🔒 Migrate JavaScript installs to pnpm (#276)

## Why

Move this repo to a single pnpm workspace lockfile and add stronger
dependency-supply-chain controls after the Dependabot churn.

## What changed

- Replaced npm lockfiles with one pnpm workspace lockfile.
- Added pnpm 11.3.0 via packageManager and migrated CI/dev scripts to
frozen pnpm installs.
- Added pnpm minimum release age settings with a one-off exact exception
for @vizzly-testing/honeydiff@0.10.3.
- Added explicit build-script allowlists for canvas, esbuild, node-pty,
and odiff-bin.
- Added Dependabot cooldowns for npm ecosystem updates.
- Added pnpm overrides for @babel/runtime, ws, and uuid to clear
moderate audit findings.

## Verification

- npx pnpm@11.3.0 install --frozen-lockfile
- npx pnpm@11.3.0 audit --audit-level=moderate (passes; 3 low findings
remain)
- npx pnpm@11.3.0 run build
- npx pnpm@11.3.0 run format:check
- npx pnpm@11.3.0 run lint
- npx pnpm@11.3.0 run test:types
- npx pnpm@11.3.0 test
- npx pnpm@11.3.0 run test:reporter
- git diff --check

Docker TUI build was attempted, but Docker stalled on node:22-slim
metadata resolution before reaching our Dockerfile steps.

Author: Robdel12

.codex/config.toml

@@ -1,3 +1,3 @@
 [mcp_servers.playwright]
-args = ["@playwright/mcp@latest"]
-command = "npx"
+args = ["pnpm", "dlx", "@playwright/mcp@latest"]
+command = "corepack"

.github/dependabot.yml

@@ -20,5 +20,9 @@ updates:
         update-types:
           - "major"
     open-pull-requests-limit: 10
+    cooldown:
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 3
     reviewers:
-      - "@dependabot"
+      - "@dependabot"

.github/workflows/ci.yml

@@ -18,16 +18,18 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-          cache: 'npm'
+
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Run linter
-        run: npm run lint
+        run: pnpm run lint
 
       - name: Check formatting
-        run: npm run format:check
+        run: pnpm run format:check
 
   test:
     name: Test (Node ${{ matrix.node-version }})
@@ -46,21 +48,23 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
-        run: npm test
+        run: pnpm test
         env:
           CI: true
 
       - name: Build
-        run: npm run build
+        run: pnpm run build
 
       - name: Run type tests
-        run: npm run test:types
+        run: pnpm run test:types
 
   check:
     name: CI Status

.github/workflows/release-beta.yml

@@ -37,14 +37,16 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '22'
-          cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Configure git
         run: |

.github/workflows/release-ember-client.yml

@@ -41,6 +41,9 @@ jobs:
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Configure git
         run: |
           git config --local user.email "${{ secrets.GIT_USER_EMAIL }}"
@@ -111,15 +114,15 @@ jobs:
 
       - name: Install dependencies
         working-directory: ./clients/ember
-        run: npm install
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
         working-directory: ./clients/ember
-        run: npm test
+        run: pnpm test
 
       - name: Run linter
         working-directory: ./clients/ember
-        run: npm run lint
+        run: pnpm run lint
 
       - name: Update CHANGELOG.md
         working-directory: ./clients/ember

.github/workflows/release-static-site-client.yml

@@ -36,6 +36,9 @@ jobs:
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Configure git
         run: |
           git config --local user.email "${{ secrets.GIT_USER_EMAIL }}"
@@ -102,15 +105,15 @@ jobs:
 
       - name: Install dependencies
         working-directory: ./clients/static-site
-        run: npm install
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
         working-directory: ./clients/static-site
-        run: npm test
+        run: pnpm test
 
       - name: Run linter
         working-directory: ./clients/static-site
-        run: npm run lint
+        run: pnpm run lint
 
       - name: Update CHANGELOG.md
         working-directory: ./clients/static-site
@@ -160,7 +163,7 @@ jobs:
 
       - name: Build package
         working-directory: ./clients/static-site
-        run: npm run build
+        run: pnpm run build
 
       - name: Reconfigure git auth
         run: |

.github/workflows/release-storybook-client.yml

@@ -31,12 +31,14 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '22'
-          cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Configure git
         run: |
           git config --local user.email "${{ secrets.GIT_USER_EMAIL }}"
@@ -103,15 +105,15 @@ jobs:
 
       - name: Install dependencies
         working-directory: ./clients/storybook
-        run: npm install
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
         working-directory: ./clients/storybook
-        run: npm test
+        run: pnpm test
 
       - name: Run linter
         working-directory: ./clients/storybook
-        run: npm run lint
+        run: pnpm run lint
 
       - name: Update CHANGELOG.md
         working-directory: ./clients/storybook
@@ -145,7 +147,7 @@ jobs:
 
       - name: Build package
         working-directory: ./clients/storybook
-        run: npm run build
+        run: pnpm run build
 
       - name: Reconfigure git auth
         run: |

.github/workflows/release-vitest-client.yml

@@ -36,6 +36,9 @@ jobs:
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Configure git
         run: |
           git config --local user.email "${{ secrets.GIT_USER_EMAIL }}"
@@ -102,15 +105,15 @@ jobs:
 
       - name: Install dependencies
         working-directory: ./clients/vitest
-        run: npm install
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
         working-directory: ./clients/vitest
-        run: npm run test:unit
+        run: pnpm run test:unit
 
       - name: Run linter
         working-directory: ./clients/vitest
-        run: npm run lint
+        run: pnpm run lint
 
       - name: Update CHANGELOG.md
         working-directory: ./clients/vitest

.github/workflows/release.yml

@@ -32,14 +32,16 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '22'
-          cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: npm install -g npm@11.5.1
 
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
+
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Configure git
         run: |
@@ -59,7 +61,7 @@ jobs:
           echo "package_version=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
 
           if [ "${{ github.event.inputs.version_type }}" != "current" ]; then
-            git add package.json package-lock.json
+            git add package.json pnpm-lock.yaml
             git commit -m "🔖 v$PACKAGE_VERSION"
           fi
 

.github/workflows/reporter.yml

@@ -19,17 +19,19 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-          cache: 'npm'
+
+      - name: Install pnpm
+        run: corepack enable && corepack prepare pnpm@11.3.0 --activate
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
       - name: Build
-        run: npm run build
+        run: pnpm run build
 
       - name: Get installed Playwright version
         id: playwright-version
-        run: echo "version=$(npx playwright --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')" >> $GITHUB_OUTPUT
+        run: echo "version=$(pnpm exec playwright --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')" >> $GITHUB_OUTPUT
 
       - name: Cache Playwright browsers
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
@@ -40,10 +42,10 @@ jobs:
 
       - name: Install Playwright browsers
         if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: npx playwright install firefox --with-deps
+        run: pnpm exec playwright install firefox --with-deps
 
       - name: Run reporter visual tests
-        run: npm run test:reporter:visual
+        run: pnpm run test:reporter:visual
         env:
           CI: true
           VIZZLY_TOKEN: ${{ secrets.VIZZLY_REPORTER_TOKEN }}