chore: migrate to pnpm by paustint · Pull Request #1730 · jetstreamapp/jetstream

paustint · 2026-05-16T19:21:39Z

No description provided.

socket-security · 2026-05-16T19:23:05Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@react-email/components@1.0.12
	@types/gapi.client.drive-v3@0.0.5
	nx@22.7.2
	next@16.2.6
	document.contains@1.0.2
	@tanstack/react-virtual@3.13.24
	@emotion/utils@1.4.2
	eslint-config-next@16.2.1
	@vitest/coverage-v8@4.0.9
	electron-builder@26.10.0
	@types/express-http-proxy@1.6.7
	@jetstreamapp/simple-xml@1.1.1
	@types/react-router-dom@5.3.3
	@types/unzipper@0.10.11
	@tsconfig/node22@22.0.5
	jszip@3.10.1
	webextension-polyfill@0.12.0
	web-ext@8.10.0
	@types/express@4.17.23
	@nx/esbuild@22.7.2
	@typescript-eslint/parser@8.46.2
	@types/js-yaml@4.0.9
	@types/archiver@6.0.4
	@nx/playwright@22.7.2
	@swc/helpers@0.5.18
	@commitlint/cli@20.5.3
	@types/gapi.auth2@0.0.61
	@oslojs/otp@1.1.0
	@types/multer@2.1.0
	@types/pg@8.20.0
	esbuild@0.27.7
	@types/express-session@1.19.0
See 207 more rows in the dashboard

View full report

socket-security · 2026-05-16T19:23:07Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@react-email/preview-server` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → `npm/@react-email/preview-server@5.2.11` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@react-email/preview-server@5.2.11`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot

Pull request overview

Migrates the workspace from Yarn Classic to pnpm (Corepack-managed). Updates root package.json (engines, packageManager, scripts), introduces pnpm-workspace.yaml and a preinstall package-manager guard, switches CI workflows, Dockerfiles, release configs and docs from yarn/npx to pnpm/corepack pnpm, removes obsolete library package.json shims and Yarn resolutions, and tweaks the Electron build pipeline to stage a pnpm-compatible target package.json. Also bundles a couple of unrelated runtime fallbacks for missing IP addresses.

Changes:

Replace Yarn with pnpm everywhere (root scripts, CI, Docker, docs, release hooks, Electron build) and add a preinstall guard.
Add pnpm-workspace.yaml with pnpm overrides (migrated from Yarn resolutions) and a planning doc.
Promote previously-implicit transitive deps to direct dependencies in root package.json, and remove now-unused per-lib package.json shims.

Reviewed changes

Copilot reviewed 38 out of 43 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
package.json	Switch packageManager, engines, scripts; add several direct deps
pnpm-workspace.yaml	New workspace + overrides + allowBuilds config
PNPM_MIGRATION_PLAN.md	Temporary migration planning doc
scripts/check-package-manager.mjs	New preinstall guard enforcing pnpm
scripts/build-electron.mjs	Convert yarn add/remove to pnpm; new `prepareTargetPackageJson`
scripts/create-hotfix.mjs	Update help text to pnpm
Dockerfile / Dockerfile.e2e / docker-compose.yml	Use Corepack + pnpm install/run
.github/workflows/{ci,release,docs}.yml	Add pnpm/action-setup, switch cache and commands
.release-it-web-ext.json / .release-it-desktop.json	Switch release hooks to pnpm
electron-builder.config.js	Exclude `pnpm-lock.yaml` instead of `yarn.lock`
apps/jetstream-e2e/project.json, apps/jetstream-desktop-client-e2e/playwright.config.ts, apps/jetstream-web-extension-e2e/playwright.config.ts	pnpm command updates
apps/jetstream/vite.config.ts, apps/cron-tasks/src/cloudflare-analytics-archiver.ts, apps/api/Dockerfile, mock-idp/docker-compose.yml	Comment/docs updates from yarn to pnpm
apps/docs/{README.md,package.json,.gitignore}	pnpm docs commands; drop redundant resolutions
apps-sfdx/{package.json,.gitignore}	Drop redundant resolutions; add pnpm log ignore
README.md, CLAUDE.md, .claude/settings.json	Doc/tooling updates for pnpm
.dockerignore, .gitignore	Track pnpm lockfile/store, ignore pnpm logs
libs/{salesforce-api,connected/connected-ui,shared/ui-db,shared/ui-record-form}/package.json	Remove obsolete per-lib package.json stubs
libs/shared/data/src/lib/client-socket-data.ts	Convert to `import type` (pnpm strictness)
libs/auth/server/src/lib/auth.utils.ts	Behavior change: fall back IP to `unknown-<ts>`
apps/api/src/app/utils/route.utils.ts	Behavior change: default `req.ip` to `'unknown'`

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 42 out of 47 changed files in this pull request and generated 11 comments.

    "unzipper": "^0.12.3",
    "update-electron-app": "^3.1.2",
-    "uuid": "^9.0.1",
+    "uuid": "^14.0.0",


+COPY --link package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+RUN pnpm install --frozen-lockfile --prod=false


+COPY ./pnpm-lock.yaml .
+COPY ./pnpm-workspace.yaml .
 COPY ./.env .
 COPY ./ecosystem.config.js .
 COPY ./prisma ./prisma/

 # Install core dependencies
-RUN yarn
+RUN pnpm install --prod --no-frozen-lockfile


Copilot

Pull request overview

Copilot reviewed 42 out of 47 changed files in this pull request and generated 7 comments.

+    "icons:build:action": "pnpm dlx @svgr/cli@5.5.0 --config-file .svgo-config.json -d ./libs/icon-factory/src/lib/icons/action ./node_modules/@salesforce-ux/design-system/assets/icons/action",
+    "icons:build:custom": "pnpm dlx @svgr/cli@5.5.0 --config-file .svgo-config.json -d ./libs/icon-factory/src/lib/icons/custom ./node_modules/@salesforce-ux/design-system/assets/icons/custom",
+    "icons:build:doctype": "pnpm dlx @svgr/cli@5.5.0 --config-file .svgo-config.json -d ./libs/icon-factory/src/lib/icons/doctype ./node_modules/@salesforce-ux/design-system/assets/icons/doctype",
+    "icons:build:standard": "pnpm dlx @svgr/cli@5.5.0 --config-file .svgo-config.json -d ./libs/icon-factory/src/lib/icons/standard ./node_modules/@salesforce-ux/design-system/assets/icons/standard",
+    "icons:build:utility": "pnpm dlx @svgr/cli@5.5.0 --config-file .svgo-config.json -d ./libs/icon-factory/src/lib/icons/utility ./node_modules/@salesforce-ux/design-system/assets/icons/utility",


Copilot AI review requested due to automatic review settings May 16, 2026 19:21

Copilot started reviewing on behalf of paustint May 16, 2026 19:21 View session

Copilot AI reviewed May 16, 2026

View reviewed changes

paustint force-pushed the chore/migrate-to-pnpm branch from 953e4c1 to 7c6b0dd Compare May 16, 2026 22:11

Copilot AI review requested due to automatic review settings May 17, 2026 16:10

paustint force-pushed the chore/migrate-to-pnpm branch from 7c6b0dd to 3c6b87d Compare May 17, 2026 16:10

Copilot started reviewing on behalf of paustint May 17, 2026 16:10 View session

Copilot AI reviewed May 17, 2026

View reviewed changes

paustint added 2 commits May 17, 2026 11:50

chore: migrate to pnpm

6fbfb08

chore: upgrade nx to latest version

f176737

paustint force-pushed the chore/migrate-to-pnpm branch from 3c6b87d to f176737 Compare May 17, 2026 18:51

Copilot AI review requested due to automatic review settings May 18, 2026 15:05

Copilot AI reviewed May 18, 2026

View reviewed changes

Copilot started reviewing on behalf of paustint May 18, 2026 15:18 View session

fix: fix pnpm for ci and docs build

7b0740d

paustint force-pushed the chore/migrate-to-pnpm branch from 09b7e63 to 7b0740d Compare May 18, 2026 15:34

		COPY --link package.json pnpm-lock.yaml pnpm-workspace.yaml ./
		RUN pnpm install --frozen-lockfile --prod=false

Uh oh!

Conversation

paustint commented May 16, 2026

Uh oh!

socket-security Bot commented May 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented May 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

socket-security Bot commented May 16, 2026 •

edited

Loading

socket-security Bot commented May 16, 2026 •

edited

Loading