Dedupe node & pnpm versions; bump pnpm to 10.33.1

Address feedback: make package.json the single source of truth for node
and pnpm versions where possible, and bump pnpm to the latest release.

- package.json: bump `packageManager` to `pnpm@10.33.1` (pinned with
  the upstream sha512 integrity hash so corepack/pnpm verify the binary).
- package.json: tighten `engines.node` from `>=22` to `22.14.0` so
  dev's built-in node-version validator catches any drift against
  dev.yml on every `dev up`.
- dev.yml: bump to `package_manager: pnpm@10.33.1` and add a comment
  noting the versions must stay in lockstep with package.json.
- .github/actions/setup: read node from `engines.node` via
  `node-version-file: package.json`, and let `pnpm/action-setup`
  read the version from the `packageManager` field (drop the hardcoded
  `version: 10.28.0` and `node-version: 22.22.1`).

dev.yml itself is plain YAML (no ERB/interpolation) and the node task
requires an explicit `version:` + `package_manager:`, so full
deduplication into a single literal isn't supported upstream. Every
other pnpm-using zone in World mirrors the value. The setup we have
here — package.json as SoT, dev's validator as the enforcer, CI
reading directly from package.json — is the closest equivalent.

Requested by Kieran Osgood <kieran.osgood@shopify.com>

Author: kieran-osgood-shopify

.github/actions/setup/action.yml

@@ -4,15 +4,17 @@ description: Setup Node.js and install dependencies
 runs:
   using: composite
   steps:
+    # Versions are sourced from package.json:
+    #   - pnpm: `packageManager` field (read by pnpm/action-setup)
+    #   - node: `engines.node` field (read by setup-node via node-version-file)
+    # Keep package.json as the single source of truth.
     - name: Install pnpm
       uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
-      with:
-        version: 10.28.0
 
     - name: Setup Node.js
       uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
       with:
-        node-version: 22.22.1
+        node-version-file: package.json
         registry-url: 'https://registry.npmjs.org'
         cache: pnpm
 

.github/workflows/ci.yml

@@ -32,9 +32,9 @@ jobs:
         uses: ./.github/actions/setup
 
       - run: |
-          yarn module clean
-          yarn module build
-          yarn compare-snapshot
+          pnpm module clean
+          pnpm module build
+          pnpm compare-snapshot
 
   lint:
     name: Lint module + sample
@@ -52,9 +52,9 @@ jobs:
         uses: ./.github/actions/setup
 
       - run: |
-          yarn module build
-          yarn module lint
-          yarn sample lint
+          pnpm module build
+          pnpm module lint
+          pnpm sample lint
 
   test:
     name: Run jest tests
@@ -70,7 +70,7 @@ jobs:
         uses: ./.github/actions/setup
 
       - run:
-          yarn test --coverage
+          pnpm test --coverage
           --testPathPatterns="modules/@shopify/checkout-sheet-kit/tests"
           --coverageReporters=json-summary
 
@@ -111,8 +111,8 @@ jobs:
           java -version
           javac -version
           echo "STOREFRONT_DOMAIN=myshopify.com" > sample/.env
-          yarn module build
-          yarn sample test:android --no-daemon
+          pnpm module build
+          pnpm sample test:android --no-daemon
 
   test-ios:
     name: Run Swift Tests
@@ -138,4 +138,4 @@ jobs:
 
       - name: Run Swift tests
         run: |
-          yarn sample test:ios
+          pnpm sample test:ios

.github/workflows/publish.yml

@@ -38,8 +38,8 @@ jobs:
       - name: Prepare release
         run: |
           cp README.md modules/@shopify/checkout-sheet-kit
-          yarn module clean
-          yarn module build
+          pnpm module clean
+          pnpm module build
           cd modules/@shopify/checkout-sheet-kit
           npm publish --access public --tag ${{ steps.npm-tag.outputs.tag }}
         env:

.gitignore

@@ -42,6 +42,7 @@ upload-keystore.jks
 # node.js
 #
 node_modules/
+.yarn/
 npm-debug.log
 yarn-error.log
 pnpm-debug.log

dev.yml

@@ -15,9 +15,18 @@ up:
         ios:
           - version: 23C54 # 26.2
             architecture_variant: arm64
+  # Node / pnpm versions are mirrored from package.json (engines.node,
+  # packageManager). dev validates engines.node matches the version below on
+  # every `dev up`, so drift is caught automatically. If you bump one, bump
+  # both.
   - node:
       version: v22.14.0
-      package_manager: pnpm@10.28.0
+      package_manager: pnpm@10.33.1
+  - custom:
+      name: Remove stale Yarn artifacts
+      met?: test ! -d .yarn
+      meet: |
+        rm -rf .yarn
   - custom:
       name: Install NPM dependencies
       met?: ls -l | grep node_modules

package.json

@@ -10,7 +10,7 @@
     "url": "https://github.com/Shopify/checkout-sheet-kit-react-native/issues"
   },
   "homepage": "https://github.com/Shopify/checkout-sheet-kit-react-native",
-  "packageManager": "pnpm@10.28.0",
+  "packageManager": "pnpm@10.33.1+sha512.05ba3c1d5d1c18f68df06470d74055e62d41fc110a0c660db1b2dfb2785327f04cf0f68345d4609bc52089e7fa0343c31593b2f9594e2c5d5da426230acc9820",
   "pnpm": {
     "onlyBuiltDependencies": [
       "unrs-resolver"
@@ -58,7 +58,7 @@
     "typescript": "^5.9.2"
   },
   "engines": {
-    "node": ">=22"
+    "node": "22.14.0"
   },
   "prettier": {
     "arrowParens": "avoid",

sample/android/app/build.gradle

@@ -2,7 +2,27 @@ apply plugin: "com.android.application"
 apply plugin: "org.jetbrains.kotlin.android"
 apply plugin: "com.facebook.react"
 
-project.ext["REACT_NATIVE_NODE_MODULES_DIR"] = file("../../../node_modules/react-native")
+def resolveNodeModuleDir(String packageName) {
+    def output = new ByteArrayOutputStream()
+    def workspaceRoot = new File(rootProject.projectDir, "../..").canonicalFile
+    exec {
+        commandLine(
+            "node",
+            "--print",
+            "require.resolve('${packageName}/package.json', { paths: [process.argv[1], process.argv[2]] })",
+            workspaceRoot.getAbsolutePath(),
+            rootProject.projectDir.getAbsolutePath()
+        )
+        standardOutput = output
+    }
+    return file(output.toString().trim()).parentFile
+}
+
+def reactNativeDirPath = resolveNodeModuleDir("react-native")
+def reactNativeCodegenDirPath = resolveNodeModuleDir("@react-native/codegen")
+def vectorIconsDirPath = resolveNodeModuleDir("react-native-vector-icons")
+
+project.ext["REACT_NATIVE_NODE_MODULES_DIR"] = reactNativeDirPath
 
 /**
  * This is the configuration block to customize your React Native Android app.
@@ -13,11 +33,11 @@ react {
     //   The root of your project, i.e. where "package.json" lives. Default is '..'
     root = file("../../")
     //   The folder where the react-native NPM package is. Default is ../node_modules/react-native
-    reactNativeDir = file("../../../node_modules/react-native")
+    reactNativeDir = reactNativeDirPath
     //   The folder where the react-native Codegen package is. Default is ../node_modules/@react-native/codegen
-    codegenDir = file("../../../node_modules/@react-native/codegen")
+    codegenDir = reactNativeCodegenDirPath
     //   The cli.js file which is the React Native CLI entrypoint. Default is ../node_modules/react-native/cli.js
-    cliFile = file("../../node_modules/react-native/cli.js")
+    cliFile = new File(reactNativeDirPath, "cli.js")
 
     /* Variants */
     //   The list of variants to that are debuggable. For those we're going to
@@ -47,7 +67,7 @@ react {
 
     /* Hermes Commands */
     //   The hermes compiler command to run. By default it is 'hermesc'
-    hermesCommand = "../node_modules/react-native/sdks/hermesc/%OS-BIN%/hermesc"
+    hermesCommand = new File(reactNativeDirPath, "sdks/hermesc/%OS-BIN%/hermesc").getAbsolutePath()
     //
     //   The list of flags to pass to the Hermes compiler. By default is "-O", "-output-source-map"
     hermesFlags = ["-O", "-output-source-map"]
@@ -158,7 +178,7 @@ project.ext.vectoricons = [
     iconFontNames: [ 'Entypo.ttf' ]
 ]
 
-apply from: file("../../node_modules/react-native-vector-icons/fonts.gradle")
+apply from: new File(vectorIconsDirPath, "fonts.gradle")
 
 apply from: project(':react-native-config').projectDir.getPath() + "/dotenv.gradle"
 

sample/android/settings.gradle

@@ -1,6 +1,12 @@
 pluginManagement { includeBuild("../../node_modules/@react-native/gradle-plugin") }
 plugins { id("com.facebook.react.settings") }
-extensions.configure(com.facebook.react.ReactSettingsExtension){ ex -> ex.autolinkLibrariesFromCommand() }
+extensions.configure(com.facebook.react.ReactSettingsExtension) { ex ->
+    ex.autolinkLibrariesFromCommand(
+        ["pnpm", "exec", "react-native", "config"],
+        file(".."),
+        files("../package.json", "../react-native.config.js", "../../package.json", "../../pnpm-lock.yaml")
+    )
+}
 
 rootProject.name = 'ReactNative'
 
@@ -9,4 +15,22 @@ include ':react-native-config'
 
 includeBuild('../../node_modules/@react-native/gradle-plugin')
 
-project(':react-native-config').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-config/android')
+def resolveNodeModuleDir(String packageName) {
+    def workspaceRoot = new File(rootProject.projectDir, "../..").canonicalFile
+    def process = [
+        "node",
+        "--print",
+        "require.resolve('${packageName}/package.json', { paths: [process.argv[1], process.argv[2]] })",
+        workspaceRoot.getAbsolutePath(),
+        rootProject.projectDir.getAbsolutePath()
+    ].execute(null, rootProject.projectDir)
+    def output = new StringBuffer()
+    def error = new StringBuffer()
+    process.consumeProcessOutput(output, error)
+    if (process.waitFor() != 0) {
+        throw new GradleException("Failed to resolve ${packageName}: ${error}")
+    }
+    return new File(output.toString().trim()).parentFile
+}
+
+project(':react-native-config').projectDir = new File(resolveNodeModuleDir('react-native-config'), 'android')