
refactor(many): upgrade to pnpm 11 #2588

Open
matyasf wants to merge 1 commit into master from upgrade_pnpm



@matyasf matyasf commented Jun 11, 2026

Collaborator

Also do not allow some dependencies to run scripts for better security. Some dependencies needed to be added because pnpm now has a more strict peer dependency resolution.

pnpm 11 has lots of good new features:

  • it disables dependencies running scripts by default; we are manually allowing them in pnpm-workspace.yml. Please only add new entries here if you have checked that it's needed and safe (Claude can do this)
  • by default it will only install dependencies that are more than 1 day old. This gives npmjs.org some time to detect and take down malicious packages
  • it seems to have a stricter package resolution, not allowing bleeding through packages

INSTUI-5064

@matyasf matyasf self-assigned this Jun 11, 2026
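
The review the description asks for before allowing a dependency to run scripts can be made repeatable. The following is an added example, not code from this PR or from pnpm: given parsed package.json manifests and a reviewed allowlist, it reports which packages declare install-time hooks and whether each is approved, blocked, or allowlisted without need. The function names and the sample package names are assumptions made for illustration.

```javascript
// Added example: compare dependencies that declare install-time scripts
// with a reviewed allowlist. All package names below are constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks a parsed package.json actually declares.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
  );
}

// manifests: parsed package.json objects; allowlist: names approved to run scripts.
function auditBuildScripts(manifests, allowlist) {
  const allowed = new Set(allowlist);
  const seen = new Set();
  const report = { blocked: [], approved: [], stale: [] };
  for (const m of manifests) {
    const hooks = installHooks(m);
    if (hooks.length === 0) continue; // nothing would run at install time
    seen.add(m.name);
    const entry = { name: m.name, version: m.version, hooks };
    (allowed.has(m.name) ? report.approved : report.blocked).push(entry);
  }
  // Allowlisted names that no installed package needs should be removed,
  // so the name is not pre-approved if it reappears later.
  report.stale = allowlist.filter((n) => !seen.has(n));
  return report;
}

// Constructed sample input (not taken from the PR).
const sampleManifests = [
  { name: "native-addon-example", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  { name: "pure-js-example", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "unreviewed-example", version: "0.3.1", scripts: { postinstall: "node setup.js", preinstall: "" } },
];
const sampleAllowlist = ["native-addon-example", "removed-long-ago-example"];

const report = auditBuildScripts(sampleManifests, sampleAllowlist);
console.log(JSON.stringify(report, null, 2));
```

Entries under `blocked` are the ones to read by hand before allowing them; entries under `stale` can be dropped from the allowlist.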

github-actions Bot commented Jun 11, 2026

PR Preview Action v1.8.1


🚀 View preview at
https://instructure.design/pr-preview/pr-2588/

Built to branch gh-pages at 2026-06-11 20:43 UTC.
Preview will be ready when the GitHub Pages deployment is complete.


github-actions Bot commented Jun 11, 2026


Visual regression report

No changes.

Status Count
Unchanged 32
Changed 0
New 0
Removed 0

📊 View full report

Baselines come from the visual-baselines branch. They refresh on every merge to master.

github-actions Bot pushed a commit that referenced this pull request Jun 11, 2026
also do not allow some dependencies to run scripts for better security.
Some dependencies needed to be added because pnpm now has a more
strict peer dependency resolution.

INSTUI-5064
Comment on lines +116 to +127
"@babel/runtime": "^7.29.2",
"@babel/standalone": "^7.29.3",
"codesandbox": "^2.2.3",
"lorem-ipsum": "^3.0.0",
"marked-react": "^4.0.0",
"moment": "^2.30.1",
"react": "18.3.1",
"react-dom": "18.3.1",
"uuid": "^14.0.0",
"webpack-merge": "^6.0.1"
"webpack-merge": "^6.0.1",
"hoist-non-react-statics": "^3.3.2",
"buffer": "^6.0.3"
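Review bot: The two entries after `webpack-merge` at the end of this block, `hoist-non-react-statics` and `buffer`, are appended out of order while every entry above them is sorted alphabetically; move `buffer` ahead of `codesandbox` and `hoist-non-react-statics` ahead of `lorem-ipsum` so later diffs to this list stay small. Since both are new direct dependencies with caret ranges, it would also help to name in the PR description which source files import them, so a reviewer can confirm each one is needed rather than added only to satisfy the resolver.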

@matyasf matyasf Jun 11, 2026

Collaborator Author

I needed to add lots of dependencies because in earlier versions pnpm read these if they were in the root node_modules folder; now they need to be added explicitly. This also uncovered some bugs, e.g. babel runtime not added everywhere.

Comment thread package.json
Comment on lines -53 to -60
"pnpm": {
"overrides": {
"react": "18.3.1",
"react-dom": "18.3.1",
"@types/react": "18.3.26",
"git-raw-commits>dargs": "7.0.0"
}
},
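Review bot: The `overrides` block deleted here carried four pins, and the nested selector `git-raw-commits>dargs` is the easiest one to lose in a move; check that all four exist in the new location with the same versions (`18.3.1`, `18.3.1`, `18.3.26`, `7.0.0`). Stating in the commit message where they went would keep this deletion from `package.json` from being read as dropping the pins.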

Collaborator Author

This is now in pnpm-workspace.yaml
