Skip to content

chore: migrate to pnpm and enable minimum release age#587

Open
B4nan wants to merge 12 commits intomasterfrom
chore/migrate-to-pnpm
Open

chore: migrate to pnpm and enable minimum release age#587
B4nan wants to merge 12 commits intomasterfrom
chore/migrate-to-pnpm

Conversation

@B4nan
Copy link
Copy Markdown
Member

@B4nan B4nan commented Apr 14, 2026

Summary

Migrates apify-sdk-js from npm to pnpm as part of an org-wide supply-chain hardening. Adds a 1-day minimumReleaseAge guard at both the package manager layer (pnpm-workspace.yaml) and the Renovate layer. Internal @apify/* and @crawlee/* packages are whitelisted at both layers. website/ becomes a proper pnpm workspace — single root lockfile now.

Changes

  • package.json: packageManager set to pnpm@10.24.0; engines.node bumped to >=18; npm run X -> pnpm X in scripts
  • pnpm-workspace.yaml (new): packages [website]; minimumReleaseAge: 1440; whitelist @apify/* and @crawlee/*
  • .npmrc (new): node-linker=hoisted, link-workspace-packages=true, prefer-workspace-packages=true, public-hoist-pattern[]=*
  • website/package.json: add "name": "apify-sdk-website" and "private": true so pnpm recognises it as a workspace; npm run X -> pnpm X
  • website/docusaurus.config.js: rename future.experimental_faster -> future.faster (renamed in Docusaurus 3.10, which pnpm resolves from the ^3.8.1 range)
  • .github/actions/pnpm-install/action.yml (new): composite action with cached pnpm store keyed by year-month + lockfile hash (pattern from apify-client-js)
  • CI workflows (test-and-release, docs, release, test-e2e, publish-to-npm) updated to use the composite; npm ci / npx / npm version -> pnpm equivalents; docs workflow's npm update @apify/docs-theme becomes pnpm --filter apify-sdk-website update @apify/docs-theme; publish uses pnpm publish --tag X --no-git-checks
  • renovate.json: add minimumReleaseAge: "1 day", internalChecksFilter: "strict", and @apify/* + @crawlee/* whitelist package rule
  • .prettierignore: ignore pnpm-lock.yaml
  • package-lock.json and website/package-lock.json deleted; single pnpm-lock.yaml at root

Local verification: pnpm install --frozen-lockfile, pnpm build, pnpm test, pnpm lint all pass. pnpm format:check passes (only warnings are for untracked local files that don't exist in CI).

🤖 Generated with Claude Code

@B4nan @claude
chore: migrate to pnpm and enable minimum release age
cfd4503 
Migrates apify-sdk-js from npm to pnpm and adds a 1-day minimum
release age supply-chain guard at the package manager layer
(pnpm-workspace.yaml) and at the Renovate layer. Internal
`@apify/*` and `@crawlee/*` packages are whitelisted at both layers.

The website/ directory becomes a proper workspace (previously had
its own lockfile). Single root lockfile now.

Notable changes:
- package.json: set packageManager to pnpm@10.24.0; bump engines.node
  to >=18; "npm run X" -> "pnpm X" in scripts
- pnpm-workspace.yaml: packages [website], release-age settings
- .npmrc: node-linker=hoisted, link-workspace-packages=true,
  prefer-workspace-packages=true, public-hoist-pattern[]=*
- website/package.json: add "name": "apify-sdk-website" and
  "private": true so pnpm recognises it as a workspace
- website/docusaurus.config.js: rename future.experimental_faster
  -> future.faster (renamed in Docusaurus 3.10, which pnpm resolves
  from the ^3.8.1 range)
- New .github/actions/pnpm-install composite action (cached pnpm
  store, keyed by year-month + lockfile hash)
- All relevant CI workflows (test-and-release, docs, release,
  test-e2e, publish-to-npm) use the composite; npm/npx/`npm version`
  -> pnpm equivalents. docs workflow's `npm update @apify/docs-theme`
  becomes `pnpm --filter apify-sdk-website update @apify/docs-theme`.
  publish uses `pnpm publish --tag X --no-git-checks`.
- renovate.json: add minimumReleaseAge "1 day",
  internalChecksFilter "strict", @apify/* + @crawlee/* whitelist
- .prettierignore: ignore pnpm-lock.yaml
- Both package-lock.json files deleted; single pnpm-lock.yaml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added this to the 138th sprint - Tooling team milestone Apr 14, 2026
@github-actions github-actions bot added the t-tooling Issues with this label are in the ownership of the tooling team. label Apr 14, 2026
@B4nan B4nan added the adhoc Ad-hoc unplanned task added during the sprint. label Apr 14, 2026
@B4nan B4nan marked this pull request as ready for review April 15, 2026 14:02
B4nan and others added 7 commits April 15, 2026 16:17
@B4nan
chore: whitelist internal apify-client/apify/crawlee/got-scraping fro…
19f0178 
…m release-age gate
@B4nan
chore: keep engines.node at >=16, CI-only matrix change
4b8b543
@B4nan
chore: move pnpm config from .npmrc to pnpm-workspace.yaml
9f16b0f 
Silences npm warnings about unknown options like node-linker; pnpm
reads the same keys from pnpm-workspace.yaml in camelCase form.
@B4nan
chore: enforce pnpm via devEngines, switch husky hook to pnpm exec
e769bb0 
npx invokes npm which now refuses to run because of devEngines.
@B4nan
chore: normalize .gitignore — add yarn.lock and .yarn, drop .pnpm-store
1b0a09b
@B4nan @claude
chore: sync renovate allowlist with pnpm-workspace exclusions
5feecb3 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@B4nan
chore: replace devEngines with only-allow preinstall
3bb76aa 
devEngines.packageManager breaks pnpm commands that delegate to npm
(pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow
approach instead (same as Vite, Vue, Astro).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@B4nan B4nan

Labels

adhoc Ad-hoc unplanned task added during the sprint. t-tooling Issues with this label are in the ownership of the tooling team.

Projects

None yet

Milestone

138th sprint - Tooling team

Development

Successfully merging this pull request may close these issues.

2 participants

@B4nan @apify-service-account