dailydotdev · capJavert · May 15, 2026 · May 14, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,6 +8,13 @@ jobs:
       name: common/node
       tag: "24.14"
     steps:
+      - checkout
+      - run:
+          name: Enable pnpm
+          command: |
+            mkdir -p $HOME/.local/bin
+            corepack enable --install-directory $HOME/.local/bin
+            corepack prepare pnpm@10.33.4 --activate
       - common/setup-node
       - run:
           name: Build
@@ -38,6 +45,13 @@ jobs:
       - image: redis/redis-stack:7.2.0-v13
     parallelism: 6
     steps:
+      - checkout
+      - run:
+          name: Enable pnpm
+          command: |
+            mkdir -p $HOME/.local/bin
+            corepack enable --install-directory $HOME/.local/bin
+            corepack prepare pnpm@10.33.4 --activate
       - common/setup-node
       - common/wait-for:
           protocol: postgresql

diff --git a/.github/workflows/comment-jira-ticket.yml b/.github/workflows/comment-jira-ticket.yml
diff --git a/.infra/package.json b/.infra/package.json
@@ -7,12 +7,12 @@
     "@types/node": "24.x"
   },
   "dependencies": {
-    "@dailydotdev/pulumi-common": "^2.21.0",
-    "@pulumi/gcp": "^9.12.0",
-    "@pulumi/kubernetes": "^4.26.0",
-    "@pulumi/pulumi": "^3.223.0"
+    "@dailydotdev/pulumi-common": "2.21.0",
+    "@pulumi/gcp": "9.12.0",
+    "@pulumi/kubernetes": "4.26.0",
+    "@pulumi/pulumi": "3.223.0"
   },
-  "packageManager": "pnpm@9.14.4+sha256.26a726b633b629a3fabda006f696ae4260954a3632c8054112d7ae89779e5f9a",
+  "packageManager": "pnpm@10.33.4+sha256.8e70ddc6649b18bc3d895cf3a908c0291ea4c38039ad8722c47e018daf1e9cfc",
   "volta": {
     "node": "24.14.0"
   }

diff --git a/.infra/pnpm-lock.yaml b/.infra/pnpm-lock.yaml
diff --git a/.infra/pnpm-workspace.yaml b/.infra/pnpm-workspace.yaml
@@ -0,0 +1,6 @@
+# Delay new package versions for 7 days before pnpm may resolve them.
+minimumReleaseAge: 10080
+# First-party packages are reviewed in-tree and don't need the cooldown.
+minimumReleaseAgeExclude:
+  - "@dailydotdev/pulumi-common"
+blockExoticSubdeps: true
diff --git a/AGENTS.md b/AGENTS.md
@@ -5,7 +5,7 @@ This file provides guidance to coding agents when working with code in this repo
 ## Prerequisites
 
 - **Node.js**: 24.14.0 (managed via Volta)
-- **Package Manager**: pnpm 9.14.4
+- **Package Manager**: pnpm 10.33.4 (activate via `corepack enable && corepack prepare pnpm@10.33.4 --activate`)
 
 ## Essential Commands
 

diff --git a/Dockerfile b/Dockerfile
@@ -11,12 +11,14 @@ RUN chmod 644 /usr/local/share/ca-certificates/*.cer && \
     update-ca-certificates && \
     rm -rf /var/lib/apt/lists/* && \
     npm install -g corepack@0.31.0 && \
+    corepack enable && \
+    corepack prepare pnpm@10.33.4 --activate && \
     mkdir -p /opt/app && \
     chown -R node:node /opt/app
 
 WORKDIR /opt/app
 
-COPY --chown=node:node .npmrc package.json pnpm-lock.yaml ./
+COPY --chown=node:node .npmrc package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY --chown=node:node patches patches
 COPY --chown=node:node queries queries
 COPY --chown=node:node clickhouse/migrations/*.sql clickhouse/migrations/

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -15,11 +15,14 @@ RUN apt-get update \
 RUN mkdir -p /opt/app
 WORKDIR /opt/app
 
-RUN npm install -g corepack@0.31.0
+RUN npm install -g corepack@0.31.0 \
+    && corepack enable \
+    && corepack prepare pnpm@10.33.4 --activate
 
 COPY .npmrc .
 COPY package.json .
 COPY pnpm-lock.yaml .
+COPY pnpm-workspace.yaml .
 COPY patches patches
 COPY queries queries
 COPY geoip geoip

diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ along with other very useful endpoints.
 
 - Node v22 (a `.nvmrc` is presented for [nvm](https://github.com/nvm-sh/nvm) users).
 
-- pnpm for managing dependencies.
+- [pnpm](https://pnpm.io/) 10.33.4 for managing dependencies (pinned via `packageManager` in `package.json`, activate with `corepack enable && corepack prepare pnpm@10.33.4 --activate`).
 
 - Fastify as the web framework
 
@@ -79,6 +79,12 @@ Finally, run `pnpm run dev` to run the service and listen on port `5000`.
 
 Currently, there is no staging environment for Algolia, so there is no search functionality for local development.
 
+## Dependency Supply-Chain Hardening
+
+This repo delays newly published package versions for seven days via `minimumReleaseAge: 10080` in `pnpm-workspace.yaml`, and rejects exotic transitive dependencies (git/tarball URLs) via `blockExoticSubdeps: true`. Both settings are only enforced by pnpm 10+ — keep using the pinned pnpm version from `package.json`.
+
+Keep `pnpm-lock.yaml` committed, use frozen-lockfile installs in CI, and avoid adding git or tarball dependencies unless they are reviewed explicitly. If an urgent dependency update must bypass the cooldown, add a temporary `minimumReleaseAgeExclude` entry in `pnpm-workspace.yaml`, review the package contents/provenance first, and remove the exception after the release ages out.
+
 ## GraphORM
 
 We have an internal solution to tackle the problems we have encountered along the way.