chore: update pnpm and add pacquet to config deps#11765
Merged
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📜 Recent review details⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
🔇 Additional comments (1)
📝 WalkthroughWalkthroughBumps pnpm to 11.2.2, pins Changespnpm Upgrade and CI Workflow Alignment
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the repo to pnpm 11.2.0 and switches CI/workspace configuration to use pacquet via configDependencies, so pnpm install can delegate the materialization phase to pacquet.
Changes:
- Add
@pnpm/pacquettoconfigDependenciesinpnpm-workspace.yaml. - Update
packageManager/lockfile to pnpm 11.2.0 and include pacquet + its platform packages inpnpm-lock.yaml. - Simplify CI workflows by removing the explicit
pacquet installstep and lettingpnpm/setupperform installation.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds configDependencies entry to enable pacquet-backed installs. |
| pnpm-lock.yaml | Bumps pnpm to 11.2.0 and records pacquet/config dependency resolutions. |
| package.json | Updates packageManager and devEngines.packageManager to 11.2.0. |
| .github/workflows/test.yml | Removes manual pacquet install and relies on pnpm/setup install. |
| .github/workflows/ci.yml | Removes manual pacquet install and relies on pnpm/setup install. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 61: Update the packageManager entries in package.json from the
non-existent "pnpm@11.2.0" to a valid released version (e.g., "pnpm@11.1.3");
locate the "packageManager" key(s) in the file and replace their values with
"pnpm@11.1.3" (or the intended officially released pnpm version) so the manifest
points to a published pnpm release.
In `@pnpm-workspace.yaml`:
- Around line 331-332: The configDependencies entry for '`@pnpm/pacquet`' uses an
unquoted, non-existent version token; update the value for the
configDependencies key by verifying and pinning the correct published version of
'`@pnpm/pacquet`' and write it as a quoted YAML string (e.g., "'0.2.2-10'" or the
correct version like "'0.2.3'") ensuring the identifier '`@pnpm/pacquet`' stays
unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: de392f36-8148-4225-b03c-a2a5feb51595
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (4)
.github/workflows/ci.yml.github/workflows/test.ymlpackage.jsonpnpm-workspace.yaml
💤 Files with no reviewable changes (2)
- .github/workflows/ci.yml
- .github/workflows/test.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Agent
- GitHub Check: Run benchmark on ubuntu-latest
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.
Applied to files:
package.json
Contributor
Integrated-Benchmark Report (Linux)Scenario: Frozen Lockfile
BENCHMARK_REPORT.json{
"results": [
{
"command": "pacquet@HEAD",
"mean": 2.5293496174800003,
"stddev": 0.10022818245735587,
"median": 2.5188660278799997,
"user": 2.7523333199999995,
"system": 3.77741798,
"min": 2.35853072538,
"max": 2.74069718638,
"times": [
2.50858347538,
2.5489786293799996,
2.52914858038,
2.49612385838,
2.74069718638,
2.56909552938,
2.35853072538,
2.47886622438,
2.60420696338,
2.45926500238
]
},
{
"command": "pacquet@main",
"mean": 2.4189599801799995,
"stddev": 0.0724097192453061,
"median": 2.3922381473799996,
"user": 2.7874781199999994,
"system": 3.7601714799999995,
"min": 2.33344565038,
"max": 2.53201358838,
"times": [
2.35348095638,
2.53201358838,
2.40777447338,
2.3640270973799997,
2.50911655138,
2.3767018213799997,
2.37453794838,
2.43238062938,
2.50612108538,
2.33344565038
]
},
{
"command": "pnpm",
"mean": 4.85474403148,
"stddev": 0.06208705430566961,
"median": 4.8486917383799994,
"user": 8.13281162,
"system": 4.28850718,
"min": 4.78032800938,
"max": 4.99025597038,
"times": [
4.90491047738,
4.87482250138,
4.81023728838,
4.99025597038,
4.78032800938,
4.84848422138,
4.84889925538,
4.82161703738,
4.79003836538,
4.87784718838
]
}
]
}Scenario: Frozen Lockfile (Hot Cache)
BENCHMARK_REPORT.json{
"results": [
{
"command": "pacquet@HEAD",
"mean": 0.68233866148,
"stddev": 0.030908578016133448,
"median": 0.67389796048,
"user": 0.38173996000000004,
"system": 1.5693598999999998,
"min": 0.66427176898,
"max": 0.76899517698,
"times": [
0.76899517698,
0.67380027798,
0.66967974198,
0.67896000798,
0.66433604798,
0.66427176898,
0.67734026098,
0.67399564298,
0.67293903898,
0.67906864998
]
},
{
"command": "pacquet@main",
"mean": 0.69049136178,
"stddev": 0.029883126554707335,
"median": 0.67144513398,
"user": 0.37168256,
"system": 1.578293,
"min": 0.66272072398,
"max": 0.73314334798,
"times": [
0.72537203598,
0.66272072398,
0.70879934598,
0.66837980298,
0.67451046498,
0.66774051298,
0.73314334798,
0.72983901698,
0.66733210198,
0.66707626398
]
},
{
"command": "pnpm",
"mean": 2.66712493548,
"stddev": 0.08329856809134902,
"median": 2.6544773044800003,
"user": 3.21079966,
"system": 2.2852465000000004,
"min": 2.53273849498,
"max": 2.79370306798,
"times": [
2.74563789798,
2.70232576698,
2.75486421698,
2.79370306798,
2.65319643198,
2.53273849498,
2.56958868698,
2.65363014498,
2.61024018198,
2.65532446398
]
}
]
} |
3 tasks
coderabbitai
Bot
added
the
area: supply chain security
2 tasks
zkochan
added a commit
that referenced
this pull request
May 21, 2026
When the install engine is delegated to pacquet via configDependencies, pnpm hard-coded the args to `install --frozen-lockfile --reporter=ndjson` and silently dropped the user's other CLI flags. `pnpm install --no-runtime` therefore still installed the workspace's runtime devDependency, clobbering the Node version the surrounding tooling had set up — visible as the `Verify Node version` failure on PR #11765 where setup-pnpm provisions Node 24.0.0 but pacquet then materializes node 24.6.0. Pacquet's `install` subcommand already mirrors pnpm's surface for the common flags (`--no-runtime`, `--prod`, `--dev`, `--no-optional`, `--node-linker`, `--offline`, `--prefer-offline`, `--cpu`/`--os`/`--libc`). Forward the user's argv verbatim when the command is `install`/`i`; `add`/`update`/`dedupe` still don't forward — their flag surfaces don't line up with pacquet's `install`.
zkochan
added a commit
that referenced
this pull request
May 21, 2026
…1781) * fix(installing.commands): forward `pnpm install` flags to pacquet When the install engine is delegated to pacquet via configDependencies, pnpm hard-coded the args to `install --frozen-lockfile --reporter=ndjson` and silently dropped the user's other CLI flags. `pnpm install --no-runtime` therefore still installed the workspace's runtime devDependency, clobbering the Node version the surrounding tooling had set up — visible as the `Verify Node version` failure on PR #11765 where setup-pnpm provisions Node 24.0.0 but pacquet then materializes node 24.6.0. Pacquet's `install` subcommand already mirrors pnpm's surface for the common flags (`--no-runtime`, `--prod`, `--dev`, `--no-optional`, `--node-linker`, `--offline`, `--prefer-offline`, `--cpu`/`--os`/`--libc`). Forward the user's argv verbatim when the command is `install`/`i`; `add`/`update`/`dedupe` still don't forward — their flag surfaces don't line up with pacquet's `install`. * fix(installing.commands): pass --ignore-manifest-check to pacquet `pnpm up` / `add` / `remove` were aborting with `pacquet_package_manager::outdated_lockfile` whenever pacquet was declared in `configDependencies`. After resolving and writing the updated lockfile, pnpm hands materialization off to pacquet but hasn't yet written the post-mutation `package.json` — that write happens after `mutateModules` returns. Pacquet's frozen-lockfile freshness gate then saw the new lockfile paired with the pre-mutation manifest and refused to install. Pass pacquet's new `--ignore-manifest-check` flag (pacquet PR #11811) on every delegation. The flag is narrow: it only skips `satisfies_package_manifest`. Settings drift like `overrides` is still enforced, and pnpm already re-validated the lockfile before delegating, so re-checking the manifest here was redundant work that only ever fired false positives on the mutate-then-materialize path. Requires a pacquet release that ships the flag; bump `PACQUET_VERSION` in `pnpm/test/install/pacquet.ts` once it does, or the existing e2e tests will fail against pacquet 0.2.2-9 (which doesn't recognize the flag and clap would reject). Closes #11797. --- Written by an agent (Claude Code, claude-opus-4-7). * fix: update pacquet in tests * fix(installing.commands): strip positionals + always-injected flags when forwarding to pacquet `collectForwardedFlags` checked `argv[0] === 'install'` to find the command token to strip. Any global flag the user typed before `install` (e.g. `--config.registry=...` in the e2e test) shifted the token out of position, so the function returned the full argv and pacquet saw `install` twice — `error: unexpected argument 'install' found`. Use the parsed argv that `@pnpm/cli.parse-cli-args` already produced: `remain` lists positionals (the `install`/`i` token and nothing else on this code path, since `isInstallCommand` is only true when no package params are present), and `original` preserves the user's exact tokens. Drop positionals + the flags we always inject (`--reporter=ndjson`, `--frozen-lockfile`, `--ignore-manifest-check`) so clap doesn't reject duplicates either. `original` over `cooked` deliberately: nopt's `cooked` splits `--key=value` into two tokens, which would break pacquet's `--config.<key>=<value>` parser (it requires the `=` form). * fix(installing.commands): make argv.cooked/remain optional on InstallCommandOptions Widening these to required broke test fixtures elsewhere (publish/pack/ deprecate/dist-tag/deploy) that construct minimal `argv: { original }` options for code paths that never reach pacquet. Only the pacquet delegation actually reads `remain`, so make the two new fields optional on the shared options type and supply a default at the runPacquet call site. The runtime path through main.ts already populates all three. * fix(installing.commands): strip any user-supplied --reporter when forwarding to pacquet Pacquet's `--reporter` is a clap value option with last-value-wins semantics, so `pnpm install --reporter=silent` (or `--reporter silent` two-token form) reached pacquet and overrode the `--reporter=ndjson` pnpm injects, breaking the NDJSON-to- streamParser plumbing the default reporter depends on. The previous filter only matched the exact `--reporter=ndjson` token. Walk argv with a lookahead so both `--reporter=<value>` and `--reporter <value>` are dropped without consuming an adjacent flag. * fix(installing.commands): drop negated/value forms of always-injected flags `collectForwardedFlags` only matched the exact positive tokens `--frozen-lockfile` and `--ignore-manifest-check`, so a user typing `pnpm install --no-frozen-lockfile` (or `--frozen-lockfile=false`) forwarded the negation to pacquet, which then saw both our injected `--frozen-lockfile` and the user's `--no-frozen-lockfile` and crashed clap with "unexpected argument". Match every shape the user can write the same flag in: positive, `--no-` negated, and any `=value` form. Can't blindly strip `--no-` either way — pacquet has flags whose literal name starts with `no-` (`--no-runtime`, `--no-optional`); those must still forward. The user's `--no-frozen-lockfile` intent is honored upstream — pnpm did a fresh resolve before delegating; pacquet's role here is just lockfile-driven materialization, which is always frozen. * fix(installing.commands): match positionals by index, hide reporter from dropped-flags warning `collectForwardedFlags` matched positionals via `new Set(argv.remain)`, which strips by value: a flag value that happened to equal a positional token (e.g. `pnpm install --node-linker install`) was wrongly dropped from the forwarded list, costing pacquet the value of `--node-linker`. Walk `argv.original` with a subsequence pointer into `argv.remain` so only the actual positional indexes get skipped. `collectDroppedFlags` still surfaced `--reporter foo` / `--reporter=foo` in the "may not be honored" warning on `add`/`update`/`dedupe`, but pnpm honors reporter selection itself before delegation — so the warning was misleading. Route both helpers through the same `isAlwaysInjected` check and consume `--reporter` and its value the same way `collectForwardedFlags` already does.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit