Dedupe node & pnpm versions; bump pnpm to 10.33.1

shopify-river[bot] · shopify-river[bot] · commit eec4f26a04e5 · 2026-04-22T11:16:49.000Z
Address feedback: make package.json the single source of truth for node
and pnpm versions where possible, and bump pnpm to the latest release.

- package.json: bump `packageManager` to `pnpm@10.33.1` (pinned with
  the upstream sha512 integrity hash so corepack/pnpm verify the binary).
- package.json: tighten `engines.node` from `&gt;=22` to `22.14.0` so
  dev's built-in node-version validator catches any drift against
  dev.yml on every `dev up`.
- dev.yml: bump to `package_manager: pnpm@10.33.1` and add a comment
  noting the versions must stay in lockstep with package.json.
- .github/actions/setup: read node from `engines.node` via
  `node-version-file: package.json`, and let `pnpm/action-setup`
  read the version from the `packageManager` field (drop the hardcoded
  `version: 10.28.0` and `node-version: 22.22.1`).

dev.yml itself is plain YAML (no ERB/interpolation) and the node task
requires an explicit `version:` + `package_manager:`, so full
deduplication into a single literal isn't supported upstream. Every
other pnpm-using zone in World mirrors the value. The setup we have
here — package.json as SoT, dev's validator as the enforcer, CI
reading directly from package.json — is the closest equivalent.

Requested by Kieran Osgood &lt;kieran.osgood@shopify.com&gt;
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -4,15 +4,17 @@ description: Setup Node.js and install dependencies
 runs:
   using: composite
   steps:
+    # Versions are sourced from package.json:
+    #   - pnpm: `packageManager` field (read by pnpm/action-setup)
+    #   - node: `engines.node` field (read by setup-node via node-version-file)
+    # Keep package.json as the single source of truth.
     - name: Install pnpm
       uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
-      with:
-        version: 10.28.0
 
     - name: Setup Node.js
       uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
       with:
-        node-version: 22.22.1
+        node-version-file: package.json
         registry-url: 'https://registry.npmjs.org'
         cache: pnpm
 
diff --git a/dev.yml b/dev.yml
@@ -15,9 +15,13 @@ up:
         ios:
           - version: 23C54 # 26.2
             architecture_variant: arm64
+  # Node / pnpm versions are mirrored from package.json (engines.node,
+  # packageManager). dev validates engines.node matches the version below on
+  # every `dev up`, so drift is caught automatically. If you bump one, bump
+  # both.
   - node:
       version: v22.14.0
-      package_manager: pnpm@10.28.0
+      package_manager: pnpm@10.33.1
   - custom:
       name: Install NPM dependencies
       met?: ls -l | grep node_modules
diff --git a/package.json b/package.json
@@ -10,7 +10,7 @@
     "url": "https://github.com/Shopify/checkout-sheet-kit-react-native/issues"
   },
   "homepage": "https://github.com/Shopify/checkout-sheet-kit-react-native",
-  "packageManager": "pnpm@10.28.0",
+  "packageManager": "pnpm@10.33.1+sha512.05ba3c1d5d1c18f68df06470d74055e62d41fc110a0c660db1b2dfb2785327f04cf0f68345d4609bc52089e7fa0343c31593b2f9594e2c5d5da426230acc9820",
   "pnpm": {
     "onlyBuiltDependencies": [
       "unrs-resolver"
@@ -58,7 +58,7 @@
     "typescript": "^5.9.2"
   },
   "engines": {
-    "node": ">=22"
+    "node": "22.14.0"
   },
   "prettier": {
     "arrowParens": "avoid",
