs a frozen-lockfile install before every `pnpm run <script>`.
+# That breaks CI flows that modifies versions via `flub bump` then runs script like `pnpm run format`.
+# We may want to enable this in the future, but doing so requires changes to the pipelines, so we restore the pnpm 10 defaults for now.
+verifyDepsBeforeRun: false
+
+# Hoist these dependencies to the root workspace
+publicHoistPattern:
+  - '@arethetypeswrong/cli'
+  # ['*eslint*', '*prettier*'] is the default, so we add those as well
+  - '*eslint*'
+  - '*prettier*'
+
+allowBuilds:
+  '@azure/msal-node-extensions': true
+  '@azure/msal-node-runtime': true
+  '@biomejs/biome': true
+  '@parcel/watcher': true
+  '@vvago/vale': true
+  classic-level: true
+  core-js: true
+  esbuild: true
+  keytar: true
+  msgpackr-extract: true
+  puppeteer: true
+  unrs-resolver: true

scripts/only-pnpm.cjs

@@ -21,7 +21,7 @@ const message = `
 ╚══════════════════════════════════════════════════════════════════╝
 `;
 
-const used_pnpm = process.env.npm_config_user_agent.startsWith(`pnpm`);
+const used_pnpm = (process.env.npm_execpath ?? "").includes(`pnpm`);
 
 if (!used_pnpm) {
 	console.error(message);