chore: update pnpm to 11

[zzjiaxiang]

pnpm

Summary by CodeRabbit

版本更新说明

• 其他更新
  • 将构建 CI 中使用的 Node.js 版本从 20 升级至 24，并更新相关构建动作到新版
  • 将 pnpm 升级至 11.1.2，并移除以前固定的 pnpm 版本配置
  • 清理根目录 npm 配置（移除若干 .npmrc 设置）
  • 新增并统一项目级 pnpm 工作区配置以规范包管理与构建允许列表

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 14dfc412-8343-40cc-b3c3-dcf2a56316c6

📥 Commits

Reviewing files that changed from the base of the PR and between 189a738 and f7abde2.

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

📝 Walkthrough

Walkthrough

将 CI 的 Node.js 从 20 升级到 24，更新 GitHub Actions 版本，移除 .npmrc 中的旧 pnpm/npm 配置并新增 pnpm-workspace.yaml，同时将 package.json 的 packageManager 升级到 pnpm@11.1.2。

变更

工具链与依赖升级

Layer / File(s)	Summary
工作区配置与版本 package.json, pnpm-workspace.yaml	packageManager 更新为 pnpm@11.1.2；新增 pnpm-workspace.yaml，包含 nodeOptions、publicHoistPattern（仅 @types*）、autoInstallPeers: false、以及 allowBuilds 白名单。
NPM 配置迁移 .npmrc	清空 .npmrc 中的 node-options、public-hoist-pattern[] 和 auto-install-peers 设置（仅保留注释/头部）。
CI 与 Node.js 版本更新 .github/workflows/build.yml	CI job matrix 和 actions/setup-node 的 node-version 改为 24；actions/checkout、pnpm/action-setup、actions/setup-node 升级为 v6；移除 pnpm/action-setup 中显式的 pnpm version 字段。

评审工作量估算

🎯 3 (Moderate) | ⏱️ ~20 minutes

诗

🐰 换壳跳级去奔忙，
Node 二四光华彰，
pnpm 新约入工作场，
旧 .npmrc 轻轻藏，
构建流转更从容。

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective of the pull request - updating pnpm to version 11, which is the primary change evident in package.json, pnpm-workspace.yaml, and the GitHub Actions workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build.yml (1)

11-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

升级 pnpm/action-setup 至 v6 并同步版本管理。

Line 11/21 升级到 Node 22 后，workflow 仍在使用已弃用的 pnpm/action-setup@v2 并固定 pnpm 10.13.1。官方明确警告 v2 已停止支持较新 Node 版本，建议升级到最新版本。同时，这个配置与 package.json 中的 pnpm@11.0.9 不一致，增加 CI 失败和锁文件行为不一致的风险。

建议修复

-      - uses: pnpm/action-setup@v2
-        with:
-          version: 10.13.1
+      - uses: pnpm/action-setup@v6

升级到 v6 后，action 会自动读取 package.json 中的 packageManager 字段，无需显式指定版本。

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 11 - 22, 将 workflow 中已弃用的
pnpm/action-setup@v2 升级为 pnpm/action-setup@v6，并移除硬编码的 with: version: 10.13.1
配置以便 action 自动读取 package.json 的 packageManager 字段（确保与 package.json 中的
pnpm@11.0.9 保持一致）；保留 actions/setup-node@v4 的 node-version: 22 和 pnpm 缓存设置（cache:
'pnpm'），以保证 Node 版本与缓存策略不变并避免 CI 与锁文件不一致的问题。

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 11-22: 将 workflow 中已弃用的 pnpm/action-setup@v2 升级为
pnpm/action-setup@v6，并移除硬编码的 with: version: 10.13.1 配置以便 action 自动读取
package.json 的 packageManager 字段（确保与 package.json 中的 pnpm@11.0.9 保持一致）；保留
actions/setup-node@v4 的 node-version: 22 和 pnpm 缓存设置（cache: 'pnpm'），以保证 Node
版本与缓存策略不变并避免 CI 与锁文件不一致的问题。

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7a123278-cfdf-4290-831e-727a333e9fb7

📥 Commits

Reviewing files that changed from the base of the PR and between d1f558d and 996af09.

📒 Files selected for processing (4)

• .github/workflows/build.yml
• .npmrc
• package.json
• pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• .npmrc

[gemini-code-assist]

Code Review

This pull request updates the project to pnpm 11.0.9 and migrates configuration settings from .npmrc to a new pnpm-workspace.yaml file. Feedback identifies that the packages field is missing, which is required for workspace functionality, and recommends using onlyBuiltDependencies instead of allowBuilds for better compatibility with the new pnpm version.

[gemini-code-assist]

The pnpm-workspace.yaml file is missing the packages field. In a pnpm workspace, this field is required to define the directories that contain your workspace members (e.g., packages/*). Without it, pnpm will not correctly identify the sub-packages in this monorepo, which will break the workspace functionality.

packages:
  - 'packages/*'
nodeOptions: --max_old_space_size=8192

[gemini-code-assist]

While allowBuilds might be supported in some versions of pnpm, onlyBuiltDependencies is the officially documented field in pnpm 10 and 11 for controlling which dependencies are allowed to run build scripts. It is recommended to use the standard array format for better compatibility and adherence to the official documentation.

onlyBuiltDependencies:
  - '@parcel/watcher'
  - '@swc/core'
  - 'core-js'
  - 'core-js-pure'
  - 'esbuild'
  - 'less'
  - 'yorkie'

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 16: The workflow currently uses the action identifier
pnpm/action-setup@v6 which can rely on packageManager in package.json and is
known to be unreliable; update the GitHub Actions step that uses
pnpm/action-setup@v6 to explicitly pass a fixed pnpm version (e.g., 11.0.9) via
the action's "with: version" input so the action always installs the pinned pnpm
release and avoids CI flakiness.
- Around line 15-17: 工作流中升级到
actions/checkout@v6、pnpm/action-setup@v6、actions/setup-node@v6
引入若干破坏性/行为变更：检查是否在自托管 Docker 运行器上使用 actions/checkout@v6 并在必要时确保 Actions Runner
>= v2.329.0; 如果 repository 的 package.json 使用 "packageManager" 字段以控制 pnpm
版本，锁定或升级 pnpm/action-setup@v6 到包含 PR#230 之后修复的子版本以避免 packageManager 选择 bug; 对于
actions/setup-node@v6，若工作流依赖 yarn 或 pnpm 的自动缓存，显式添加 cache 输入或设置
package-manager-cache 为 yarn/pnpm（否则默认仅自动缓存 npm）。

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8e92df15-2886-4038-96fe-541c84779048

📥 Commits

Reviewing files that changed from the base of the PR and between 423b673 and 189a738.

📒 Files selected for processing (1)

• .github/workflows/build.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/checkout v6 release and breaking changes

💡 Result:

actions/checkout v6 release & breaking changes (as of 2026-05-10) Release timing - The latest v6 release is v6.0.2 dated 2026-01-09. [1] - The major v6.0.0 release notes are described in the repo changelog under “v6.0.0”. [2] Breaking change / behavioral change (most important) - Credential persistence security change: when using the default persist-credentials behavior, v6 improves security by storing Git credentials in a separate file under $RUNNER_TEMP instead of directly in.git/config. [3] - Workflow impact: the action’s docs state there are “No workflow changes required” for normal git fetch/push usage because git fetch/push continue to work automatically. [3] - Self-hosted/Docker runner requirement: if you run authenticated git commands from a Docker container action, the docs state you need Actions Runner v2.329.0 or later (because the credentials are now read from their new location). [3] Related v6.x updates (not major-breaking, but relevant) - v6.0.1: adds “worktree support for persist-credentials includeIf”. [4][5] - v6.0.2: fixes “tag handling” (preserve annotations and explicit fetch-tags). [4][6] Source-backed summary for upgrading v5 -> v6 - Upgrade is typically safe for standard workflows; the key functional difference is the location of persisted credentials when persist-credentials is enabled. [3] - If you have self-hosted runners (especially with Docker container actions) you may need to update the runner version to at least v2.329.0. [3]

Citations:

• 1: https://github.com/actions/checkout
• 2: https://github.com/actions/checkout/blob/main/CHANGELOG.md
• 3: actions/checkout@8e8c483
• 4: https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md
• 5: https://github.com/actions/checkout/releases/tag/v6.0.1
• 6: actions/checkout@0c366fd

---

🌐 Web query:

pnpm/action-setup v6 release and breaking changes

💡 Result:

Summary (pnpm/action-setup v6) 1) v6 release / timeline - The latest v6 release at the time of research is v6.0.6 (published 2026-05-08). Its only listed change is a fix for the bin_dest output pointing to the self-updated pnpm rather than the bootstrap pnpm. [1] 2) Breaking-change themes / what to watch when upgrading to v6 A) pnpm version selection can be impacted (packageManager/devEngines.packageManager) - Reports indicate that v6 (at least v6.0.2–v6.0.3) did not correctly respect the pnpm version specified in a package.json when using package_json_file (and similarly for devEngines.packageManager). [2] - A related issue describes that v6 can “ignore the version specified in the packageManager field” of package.json compared to v5 output/behavior. [3] - A later merged fix explains the root cause: pnpm self-update installed the requested binary into PNPM_HOME/bin/pnpm, but PATH precedence made the bootstrap binary at PNPM_HOME/pnpm shadow the self-updated one; the fix was to adjust PATH ordering so PNPM_HOME/bin takes precedence (and to parse an explicit target version from packageManager: "pnpm@..." for pnpm self-update). [4] B) PATH / runner environment handling changed to support self-hosted & Windows - The v6.0.4 release includes a change to “use npm co-located with the action node binary”, by prepending the action’s node directory to PATH so that npm’s #!/usr/bin/env node shebang resolves on runners where node isn’t already on PATH (notably self-hosted/GHE). [5] C) Install command error handling expectations may differ (run_install) - An issue reports that when run_install is configured with multiple install targets, a failed pnpm install does not stop subsequent run_install commands; the action marks failure via core.setFailed(...) and continues the loop. [6] D) Practical outcome in docs - The action’s README/usage examples for v6 show the version input as optional when the repository package.json has a packageManager field, but “otherwise, this field is required” (i.e., for repos that do not specify a packageManager). This is the expected contract users should rely on—but the issues above show that some early v6 builds had bugs around honoring that contract. [7] 3) Concrete upgrade guidance - If your workflow relies on pnpm version from package.json packageManager (or devEngines.packageManager) via package_json_file and you were on early v6 versions (e.g., v6.0.2/v6.0.3), ensure you’re using a v6 build that includes the PATH/self-update fix (merged in PR #230, later reflected in subsequent v6 releases). [2][4] - If you use run_install with multiple commands and want fail-fast semantics, be aware that the action has been reported to continue running after a failed install. [6] If you tell me your exact pinned action version (e.g., pnpm/action-setup@v6.0.2) and how you specify the pnpm version (explicit version: input vs packageManager in package.json), I can map the likely impact and recommended minimum v6 version more precisely from the release sequence.

Citations:

• 1: https://github.com/pnpm/action-setup/releases/tag/v6.0.6
• 2: action-setup@v6 does not install pnpm version specified in package_json_file pnpm/action-setup#227
• 3: action-setup should print the version of pnpm that it picked pnpm/action-setup#238
• 4: fix: pnpm self-update binary shadowed by bootstrap on PATH pnpm/action-setup#230
• 5: https://github.com/pnpm/action-setup/releases/tag/v6.0.4
• 6: run_install continues after a failed install command pnpm/action-setup#235
• 7: https://github.com/pnpm/action-setup

---

🌐 Web query:

actions/setup-node v6 release and breaking changes

💡 Result:

actions/setup-node v6.0.0 was released on 2025-10-14, and the key v6 breaking change called out in that release is limiting automatic dependency caching to npm only (disabling auto-caching for other package managers unless configured explicitly). [1] 1) Release: v6.0.0 - v6.0.0 release tag: published 2025-10-14. [1] 2) Breaking changes (v6) - Automatic caching behavior changed: “Limit automatic caching to npm” (Breaking Changes) in v6.0.0. [1] - More specifically, the change restricts automatic caching to npm (detected from package.json via packageManager/devEngines.packageManager) and for Yarn/pnpm caching is disabled by default and must be enabled via the action’s cache input. [2][3] - This behavior is controlled by the input package-manager-cache (defaults to true): to disable automatic npm caching, set package-manager-cache: false. [3] Related v6-era behavioral change (not labeled breaking, but relevant to migration) - The action also supports reading packageManager from node-version-file: PR #1399 “Use node-version-file when available for packageManager” (i.e., it can load packageManager from the file specified by node-version-file). [4] 3) Other v6 release-line notes (non-breaking highlights) - v6.1.0 (published 2025-12-03) includes “Remove always-auth configuration handling”. [5] - v6.3.0 (published 2026-03-04) includes “Support parsing devEngines field” and prefers devEngines.runtime over engines.node when using node-version-file: package.json. [6] If you want, paste your current setup-node step (and whether you use yarn/pnpm, and whether you set cache or package-manager-cache). I can tell you exactly what to change for v6 based on these documented behaviors.

Citations:

• 1: https://github.com/actions/setup-node/releases/tag/v6.0.0
• 2: actions/setup-node@2028fbc
• 3: https://github.com/actions/setup-node/
• 4: Use node-version-file when available for packageManager (fixes #1398) actions/setup-node#1399
• 5: https://github.com/actions/setup-node/releases/tag/v6.1.0
• 6: https://github.com/actions/setup-node/releases/tag/v6.3.0

---

检查 GitHub Actions v6 版本升级的重大变更配置。

工作流升级到多个 v6 版本存在重大变更需要确认：

• actions/checkout@v6：Git 凭证存储位置已更改（安全改进）。在标准用法中无需工作流变更，但自托管 Docker 运行器需要 Actions Runner v2.329.0 或更高版本。

• pnpm/action-setup@v6：早期版本（v6.0.2–v6.0.3）存在 packageManager 字段版本选择的 bug，已在后续版本修复。如果 package.json 中指定了 packageManager 字段来控制 pnpm 版本，请确保使用包含路径/自更新修复的 v6 版本（PR #230 之后）。

• actions/setup-node@v6：破坏性变更——自动缓存现在仅限 npm，yarn/pnpm 的自动缓存默认禁用。如果工作流依赖 yarn 或 pnpm 自动缓存，需要显式配置 cache 输入或设置 package-manager-cache。

请确认工作流是否使用 yarn/pnpm 缓存，如果使用需要添加显式配置。

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 15 - 17, 工作流中升级到
actions/checkout@v6、pnpm/action-setup@v6、actions/setup-node@v6
引入若干破坏性/行为变更：检查是否在自托管 Docker 运行器上使用 actions/checkout@v6 并在必要时确保 Actions Runner
>= v2.329.0; 如果 repository 的 package.json 使用 "packageManager" 字段以控制 pnpm
版本，锁定或升级 pnpm/action-setup@v6 到包含 PR#230 之后修复的子版本以避免 packageManager 选择 bug; 对于
actions/setup-node@v6，若工作流依赖 yarn 或 pnpm 的自动缓存，显式添加 cache 输入或设置
package-manager-cache 为 yarn/pnpm（否则默认仅自动缓存 npm）。

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

pnpm 11.0.9 release notes and breaking changes

💡 Result:

pnpm 11.0.9 is a patch release with no breaking changes. It includes the following fixes under Patch Changes [1]: - Fixed installation of GitLab-hosted dependencies by downloading tarballs from the correct URL instead of the API endpoint that caused 406 errors and invalid module specifiers #11533 [1]. - Honor NPM_CONFIG_USERCONFIG (and npm_config_userconfig) as a low-priority fallback for locating user-level.npmrc, restoring compatibility with actions/setup-node in GitHub Actions #11539 [1]. - Fix pnpm pack not bundling dependencies listed in bundleDependencies (or bundledDependencies) due to npm-packlist API changes #11519 [1]. - Fixed CLI crash on unsupported Node.js versions (now requires Node.js v22.13+), showing a clear error instead of SyntaxError #11546 [1]. Breaking changes apply to the pnpm 11.0 major release, not this patch [2][3]: - Requires Node.js 22+ (drops 18-21) [2]. - Distributed as pure ESM; standalone exe requires glibc 2.27+ [2]. -.npmrc now only for auth/registry; other settings moved to pnpm-workspace.yaml [2][3]. - Native publish, no npm fallback; removed several npm passthrough commands [2]. - Global installs isolated in virtual store [2]. - Other config migrations like allowBuilds replacing old build settings, no npm_config_* env vars, etc. [3].

Citations:

• 1: https://github.com/pnpm/pnpm/releases/tag/v11.0.9
• 2: https://pnpm.io/blog/releases/11.0
• 3: https://pnpm.io/migration

---

🌐 Web query:

pnpm action-setup v6 packageManager field support

💡 Result:

pnpm/action-setup@v6 supports reading the pnpm version from the packageManager field in package.json, but there are open v6 issues indicating it may not reliably respect that field when using the package_json_file input. 1) Documented support for packageManager field (when package_json_file is used) - The action documentation states that the version input is optional when there is a packageManager field in the package.json. It also states that you can “omit version input to use the version in the packageManager field in the package.json.” [1][2] - The documented input package_json_file is “File path to the package.json/package.yaml to read ‘packageManager’ configuration.” [1][3] 2) Reported behavior in v6: packageManager may be ignored (open issues) - Issue #227 reports: “When specifying package_json_file and that package.json file has a packageManager field … the v6 release does not load the specified version.” The issue includes a workaround: pass version explicitly to the action. [4] - Issue #225 similarly reports that v6 does not take the requested pnpm version into account. [5] 3) What this means for you (practical guidance) - If you rely on automatic pnpm version selection from package.json’s packageManager field via package_json_file, v6 may not consistently work as expected (per the open issues above). [4][5] - To be safe/explicit in CI today, pass the desired pnpm version via the action’s with: version input, instead of relying on packageManager auto-detection. The workaround is explicitly called out in the v6 issue report. [4] Example (safe / explicit) - uses: pnpm/action-setup@v6 with: version: 10.28.1 # set explicitly Example (auto, as documented but reported as unreliable in v6) - uses: pnpm/action-setup@v6 with: package_json_file: path/to/package.json

Citations:

• 1: https://github.com/pnpm/action-setup?tab=readme-ov-file
• 2: https://github.com/marketplace/actions/setup-pnpm
• 3: https://github.com/pnpm/action-setup/tree/master
• 4: action-setup@v6 does not install pnpm version specified in package_json_file pnpm/action-setup#227
• 5: action-setup@v6 does not take the requested pnpm version into account pnpm/action-setup#225

---

为 pnpm/action-setup@v6 明确指定版本。

pnpm/action-setup@v6 存在已知问题（#227、#225），当依赖 package.json 中的 packageManager 字段来隐式指定版本时，不能可靠地加载该版本。建议显式指定版本以避免 CI 中出现不可预测的行为：

- uses: pnpm/action-setup@v6
  with:
    version: '11.0.9'

pnpm 11.0.9 是有效的发布版本，在该补丁级别内无重大变更。

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 16, The workflow currently uses the
action identifier pnpm/action-setup@v6 which can rely on packageManager in
package.json and is known to be unreliable; update the GitHub Actions step that
uses pnpm/action-setup@v6 to explicitly pass a fixed pnpm version (e.g., 11.0.9)
via the action's "with: version" input so the action always installs the pinned
pnpm release and avoids CI flakiness.