chore: upgrade pnpm 10 to 11 and enable frozenLockfile#1185
chore: upgrade pnpm 10 to 11 and enable frozenLockfile#1185james-elicx wants to merge 2 commits into
Conversation
- Bump packageManager from pnpm@10.32.1 to pnpm@11.1.1 - Migrate .npmrc settings to pnpm-workspace.yaml (pnpm 11 only reads auth/registry from .npmrc) - auto-install-peers=false -> autoInstallPeers: false - Remove playground save-exact=true (minor pnpm add preference, not needed for builds) - Convert onlyBuiltDependencies list to allowBuilds map (pnpm 11 format) - Add frozenLockfile: true and preferFrozenLockfile: true - Delete .npmrc files (contained no auth settings)
commit: |
|
james-elicx
force-pushed
the
chore/pnpm-11-frozen-lockfile
branch
3 times, most recently
from
3dcb1e1 to
77827e0
Compare
james-elicx
force-pushed
the
chore/pnpm-11-frozen-lockfile
branch
from
77827e0 to
da8bfdd
Compare
|
/bigbonk review |
![ask-bonk[bot]](https://avatars.githubusercontent.com/in/2454580?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review
Clean migration. The .npmrc → pnpm-workspace.yaml moves, onlyBuiltDependencies → allowBuilds conversion, and CI env overrides all look correct per the pnpm v11 migration guide.
One question
minimumReleaseAgeExclude removal — The PR removes all five exclusions (@vitejs/plugin-rsc, react-server-dom-webpack, react-dom, react, next) without replacement. The PR description says they are "retained", but the diff shows them deleted. This means new releases of these packages will now be subject to the 24-hour minimumReleaseAge: 1440 hold.
Is this intentional? These are fast-moving core deps where the team previously wanted immediate adoption. If you still want that behavior, add the list back:
minimumReleaseAgeExclude:
- "@vitejs/plugin-rsc"
- react-server-dom-webpack
- react-dom
- react
- nextThe setting is still supported in pnpm 11, so this isn't a migration requirement — it looks like an accidental deletion in the second commit ("fix: handle pnpm 11 strictDepBuilds, preserve autoInstallPeers, remove minimumReleaseAgeExclude"). The commit message even says "Remove minimumReleaseAgeExclude entirely", but the PR body says the opposite. One of these is wrong.
Everything else LGTM
autoInstallPeers: falsecorrectly preserves the.npmrcbehavior.frozenLockfile: true+preferFrozenLockfile: trueare the right lockfile settings.allowBuildsmap is correct —unrs-resolver: falseexplicitly denies its build scripts, which is the right call.pnpm_config_strict_dep_builds: "false"on the two create-next-app CI steps is the correct fix — the scaffolded project is outside the workspace so ourallowBuildsconfig doesn't apply, and pnpm 11's defaultstrictDepBuilds: truewould abort on unreviewed build scripts from CNA's deps.- Both
.npmrcdeletions are safe (no auth settings).
|
Review posted on PR #1185. Summary: The pnpm 10 → 11 migration is clean and mechanically correct. The one issue I flagged is a contradiction between the PR description (which says the |
james-elicx
force-pushed
the
chore/pnpm-11-frozen-lockfile
branch
from
da8bfdd to
149ee89
Compare
…e minimumReleaseAgeExclude - Add unrs-resolver: false to allowBuilds (reviewed, deny build scripts) - Keep autoInstallPeers: false to match existing lockfile - Remove minimumReleaseAgeExclude entirely - Pre-seed pnpm-workspace.yaml with allowBuilds in the scaffolded create-next-app directory so pnpm 11 doesn't abort on unreviewed build scripts (sharp, unrs-resolver)
james-elicx
force-pushed
the
chore/pnpm-11-frozen-lockfile
branch
from
149ee89 to
267cd55
Compare
1 participant
Summary
packageManagerfrompnpm@10.32.1topnpm@11.1.1frozenLockfile: trueandpreferFrozenLockfile: trueinpnpm-workspace.yaml.npmrcsettings moved topnpm-workspace.yaml,onlyBuiltDependenciesconverted toallowBuildsChanges
pnpm 11 migration
Per the pnpm v10 → v11 migration guide, pnpm 11 only reads auth/registry settings from
.npmrc. All other settings must live inpnpm-workspace.yaml..npmrc/ pnpm 10)pnpm-workspace.yaml/ pnpm 11)auto-install-peers=falsein root.npmrcautoInstallPeers: falsesave-exact=truein playground.npmrcpnpm addpreference, not needed for builds)onlyBuiltDependencieslistallowBuildsmap ({ name: true })Both
.npmrcfiles are deleted since they contained no auth settings.Lockfile enforcement
frozenLockfile: true— prevents lockfile modifications during install. Fails if lockfile is out of sync. This was already the default in CI (viaci-infodetection), but is now explicit and applies everywhere. Developers updating deps should use--no-frozen-lockfile.preferFrozenLockfile: true— when the lockfile satisfiespackage.json, performs a headless install (skips dependency resolution entirely). Faster installs when nothing changed.minimumReleaseAgeExcludeAll five exclusions (
@vitejs/plugin-rsc,react-server-dom-webpack,react-dom,react,next) are retained. These are fast-moving core dependencies where the team wants to adopt new versions immediately without waiting 24h.Verification
vp install --no-frozen-lockfilecompleted successfully with pnpm 11.1.1vp checkpassed (format, lint, type checks)