Skip to content

🔒 Migrate JavaScript installs to pnpm#276

Merged
Robdel12 merged 3 commits into
mainfrom
rd/migrate-to-pnpm
May 25, 2026
Merged

🔒 Migrate JavaScript installs to pnpm#276
Robdel12 merged 3 commits into
mainfrom
rd/migrate-to-pnpm

Conversation

@Robdel12
Copy link
Copy Markdown
Contributor

@Robdel12 Robdel12 commented May 25, 2026

Why

Move this repo to a single pnpm workspace lockfile and add stronger dependency-supply-chain controls after the Dependabot churn.

What changed

  • Replaced npm lockfiles with one pnpm workspace lockfile.
  • Added pnpm 11.3.0 via packageManager and migrated CI/dev scripts to frozen pnpm installs.
  • Added pnpm minimum release age settings with a one-off exact exception for @vizzly-testing/honeydiff@0.10.3.
  • Added explicit build-script allowlists for canvas, esbuild, node-pty, and odiff-bin.
  • Added Dependabot cooldowns for npm ecosystem updates.
  • Added pnpm overrides for @babel/runtime, ws, and uuid to clear moderate audit findings.

Verification

  • npx pnpm@11.3.0 install --frozen-lockfile
  • npx pnpm@11.3.0 audit --audit-level=moderate (passes; 3 low findings remain)
  • npx pnpm@11.3.0 run build
  • npx pnpm@11.3.0 run format:check
  • npx pnpm@11.3.0 run lint
  • npx pnpm@11.3.0 run test:types
  • npx pnpm@11.3.0 test
  • npx pnpm@11.3.0 run test:reporter
  • git diff --check

Docker TUI build was attempted, but Docker stalled on node:22-slim metadata resolution before reaching our Dockerfile steps.

@Robdel12
🔒 Migrate JavaScript installs to pnpm
dc3bd9e 
Replace npm lockfiles with a pnpm workspace lockfile, add dependency cooldowns and pnpm supply-chain guards, and move CI/dev workflows onto frozen pnpm installs.

Keep the Vizzly-controlled honeydiff maturity bypass as a one-off exact version exception instead of a blanket scope exception.
@vizzly-testing

This comment has been minimized.

Sign in to view
@Robdel12
📝 Update docs for pnpm workflows
73dcfc1 
Move repo docs, SDK dev docs, CLI help examples, reporter snippets, and test fixtures from npm/npx commands to pnpm equivalents.

Keep npm references only where they describe the npm registry, publish/version release steps, compatibility history, or package-lock handling for user projects.
@vizzly-testing

This comment has been minimized.

Sign in to view
@Robdel12
🐛 Fix Ember pnpm build arguments
a465584 
pnpm does not need npm's extra argument separator here. Passing -- --mode development made Vite receive a literal -- and build the Ember test app in production mode, which omitted testem.js and caused CI to time out.
@vizzly-testing
Copy link
Copy Markdown

vizzly-testing Bot commented May 25, 2026
edited
Loading

Vizzly - Visual Test Results

CLI Reporter - Approved

19 comparisons approved.

Review changes

CLI TUI - Approved

5 comparisons, no changes detected.

View build

rd/migrate-to-pnpm · a465584c

@Robdel12 Robdel12 merged commit a43b746 into main May 25, 2026
37 checks passed
@Robdel12 Robdel12 deleted the rd/migrate-to-pnpm branch May 25, 2026 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Robdel12