feat: Upgrade pnpm to 11.5 and Node to use 24.16#896

Merged
kingston merged 7 commits into main from kingston/eng-1163-upgrade-pnpm-to-115-and-node-to-use-24160 on Jun 1, 2026
Conversation

@kingston kingston commented Jun 1, 2026

Collaborator

Summary by CodeRabbit

  • Chores
    • Updated Node.js from 24.14.0 to 24.16.0
    • Updated pnpm from 10.33.0 to 11.5.0
    • Updated tsx from 4.20.6 to 4.22.3
    • Disabled pnpm strict dependency builds configuration

changeset-bot Bot commented Jun 1, 2026

🦋 Changeset detected

Latest commit: cda26eb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 24 packages
Name Type
@baseplate-dev/sync Patch
@baseplate-dev/project-builder-dev Patch
@baseplate-dev/core-generators Patch
@baseplate-dev/fastify-generators Patch
@baseplate-dev/create-project Patch
@baseplate-dev/project-builder-common Patch
@baseplate-dev/project-builder-lib Patch
@baseplate-dev/project-builder-server Patch
@baseplate-dev/react-generators Patch
@baseplate-dev/plugin-ai Patch
@baseplate-dev/plugin-auth Patch
@baseplate-dev/plugin-email Patch
@baseplate-dev/plugin-observability Patch
@baseplate-dev/plugin-payments Patch
@baseplate-dev/plugin-queue Patch
@baseplate-dev/plugin-rate-limit Patch
@baseplate-dev/plugin-storage Patch
@baseplate-dev/project-builder-test Patch
@baseplate-dev/project-builder-cli Patch
@baseplate-dev/project-builder-web Patch
@baseplate-dev/code-morph Patch
@baseplate-dev/tools Patch
@baseplate-dev/ui-components Patch
@baseplate-dev/utils Patch

coderabbitai Bot commented Jun 1, 2026

Walkthrough

Node.js, pnpm, and tsx are upgraded across all project configurations and generated examples. Environment variables in command execution and e2e test runners disable pnpm's strictDepBuilds behavior, and a workspace-level allowBuilds configuration prevents builds for specific native packages. A test helper is hardened to detect incomplete CodeMirror syntax trees.

Changes

Toolchain Upgrades and Build Configuration

  • Toolchain version constants and release documentation
    • Files: .changeset/upgrade-pnpm-node.md, .changeset/upgrade-tsx.md, packages/core-generators/src/constants/node.ts, packages/fastify-generators/src/constants/fastify-packages.ts
    • Summary: Changesets document patch-level releases for version upgrades. NODE_VERSION and PNPM_VERSION constants are bumped to 24.16.0 and 11.5.0; FASTIFY_PACKAGES catalog entry for tsx is updated to 4.22.3.
  • Configuration and manifest version pins
    • Files: .node-version, .nvmrc, mise.toml, package.json, examples/blog-with-auth/package.json, examples/blog-with-auth/apps/admin/package.json, examples/blog-with-auth/apps/backend/package.json, examples/blog-with-auth/libs/transactional/package.json, examples/todo-with-better-auth/package.json, examples/todo-with-better-auth/apps/admin/package.json, examples/todo-with-better-auth/apps/backend/package.json, examples/todo-with-better-auth/apps/web/package.json, examples/todo-with-better-auth/libs/transactional/package.json
    • Summary: All runtime tool version constraints updated: engines.node to ^24.16.0, engines.pnpm to ^11.5.0, packageManager to pnpm@11.5.0, and volta pins to 24.16.0 and 11.5.0. tsx devDependencies updated to 4.22.3 in backend packages.
  • Docker images and example documentation
    • Files: examples/blog-with-auth/Dockerfile, examples/todo-with-better-auth/Dockerfile, examples/todo-with-better-auth/CLAUDE.md
    • Summary: Docker base images updated to node:24.16.0-alpine. Project documentation Volta pin updated to 24.16.0.
  • pnpm strictDepBuilds workaround in installation environments
    • Files: .changeset/disable-strict-dep-builds-install.md, packages/sync/src/utils/exec.ts, packages/project-builder-dev/src/e2e-runner/environment.ts, pnpm-workspace.yaml
    • Summary: Changeset documents disabling strictDepBuilds for generated project installs. executeCommand in sync and getBaseEnv() in project-builder-dev both set pnpm_config_strict_dep_builds: 'false' to prevent install failures from unreviewed dependency build scripts. Workspace allowBuilds block disables package builds for @prisma/engines, cpu-features, esbuild, protobufjs, ssh2, and unrs-resolver.
  • CodeMirror syntax tree parsing reliability
    • Files: packages/project-builder-web/src/routes/data/models/edit.$key/-components/authorizer/authorizer-expression-autocomplete.unit.test.ts
    • Summary: Test helper createState validates ensureSyntaxTree return value and throws on incomplete parsing (30,000 ms budget) to prevent flaky failures caused by partial syntax trees.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • halfdomelabs/baseplate#872: Also modifies packages/project-builder-dev/src/e2e-runner/environment.ts to restructure environment variable handling for spawned commands.
  • halfdomelabs/baseplate#679: Updates pnpm and Node version metadata in packages/core-generators/src/constants/node.ts and generated package.json engine constraints.
  • halfdomelabs/baseplate#440: Also bumps tsx version in packages/fastify-generators/src/constants/fastify-packages.ts and pnpm-workspace.yaml catalog.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main changes: upgrading pnpm to version 11.5 and Node to version 24.16, which aligns with the primary focus of the changeset across all files.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

socket-security Bot commented Jun 1, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@tanstack/router-plugin@1.159.5, npm/@graphql-codegen/cli@7.1.0, npm/@graphql-eslint/eslint-plugin@4.4.0, npm/eslint-plugin-react-hooks@7.0.1, npm/eslint-plugin-unicorn@62.0.0, npm/caniuse-lite@1.0.30001769

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001769. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm ioredis is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: examples/todo-with-better-auth/apps/backend/baseplate/generated/package.json, npm/ioredis@5.8.1

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/body

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/body@0.2.1

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/body@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/button

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/button@0.2.1

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/button@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/code-block

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/code-block@0.2.1

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/code-block@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/code-inline

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/code-inline@0.0.6

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/code-inline@0.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/column

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/column@0.0.14

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/column@0.0.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/components

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/libs/transactional/baseplate/generated/package.json, npm/@react-email/components@1.0.3

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/components@1.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/container

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/container@0.0.16

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/container@0.0.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/font

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/font@0.0.10

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/font@0.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/head

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/head@0.0.13

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/head@0.0.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/heading

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/heading@0.0.16

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/heading@0.0.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/hr

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/hr@0.0.12

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/hr@0.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/html

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/html@0.0.12

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/html@0.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/img

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/img@0.0.12

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/img@0.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/link

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/link@0.0.13

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/link@0.0.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/markdown

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/markdown@0.0.18

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/markdown@0.0.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/preview

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/preview@0.0.14

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/preview@0.0.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/row

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/row@0.0.13

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/row@0.0.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/section

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/section@0.0.17

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/section@0.0.17. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/tailwind

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml, npm/@react-email/components@1.0.3, npm/@react-email/tailwind@2.0.3

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/tailwind@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @react-email/text

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: examples/todo-with-better-auth/pnpm-lock.yaml → npm/@react-email/components@1.0.3 → npm/@react-email/text@0.1.6


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-email/text@0.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm fast-wrap-ansi

Location: Package overview

From: examples/todo-with-better-auth/pnpm-lock.yaml → npm/@graphql-codegen/cli@7.1.0 → npm/fast-wrap-ansi@0.2.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


cloudflare-workers-and-pages Bot commented Jun 1, 2026


Deploying baseplate-storybook with Cloudflare Pages

Latest commit: d55cb5f
Status: ✅  Deploy successful!
Preview URL: https://694446aa.baseplate-storybook.pages.dev
Branch Preview URL: https://kingston-eng-1163-upgrade-pn.baseplate-storybook.pages.dev


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.changeset/disable-strict-dep-builds-install.md:
- Around line 6-8: Update the release-note sentence in the changelog
description: change the phrase "so generation and e2e `pnpm install` do not
fail" to use singular agreement (e.g., "so generation and e2e `pnpm install`
does not fail" or rephrase to "so generation and e2e installs do not fail") in
the line beginning with "Disable pnpm strictDepBuilds for Baseplate-run
installs..." to correct grammar.

In `@pnpm-workspace.yaml`:
- Around line 57-63: Remove the legacy ignoredBuiltDependencies block from
pnpm-workspace.yaml since pnpm v11 uses allowBuilds; locate the existing
ignoredBuiltDependencies key and its entries (the legacy block referenced
alongside the new allowBuilds) and delete that entire block so only the
allowBuilds configuration remains, ensuring there are no duplicate or stale
build-dependency settings left.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 36379221-9f18-442b-a5be-137096b76923

📥 Commits

Reviewing files that changed from the base of the PR and between db93095 and cda26eb.

⛔ Files ignored due to path filters (12)
  • examples/blog-with-auth/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/libs/transactional/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • examples/todo-with-better-auth/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/apps/web/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/libs/transactional/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (25)
  • .changeset/disable-strict-dep-builds-install.md
  • .changeset/upgrade-pnpm-node.md
  • .changeset/upgrade-tsx.md
  • .node-version
  • .nvmrc
  • examples/blog-with-auth/Dockerfile
  • examples/blog-with-auth/apps/admin/package.json
  • examples/blog-with-auth/apps/backend/package.json
  • examples/blog-with-auth/libs/transactional/package.json
  • examples/blog-with-auth/package.json
  • examples/todo-with-better-auth/CLAUDE.md
  • examples/todo-with-better-auth/Dockerfile
  • examples/todo-with-better-auth/apps/admin/package.json
  • examples/todo-with-better-auth/apps/backend/package.json
  • examples/todo-with-better-auth/apps/web/package.json
  • examples/todo-with-better-auth/libs/transactional/package.json
  • examples/todo-with-better-auth/package.json
  • mise.toml
  • package.json
  • packages/core-generators/src/constants/node.ts
  • packages/fastify-generators/src/constants/fastify-packages.ts
  • packages/project-builder-dev/src/e2e-runner/environment.ts
  • packages/project-builder-web/src/routes/data/models/edit.$key/-components/authorizer/authorizer-expression-autocomplete.unit.test.ts
  • packages/sync/src/utils/exec.ts
  • pnpm-workspace.yaml

Comment on lines +6 to +8
Disable pnpm strictDepBuilds for Baseplate-run installs so generation and e2e
`pnpm install` do not fail on unreviewed dependency build scripts in freshly
generated projects
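
Review bot: the changeset text on lines 6-8 says installs no longer fail on unreviewed dependency build scripts, but it does not say what happens to those scripts once strictDepBuilds is off. State whether they are skipped or run, and that the setting applies only to installs Baseplate itself starts, so a changelog reader can tell whether a generated project still needs its own build-script review.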


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix release-note grammar in the description.

Line 7 should use singular agreement: "pnpm install does not fail" (or "installs do not fail") for clarity in published changelog text.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.changeset/disable-strict-dep-builds-install.md around lines 6 - 8, Update
the release-note sentence in the changelog description: change the phrase "so
generation and e2e `pnpm install` do not fail" to use singular agreement (e.g.,
"so generation and e2e `pnpm install` does not fail" or rephrase to "so
generation and e2e installs do not fail") in the line beginning with "Disable
pnpm strictDepBuilds for Baseplate-run installs..." to correct grammar.

Comment thread pnpm-workspace.yaml
Comment on lines +57 to +63
allowBuilds:
'@prisma/engines': false
cpu-features: false
esbuild: false
protobufjs: false
ssh2: false
unrs-resolver: false
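
Review bot: every entry in this allowBuilds map is `false`, and nothing in the hunk records why each package's build script may be skipped. Add a short comment above the map or per entry giving the reason (for example next to `'@prisma/engines': false` and `esbuild: false`), so a later reader can tell a deliberate denial from a package nobody reviewed.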


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In pnpm 11.x settings docs, is `ignoredBuiltDependencies` removed and replaced by `allowBuilds`? Please cite the exact migration note.

💡 Result:

Yes, in pnpm 11.x, the ignoredBuiltDependencies setting has been removed and replaced by the allowBuilds setting [1][2][3]. The pnpm 11.0 release notes explicitly state the following regarding this migration: "allowBuilds replaces the legacy build-dependency settings. onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, ignoredBuiltDependencies, and ignoreDepScripts are gone." [3] Further, the official migration documentation provides this note: "Consolidates build-dependency settings into allowBuilds. onlyBuiltDependencies, neverBuiltDependencies, ignoredBuiltDependencies, and onlyBuiltDependenciesFile are merged into a single allowBuilds map ({ name: true | false })." [1] The new allowBuilds setting uses a map where the key is the package name (or pattern) and the value is a boolean (true to allow, false to disallow) [2][3]. To assist with this transition, pnpm provides a codemod command, which can be run via pnpx codemod run pnpm-v10-to-v11 [2].


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show the relevant section of pnpm-workspace.yaml around the referenced lines
if [ -f pnpm-workspace.yaml ]; then
  echo "=== pnpm-workspace.yaml (lines 20-80) ==="
  nl -ba pnpm-workspace.yaml | sed -n '20,80p'
else
  echo "pnpm-workspace.yaml not found in repo root"
  ls -la
fi

Repository: halfdomelabs/baseplate

Length of output: 169


🏁 Script executed:

#!/bin/bash
set -euo pipefail

if [ -f pnpm-workspace.yaml ]; then
  echo "=== pnpm-workspace.yaml (lines 20-80) ==="
  awk 'NR>=20 && NR<=80 {printf "%5d  %s\n", NR, $0}' pnpm-workspace.yaml
else
  echo "pnpm-workspace.yaml not found in repo root"
  ls -la
fi

echo "=== Search for ignoredBuiltDependencies and allowBuilds ==="
rg -n "ignoredBuiltDependencies|allowBuilds" pnpm-workspace.yaml || true

Repository: halfdomelabs/baseplate

Length of output: 1230


Remove legacy ignoredBuiltDependencies when migrating to pnpm v11 allowBuilds.

pnpm-workspace.yaml still contains ignoredBuiltDependencies (lines 31-38) alongside the new allowBuilds (lines 57-63). In pnpm 11.x, allowBuilds replaces the legacy build-dependency settings—“ignoredBuiltDependencies … are gone”—so keeping the old key leaves stale/invalid configuration.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` around lines 57 - 63, Remove the legacy
ignoredBuiltDependencies block from pnpm-workspace.yaml since pnpm v11 uses
allowBuilds; locate the existing ignoredBuiltDependencies key and its entries
(the legacy block referenced alongside the new allowBuilds) and delete that
entire block so only the allowBuilds configuration remains, ensuring there are
no duplicate or stale build-dependency settings left.
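
A CI-style check for the migration discussed in this review thread, as an added example that is not part of the PR or the Baseplate repository: it flags legacy build-dependency keys left in a `pnpm-workspace.yaml` and packages that were not carried over to `allowBuilds`. The true/false mapping of the legacy lists, the function names and the sample file are assumptions made for the example.

```javascript
// Legacy pnpm 10 settings named in the release notes quoted above, mapped to the
// allowBuilds value each implies (assumed mapping; null = no per-package value).
const LEGACY_KEYS = {
  onlyBuiltDependencies: 'true',
  neverBuiltDependencies: 'false',
  ignoredBuiltDependencies: 'false',
  onlyBuiltDependenciesFile: null, ignoreDepScripts: null,
};
const unquote = (s) => s.trim().replace(/^(['"])(.*)\1$/, '$2');

// Reads only the flat YAML subset these settings use: a top-level "key:" line
// followed by indented "- item" or "name: value" lines. Not a general parser.
function readTopLevelBlocks(yamlText) {
  const blocks = Object.create(null);
  let current = null;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '').trimEnd();
    const top = line.match(/^([^\s-][^:]*):/);
    if (top) {
      current = blocks[unquote(top[1])] = [];
    } else if (current && line.trim() !== '') {
      const entry = line.trim().replace(/^-\s+/, '');
      const [, name, value = null] = entry.match(/^(.+?)(?::\s*(.*))?$/);
      current.push({ name: unquote(name), value });
    }
  }
  return blocks;
}

// Returns findings: a legacy key still present, a package listed there but absent
// from allowBuilds, or one whose allowBuilds value contradicts the legacy list.
function auditBuildSettings(yamlText) {
  const blocks = readTopLevelBlocks(yamlText);
  const allow = new Map((blocks.allowBuilds ?? []).map((e) => [e.name, e.value]));
  const findings = [];
  for (const [key, expected] of Object.entries(LEGACY_KEYS)) {
    if (!(key in blocks)) continue;
    findings.push(`legacy-key ${key}`);
    for (const { name } of blocks[key]) {
      if (!allow.has(name)) findings.push(`not-migrated ${name}`);
      else if (expected && allow.get(name) !== expected) findings.push(`conflict ${name}`);
    }
  }
  return findings;
}

// Constructed sample (entries invented for the example, not the repo's file).
const SAMPLE = ['ignoredBuiltDependencies:', '  - esbuild', '  - example-native-addon',
  'onlyBuiltDependencies:', '  - ssh2', 'allowBuilds:', "  '@prisma/engines': false",
  '  esbuild: false', '  ssh2: false'].join('\n');
console.log(auditBuildSettings(SAMPLE));
```

To run it against a real file, pass the contents of `pnpm-workspace.yaml` read as UTF-8 text and fail the job when the returned array is non-empty.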

@kingston kingston merged commit f5ad6d2 into main Jun 1, 2026
13 checks passed
@kingston kingston deleted the kingston/eng-1163-upgrade-pnpm-to-115-and-node-to-use-24160 branch June 1, 2026 17:51
@github-actions github-actions Bot mentioned this pull request Jun 1, 2026