enforce pnpm usage and prevent npm installs #2624
Open
Gurkiratcodemaster wants to merge 1 commit into OWASP:master from
Conversation
Pull request overview
This PR aims to enforce pnpm usage in the cornucopia.owasp.org Svelte/TypeScript project to avoid lockfile and dependency-tree inconsistencies caused by mixing package managers (closes #2623).
Changes:
- Pin pnpm via `packageManager` and add an install-time guard to discourage npm/yarn installs.
- Update `cornucopia.owasp.org` documentation to use pnpm commands.
- Bump versions of several `pre-commit` hooks.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package-lock.json | Introduces an npm lockfile at repo root (conflicts with pnpm-enforcement goal). |
| cornucopia.owasp.org/package.json | Adds pnpm pinning and a preinstall guard intended to block other package managers. |
| cornucopia.owasp.org/README.md | Updates developer docs to use pnpm commands and adds pnpm guidance. |
| .pre-commit-config.yaml | Updates hook versions (change not mentioned in PR description). |
| @@ -1,9 +1,11 @@ | |||
| { | |||
| "name": "cornucopia-website", | |||
| "packageManager": "pnpm@10.32.1", | |||
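Review bot: the `"packageManager": "pnpm@10.32.1"` pin is only honoured by Corepack (or by a pnpm that manages its own version); it does nothing to stop an `npm install` or `yarn install`, so it should be paired with an instruction to run `corepack enable` in the README rather than presented as enforcement on its own. Since Corepack downloads the pinned pnpm on first use, consider pinning with an integrity hash, `"packageManager": "pnpm@10.32.1+sha512.<hash>"` (placeholder), so that download is verified.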
| ## Development server | ||
|
|
||
| This project uses **pnpm** for dependency management. | ||
| Please do **not use npm or yarn**, as mixing package managers can cause dependency conflicts. | ||
|
|
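Review bot: the new README paragraph says what not to use but not how to get the right pnpm; because package.json now pins `pnpm@10.32.1` via `packageManager`, add a one-liner before the install command, such as `corepack enable` (or `npm install -g pnpm@10.32.1` for contributors without Corepack), so the documented path actually matches the pin instead of leaving each contributor to discover the version mismatch at install time.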
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v4.4.0 | ||
| rev: v6.0.0 | ||
| hooks: |
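Review bot: the move from `rev: v4.4.0` to `rev: v6.0.0` for pre-commit-hooks is a two-major-version bump that the PR description does not mention; split it into its own PR or at least call it out, since hook behaviour changes between majors can start failing on files unrelated to the pnpm change. Separately, a git tag is mutable: pinning `rev` to the tag's commit SHA (with the tag name in a comment) makes the hook source immutable, at the cost of `pre-commit autoupdate` rewriting it back to a tag.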
| "private": true, | ||
| "scripts": { | ||
| "dev": "vite dev", | ||
| "preinstall": "npx only-allow pnpm", |
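Review bot: `"preinstall": "npx only-allow pnpm"` fetches an unpinned `only-allow` from the registry and executes it on every install, on every contributor's and CI machine, before the guard has refused anything, which adds exactly the kind of unreviewed install-time dependency this PR is trying to control; pin it (`npx only-allow@<version> pnpm`, version placeholder) or replace it with a few lines of local Node that check `npm_config_user_agent`, which is essentially what only-allow does. Note also that this hook blocks npm and yarn installs but does not address the root `package-lock.json` listed in the reviewed changes; that file should be dropped and ignored, or the guard is undermined by the committed npm lockfile.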
Description
This PR prevents mixing npm and pnpm in the project.
Changes
- `"packageManager": "pnpm@10.32.1"` to `package.json`
- `preinstall` script using `only-allow` to prevent installs with npm or yarn.

Mixing npm and pnpm can create conflicting lock files and inconsistent dependency structures.
Closes #2623
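A dependency-free alternative to the `npx only-allow pnpm` guard described above, as an added example that is not code from this PR or the project: it parses the `npm_config_user_agent` that npm, pnpm and yarn set for lifecycle scripts and compares it with the `packageManager` pin, so nothing is fetched from the registry at install time. The script path `scripts/check-pm.js` is an assumption.

```javascript
// Added example, not code from the PR: a dependency-free preinstall guard.
// npm, pnpm and yarn set npm_config_user_agent for lifecycle scripts, e.g.
// "pnpm/10.32.1 npm/? node/v22.11.0 linux x64". Parsing it lets the guard
// refuse npm/yarn installs and also catch a pnpm whose version differs from
// the "packageManager" pin, without fetching anything from the registry.

// Leading "<name>/<version>" token of the user-agent string, or null when the
// variable is unset or not in the expected shape.
function parseUserAgent(ua) {
  const m = /^([a-z]+)\/(\d+\.\d+\.\d+\S*)/i.exec(ua || '');
  return m ? { name: m[1].toLowerCase(), version: m[2] } : null;
}

// "pnpm@10.32.1" or "pnpm@10.32.1+sha512.<hash>" from package.json; the
// optional integrity suffix is not part of the version being compared.
function parsePackageManager(field) {
  const m = /^([a-z]+)@([^+\s]+)/i.exec(field || '');
  return m ? { name: m[1].toLowerCase(), version: m[2] } : null;
}

// Policy decision for one install attempt. Returns { ok, reason } so the
// result can be tested without touching process.exit.
function checkInstall(ua, packageManagerField) {
  const agent = parseUserAgent(ua);
  const pinned = parsePackageManager(packageManagerField);
  if (!pinned) return { ok: false, reason: 'package.json has no usable "packageManager" field' };
  if (!agent) return { ok: false, reason: `npm_config_user_agent is unset; install with ${pinned.name}` };
  if (agent.name !== pinned.name) {
    return { ok: false, reason: `this project uses ${pinned.name}; refusing install via ${agent.name}` };
  }
  if (agent.version !== pinned.version) {
    return { ok: false, reason: `${pinned.name}@${pinned.version} is pinned but ${agent.version} is running; try "corepack enable"` };
  }
  return { ok: true, reason: `ok: ${agent.name}@${agent.version}` };
}

// Wired as "preinstall": "node scripts/check-pm.js" (assumed path). The check
// only runs inside the preinstall hook, so importing or executing this file
// elsewhere has no side effects.
if (typeof require === 'function' && require.main === module && process.env.npm_lifecycle_event === 'preinstall') {
  const fs = require('node:fs');
  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
  const result = checkInstall(process.env.npm_config_user_agent, pkg.packageManager);
  console.error(result.reason);
  process.exit(result.ok ? 0 : 1);
}
```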