chore: migrate to pnpm and enable minimum release age (#616)

## Summary

Pilot of the org-wide supply-chain hardening + pnpm migration plan
(first of ~14 repos). This PR migrates `apify-shared-js` from npm
workspaces to pnpm workspaces and adds a 1-day minimum release age guard
at two layers so newly-published package versions cannot be installed
for 24h after they hit the registry.

- **pnpm layer** — `minimumReleaseAge: 1440` in `pnpm-workspace.yaml`
blocks `pnpm install` on versions < 1 day old
- **Renovate layer** — `minimumReleaseAge: "1 day"` delays PR creation
until the version has aged
- **Internal allowlist** — `@apify/*` and `@crawlee/*` (plus `apify`,
`apify-client`, `crawlee`, `got-scraping`) are excluded at both layers
so internal releases ship immediately

## Changes

- `package.json`: drop `"workspaces"` (moved to `pnpm-workspace.yaml`);
set `packageManager` to `pnpm@10.24.0`; add `rimraf` as explicit devDep
(was previously relying on npm transitive hoisting — pnpm's hoisted
linker does not link undeclared transitive bins); replace `devEngines`
with `npx only-allow pnpm` preinstall hook
- `lerna.json`: `npmClient: "pnpm"` so `lerna run ...` invokes pnpm
- `pnpm-workspace.yaml`: pnpm config moved here from `.npmrc`;
`node-linker=hoisted` keeps a flat `node_modules` for the same debugging
ergonomics as npm
- `packages/*/package.json` scripts: `npm run X` → `pnpm X`
- CI workflows: use the shared `apify/workflows/pnpm-install` composite
(with pnpm-store caching). Node test matrix dropped to **[20, 22, 24]**
— Node 16 is dropped because pnpm 10 needs ≥18, and Node 18 is dropped
because the test runner was bumped to **vitest 4**, which declares
`engines.node: ^20 || ^22 || >=24`. `engines.node` in the published
packages is unchanged (no major bumps)
- `release` workflow: `pull: '--rebase --autostash'` on the bot push
step to avoid non-fast-forward rejection if another commit lands while
CI is running
- `renovate.json`: `minimumReleaseAge: "1 day"`, `internalChecksFilter:
"strict"`, internal allowlist; drop old npm constraint
- `CONTRIBUTING.md` + `CLAUDE.md`: updated command examples

Pilot for the remaining ~13 repos in the same migration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: B4nan

.github/workflows/publish_to_npm.yaml

@@ -27,20 +27,16 @@ jobs:
               with:
                   node-version: 24
                   registry-url: 'https://registry.npmjs.org'
-                  cache: 'npm'
-                  cache-dependency-path: 'package-lock.json'
-            - name: Update NPM
-              run: npm install -g npm@latest
-            - name: Install dependencies
-              run: npm ci --no-audit
+            - name: Install pnpm and dependencies
+              uses: apify/workflows/pnpm-install@main
             - name: Build module
-              run: npm run build
+              run: pnpm build
             - name: Publish to NPM
               run: |
                   git checkout -- .
-                  npx lerna publish --contents dist --yes
-                  npm i --no-audit # reinstall to have updated lock file
-                  npx lerna ls --json | node scripts/sync-root-changelog.ts
+                  pnpm exec lerna publish --contents dist --yes
+                  pnpm install --no-frozen-lockfile # reinstall to have updated lock file
+                  pnpm exec lerna ls --json | node scripts/sync-root-changelog.ts
               env:
                   GH_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
                   GIT_AUTHOR_NAME: Apify Release Bot
@@ -53,3 +49,4 @@ jobs:
                   author_name: Apify Release Bot
                   author_email: noreply@apify.com
                   message: 'chore: update root lock file and changelog [skip ci]'
+                  pull: '--rebase --autostash'

.github/workflows/test_and_release.yaml

@@ -15,50 +15,37 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                node-version: [ 18, 20, 22 ]
+                node-version: [ 20, 22, 24 ]
 
         steps:
             -   uses: actions/checkout@v6
             -   name: Use Node.js ${{ matrix.node-version }}
                 uses: actions/setup-node@v6
                 with:
                     node-version: ${{ matrix.node-version }}
-            -   name: Cache node_modules
-                uses: actions/cache@v5
-                with:
-                    path: '**/node_modules'
-                    key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
-            -   name: Update NPM
-                run: npm install --no-audit -g npm@9
-                if: matrix.node-version < 18
-            -   name: Install Dependencies
-                run: npm ci --no-audit
+            -   name: Install pnpm and dependencies
+                uses: apify/workflows/pnpm-install@main
             -   name: Run Tests
-                run: npm test
+                run: pnpm test
 
     build:
         name: Build
         runs-on: ubuntu-latest
 
         steps:
             -   uses: actions/checkout@v6
-            -   name: Use Node.js
+            -   name: Use Node.js 24
                 uses: actions/setup-node@v6
                 with:
                     node-version: 24
-            -   name: Cache node_modules
-                uses: actions/cache@v5
-                with:
-                    path: '**/node_modules'
-                    key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
-            -   name: Install Dependencies
-                run: npm ci --no-audit
-            -   run: npm run build
+            -   name: Install pnpm and dependencies
+                uses: apify/workflows/pnpm-install@main
+            -   run: pnpm build
 
             -   name: Check build consistency
                 run: |
                     git diff --exit-code || {
-                        echo -e "Some files changed after running npm run build! Please build the project locally and commit the changes.";
+                        echo -e "Some files changed after running pnpm build! Please build the project locally and commit the changes.";
                         exit 1;
                     }
 
@@ -68,18 +55,13 @@ jobs:
 
         steps:
             -   uses: actions/checkout@v6
-            -   name: Use Node.js
+            -   name: Use Node.js 24
                 uses: actions/setup-node@v6
                 with:
                     node-version: 24
-            -   name: Cache node_modules
-                uses: actions/cache@v5
-                with:
-                    path: '**/node_modules'
-                    key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
-            -   name: Install Dependencies
-                run: npm ci --no-audit
-            -   run: npm run lint
+            -   name: Install pnpm and dependencies
+                uses: apify/workflows/pnpm-install@main
+            -   run: pnpm lint
 
     publish:
         name: Publish to NPM
@@ -93,15 +75,12 @@ jobs:
             -   uses: actions/setup-node@v6
                 with:
                     node-version: 24
-            -   name: Cache node_modules
-                uses: actions/cache@v5
-                with:
-                    path: '**/node_modules'
-                    key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
+            -   name: Install pnpm and dependencies
+                uses: apify/workflows/pnpm-install@main
             -   name: Check for changes
                 id: changed_packages
                 run: |
-                    echo "changed_packages=$(npx lerna changed -p | wc -l | xargs)" | tee -a $GITHUB_OUTPUT
+                    echo "changed_packages=$(pnpm exec lerna changed -p | wc -l | xargs)" | tee -a $GITHUB_OUTPUT
             -   name: Execute publish workflow
                 if: steps.changed_packages.outputs.changed_packages != '0'
                 uses: apify/workflows/execute-workflow@main

.gitignore

@@ -11,7 +11,8 @@ logs
 pids
 .idea
 yarn.lock
+.yarn
 packages/*/package-lock.json
-.npmrc
 
+.npmrc
 .vscode

CLAUDE.md

@@ -4,20 +4,20 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Overview
 
-Internal Apify monorepo of shared TypeScript utilities and constants published as `@apify/*` packages on npm. Managed with Lerna (independent versioning) and npm workspaces.
+Internal Apify monorepo of shared TypeScript utilities and constants published as `@apify/*` packages on npm. Managed with Lerna (independent versioning) and pnpm workspaces.
 
 ## Commands
 
 ```bash
-npm install              # Install all dependencies
-npm run build            # Build all packages (lerna run build)
-npm test                 # Run all tests (vitest)
-npm run test-cov         # Run tests with coverage
-npx vitest run test/consts.test.ts              # Run a single test file
-npx vitest run test/consts.test.ts -t "pattern" # Run specific test by name
-npm run lint             # Lint all source and test files
-npm run lint:fix         # Lint with auto-fix
-npm run clean            # Clean all dist/ folders
+pnpm install              # Install all dependencies
+pnpm build                # Build all packages (lerna run build)
+pnpm test                 # Run all tests (vitest)
+pnpm test-cov             # Run tests with coverage
+pnpm exec vitest run test/consts.test.ts              # Run a single test file
+pnpm exec vitest run test/consts.test.ts -t "pattern" # Run specific test by name
+pnpm lint                 # Lint all source and test files
+pnpm lint:fix             # Lint with auto-fix
+pnpm clean                # Clean all dist/ folders
 ```
 
 ## Architecture

CONTRIBUTING.md

@@ -4,20 +4,20 @@ When contributing to this repository, please first discuss the change you wish t
 
 ## Submitting a pull request
 
-- Fork the project and install NPM dependencies. **NPM 7 is needed to have support for workspaces.**
+- Fork the project and install dependencies with [pnpm](https://pnpm.io/) (we use pnpm workspaces).
 
     ```sh
-    npm install
+    pnpm install
     ```
 
 - Run tests before you start working, to be sure they all pass, and your setup is working correctly:
 
      ```sh
-     npm test
+     pnpm test
      ```
 
 - Be sure to **include appropriate test cases**.
-- Follow defined coding standard, use `npm run lint` command to check it.
+- Follow defined coding standard, use `pnpm lint` command to check it.
 - Commit your changes using a descriptive commit message that follows defined
   [commit message conventions](#commit-message-guidelines). Adherence to these conventions is necessary because release notes are automatically generated from these messages.
 - Push the code to your forked repository and create a pull request on GitHub.
@@ -52,7 +52,7 @@ empty line to separate subject and body).
 
 ## Adding new package
 
-This repository is managed via `lerna` and NPM workspaces. When adding new package, be sure to include all
+This repository is managed via `lerna` and pnpm workspaces. When adding new package, be sure to include all
 the appropriate config files (`package.json`, `tsconfig.json` and `tsconfig.build.json`). It should be mostly
 ok to just copy&paste one of the existing packages, wipe its contents and change the package name. Be sure
 to clean up the dependencies as well. Keep all the scripts defined in the `package.json`, especially the `build` one.

lerna.json

@@ -15,6 +15,7 @@
         }
     },
     "useNx": false,
+    "npmClient": "pnpm",
     "ignoreChanges": [
         "**/test/**",
         "**/*.md"