[HOTE-803] feat: pnpm package manager

[mikeeq]

Description

Context

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[Copilot]

Pull request overview

This PR is a WIP that experiments with moving installs/CI commands to pnpm, while also improving WireMock-based NHS Login test stubs by making JWT issuer configurable and preventing stale JWKS caching via unique kids per run.

Changes:

• Add a per-process nonce to JWT kid values to force JWKS re-fetches between runs.
• Introduce WIREMOCK_JWT_ISSUER wiring through test config, global setup, and the WireMock mapping push script.
• Update local/CI tooling: switch install + Playwright commands to pnpm, add pnpm to mise tooling, and bump Postgres images to 17.9.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/utils/users/wiremockAuthMappings.ts	Appends a per-run nonce to kid to avoid serving stale cached JWKS keys.
tests/scripts/push-wiremock-mappings.ts	Adds WIREMOCK_JWT_ISSUER support and uses shared OS Places mapping helper.
tests/global-setup.ts	Uses configured JWT issuer when generating WireMock auth/userinfo mappings.
tests/configuration/EnvironmentVariables.ts	Adds WIREMOCK_JWT_ISSUER env var.
tests/configuration/EnvironmentConfiguration.ts	Adds wiremockJwtIssuer to config with env overrides.
package.json	Switches postinstall/start to pnpm-based installs/commands.
.github/actions/init-mise/action.yaml	Switches caching/install flow to pnpm store.
.github/workflows/playwright-e2e.yaml	Uses pnpm exec playwright ... and starts app via pnpm script.
.mise.toml	Adds pnpm tool and changes install task to pnpm install --frozen-lockfile.
mise.lock	Adds pnpm tool lock entry and updates locked tool metadata.
local-environment/scripts/database/Dockerfile	Bumps Postgres base image to 17.9.
local-environment/docker-compose.yml	Bumps Postgres service image to 17.9.
lambdas/src/lib/db/db-client.integration.test.ts	Updates the Postgres testcontainer image to 17.9 and tidies client init.

Comments suppressed due to low confidence (1)

.mise.toml:75

• The install-npm task now runs pnpm install --frozen-lockfile, but there are no pnpm-lock.yaml files in the repo (only package-lock.json), so this task will fail as soon as it runs.

Suggested fix: add/commit pnpm lockfile(s) (or switch this task back to npm ci until pnpm lockfiles are in place); if keeping pnpm here, consider renaming the task to avoid confusion.

[tasks.install-npm]
description = "Install pnpm dependencies"
run = "pnpm install --frozen-lockfile"

[Copilot]

The root scripts now run pnpm ... --frozen-lockfile, but the repo currently only has package-lock.json files (no pnpm-lock.yaml in root/ui/lambdas/tests), so postinstall/start will fail immediately when pnpm enforces the lockfile.

Suggested fix: either commit the appropriate pnpm-lock.yaml file(s) (and remove/stop generating the package-lock.json equivalents), or temporarily drop --frozen-lockfile until the pnpm lockfiles are added and stable.

[Copilot]

This cache key hashes **/pnpm-lock.yaml, but the repository does not currently contain any pnpm-lock.yaml files, so the key will be effectively constant and the cache will be stale/ineffective.

Suggested fix: add the pnpm lockfile(s) as part of the migration, or key the cache off the existing package-lock.json files until pnpm lockfiles exist.

Suggested change

	key: pnpm-store-${{ runner.os }}-${{ hashFiles('**/pnpm-lock.yaml') }}
	key: pnpm-store-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}

[Copilot]

wiremockJwtIssuer defaults to wiremockBaseUrl (localhost), which changes the previous default behaviour where JWTs were issued with iss=http://wiremock:8080; for local Docker runs the login lambda typically validates against the Docker-internal issuer, so this default is likely to produce tokens with an issuer the lambda rejects.

Suggested fix: default wiremockJwtIssuer to http://wiremock:8080 (or leave it undefined so createWireMockAuthManifest() falls back to its internal default) and only use WIREMOCK_BASE_URL as the issuer when explicitly targeting a remote WireMock.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 31 changed files in this pull request and generated 4 comments.

Files not reviewed (2)

• pnpm-lock.yaml: Language not supported
• tests/pnpm-lock.yaml: Language not supported

[Copilot]

serve:static now uses pnpm exec http-server, but http-server is not listed in dependencies/devDependencies, so this script will fail unless the package is installed globally; either add http-server as a devDependency or switch to pnpm dlx http-server to preserve the previous npx behavior.

Suggested change

	"serve:static": "pnpm run build && pnpm exec http-server build -p 8085 -c-1 --proxy http://localhost:8085?",
	"serve:static": "pnpm run build && pnpm dlx http-server build -p 8085 -c-1 --proxy http://localhost:8085?",

[Copilot]

This README instructs cd test, but the directory in this repo is tests/ (and later the tree example also uses test/), so the setup steps will fail if followed as written.

[Copilot]

wiremockJwtIssuer defaults to wiremockBaseUrl (http://localhost:8080), but the local Terraform config sets NHS_LOGIN_BASE_ENDPOINT_URL to the Docker-internal http://wiremock:8080, so running this script with defaults will generate tokens with an iss that the login-lambda will reject; consider defaulting WIREMOCK_JWT_ISSUER to http://wiremock:8080 for localhost runs (or update the usage docs to require setting it).

[Copilot]

.prettierignore no longer ignores package-lock.json, but package-lock.json files still exist under ui/, lambdas/, and tests/, so Prettier/pre-commit may start reformatting them and create noisy diffs; consider keeping package-lock.json ignored until those files are removed.

Suggested change

	pnpm-lock.yaml
	pnpm-lock.yaml
	package-lock.json

[lewisbirks]

Do you think it worth looking into https://pnpm.io/workspaces