Switch from yarn@1.22.22 to pnpm@11.0.8

[karlhorky]

Switch from yarn@1.22.22 to pnpm@11.0.8, as per #945 (comment).

This also pins @types/node@22.9.0, matching the version previously resolved through yarn.lock. Without the pin, pnpm resolves @types/node@25.6.0, which TypeScript 4.9 cannot check. The observed diagnostics:

• error TS1165: A computed property name in an ambient context must refer to an expression whose type is a literal type or a 'unique symbol' type
• error TS2339: Property 'dispose' does not exist on type 'SymbolConstructor'
• error TS2726: Cannot find lib definition for 'esnext.disposable'

Install pnpm via the methods on the installation page:

• https://pnpm.io/installation

TODO:

• Delete yarn.lock
• Generate pnpm-lock.yaml
• Update package scripts from Yarn commands to pnpm commands
• Update GitHub Actions from Yarn commands to pnpm commands
• Update contributor docs from Yarn commands to pnpm commands
• Remove the README install example with Yarn
• Update CI from Node 18 to Node 22 for pnpm 11 compatibility
• Enable pnpm dependency caching in CI
• Pin devEngines.packageManager to pnpm@11.0.8
• Pin @types/node@22.9.0
• Verify dependencies before scripts with verifyDepsBeforeRun: error
• Declare the root workspace package with packages: ['.']
• Block packages newer than seven days with minimumReleaseAge: 10080
• Apply release-age checks strictly with minimumReleaseAgeStrict: true
• Treat missing publish times as unsafe with minimumReleaseAgeIgnoreMissingTime: false
• Prevent trust downgrades with trustPolicy: no-downgrade
• Allow the trust-policy exception eslint-config-prettier@8.10.2
• Allow the trust-policy exception eslint-plugin-prettier@4.2.5
• Allow the trust-policy exception semver@5.7.2 || 6.3.1
• Allow the trust-policy exception undici-types@6.19.8
• Block exotic subdependencies with blockExoticSubdeps: true

Summary by CodeRabbit

• Chores

  • Updated CI and project tooling to Node.js 22.x.
  • Migrated package management from Yarn to pnpm across CI, scripts, and project config.
  • Added a pnpm workspace with stricter dependency and verification policies.
  • Updated developer scripts and bumped dev tooling/type dependency versions.

• Documentation

  • Updated install and contribution instructions to reflect pnpm and Node.js 22.x.

[karlhorky]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Migrate CI and project configuration from Yarn to pnpm and upgrade Node.js targets to 22.x; update package scripts, add a pnpm workspace config, and adjust CONTRIBUTING/README instructions.

Changes

Package Manager and Node.js Migration

Layer / File(s)	Summary
Node.js 22 and dependency updates .github/workflows/coveralls.yaml, .github/workflows/webpack.yaml, package.json	Node.js version updated from 18.x to 22.x in CI matrices; @types/node bumped to 22.9.0.
pnpm workspace and package manager configuration pnpm-workspace.yaml, package.json	Added pnpm-workspace.yaml with strict pnpm settings and migrated package.json scripts and devEngines.packageManager from yarn to pnpm.
GitHub Actions workflow pnpm integration .github/workflows/coveralls.yaml, .github/workflows/webpack.yaml	Coveralls and webpack workflows now set up pnpm/action-setup@v6, enable pnpm caching via actions/setup-node@v4, install with pnpm install --ignore-scripts, and run CI steps via pnpm run ....
Contributor and user documentation CONTRIBUTING.md, README.md	CONTRIBUTING.md replaced yarn instructions with pnpm equivalents; README consolidated install snippet to a single npm install line noting alternatives (yarn/pnpm/bun).

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant PnpmSetup as pnpm/action-setup@v6
  participant SetupNode as actions/setup-node@v4
  participant Runner
  GitHubActions->>PnpmSetup: install pnpm (version from package.json)
  GitHubActions->>SetupNode: configure Node 22.x + cache: pnpm
  Runner->>Runner: pnpm install --ignore-scripts
  Runner->>Runner: pnpm run lint / pnpm run test -- --coverage / pnpm run build / pnpm run ts:check

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 From Yarn to pnpm I bound and cheer,
Node twenty-two now leads the year,
CI swaps scripts for speedy runs,
Workspace rules keep builds well-spun,
I hop, I nibble, change is near!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title directly and precisely describes the main change: migrating the project's package manager from yarn to pnpm with specific versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch switch-from-yarn-v1-to-pnpm-v11

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[karlhorky]

Node.js 18 and 20 are EOL

[Copilot]

Pull request overview

Switches the project’s development package manager from Yarn Classic to pnpm, updating docs, scripts, CI, and pnpm workspace/security configuration.

Changes:

• Replaces Yarn commands with pnpm commands in scripts, docs, and GitHub Actions.
• Adds pnpm workspace configuration and pnpm lockfile.
• Pins @types/node and updates CI to Node 22 with pnpm caching/Corepack.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
README.md	Updates install example from Yarn to pnpm.
CONTRIBUTING.md	Updates contributor setup, test, and release commands to pnpm.
package.json	Converts scripts to pnpm and pins pnpm/@types/node metadata.
pnpm-workspace.yaml	Adds pnpm workspace and security-related settings.
pnpm-lock.yaml	Adds pnpm dependency lockfile.
yarn.lock	Removes legacy Yarn lockfile.
.github/workflows/webpack.yaml	Updates PR CI workflow to Node 22 and pnpm.
.github/workflows/coveralls.yaml	Updates coverage workflow to Node 22 and pnpm.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/coveralls.yaml:
- Line 18: The CI job step using the pnpm/action-setup action (the step that
currently references "pnpm/action-setup@v6") should explicitly pin the pnpm
version via the action input to avoid the resolution bug; update that workflow
step to include a with: version: 11.0.8 (matching devEngines.packageManager) so
the action always installs pnpm 11.0.8 instead of relying on the action's
bootstrap resolution.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2015d31c-949c-4022-9627-680b0483090c

📥 Commits

Reviewing files that changed from the base of the PR and between f03823a and 2f7e7a9.

📒 Files selected for processing (4)

• .github/workflows/coveralls.yaml
• .github/workflows/webpack.yaml
• README.md
• pnpm-workspace.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/webpack.yaml
• README.md
• pnpm-workspace.yaml

[nene]

In general I'm all good with this.

The single showstopper for me is the pmOnFail issue. If we could just add to the config file:

pmOnFail: download

Then I would be fine with merging this. Even when this gets fixed in pnpm, the old pnpm versions with this issue will still be around for a while, troubling people who would like to check out this library.

[karlhorky]

@nene Good point, I forgot that I wanted to add that as a workaround - done:

• dcee63f

[nene]

Awesome.