chore: migrate to pnpm and enable minimum release age #616

Open
B4nan wants to merge 16 commits into master from chore/migrate-to-pnpm

B4nan commented Apr 14, 2026

Summary

Pilot of the org-wide supply-chain hardening + pnpm migration plan (first of ~14 repos). This PR migrates apify-shared-js from npm workspaces to pnpm workspaces and adds a 1-day minimum release age guard at two layers so newly-published package versions cannot be installed for 24h after they hit the registry.

  • pnpm layer: `minimumReleaseAge: 1440` in pnpm-workspace.yaml blocks pnpm install on versions < 1 day old
  • Renovate layer: `minimumReleaseAge: "1 day"` delays PR creation until the version has aged
  • Internal allowlist: @apify/* and @crawlee/* are excluded at both layers so internal releases ship immediately

Changes

  • package.json: drop "workspaces" (moved to pnpm-workspace.yaml); set packageManager to pnpm@10.24.0; add rimraf as explicit devDep (was previously relying on npm transitive hoisting — pnpm's hoisted linker does not link undeclared transitive bins)
  • lerna.json: npmClient: "pnpm" so lerna run ... invokes pnpm
  • .npmrc: node-linker=hoisted — keeps flat node_modules for the same debugging ergonomics as npm
  • packages/*/package.json scripts: npm run X -> pnpm X
  • CI workflows: new .github/actions/pnpm-install composite with pnpm-store caching (keyed by year-month + lockfile hash); workflows delegate install to uses: ./.github/actions/pnpm-install. Node matrix: drop 16 (pnpm 10 needs Node ≥ 18), add 24 to cover current LTS
  • renovate.json: minimumReleaseAge: "1 day", internalChecksFilter: "strict", whitelist packageRule for @apify/* and @crawlee/*; drop old npm constraint
  • CONTRIBUTING.md + CLAUDE.md: updated command examples

Opened as draft — pilot for the remaining ~13 repos in the same migration.

🤖 Generated with Claude Code
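
A simplified model of the install-time age gate described in the PR summary above, as an added example that is not part of the pull request and is not pnpm's or Renovate's own code. The package names, sample publish times and helper names are constructed for illustration; only the 1440-minute window and the `@apify/*` / `@crawlee/*` exemptions come from the PR.

```javascript
// Simplified model of a minimum-release-age gate (added example; assumption:
// this mirrors the policy in the PR, not pnpm's or Renovate's actual code).
const MIN_AGE_MINUTES = 1440;               // 1 day, the value from the PR
const EXCLUDE = ['@apify/*', '@crawlee/*']; // scopes the PR exempts

// True when `name` equals a pattern or falls under a "@scope/*" pattern.
function isExcluded(name, patterns = EXCLUDE) {
  return patterns.some((p) =>
    (p.endsWith('/*') ? name.startsWith(p.slice(0, -1)) : name === p));
}

// Numeric comparison of plain x.y.z versions (prerelease tags not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version published at least `minAgeMinutes` before `now`, or null
// when every version is still too young. `times` maps version -> ISO date,
// the shape of the "time" object in npm registry package metadata.
function newestAllowed(name, times, now, minAgeMinutes = MIN_AGE_MINUTES) {
  const cutoff = now.getTime() - minAgeMinutes * 60000;
  const exempt = isExcluded(name);
  const allowed = Object.entries(times)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // skip "created"/"modified"
    .filter(([, t]) => exempt || Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return allowed.length ? allowed[allowed.length - 1] : null;
}

// Constructed sample data, not real registry output.
const NOW = new Date('2026-04-14T12:00:00Z');
const SAMPLE_TIMES = {
  created: '2025-01-01T00:00:00Z',
  '1.4.0': '2026-03-01T09:00:00Z',
  '1.4.1': '2026-04-13T11:59:00Z', // 24 h 1 min old: passes the gate
  '1.10.0': '2026-04-14T08:00:00Z', // 4 h old: held back for third parties
};

console.log(newestAllowed('third-party-example', SAMPLE_TIMES, NOW)); // 1.4.1
console.log(newestAllowed('@apify/example', SAMPLE_TIMES, NOW)); // 1.10.0
```

In this model a scope pattern matches on the full `@scope/` prefix, so a lookalike scope such as `@apify-lookalike/pkg` stays subject to the delay.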

github-actions bot added this to the 138th sprint - Tooling team milestone Apr 14, 2026
github-actions bot added the t-tooling label (Issues with this label are in the ownership of the tooling team.) Apr 14, 2026
B4nan added the adhoc label (Ad-hoc unplanned task added during the sprint.) Apr 14, 2026
B4nan force-pushed the chore/migrate-to-pnpm branch from a71dcdd to ea34945 April 14, 2026 12:45
B4nan force-pushed the chore/migrate-to-pnpm branch from ea34945 to a74838e April 15, 2026 12:20
B4nan marked this pull request as ready for review April 15, 2026 13:41
B4nan force-pushed the chore/migrate-to-pnpm branch from cd33001 to d1ec78b April 15, 2026 15:55
B4nan and others added 16 commits April 20, 2026 15:42
Migrates from npm workspaces to pnpm workspaces and adds a 1-day
minimum release age supply-chain guard at the package-manager layer
(pnpm-workspace.yaml) and at the Renovate layer. Internal
`@apify/*` and `@crawlee/*` packages are whitelisted at both layers
for immediate updates.

Notable changes:
- package.json: drop "workspaces" (moved to pnpm-workspace.yaml);
  set packageManager to pnpm@10.24.0; add rimraf as explicit devDep
  (was previously relying on npm transitive hoisting)
- lerna.json: npmClient: "pnpm"
- .npmrc: node-linker=hoisted (flat node_modules layout)
- packages/*/package.json scripts: "npm run X" -> "pnpm X"
- CI workflows: add pnpm/action-setup, use pnpm install --frozen-lockfile
  and pnpm/pnpm exec in place of npm/npx; drop Node 16 from matrix
  (pnpm 10 requires Node 18+)
- renovate.json: minimumReleaseAge "1 day", internalChecksFilter
  "strict", @apify/* and @crawlee/* whitelist; drop npm constraint
- Docs: CONTRIBUTING.md and CLAUDE.md updated for pnpm commands

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adopts the caching pattern from apify/apify-cli#1068: a reusable
composite action at .github/actions/pnpm-install that handles pnpm
setup, pnpm store caching (keyed by year-month + lockfile hash),
and the install. Workflows now delegate their install step to
`uses: ./.github/actions/pnpm-install` instead of inlining each
piece. setup-node remains in workflows (without the cache: pnpm
parameter, since caching is handled inside the composite).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replaces the local .github/actions/pnpm-install composite copy
with the shared one from apify/workflows@main. Identical behavior,
less duplication.

Silences npm warnings about unknown options like node-linker; pnpm
reads the same keys from pnpm-workspace.yaml in camelCase form.

Block accidental npm/yarn install — npm 10.5+ and pnpm 10.x both
honor devEngines.packageManager and refuse to run when it doesn't
match.

…-workspace exclusions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devEngines.packageManager breaks pnpm commands that delegate to npm
(pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow
approach instead (same as Vite, Vue, Astro).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

B4nan force-pushed the chore/migrate-to-pnpm branch from 788d2ee to 4e704f0 April 20, 2026 13:42

barjin pushed a commit to apify/camoufox-js that referenced this pull request Apr 22, 2026
## Summary

Migrates camoufox-js from Yarn 4 to pnpm and adds a 1-day minimum
release age supply-chain guard at both the package-manager layer
(`pnpm-workspace.yaml`) and the Renovate layer. Internal `@apify/*` and
`@crawlee/*` packages are whitelisted at both layers. Part of the
org-wide pnpm migration; follows the same pattern as
apify/apify-shared-js#616, apify/actor-scraper#273, and
apify/got-scraping#175.

## Changes

- `package.json`: set `packageManager` to `pnpm@10.24.0` (was
`yarn@4.13.0`); replace `npm run copy-files` with `pnpm copy-files` in
the build script
- Removed Yarn artifacts: `yarn.lock`, `.yarnrc.yml`
- Removed `.yarn/` and `.npmrc` entries from `.gitignore` so pnpm's
`.npmrc` is committed
- `pnpm-workspace.yaml`: non-monorepo `minimumReleaseAge: 1440` with
`@apify/*` + `@crawlee/*` exclusions
- `.npmrc`: `node-linker=hoisted`, `link-workspace-packages=true`,
`prefer-workspace-packages=true`, `public-hoist-pattern[]=*`
- New `.github/actions/pnpm-install` composite action (cached pnpm
store, year-month + lockfile hash key)
- CI workflows (`test.yml`, `release.yml`): delegate install to the
composite; corepack step removed; `yarn X` -> `pnpm X`; `npx camoufox
fetch` -> `pnpm exec camoufox fetch`; `npm publish` -> `pnpm publish
--no-git-checks`; Node matrix `[20, 22, 24]` (engines.node requires
`>=20`, so Node 18 is intentionally omitted)
- `renovate.json`: add `minimumReleaseAge: "1 day"`,
`internalChecksFilter: "strict"`, and a packageRule whitelisting
`@apify/*` + `@crawlee/*` at `0 days`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
barjin pushed a commit to apify/fingerprint-suite that referenced this pull request Apr 22, 2026
## Summary

Migrates fingerprint-suite from npm to pnpm as part of an org-wide
supply-chain hardening effort, aligning with the patterns established in
apify/apify-shared-js#616, apify/actor-scraper#273 and
apify/got-scraping#175.

Enables a 24-hour `minimumReleaseAge` for third-party packages both at
install time (via `pnpm-workspace.yaml`) and at dependency-update time
(via `renovate.json`). `@apify/*` and `@crawlee/*` are excluded so our
own releases can still be consumed immediately.

## Changes

- Replace `package-lock.json` with `pnpm-lock.yaml`.
- Move `workspaces` config from `package.json` to `pnpm-workspace.yaml`
and add `minimumReleaseAge` settings with an exclude list for `@apify/*`
and `@crawlee/*`.
- Switch internal cross-package dependencies
(`generative-bayesian-network`, `header-generator`,
`fingerprint-generator`) to the `workspace:*` protocol so pnpm links the
local copies rather than fetching from the registry.
- Add `.npmrc` with `node-linker=hoisted`,
`link-workspace-packages=true`, `prefer-workspace-packages=true`,
`public-hoist-pattern[]=*`; drop `.npmrc` from `.gitignore`.
- Add reusable composite action `.github/actions/pnpm-install` and use
it from every workflow that installs deps (`test-and-sync`,
`publish-to-npm`, `e2e-benchmark`, `model-updater`).
- Replace all `npm run X` / `npx` with `pnpm X` / `pnpm exec` in root
and package scripts and in workflows.
- Bump `engines.node` to `>=18.0.0` in every workspace package and
update the CI test matrix to `[18, 20, 22, 24]`.
- Bump `packageManager` to `pnpm@10.24.0`.
- `scripts/publish.sh` uses `pnpm publish --no-git-checks`.
- Update `renovate.json`: add `"minimumReleaseAge": "1 day"` and
`"internalChecksFilter": "strict"`, remove the legacy `"constraints": {
"npm": "^7.0.0" }`, and add a package rule that sets `minimumReleaseAge:
0 days` for `@apify/*` and `@crawlee/*`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>