chore: migrate from npm to pnpm 10#232
Merged
Merged
Conversation
- Drop package-lock.json, add pnpm-lock.yaml - Set packageManager: pnpm@10.33.4 and matching devEngines (onFail: warn — pnpm v10 still shells to npm for some subcommands like `pnpm version` and `pnpm config`, so error would trip CI; warn keeps the visible signal without blocking) - engines.node stays at >=20 so consumers on Node 20+ are unaffected; pnpm v10 is the right choice given that constraint (pnpm v11 requires Node 22+) - Add pnpm-workspace.yaml with minimumReleaseAge: 1440 (24-hour quarantine on new package versions; excludes our own scopes) and onlyBuiltDependencies for @napi-rs/keyring (native postinstall that the keychain feature depends on) - Replace `npm run` in scripts with `pnpm run`; same for `npm version` and `npm publish` in release.yml - Update CI workflows (ci, conformance, e2e-windows, release): - actions/setup-node@v6 with cache: npm → just node setup - npm ci → apify/workflows/pnpm-install@v0.41.1 - npm run X → pnpm run X - release.yml: bump-pre-release uses pnpm version; publish uses pnpm publish --no-git-checks (CI controls the git side separately) - `git add package-lock.json` → `git add pnpm-lock.yaml` in the release-commit step devEngines is only enforced at this repo's root, never on transitive installs, so consumers of @apify/mcpc are unaffected.
B4nan
force-pushed
the
chore/migrate-to-pnpm
branch
from
4c2d8e6 to
8674c89
Compare
4 tasks
jancurn
pushed a commit
that referenced
this pull request
May 11, 2026
Refs #232 - Replace npm with pnpm across dev setup, testing, and release sections - Add a short note on the 24h minimumReleaseAge supply-chain quarantine so contributors aren't surprised when a fresh dependency bump waits - Fix stale references: keytar → @napi-rs/keyring, and the outdated `mcpc <url> session @name` CLI syntax in the session-lifecycle example - Trim the architecture overview section: the protocol/IPC/lifecycle detail duplicated CLAUDE.md and was already rotting. Replaced with a high-level module map plus a pointer to CLAUDE.md for the deep dive.
jancurn
added a commit
that referenced
this pull request
May 11, 2026
…tion (#233) * docs: update CLAUDE.md and CHANGELOG for pnpm migration Refs #232 - Replace npm with pnpm in CLAUDE.md dev/release workflow snippets (install, build, test, link, lint, format, release). - Add a Security entry to CHANGELOG noting the 24-hour package quarantine (`minimumReleaseAge: 1440`) introduced with the pnpm migration to reduce supply-chain attack risk. * docs: shorten changelog entry for pnpm migration * docs: update CONTRIBUTING.md for pnpm and trim duplicated architecture Refs #232 - Replace npm with pnpm across dev setup, testing, and release sections - Add a short note on the 24h minimumReleaseAge supply-chain quarantine so contributors aren't surprised when a fresh dependency bump waits - Fix stale references: keytar → @napi-rs/keyring, and the outdated `mcpc <url> session @name` CLI syntax in the session-lifecycle example - Trim the architecture overview section: the protocol/IPC/lifecycle detail duplicated CLAUDE.md and was already rotting. Replaced with a high-level module map plus a pointer to CLAUDE.md for the deep dive. --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes
package-lock.json, addpnpm-lock.yaml.packageManager: pnpm@10.33.4and matchingdevEngines.packageManagerwithonFail: warn. pnpm v10 still shells to npm for some subcommands (pnpm version,pnpm config), soerrorwould trip CI;warnkeeps the visible signal without blocking.engines.nodestays at>=20— pnpm v10 is the right fit (pnpm v11 requires Node 22+, which would break consumers on Node 20).pnpm-workspace.yamlwith:minimumReleaseAge: 1440(24-hour quarantine; excludes for our own scopes)onlyBuiltDependencies: ["@napi-rs/keyring"]so the keychain native binding gets built on installnpm runinscriptswithpnpm run. Same fornpm versionandnpm publishin the release workflow.ci,conformance,e2e-windows,release):actions/setup-node@v6(dropcache: npm)npm ci→apify/workflows/pnpm-install@v0.41.1npm run X→pnpm run Xrelease.yml: pre-release/release bumps usepnpm version; publish usespnpm publish --no-git-checks(CI controls the git side separately).git add package-lock.json→git add pnpm-lock.yamlin the release-commit step.devEnginesis only enforced at this repo's root, never on transitive installs, so consumers of@apify/mcpcare unaffected.Why pnpm v10 not v11
engines.node: ">=20". pnpm v11 requires Node 22+, so going to v11 would force consumers off Node 20 (which is still LTS). v10 keeps the supported Node matrix unchanged.