Upgrade pnpm to v11 📦🆙

[wotschofsky]

Summary

• Bump pnpm/action-setup version in the Testing workflow from 9 to 11
• Pin pnpm 11.1.1 via the packageManager field in package.json (Corepack-compatible)
• Regenerate pnpm-lock.yaml with pnpm 11
• Allow build scripts for esbuild, sharp, and unrs-resolver via a new pnpm-workspace.yaml, since pnpm 11 no longer runs postinstall scripts by default

Test plan

• pnpm install --frozen-lockfile succeeds with pnpm 11
• pnpm run test:format passes
• pnpm run lint passes (no new errors)
• pnpm run test passes (97/97 tests)
• pnpm run build succeeds end-to-end
• CI (Testing workflow) runs green on the new pnpm 11 setup

---

Summary by cubic

Upgrade project to pnpm v11 with a pinned pnpm@11.1.1. CI uses Node 24, and Vercel runs install and build with the pinned pnpm to avoid pnpm@9.

• Dependencies

  • Pin pnpm@11.1.1 via packageManager in package.json; pnpm/action-setup@v5 reads it (no version input).
  • CI: bump Node to 24 for pnpm 11.
  • Add pnpm-workspace.yaml to allow builds for esbuild, sharp, and unrs-resolver.
  • Vercel: set installCommand and buildCommand to npx -y pnpm@11.1.1 ... to force the pinned pnpm.

• Migration

  • Use Node 24 and run pnpm install --frozen-lockfile.

^{Written for commit 3447f78. Summary will update on new commits. Review in cubic}

Summary by CodeRabbit

• Chores
  • CI workflows updated to use pnpm v11 and Node.js 24 for jobs.
  • Project declares pnpm@11.1.1 as the package manager.
  • Workspace builds enabled for additional packages (esbuild, sharp, unrs-resolver).
  • Deployment configured to run pnpm install with a frozen lockfile and pnpm run build.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
domain-digger	Ready	Preview, Comment	May 18, 2026 11:25am

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 29ce9aba-de45-4d11-a244-ed74a0f67a41

📥 Commits

Reviewing files that changed from the base of the PR and between 5672603 and 4798c4c.

📒 Files selected for processing (1)

• vercel.json

---

📝 Walkthrough

Walkthrough

Pin pnpm@11 in package.json, update GitHub Actions jobs to use pnpm v11 and Node.js 24, enable workspace builds for esbuild/sharp/unrs-resolver, and add Vercel installCommand/buildCommand that invoke npx -y pnpm@11.1.1 with --frozen-lockfile for install.

Changes

pnpm Upgrade to Version 11

Layer / File(s)	Summary
Version pinning and CI workflow updates package.json, .github/workflows/test.yml, vercel.json	Adds packageManager pin for pnpm@11.1.1, updates the formatting, linting, and tests jobs to use pnpm/action-setup v11 and actions/setup-node Node.js 24, and adds Vercel installCommand/buildCommand that invoke npx -y pnpm@11.1.1 (install uses --frozen-lockfile).
Workspace build configuration pnpm-workspace.yaml	Adds allowBuilds entries enabling builds for esbuild, sharp, and unrs-resolver.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I swapped a nine for eleven bright,
Tiny hops across CI's night.
Workspaces flex and builds take flight,
Node at twenty-four — a nimble sight.
Paws clap, the repo feels just right.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: upgrading pnpm to version 11. It directly reflects the primary purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/pnpm-11

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 4 files

[pullfrog]

Important

Two follow-ups before merging: (a) package.json still carries a pnpm.overrides block that no longer appears in the regenerated lockfile — likely to trip --frozen-lockfile in CI, and (b) the workflow's version: 11 input duplicates the Corepack packageManager pin. Both are easy to resolve; the allowBuilds syntax itself is correct for pnpm v11.

TL;DR — Bumps pnpm from v9 to v11 across CI, pins the exact version via the packageManager field, regenerates the lockfile, and adds pnpm-workspace.yaml to opt three native packages back into running their install scripts (pnpm v10+ skips them by default).

Key changes

• Pin pnpm@11.1.1 via Corepack — adds packageManager field with sha512 integrity so all environments resolve to the same patch.
• Bump pnpm/action-setup input from 9 to 11 — three CI jobs updated in lockstep.
• Regenerate pnpm-lock.yaml — new lockfile under pnpm 11, with libc: annotations on Linux variants and a refreshed vitest peer-key signature.
• Add pnpm-workspace.yaml — uses the v11 allowBuilds: map to permit esbuild, sharp, and unrs-resolver install scripts (these replaced the legacy onlyBuiltDependencies array in v11).

_{Summary ｜ 4 files ｜ 1 commit ｜ base: main ← upgrade/pnpm-11}

Lockfile drops overrides while package.json still declares them

Before: pnpm-lock.yaml carried an overrides: preamble matching package.json#pnpm.overrides for @types/react and @types/react-dom.
After: the lockfile's overrides: block is gone (grep returns zero matches), but package.json:93-98 still declares the same pnpm.overrides.

pnpm classically rejects this mismatch with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH under --frozen-lockfile. The PR's local test plan reports success, but the CI checkbox is still unchecked. Since @types/react@19.2.14 and @types/react-dom@19.2.3 are already pinned to those exact versions as direct devDependencies (no caret) on package.json:80-81, the cleanest resolution is to delete the now-redundant pnpm.overrides block entirely rather than re-run regeneration.

package.json · pnpm-lock.yaml

Action version input duplicates the Corepack pin

Before: workflow specified pnpm/action-setup@v5 with: version: 9 and there was no packageManager field.
After: the packageManager field pins pnpm@11.1.1+sha512..., but the workflow still passes version: 11.

Per the pnpm/action-setup README, the version input is optional when packageManager is set in package.json. Keeping both means the action installs whatever floats at 11.x instead of the exact pinned 11.1.1, defeating the integrity-checked pin. Drop the version line from all three jobs.

.github/workflows/test.yml

---

Note: 1 inline comment(s) dropped because they did not anchor to lines inside the PR diff:

• package.json:93-98 (RIGHT) — line 98 (RIGHT) is not inside a diff hunk

  ^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

With packageManager: pnpm@11.1.1+sha512... now pinned in package.json, the version input here is redundant and can resolve to a different 11.x patch than the integrity-checked pin. Per the pnpm/action-setup README the field is optional when packageManager is set — drop it (here and in the two other jobs at lines 48 and 73) so Corepack consumes the exact pinned version.

Suggested change

	version: 11
	uses: pnpm/action-setup@v5

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a3cd00525

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Migrate pnpm overrides before pinning pnpm 11

Pinning pnpm to v11 here changes how configuration is loaded, but this commit leaves the existing package.json pnpm.overrides in place; pnpm 11 no longer reads settings from the pnpm field in package.json, so those overrides are silently ignored. That means future installs/updates can resolve dependency versions differently than intended (and drift from previous behavior under pnpm 9), especially for the @types/react and @types/react-dom constraints currently kept as overrides. Move these overrides into pnpm-workspace.yaml under overrides: as part of the upgrade.

Useful? React with 👍 / 👎.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/test.yml (1)

25-29: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update Node.js version to match package.json requirement.

The workflow uses Node.js 20, but package.json specifies "node": "24" in the engines field. Testing with a different Node version than required could hide compatibility issues.

Update all three jobs (formatting, linting, tests) to use Node.js 24.

📦 Proposed fix

-      - name: Setup Node.js 20
+      - name: Setup Node.js 24
         uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 24
           cache: pnpm

Apply the same change to the linting job (lines 50-54) and tests job (lines 75-79).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 25 - 29, CI is using Node.js 20 in
the workflow's setup-node step; update the node-version from 20 to 24 for all
three jobs (formatting, linting, tests) by changing the uses:
actions/setup-node@v6 block where node-version: 20 to node-version: 24 so the
workflow matches the package.json "engines" requirement and runs under Node 24
across the formatting, linting and tests jobs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/test.yml:
- Around line 25-29: CI is using Node.js 20 in the workflow's setup-node step;
update the node-version from 20 to 24 for all three jobs (formatting, linting,
tests) by changing the uses: actions/setup-node@v6 block where node-version: 20
to node-version: 24 so the workflow matches the package.json "engines"
requirement and runs under Node 24 across the formatting, linting and tests
jobs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2d88a1a5-d335-4717-a40e-428227547424

📥 Commits

Reviewing files that changed from the base of the PR and between 5289068 and 1a3cd00.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/test.yml
• package.json
• pnpm-workspace.yaml

[pullfrog]

Note

Incremental review of 1ab62b9 and 6ccae46. Both follow-ups look clean: dropping the duplicate version: input lets Corepack consume the pinned packageManager field directly, and the Node 24 bump aligns CI with engines.node. The lockfile/overrides concern from my previous review is still outstanding (no related changes in these commits), so re-flagging it once here rather than as a new inline comment.

TL;DR — Two follow-up commits address the action-setup pinning feedback and align CI Node.js with engines.node: 24. No new issues introduced; the previously raised pnpm.overrides vs lockfile mismatch in package.json:93-98 remains the only outstanding concern.

Key changes since last review

• Drop redundant version: input from pnpm/action-setup — three jobs updated; Corepack now resolves pnpm strictly from packageManager.
• Bump CI Node.js from 20 to 24 — matches engines.node and unblocks pnpm v11 runtime requirements.

_{Summary ｜ 1 file (incremental) ｜ 2 new commits ｜ base: main ← upgrade/pnpm-11}

  ^{｜ Fix it ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

Note

Worth verifying a Vercel preview deploy before merging. Corepack signature-verification failures (cannot find matching keyid) are a known failure mode on build images shipping older Corepack — they reproduce anywhere Corepack runs, including Vercel. The pinned integrity hash in packageManager does not rescue you from missing registry signing keys for pnpm@11.x. If the build image's bundled Corepack predates the keys that signed pnpm@11.1.1, every deploy will fail. Sources: Vercel KB on Corepack errors, vercel/vercel#12930. Node 24 itself is GA on Vercel, so engines.node: 24 is honored.

Reviewed the following changes:

• Added vercel.json with corepack enable && pnpm install --frozen-lockfile to pin Vercel deploys to the same pnpm@11.1.1 Corepack resolves locally and in CI.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

Note

Incremental review of 5672603. Swapping Vercel's install command from corepack enable && pnpm install to npx -y pnpm@11.1.1 install removes the Corepack dependency on prod deploys, resolving the signing-keyid risk I flagged on 47ba86c. The pinned 11.1.1 keeps version resolution deterministic; npm's own registry integrity covers the tarball. The previously raised pnpm.overrides vs lockfile mismatch in package.json:93-98 is untouched by this commit and remains the only outstanding concern.

Reviewed the following changes:

• Replaced the Corepack-based Vercel installCommand with npx -y pnpm@11.1.1 install --frozen-lockfile, bypassing Corepack on deploy.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

Note

Incremental review of 4798c4c. Adding buildCommand: npx -y pnpm@11.1.1 run build extends the same pinning strategy from install to build, so Vercel runs both phases under pnpm 11.1.1 instead of falling back to its auto-detected bundled pnpm (historically v9) for the build step. npx tarball caching means the second invocation reuses the pnpm install from the first call, so there's no meaningful overhead. The previously raised pnpm.overrides vs lockfile mismatch in package.json:93-98 is untouched by this commit and remains the only outstanding concern.

Reviewed the following changes:

• Pinned Vercel's buildCommand to npx -y pnpm@11.1.1 run build, matching the install command and removing the last path where Vercel could pick a non-pinned pnpm version.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}