Open
Conversation
Review Summary by QodoMigrate from Yarn to pnpm package manager
WalkthroughsDescription• Replace Yarn Classic with pnpm as package manager • Update all CI workflows to use pnpm/action-setup@v4 • Convert internal dependencies to workspace:^ protocol • Update documentation and configuration files for pnpm • Remove @types/conventional-commits-parser dependency Diagramflowchart LR
A["Yarn Classic"] -- "migrate to" --> B["pnpm"]
B -- "enables" --> C["workspace:^ protocol"]
B -- "requires" --> D["pnpm/action-setup@v4"]
B -- "config" --> E["pnpm-workspace.yaml"]
B -- "config" --> F[".npmrc shamefully-hoist"]
C -- "updates" --> G["All package.json files"]
File Changes1. .github/workflows/CI.yml
|
Code Review by Qodo
1. Unpinned pnpm in CI
|
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. |
escapedcat
force-pushed
the
chore/migrate-to-pnpm
branch
from
f0ad29c to
2423dea
Compare
Review Summary by QodoMigrate from Yarn to pnpm with workspace protocol support
WalkthroughsDescription• Migrate package manager from Yarn to pnpm for improved performance • Update all internal dependencies to use workspace:^ protocol • Configure CI/CD workflows and development tools for pnpm compatibility • Remove Yarn-specific configuration and lock files • Update documentation with pnpm commands and setup instructions Diagramflowchart LR
A["Yarn Classic"] -->|"Replace with"| B["pnpm 10.32.1"]
C["Versioned deps<br/>^20.5.0"] -->|"Convert to"| D["workspace:^ protocol"]
E["yarn.lock<br/>.yarnrc"] -->|"Remove"| F["pnpm-lock.yaml"]
G["CI workflows<br/>yarn commands"] -->|"Update to"| H["pnpm/action-setup<br/>pnpm commands"]
I["Documentation<br/>yarn examples"] -->|"Update to"| J["pnpm examples"]
File Changes1. .github/workflows/CI.yml
|
Code Review by Qodo
1. Lerna configured for Yarn
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates the commitlint monorepo from Yarn to pnpm to improve workspace dependency correctness and installation performance, updating tooling/docs/CI accordingly.
Changes:
- Add pnpm workspace configuration and pin pnpm via
packageManager. - Switch internal monorepo package references to
workspace:^across packages. - Update CI workflows, Husky hooks, and docs to use pnpm commands.
Reviewed changes
Copilot reviewed 48 out of 50 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pnpm-workspace.yaml | Defines pnpm workspace package globs for the monorepo. |
| package.json | Pins pnpm via packageManager and updates root scripts to use pnpm. |
| lerna.json | Switches Lerna’s npmClient from yarn to pnpm. |
| README.md | Updates local dev commands from yarn to pnpm. |
| @packages/utils/pkg-check.js | Replaces yarn pack usage with pnpm pack output parsing. |
| @commitlint/types/package.json | Updates internal devDependency to workspace:^ and removes @types/conventional-commits-parser. |
| @commitlint/travis-cli/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/top-level/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/to-lines/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/rules/package.json | Converts internal deps/devDeps to workspace:^ and removes @types/conventional-commits-parser. |
| @commitlint/resolve-extends/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/read/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/prompt/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/prompt-cli/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/parse/package.json | Converts internal deps/devDeps to workspace:^ and removes @types/conventional-commits-parser. |
| @commitlint/message/package.json | Converts internal devDependencies to workspace:^. |
| @commitlint/load/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/lint/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/is-ignored/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/format/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/execute-rule/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/ensure/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/cz-commitlint/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/core/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/config-workspace-scopes/package.json | Converts internal devDependencies to workspace:^. |
| @commitlint/config-validator/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-rush-scopes/package.json | Converts internal devDependencies to workspace:^. |
| @commitlint/config-pnpm-scopes/package.json | Converts internal devDependencies to workspace:^. |
| @commitlint/config-patternplate/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-nx-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-lerna-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-conventional/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-angular/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-angular-type-enum/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/cli/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-patternplate/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-nx-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-lerna-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-angular/package.json | Converts internal deps/devDeps to workspace:^. |
| .yarnrc | Removes Yarn configuration file as part of migration. |
| .npmrc | Adds pnpm hoisting configuration (shamefully-hoist=true). |
| .mise.toml | Adds pnpm tool entry for mise-based setup. |
| .husky/pre-commit | Updates Husky hook commands from yarn to pnpm. |
| .github/workflows/docs-deploy.yml | Switches GitHub Pages/docs workflow to pnpm install/build and pnpm caching. |
| .github/workflows/commitlint.yml | Switches commitlint workflow to pnpm install/build and pnpm caching. |
| .github/workflows/CI.yml | Switches CI workflows to pnpm install/build/test and pnpm caching. |
| .github/CONTRIBUTING.md | Updates contributor instructions from yarn to pnpm. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR migrates the commitlint monorepo from Yarn to pnpm by introducing pnpm workspace configuration, updating internal dependency specifiers to workspace:^, and switching developer/CI tooling and docs to pnpm-based commands.
Changes:
- Add pnpm workspace setup (
pnpm-workspace.yaml) and pin pnpm viapackageManager. - Convert internal monorepo dependencies to
workspace:^and configure Lerna to use pnpm. - Update CI workflows, Husky hook(s), and contributor documentation to use pnpm.
Reviewed changes
Copilot reviewed 48 out of 50 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| pnpm-workspace.yaml | Defines pnpm workspace package globs for the monorepo. |
| package.json | Pins pnpm via packageManager, updates scripts, removes workspaces field. |
| lerna.json | Switches Lerna npm client from Yarn to pnpm. |
| README.md | Updates dev commands from yarn to pnpm. |
| @packages/utils/pkg-check.js | Switches tarball creation from yarn pack to pnpm pack. |
| @commitlint/types/package.json | Switches internal devDependency to workspace:^ and removes redundant types dep. |
| @commitlint/travis-cli/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/top-level/package.json | Switches internal devDependency to workspace:^. |
| @commitlint/to-lines/package.json | Switches internal devDependency to workspace:^. |
| @commitlint/rules/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/resolve-extends/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/read/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/prompt/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/prompt-cli/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/parse/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/message/package.json | Switches internal devDependencies to workspace:^. |
| @commitlint/load/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/lint/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/is-ignored/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/format/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/execute-rule/package.json | Switches internal devDependency to workspace:^. |
| @commitlint/ensure/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/cz-commitlint/package.json | Switches internal dependencies to workspace:^. |
| @commitlint/core/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-workspace-scopes/package.json | Switches internal devDependencies to workspace:^. |
| @commitlint/config-validator/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-rush-scopes/package.json | Switches internal devDependencies to workspace:^. |
| @commitlint/config-pnpm-scopes/package.json | Switches internal devDependencies to workspace:^. |
| @commitlint/config-patternplate/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-nx-scopes/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-lerna-scopes/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-conventional/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-angular/package.json | Switches internal deps/devDeps to workspace:^. |
| @commitlint/config-angular-type-enum/package.json | Switches internal devDependency to workspace:^. |
| @commitlint/cli/package.json | Switches internal deps/devDeps to workspace:^. |
| @alias/commitlint/package.json | Switches internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-patternplate/package.json | Switches internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-nx-scopes/package.json | Switches internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-lerna-scopes/package.json | Switches internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-angular/package.json | Switches internal deps/devDeps to workspace:^. |
| .yarnrc | Removes Yarn configuration file. |
| .npmrc | Adds shamefully-hoist=true (plus explanatory comments). |
| .mise.toml | Pins pnpm tool version for local dev environments. |
| .husky/pre-commit | Switches Husky hook commands from yarn to pnpm. |
| .github/workflows/docs-deploy.yml | Switches docs deploy workflow to pnpm install/cache and commands. |
| .github/workflows/commitlint.yml | Switches commitlint workflow to pnpm setup/cache/install and commands. |
| .github/workflows/CI.yml | Switches CI workflow jobs to pnpm setup/cache/install and commands. |
| .github/CONTRIBUTING.md | Updates contributor docs to pnpm commands. |
Comments suppressed due to low confidence (1)
package.json:59
- Root
package.jsonno longer defines aworkspacesarray, but the repo's commitlint config extends@commitlint/config-workspace-scopes, which readsworkspacesfrom the rootpackage.jsonto compute valid scopes. With this removal, the scope list will become empty and scope-enum enforcement will effectively be skipped. Either keep theworkspacesfield in the rootpackage.json, or switch the root commitlint config to@commitlint/config-pnpm-scopes(which readspnpm-workspace.yaml).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| @@ -1,5 +1,5 @@ | |||
| yarn lint-staged | |||
| pnpm lint-staged | |||
Comment on lines
+41
to
44
| pnpm --version | ||
| # commitlint binary is available at root via shamefully-hoist=true in .npmrc | ||
| pnpm commitlint --version | ||
|
|
| pnpm install | ||
| pnpm build | ||
| pnpm test | ||
| pnpm lerna publish --conventional-commits --dist-tag [`next` | `next` | `[release-vXX(BRANCH)]`] --otp <one-time password> |
escapedcat
force-pushed
the
chore/migrate-to-pnpm
branch
from
2d397d2 to
da9aa10
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates the commitlint monorepo tooling from Yarn Classic to pnpm, updating workspace configuration, CI workflows, Docker images, and internal dependency specifiers accordingly.
Changes:
- Introduce pnpm workspace + supply-chain hardening config (
pnpm-workspace.yaml,.npmrc,allowed-scripts.json) and set rootpackageManager. - Update CI workflows, Dockerfiles, docs, and Husky hooks to use pnpm commands and pnpm caching.
- Convert internal package dependencies to
workspace:^and remove Yarn-specific config.
Reviewed changes
Copilot reviewed 51 out of 53 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Updates local dev commands from Yarn to pnpm. |
| pnpm-workspace.yaml | Defines pnpm workspace package globs. |
| package.json | Pins pnpm via packageManager, updates scripts, removes Yarn workspaces field. |
| lerna.json | Switches Lerna npmClient from yarn to pnpm. |
| Dockerfile.dev | Uses Corepack + pnpm for dev image install/build. |
| Dockerfile.ci | Uses Corepack + pnpm for CI build/pack steps. |
| allowed-scripts.json | Allowlist for dependency build scripts under pnpm hardening. |
| @packages/utils/pkg-check.js | Replaces yarn pack with pnpm pack for tarball verification. |
| @commitlint/types/package.json | Converts internal devDependency to workspace:^ and removes a types package. |
| @commitlint/travis-cli/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/top-level/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/to-lines/package.json | Converts internal devDependency to workspace:^. |
| @commitlint/rules/package.json | Converts internal deps/devDeps to workspace:^ and removes a types package. |
| @commitlint/resolve-extends/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/read/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/prompt/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/prompt-cli/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/parse/package.json | Converts internal deps/devDeps to workspace:^ and removes a types package. |
| @commitlint/message/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/load/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/lint/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/is-ignored/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/format/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/execute-rule/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/ensure/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/cz-commitlint/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/core/package.json | Converts internal dependencies to workspace:^. |
| @commitlint/config-workspace-scopes/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/config-validator/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-rush-scopes/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/config-pnpm-scopes/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/config-patternplate/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-nx-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-lerna-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-conventional/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-angular/package.json | Converts internal deps/devDeps to workspace:^. |
| @commitlint/config-angular-type-enum/package.json | Converts internal devDeps to workspace:^. |
| @commitlint/cli/package.json | Converts internal deps/devDeps to workspace:^ and removes a types package. |
| @alias/commitlint/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-patternplate/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-nx-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-lerna-scopes/package.json | Converts internal deps/devDeps to workspace:^. |
| @alias/commitlint-config-angular/package.json | Converts internal deps/devDeps to workspace:^. |
| .yarnrc | Removes Yarn Classic configuration. |
| .npmrc | Adds pnpm hardening config (ignore scripts + allowlist file). |
| .mise.toml | Adds pnpm tool pin for mise. |
| .husky/pre-commit | Switches hook commands from Yarn to pnpm. |
| .github/workflows/docs-deploy.yml | Uses pnpm setup + pnpm cache + pnpm install/build in docs deploy. |
| .github/workflows/commitlint.yml | Uses pnpm setup + pnpm cache + pnpm install/build/audit + pnpm exec commitlint. |
| .github/workflows/CI.yml | Uses pnpm setup + pnpm cache + pnpm install/build/test/audit across CI jobs. |
| .github/CONTRIBUTING.md | Updates contributor instructions from Yarn to pnpm commands. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -1,5 +1,5 @@ | |||
| yarn lint-staged | |||
| pnpm lint-staged | |||
There was a problem hiding this comment.
pnpm lint-staged will fail unless there is a lint-staged script in the root package.json (currently there isn't). To invoke the dependency binary reliably under pnpm, use pnpm exec lint-staged (or add a lint-staged script and call pnpm lint-staged intentionally).
Suggested change
| pnpm lint-staged | |
| pnpm exec lint-staged |
Comment on lines
56
to
58
| "engines": { | ||
| "node": ">=v18", | ||
| "npm": ">=7" |
There was a problem hiding this comment.
With workspaces removed from the root package.json, @commitlint/config-workspace-scopes (still referenced in commitlint.extends) will return an empty scope list and therefore stop enforcing scope-enum (see @commitlint/config-workspace-scopes/index.js:22-26 and @commitlint/rules/src/scope-enum.ts:14-16). If this repo should continue validating scopes against workspaces after migrating to pnpm, update the repo’s commitlint config to extend @commitlint/config-pnpm-scopes (or reintroduce the workspaces field specifically for commitlint).
Switch package manager from Yarn Classic to pnpm for better performance, stricter dependency resolution, and native workspace support. - Add pnpm-workspace.yaml with workspace configuration - Update all internal deps to workspace:^ protocol - Add shamefully-hoist=true to .npmrc for TypeScript compatibility - Update CI workflows to use pnpm/action-setup@v4 - Update CONTRIBUTING.md with pnpm commands - Update husky hooks to use pnpm - Add pnpm to .mise.toml - Remove @types/conventional-commits-parser (package has own types now) - Delete yarn.lock and .yarnrc Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The `reinstall` and `start` scripts still invoked `yarn`, which would fail in a pnpm-only environment. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lerna.json still had `npmClient` set to `yarn`, which conflicts with the pnpm migration and could cause lerna commands to fail. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pkg-check.js hardcoded `yarn pack --filename`, which fails without yarn. Switched to `pnpm pack --pack-destination` and parse the output tarball filename from stdout. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add comments clarifying that pnpm/action-setup@v4 reads the version from the packageManager field in package.json, so no explicit version input is needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pnpm pack --pack-destination prints an absolute path to the tarball. Using path.join(cwd, absolutePath) produced a broken double-path. Use path.basename() to extract just the filename. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pnpm uses pnpm-workspace.yaml exclusively for workspace definitions and ignores the workspaces field in package.json. Keeping both creates ambiguity about the source of truth. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
npm install --global pnpm was installing latest, which may differ from the 10.32.1 pinned in the packageManager field and could cause lockfile compatibility issues. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ensures reproducible builds by preventing lockfile mutation during CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Consistent with the other CI jobs that already use --frozen-lockfile. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Explains that hoisting is required so workspace binaries like commitlint are accessible from the root for CI workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The commitlint binary is available at the workspace root because of shamefully-hoist=true in .npmrc. Added a comment to make this dependency explicit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Aligns the mise tool definition with the pnpm@10.32.1 version declared in package.json to avoid version drift for developers using mise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove shamefully-hoist (restores strict dependency isolation), block install scripts by default with an explicit allowlist, add pnpm audit to CI, and switch to `pnpm exec commitlint` for binary invocation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These were missed in the initial migration. Uses corepack to enable pnpm in both the CI and dev container images. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pnpm pack silently ignores positional package name arguments (unlike npm pack) and packs the root workspace instead. Use --filter to target each workspace package and --pack-destination to place tarballs in /src. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The lockfile had global-directory pinned at ^4.0.1 while @commitlint/resolve-extends/package.json requires ^5.0.0, causing frozen-lockfile installs to fail in CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Aligns with the revert on master — global-directory v5 requires Node 20+ but the project supports Node 18+. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
escapedcat
force-pushed
the
chore/migrate-to-pnpm
branch
from
da9aa10 to
bc716b5
Compare
Without shamefully-hoist, packages must explicitly declare all dependencies they import. Adds @types/node to 7 packages, conventional-commits-parser and @types/fs-extra to @commitlint/cli, and rxjs to @commitlint/prompt. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dev tooling (lerna, eslint) has transitive vulnerabilities that cannot be fixed from this repo. Restrict audit to --prod so CI only flags issues that affect shipped code. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All current audit findings are in transitive deps of lerna and eslint that cannot be fixed from this repo. Use continue-on-error so the audit reports issues without blocking CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Without shamefully-hoist the commitlint binary is only available in the @commitlint/cli workspace, not at the root. Use pnpm --filter @commitlint/cli exec to target it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Without shamefully-hoist, vitest cannot resolve the custom test environment from the workspace. Declaring it explicitly in the root package.json makes it available to vitest. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Package specifiers like @commitlint/format should be kept as-is and resolved at import time. With pnpm's strict node_modules structure, resolveFrom resolves them to absolute paths which breaks tests and leaks internal paths into config output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Without shamefully-hoist, workspace package binaries are not linked at root node_modules/.bin/. Use direct node invocation matching the pattern already used in .husky/commit-msg. Also add @commitlint/config-conventional and @commitlint/config-workspace-scopes to root devDependencies so the commitlint config can resolve its extends. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 52 out of 54 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
package.json:59
- Removing the root
workspacesfield will cause@commitlint/config-workspace-scopesto return an empty scope list (it readsworkspacesfrompackage.json), but this repo’s commitlint config still extends@commitlint/config-workspace-scopes. That will makescope-enumeffectively reject any scoped commits and can break the commitlint CI job / local hooks.
Either keep a workspaces array in the root package.json for config-workspace-scopes, or switch the root commitlint config to a pnpm-aware preset (e.g. @commitlint/config-pnpm-scopes).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+212
to
+215
| pnpm install | ||
| pnpm build # run build tasks | ||
| pnpm start # run tests, again on change | ||
| node @commitlint/cli/lib/cli.js # run CLI |
There was a problem hiding this comment.
The PR description says commitlint invocation was switched to pnpm exec commitlint, but this documentation now uses node @commitlint/cli/lib/cli.js. Please either update the docs to use the intended pnpm-based invocation (e.g. pnpm --filter @commitlint/cli exec commitlint ...) or adjust the PR description/approach so they match.
Comment on lines
+45
to
+50
| pnpm --version | ||
| node @commitlint/cli/lib/cli.js --version | ||
|
|
||
| - name: Validate current commit (last commit) with commitlint | ||
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
| run: yarn commitlint --last --verbose | ||
| run: node @commitlint/cli/lib/cli.js --last --verbose |
There was a problem hiding this comment.
The workflow now runs commitlint via node @commitlint/cli/lib/cli.js, but the PR description states the repo should use pnpm exec commitlint to avoid relying on hoisting. Please align the workflow with that approach (for example by using pnpm --filter @commitlint/cli exec commitlint ... or by adding @commitlint/cli to the workspace root and using pnpm exec commitlint) or update the PR description if the direct node .../lib/cli.js invocation is intentional.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Migrates the commitlint monorepo from Yarn Classic to pnpm as the package manager.
Why pnpm:
workspace:^protocolKey changes:
pnpm-workspace.yamlwith workspace configurationworkspace:^protocolpnpm/action-setup@v4@types/conventional-commits-parser(package provides own types)yarn.lockand.yarnrc.mise.tomlSupply chain hardening:
shamefully-hoist— restores pnpm's strict dependency isolation so transitive deps can't be accessed by packagesthat don't declare them
ignore-scripts=truewith an explicit allowlist (allowed-scripts.json) — blocks the most common supply chainattack vector (malicious postinstall scripts)
pnpm audit --audit-level=highto CI — catches known vulnerabilities on every push and on the daily scheduled runpnpm exec commitlintfor binary invocation (no more reliance on hoisting)