chore: migrate to pnpm and enable minimum release age#883
Open
chore: migrate to pnpm and enable minimum release age#883
Conversation
Migrates apify-client-js from npm workspaces to pnpm workspaces and adds a 1-day minimum release age supply-chain guard at the package manager layer (pnpm-workspace.yaml) and at the Renovate layer. Internal `@apify/*` and `@crawlee/*` packages are whitelisted at both layers. The website/ directory becomes a proper workspace (previously had its own lockfile). Single root lockfile now. Notable changes: - package.json: set packageManager to pnpm@10.24.0; "npm run X" -> "pnpm X" in scripts - pnpm-workspace.yaml: packages [website], release-age settings - .npmrc: node-linker=hoisted, link-workspace-packages=true, prefer-workspace-packages=true, public-hoist-pattern[]=* (kept the pre-existing legacy-peer-deps=true) - website/package.json: add "name": "apify-client-website" so pnpm recognises it as a workspace; "npm run" -> "pnpm" in scripts - website/docusaurus.config.js: rename future.experimental_faster -> future.faster (renamed in Docusaurus 3.10, which is what pnpm resolves from the ^3.8.1 range; npm previously resolved 3.9.x via --force) - New .github/actions/pnpm-install composite action (cached pnpm store, keyed by year-month + lockfile hash — pattern from apify/apify-cli#1068) - All 5 CI workflows (check, docs, publish_to_npm, release, pre_release) use the composite; npm/npx/`npm version` -> pnpm equivalents. docs workflow's `npm update @apify/docs-theme` becomes `pnpm --filter apify-client-website update @apify/docs-theme`. publish uses `pnpm publish --tag X --no-git-checks`. - renovate.json: add minimumReleaseAge "1 day", internalChecksFilter "strict", @apify/* + @crawlee/* whitelist; drop old npm constraint - Both package-lock.json files deleted; single pnpm-lock.yaml Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
B4nan
force-pushed
the
chore/migrate-to-pnpm
branch
from
827f25c to
d762cd0
Compare
github-actions
bot
added
the
t-tooling
pnpm hoists @apify/docs-theme to root node_modules, not website/node_modules. Using require.resolve makes the staticDirectories path work under both npm (nested) and pnpm (hoisted) layouts.
pnpm 10's build script approval via onlyBuiltDependencies isn't reliably downloading Chrome in CI. Run the explicit command instead.
Replaces the local .github/actions/pnpm-install composite copy with the shared one from apify/workflows@main. Identical behavior, less duplication.
…m release-age gate
Silences npm warnings about unknown options like node-linker; pnpm reads the same keys from pnpm-workspace.yaml in camelCase form.
Block accidental npm/yarn install — npm 10.5+ and pnpm 10.x both honor devEngines.packageManager and refuse to run when it doesn't match.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… with pnpm-workspace exclusions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
devEngines.packageManager breaks pnpm commands that delegate to npm (pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow approach instead (same as Vite, Vue, Astro).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Part of the org-wide supply-chain hardening + pnpm migration. Migrates apify-client-js from npm workspaces to pnpm workspaces and adds a 1-day minimum release age guard at two layers:
minimumReleaseAge: 1440inpnpm-workspace.yamlblocks installs of versions < 1 day oldminimumReleaseAge: "1 day"delays PR creation@apify/*and@crawlee/*excluded at both layersThe website/ directory becomes a proper workspace (previously had its own
package-lock.json). Single root lockfile now.Changes
package.json:packageManager→pnpm@10.24.0;npm run X→pnpm Xpnpm-workspace.yaml:packages: [website]+ release age settings.npmrc:node-linker=hoisted,link-workspace-packages=true,prefer-workspace-packages=true,public-hoist-pattern[]=*(kept pre-existinglegacy-peer-deps=true)website/package.json: add"name": "apify-client-website"so pnpm recognises the workspace;npm run→pnpmwebsite/docusaurus.config.js: renamefuture.experimental_faster→future.faster. Docusaurus 3.10 renamed the key, and that's what pnpm resolves from the^3.8.1range (npm previously resolved 3.9.x via--force)..github/actions/pnpm-installcomposite action (cached pnpm store, year-month + lockfile hash key — pattern from chore: move to pnpm from yarn apify-cli#1068)check,docs,publish_to_npm,release,pre_release) use the composite;npm→pnpmeverywhere.publishswitches topnpm publish --no-git-checks.renovate.json:minimumReleaseAge: "1 day",internalChecksFilter: "strict",@apify/*+@crawlee/*whitelist; drop old npm constraintpackage-lock.jsonfiles deleted; single rootpnpm-lock.yaml🤖 Generated with Claude Code