Upgrade pnpm 9 → 10 with supply chain security hardening (cloudflare#13148)

penalosa · web-flow · commit db9ebd55b08a · 2026-04-01T17:00:18.000+01:00
diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml
@@ -18,8 +18,6 @@ runs:
   steps:
     - name: Install pnpm
       uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
-      with:
-        version: 9.12.0
 
     - name: Install Node.js ${{ inputs.node-version }}
       uses: actions/setup-node@v4
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
@@ -23,8 +23,6 @@ jobs:
 
       - name: Install pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
-        with:
-          version: 9.12.0
 
       - name: Install Dependencies
         run: pnpm i -F tools --frozen-lockfile
diff --git a/.github/workflows/c3-e2e.yml b/.github/workflows/c3-e2e.yml
@@ -22,15 +22,15 @@ jobs:
         filter: ["cli", "workers", "frameworks"]
         os: [{ name: ubuntu-latest, description: Linux }]
         pm:
-          - { name: pnpm, version: "9.12.0" }
+          - { name: pnpm, version: "10.33.0" }
           - { name: npm, version: "0.0.0" }
           # The yarn tests keep failing on Linux with out of space errors, with no clear reason why. Disabling for now.
           # - { name: yarn, version: "1.0.0" }
         include:
           - os: { name: windows-latest, description: Windows }
-            pm: { name: pnpm, version: "9.12.0" }
+            pm: { name: pnpm, version: "10.33.0" }
           - os: { name: ubuntu-latest, description: Linux }
-            pm: { name: pnpm, version: "9.12.0" }
+            pm: { name: pnpm, version: "10.33.0" }
             experimental: true
     runs-on: ${{ matrix.os.name }}
     steps:
diff --git a/.npmrc b/.npmrc
diff --git a/package.json b/package.json
@@ -54,39 +54,12 @@
 		"vitest": "catalog:default"
 	},
 	"engines": {
-		"node": ">=18.20.0",
-		"pnpm": "^9.12.0"
+		"node": ">=20.0.0",
+		"pnpm": "^10.33.0"
 	},
 	"volta": {
 		"node": "20.19.3",
-		"pnpm": "9.12.0"
+		"pnpm": "10.33.0"
 	},
-	"packageManager": "pnpm@9.12.0",
-	"pnpm": {
-		"peerDependencyRules": {
-			"allowedVersions": {
-				"react": "18",
-				"react-dom": "18",
-				"@types/react": "18",
-				"@types/react-dom": "18"
-			}
-		},
-		"overrides": {
-			"@types/react-dom@18>@types/react": "^18",
-			"@types/react-tabs>@types/react": "^18",
-			"@types/react-transition-group>@types/react": "^18",
-			"@cloudflare/elements>@types/react": "^18",
-			"@types/node": "$@types/node",
-			"@types/node>undici-types": "catalog:default"
-		},
-		"patchedDependencies": {
-			"@cloudflare/component-listbox@1.10.6": "patches/@cloudflare__component-listbox@1.10.6.patch",
-			"toucan-js@4.0.0": "patches/toucan-js@4.0.0.patch",
-			"postal-mime": "patches/postal-mime.patch",
-			"youch@4.1.0-beta.10": "patches/youch@4.1.0-beta.10.patch",
-			"@netlify/build-info": "patches/@netlify__build-info.patch",
-			"buffer-equal-constant-time@1.0.1": "patches/buffer-equal-constant-time@1.0.1.patch",
-			"undici@7.24.4": "patches/undici@7.24.4.patch"
-		}
-	}
+	"packageManager": "pnpm@10.33.0"
 }
diff --git a/packages/vitest-pool-workers/test/global-setup.ts b/packages/vitest-pool-workers/test/global-setup.ts
@@ -55,6 +55,13 @@ async function createTestProject() {
 		},
 	};
 	await fs.writeFile(packageJsonPath, JSON.stringify(packageJson));
+	// pnpm 10 blocks lifecycle scripts by default. The transitive deps
+	// (workerd, esbuild) need their postinstall to download platform binaries.
+	const workspaceYamlPath = path.join(projectPath, "pnpm-workspace.yaml");
+	await fs.writeFile(
+		workspaceYamlPath,
+		["allowBuilds:", "  esbuild: true", "  workerd: true", ""].join("\n")
+	);
 	return projectPath;
 }
 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -15,6 +15,72 @@ packages:
 # Node update         | Every 2 years | Bump node dependency in workers-sdk
 # Quick Editor update | Every quarter | Update VSCode dependency and patches
 
+# ──────────────────────────────────────────────────────────────────────────────
+# Settings (migrated from .npmrc in pnpm 10)
+# ──────────────────────────────────────────────────────────────────────────────
+
+gitChecks: false
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Supply chain security
+# See: https://pnpm.io/supply-chain-security
+# ──────────────────────────────────────────────────────────────────────────────
+
+# Prevent transitive dependencies from pulling code from git repos or tarball
+# URLs. Only direct dependencies may use exotic sources.
+blockExoticSubdeps: true
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Build scripts
+# pnpm 10 blocks lifecycle scripts by default. Only the packages listed here
+# are allowed to run install/postinstall scripts.
+# ──────────────────────────────────────────────────────────────────────────────
+
+allowBuilds:
+  esbuild: true
+  workerd: true
+  sharp: true
+  playwright-chromium: true
+  prisma: true
+  # Explicitly silence warnings for packages whose postinstall scripts are not
+  # required for correct operation.
+  protobufjs: false # version-scheme diagnostic warning only
+  msw: false # copies mockServiceWorker.js to msw.workerDirectory — unused in this repo
+  core-js: false # telemetry
+  core-js-pure: false # telemetry
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Dependency resolution (migrated from package.json "pnpm" field in pnpm 10)
+# ──────────────────────────────────────────────────────────────────────────────
+
+overrides:
+  "@types/react-dom@18>@types/react": "^18"
+  "@types/react-tabs>@types/react": "^18"
+  "@types/react-transition-group>@types/react": "^18"
+  "@cloudflare/elements>@types/react": "^18"
+  "@types/node": "$@types/node"
+  "@types/node>undici-types": "catalog:default"
+
+peerDependencyRules:
+  allowedVersions:
+    react: "18"
+    react-dom: "18"
+    "@types/react": "18"
+    "@types/react-dom": "18"
+
+patchedDependencies:
+  "@cloudflare/component-listbox@1.10.6": "patches/@cloudflare__component-listbox@1.10.6.patch"
+  "toucan-js@4.0.0": "patches/toucan-js@4.0.0.patch"
+  "postal-mime": "patches/postal-mime.patch"
+  "youch@4.1.0-beta.10": "patches/youch@4.1.0-beta.10.patch"
+  "@netlify/build-info": "patches/@netlify__build-info.patch"
+  "buffer-equal-constant-time@1.0.1": "patches/buffer-equal-constant-time@1.0.1.patch"
+  "undici@7.24.4": "patches/undici@7.24.4.patch"
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Catalog
+# ──────────────────────────────────────────────────────────────────────────────
+
 catalog:
   "@hey-api/openapi-ts": "^0.94.0"
   "@types/node": "^22.10.1"
@@ -36,7 +102,7 @@ catalog:
   workerd: "1.20260401.1"
   jsonc-parser: "^3.2.0"
   smol-toml: "^1.5.2"
-  msw: "2.12.4"
+  msw: 2.12.4
   "tree-kill": "^1.2.2"
   "capnp-es": "^0.0.14"
   "capnweb": "^0.5.0"
