
chore(CI): Using pnpm 11. #3385

Merged: RobinTail merged 8 commits into master from use-pnpm11-b on May 11, 2026

Conversation

RobinTail (Owner) commented May 10, 2026

instead of #3375

  • Node.js 22+ required — support for Node 18, 19, 20, and 21 is dropped, pnpm itself is now pure ESM, and the standalone exe requires glibc 2.27.
  • Supply-chain protection on by default — minimumReleaseAge defaults to 1 day (newly published packages are not resolved for 24h) and blockExoticSubdeps defaults to true.
  • Native publish flow — pnpm publish, login, logout, view, deprecate, unpublish, dist-tag, and version no longer delegate to the npm CLI, and the remaining npm passthrough commands now throw "not implemented".

Summary by CodeRabbit

  • Chores
    • Updated repository package manager declaration to pnpm v11 to align tooling with current releases and integrity metadata.
    • Switched CI release workflow to use pnpm-based versioning, adjusted tag and pre-release handling, and added an explicit push step to publish commits and tags.
    • Bumped express-zod-api package version to 28.0.1-beta.0.


RobinTail added the dependencies and CI/CD labels on May 10, 2026
coderabbitai Bot (Contributor) commented May 10, 2026

Note: Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Updates root package.json to declare pnpm@11.0.9 (integrity updated), replaces a bumpp-based bump step with pnpm -F <workspace> version (mapping flags and conditional --preid beta) in .github/workflows/bump.yml, adds git push --follow-tags, simplifies publish invocation, and bumps express-zod-api to 28.0.1-beta.0.

Changes

Package manager + Release Workflow (layer, file(s), summary):

  • Configuration Update, package.json: the packageManager field is updated to pnpm@11.0.9+sha512... (integrity hash updated).
  • Workflow: remove fetch-depth, .github/workflows/bump.yml: removes the actions/checkout fetch-depth: 0 configuration.
  • Workflow: remove old bump step, .github/workflows/bump.yml: removes the previous pnpm dlx bumpp@10 bump invocation.
  • Workflow: pnpm version step, .github/workflows/bump.yml: adds pnpm -F <workspace> version ${{ inputs.kind }} with conditional --preid beta, --tag-version-prefix, and --message flags.
  • Workflow: push tags/commits, .github/workflows/bump.yml: adds a step to push commits and tags via git push --follow-tags.
  • Workflow: publish invocation, .github/workflows/npm-publish.yml: replaces pnpm -F <workspace> exec pnpm publish ... with pnpm -F <workspace> publish --provenance --tag ${{ inputs.tag }}.
  • Package version, express-zod-api/package.json: bumps version from 28.0.0 to 28.0.1-beta.0.

Sequence Diagram(s)

sequenceDiagram
  participant ActionsRunner
  participant pnpm
  participant Git
  ActionsRunner->>pnpm: run "pnpm -F <workspace> version <kind> [--preid beta]"
  pnpm->>Git: create commit and tag
  ActionsRunner->>Git: run "git push --follow-tags"
  Git->>ActionsRunner: push result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Suggested labels

breaking

Poem

🐰 A tiny hop, a bump, a tune,
pnpm climbed up to eleven soon.
Workflows swapped a command so sly,
Tags and messages now fly by.
The rabbit cheers — release, oh my! 🎉

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title directly addresses the main change: updating pnpm from version 10 to version 11 in CI configuration, which is the primary focus of the PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coveralls-official Bot commented May 10, 2026

Coverage Status: Coverage is 100.0% for use-pnpm11-b into master. No base build found for master.

pullfrog Bot (Contributor) left a comment

No new issues found.

TL;DR — Bumps the root packageManager field from pnpm@10.33.4 to pnpm@11.0.9. CI is green across the full Node matrix and the bump propagates to all workflows automatically.

Key changes

  • Bump packageManager to pnpm@11.0.9 — Single-line change in root package.json; the SHA-512 integrity matches the published artifact and Node >=22.13 requirement is already satisfied by engines.node.

Summary | 1 file | 1 commit | base: master | use-pnpm11-b


pnpm 11 propagates without workflow edits

Before: Root pinned to pnpm@10.33.4; CI implicitly resolved the same version via pnpm/action-setup@v6 reading packageManager.
After: Root pinned to pnpm@11.0.9; the same action-setup@v6 mechanism picks up v11 with no workflow change.

Despite the chore(CI) prefix, no .github/workflows/*.yml file needs to be touched — every job uses pnpm/action-setup@v6 without a version: input, so they all read the root packageManager field. The matrix builds (Node 22.19.0, 22.x, 24.0.0, 24.x, 26.0.0, 26.x) and the publish, dependencies, headers, and bump workflows all consume the new pin transparently.

(file: package.json)


v11 default flips landed cleanly

Before: v10 defaults — strictDepBuilds: false, blockExoticSubdeps: false, minimumReleaseAgeStrict: false (even with minimumReleaseAge set).
After: v11 defaults — all three flip to true, with the last being implicit whenever minimumReleaseAge is configured.

The PR description already calls out the supply-chain default tightening, and the existing overrides for @scarf/scarf and lightningcss plus the curated minimumReleaseAgeExclude list were sufficient — pnpm install in CI did not require any new entries in allowBuilds or trigger an ERR_PNPM_IGNORED_BUILDS. Worth keeping in mind for future PRs: a freshly published transitive that isn't in minimumReleaseAgeExclude and isn't yet 48h old will now hard-fail resolution under v11 where v10 would have fallen back silently.

(file: pnpm-workspace.yaml)

Pullfrog | View workflow run | Using Claude Opus
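The release-age gating the review above describes, as an added example that is neither pnpm's code nor this project's: a simplified JavaScript model of minimumReleaseAge, minimumReleaseAgeExclude and the v10/v11 minimumReleaseAgeStrict default, run over constructed publish dates for a hypothetical package. The minute unit and the exact-version fallback are assumptions about pnpm's behaviour, not taken from the page.

```javascript
// Added example, not pnpm's own code: a simplified model of the minimumReleaseAge,
// minimumReleaseAgeExclude and minimumReleaseAgeStrict behaviour discussed above.
// Assumed: minimumReleaseAge is in minutes, versions are plain x.y.z, caller supplies "now".
const MINUTE_MS = 60 * 1000;

// v10 left the strict flag off; v11 turns it on whenever a release age is set
// (per the review above), unless the config sets it explicitly.
function effectiveStrict(config, pnpmMajor) {
  if (typeof config.minimumReleaseAgeStrict === "boolean") return config.minimumReleaseAgeStrict;
  return pnpmMajor >= 11 && (config.minimumReleaseAge || 0) > 0;
}

// Numeric compare of x.y.z strings; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Versions published at least minimumReleaseAge ago, newest first.
// Packages listed in minimumReleaseAgeExclude skip the age check entirely.
function eligibleVersions(name, publishTimes, config, now) {
  const excluded = (config.minimumReleaseAgeExclude || []).includes(name);
  const minAge = (config.minimumReleaseAge || 0) * MINUTE_MS;
  return Object.keys(publishTimes)
    .filter((v) => excluded || now - Date.parse(publishTimes[v]) >= minAge)
    .sort((a, b) => compareVersions(b, a));
}

// Resolve an exact requested version (or "latest") under the policy.
// Non-strict: silently fall back to the newest old-enough version (the v10 behaviour).
// Strict: refuse, which is the hard failure the v11 defaults produce.
function resolveVersion(name, wanted, publishTimes, config, pnpmMajor, now) {
  const eligible = eligibleVersions(name, publishTimes, config, now);
  if (eligible.length === 0) throw new Error(`${name}: no version old enough to resolve`);
  if (wanted === "latest") return eligible[0];
  if (!(wanted in publishTimes)) throw new Error(`${name}@${wanted} does not exist`);
  if (eligible.includes(wanted)) return wanted;
  if (effectiveStrict(config, pnpmMajor)) {
    throw new Error(`${name}@${wanted} is younger than minimumReleaseAge (strict)`);
  }
  return eligible[0];
}

// Constructed sample data: three releases of a hypothetical package and a 48h policy.
const SAMPLE_TIMES = { "1.0.0": "2026-05-01T00:00:00Z", "1.1.0": "2026-05-07T00:00:00Z",
                       "1.2.0": "2026-05-10T06:00:00Z" };
const SAMPLE_CONFIG = { minimumReleaseAge: 2880, minimumReleaseAgeExclude: [] };
const NOW = Date.parse("2026-05-10T12:00:00Z");
```

In this model a request for the 6-hour-old 1.2.0 quietly resolves to 1.1.0 under pnpm 10 but fails under pnpm 11, and only listing the package in minimumReleaseAgeExclude lets 1.2.0 through.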

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/bump.yml (1)

38-38: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update or remove stale comment.

The comment references "bumpp internally" but this workflow no longer uses bumpp—it now uses pnpm's native version command. Either update the comment to reflect whether pnpm version needs the full git history, or remove it if fetch-depth: 0 is no longer necessary.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bump.yml at line 38, The comment "for git describe --tags
(used by bumpp internally)" is stale because the workflow no longer uses bumpp;
update or remove it: either change the comment to explain why fetch-depth: 0 is
required for the current step (e.g., "for git describe --tags used by pnpm
version" if pnpm requires full history) or delete the comment entirely if pnpm's
`version` does not need full git history; update the line containing
"fetch-depth: 0" and its adjacent comment accordingly so it accurately reflects
current tooling (reference symbols: fetch-depth: 0, pnpm version, bumpp).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57a0c78a-d512-466d-8ff1-836cbede78ea

📥 Commits

Reviewing files that changed from the base of the PR and between 37b8b07 and 455a02d.

📒 Files selected for processing (1)
  • .github/workflows/bump.yml

pullfrog Bot (Contributor) left a comment

Caution

This PR introduces two regressions in .github/workflows/bump.yml that, taken together, make the Bump workflow a no-op as far as the remote is concerned: the version change in package.json is computed but never committed, never tagged, and never pushed. Reproduced locally against pnpm@11.0.9.

Reviewed the following changes:

  • Bumped root packageManager to pnpm@11.0.9 (covered in the prior review; CI matrix stayed green).
  • Replaced pnpm dlx bumpp@10 with native pnpm -F <ws> version <kind> in the Bump workflow.

Pullfrog | View workflow run | Using Claude Opus

Comment thread on .github/workflows/bump.yml (outdated)

RobinTail (Owner, Author) commented:

Git commits and tags are always skipped in recursive mode because multiple packages may be bumped to different versions in a single run.

pullfrog Bot (Contributor) left a comment

No new issues. Reviewed the following changes:

  • Dropped -F ${{inputs.workspace}} from the pnpm version invocation and set working-directory: ${{inputs.workspace}} on the step, so pnpm version runs in non-recursive mode and creates the commit and tag.
  • Added an explicit Push commit and tag step running git push --follow-tags to publish the new commit and tag to the remote.

This is exactly the shape suggested in the prior review and resolves both regressions called out against 455a02d.

Pullfrog | View workflow run | Using Claude Opus

RobinTail mentioned this pull request May 11, 2026

pullfrog Bot (Contributor) left a comment

No new issues. Reviewed the following changes:

  • Simplified the npm-publish.yml publish step to pnpm -F <workspace> publish ..., dropping the now-unnecessary exec pnpm publish indirection. Under pnpm 11, pnpm publish is implemented natively (no longer delegating to npm) and documents --filter as a first-class option, so the new invocation is the supported idiom and equivalent in behavior — provenance still works since the job already grants id-token: write.

Pullfrog | View workflow run | Using Claude Opus

@RobinTail RobinTail merged commit 181c3ef into master May 11, 2026
5 checks passed
@RobinTail RobinTail deleted the use-pnpm11-b branch May 11, 2026 07:18
@coderabbitai coderabbitai Bot mentioned this pull request May 20, 2026