refactor: migrate from npm to pnpm #1

Open
mabry1985 wants to merge 4 commits into main from feature/migrate-from-npm-to-pnpm-gqozk7z

@mabry1985 mabry1985 commented Apr 1, 2026

Summary

  • Migrates package manager from npm to pnpm for stricter dependency resolution
  • Updates all CI workflows (test, lint, typecheck, build-desktop, test-linux-app) to use corepack enable + pnpm install --frozen-lockfile
  • Updates Dockerfile and docker/Dockerfile to install and use pnpm
  • Updates Makefile npm references to pnpm
  • Converts lockfiles (package-lock.json → pnpm-lock.yaml)
  • Adds packageManager field to package.json

Test plan

  • Verify pnpm install succeeds locally
  • Verify CI workflows pass with pnpm
  • Verify Docker builds succeed
  • Verify blog-site builds correctly

🤖 Generated with protoLabs Studio

Summary by CodeRabbit

  • Chores

    • Migrated from npm to pnpm (v9.15.9) as the primary package manager across development workflows, CI/CD pipelines, and Docker builds
    • Updated all build scripts and automation configuration files to use pnpm equivalents
  • Dependencies

    • Added @deck.gl/extensions library

- Add packageManager field to package.json
- Update all CI workflows to use pnpm (corepack enable + pnpm install)
- Update Dockerfile and docker/Dockerfile to use pnpm
- Update Makefile npm references to pnpm
- Convert lockfiles (package-lock.json → pnpm-lock.yaml)
- Update blog-site to use pnpm

Co-Authored-By: protoLabs CI <ci@proto-labs.ai>

coderabbitai bot commented Apr 1, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: aae33ff8-941d-4dbb-940b-1f37ffa13487

Walkthrough

Switch package manager from npm to pnpm across all CI workflows, Docker builds, Makefile, and package.json configurations. Updated all dependency installation and script execution commands to use pnpm throughout the project.

Changes

Cohort: CI Workflow Updates
File(s): .github/workflows/build-desktop.yml, .github/workflows/lint-code.yml, .github/workflows/test-linux-app.yml, .github/workflows/test.yml, .github/workflows/typecheck.yml
Summary: Added pnpm/action-setup@v4, switched Node.js caching from npm to pnpm, replaced npm ci with pnpm install --frozen-lockfile, and updated all npm/npx commands to pnpm/pnpm exec equivalents.

Cohort: Container Build Configurations
File(s): Dockerfile, docker/Dockerfile
Summary: Globally installed pnpm, replaced package-lock.json with pnpm-lock.yaml, switched dependency installation from npm ci to pnpm install --frozen-lockfile, and updated build commands to use pnpm exec for tool invocation.

Cohort: Project Configuration
File(s): Makefile, package.json, blog-site/package.json
Summary: Renamed Makefile target from install-npm to install-pnpm, added packageManager field specifying pnpm@9.15.9 to root package.json, updated all npm-based scripts to pnpm equivalents, and added @deck.gl/extensions as a project dependency.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Description check
Status: ❓ Inconclusive
Explanation: The PR description covers the main migration objectives and includes a test plan, but does not follow the required template structure with Type of change, Affected areas, or Checklist sections.
Resolution: Follow the repository's description template by adding explicit sections for Type of change (Refactor), Affected areas, and completing the standardized Checklist.

✅ Passed checks (2 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title 'refactor: migrate from npm to pnpm' clearly and concisely summarizes the main objective of the changeset across all modified files.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

protoLabs CI added 3 commits March 31, 2026 21:34
pnpm/action-setup@v4 reads the version from packageManager in
package.json. Specifying version: 9 separately causes a conflict.

Co-Authored-By: protoLabs CI <ci@proto-labs.ai>
Previously resolved as a phantom dependency through npm's flat hoisting.
pnpm's strict resolution requires it to be declared explicitly.

Co-Authored-By: protoLabs CI <ci@proto-labs.ai>
Lockfile was out of sync after adding the explicit dependency.
Regenerated on host with pnpm 9.15.9.

Co-Authored-By: protoLabs CI <ci@proto-labs.ai>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
blog-site/package.json (1)

1-24: ⚠️ Potential issue | 🔴 Critical

CI is failing: lockfile out of sync with package.json.

The pipeline failures (ERR_PNPM_OUTDATED_LOCKFILE) indicate that pnpm-lock.yaml does not match the current package.json specifiers. This blocks all CI workflows.

Run pnpm install locally to regenerate the lockfile, then commit the updated pnpm-lock.yaml.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@blog-site/package.json` around lines 1 - 24, The CI is failing because
pnpm-lock.yaml is out of sync with package.json (the dependencies and scripts in
package.json like "dev", "build", and the listed packages such as
"@astrojs/rss", "astro", "sharp" have changed); fix it by running pnpm install
locally to regenerate pnpm-lock.yaml, verify the lockfile updates include the
current specifiers and engine constraints, and commit the updated pnpm-lock.yaml
alongside the package.json changes so the CI no longer errors with
ERR_PNPM_OUTDATED_LOCKFILE.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 30a68fa8-2f9b-4538-a69e-300259fe9ecb

📥 Commits

Reviewing files that changed from the base of the PR and between 9b2c944 and 3ee178c.

⛔ Files ignored due to path filters (4)
  • blog-site/package-lock.json is excluded by !**/package-lock.json
  • blog-site/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • package-lock.json is excluded by !**/package-lock.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .github/workflows/build-desktop.yml
  • .github/workflows/lint-code.yml
  • .github/workflows/test-linux-app.yml
  • .github/workflows/test.yml
  • .github/workflows/typecheck.yml
  • Dockerfile
  • Makefile
  • blog-site/package.json
  • docker/Dockerfile
  • package.json

Comment on lines +270 to 272
tauriScript: pnpm tauri
args: --config src-tauri/tauri.tech.conf.json ${{ matrix.args }}
retryAttempts: 1

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if tauriScript is specified for full variant builds
rg -n 'tauriScript' .github/workflows/build-desktop.yml
echo "---"
echo "Full variant build steps (lines ~207 and ~232) should be checked for missing tauriScript"

Repository: protoLabsAI/worldmonitor

Length of output: 236


🏁 Script executed:

# View the workflow file around the mentioned lines to verify the claim
sed -n '200,240p' .github/workflows/build-desktop.yml
echo "---"
sed -n '265,295p' .github/workflows/build-desktop.yml

Repository: protoLabsAI/worldmonitor

Length of output: 3648


🌐 Web query:

tauri-action default tauriScript npx

💡 Result:

In the tauri-apps/tauri-action GitHub Action, the tauriScript input specifies the command to run the Tauri CLI (without 'build' or args). If not explicitly set (default is empty string ''), the action automatically determines it by detecting the package manager in the project (npm, pnpm, yarn, bun) and uses formats like "npm run tauri", "yarn tauri", etc. If no suitable project CLI is found or it needs to install the CLI globally, it falls back to just "tauri" (after installing @tauri-apps/cli globally via npm). This auto-detection supports npx usage internally for projects without a local tauri script, but users typically set tauriScript explicitly for custom needs like "npx tauri" to avoid issues in npm workspaces.

Add explicit tauriScript: pnpm tauri to full variant build steps for consistency.

The full variant builds (lines 207, 232) omit tauriScript and rely on tauri-action's auto-detection, while the tech variant builds (lines 270, 290) explicitly specify tauriScript: pnpm tauri. Although auto-detection should handle pnpm correctly, being explicit ensures consistency across all build variants and avoids relying on implicit behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-desktop.yml around lines 270 - 272, Two full-variant
build steps are missing an explicit tauriScript setting and rely on
auto-detection; add tauriScript: pnpm tauri to those full variant job
definitions (the same key used in the tech variant) so each build step that has
args: --config ... and retryAttempts: 1 also includes tauriScript: pnpm tauri,
ensuring consistency across all variants and preventing implicit tauri-action
detection differences.

Comment on lines +8 to +9
# Install pnpm
RUN npm install -g pnpm

🧹 Nitpick | 🔵 Trivial

Pin the pnpm version for reproducible builds.

The repo specifies pnpm@9.15.9 in package.json's packageManager field, but this Dockerfile installs an unpinned version. This could cause version drift between CI and Docker builds.

Option 1: Pin via npm (quick fix)
 # Install pnpm
-RUN npm install -g pnpm
+RUN npm install -g pnpm@9.15.9
Option 2: Use corepack (preferred, reads version from package.json)
-# Install pnpm
-RUN npm install -g pnpm
+# Enable corepack to use pnpm version from package.json
+RUN corepack enable
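Review bot: `RUN corepack enable` on the added line only installs the pnpm shim and does not select a version; the version named in packageManager is resolved when pnpm first runs, from the package.json in the working directory. If this Dockerfile calls pnpm before package.json has been copied in, the pin is not applied, so either keep the COPY of package.json ahead of the first pnpm command or add `corepack prepare pnpm@9.15.9 --activate` so the version is fixed in this layer.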
🧰 Tools
🪛 Hadolint (2.14.0)

[warning] 9-9: Pin versions in npm. Instead of npm install <package> use npm install <package>@<version>

(DL3016)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/Dockerfile` around lines 8 - 9, The Dockerfile currently runs "RUN npm
install -g pnpm" which installs an unpinned pnpm; update the Dockerfile to pin
pnpm for reproducible builds: either replace that line with "RUN npm install -g
pnpm@9.15.9" to match the packageManager field (pnpm@9.15.9), or prefer Corepack
by removing the npm install and adding "RUN corepack enable && corepack prepare
pnpm@9.15.9 --activate" (or use "pnpm@stable" if you want the version read from
package.json) so the container uses the pinned/managed pnpm version.

Comment on lines +12 to +13
# Install pnpm
RUN npm install -g pnpm

🧹 Nitpick | 🔵 Trivial

Pin the pnpm version for reproducible builds.

Same issue as docker/Dockerfile: the pnpm version should be pinned to match the repo's packageManager field (pnpm@9.15.9).

Option 1: Pin via npm
 # Install pnpm
-RUN npm install -g pnpm
+RUN npm install -g pnpm@9.15.9
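Review bot: The literal `9.15.9` on the added `RUN npm install -g pnpm@9.15.9` line duplicates the packageManager value, and the same literal is proposed for docker/Dockerfile, so a later pnpm bump has to touch three places with nothing enforcing that they agree. Add a comment beside the pin that points at packageManager, or a CI check that compares the two.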
Option 2: Use corepack (preferred)
-# Install pnpm
-RUN npm install -g pnpm
+# Enable corepack to use pnpm version from package.json
+RUN corepack enable
🧰 Tools
🪛 Hadolint (2.14.0)

[warning] 13-13: Pin versions in npm. Instead of npm install <package> use npm install <package>@<version>

(DL3016)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 12 - 13, The Dockerfile currently installs pnpm
without a pinned version (the RUN npm install -g pnpm line); update this to pin
pnpm to the repo's packageManager version (pnpm@9.15.9) or, preferably, enable
corepack and run corepack prepare pnpm@9.15.9 --activate so builds are
reproducible; ensure the pinned version exactly matches the packageManager field
(pnpm@9.15.9) in package.json and remove the unpinned RUN npm install -g pnpm
entry or replace it with the corepack-based commands.

Comment on lines +43 to +44
install-pnpm: ## Install pnpm dependencies
pnpm install

🧹 Nitpick | 🔵 Trivial

Use frozen lockfile in the Make target to catch drift earlier

Line [44] uses pnpm install without --frozen-lockfile, which can mask dependency drift locally and defer failures to CI.

Suggested diff
 install-pnpm: ## Install pnpm dependencies
-	pnpm install
+	pnpm install --frozen-lockfile
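Review bot: With `--frozen-lockfile` on the recipe line, `make install-pnpm` fails for a contributor who has just edited package.json on purpose, and the `## Install pnpm dependencies` help text gives no hint of that. Update the help string to mention the frozen lockfile and document that a plain `pnpm install` is the way to refresh pnpm-lock.yaml.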
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 43 - 44, The Make target install-pnpm currently runs
`pnpm install` which can update the lockfile silently; change the command in the
install-pnpm target to use a frozen lockfile (e.g., `pnpm install
--frozen-lockfile`) so dependency drift fails fast locally and CI catches
mismatches earlier—update the install-pnpm recipe to include the
`--frozen-lockfile` flag.

"build": "npm run build:blog && tsc && vite build",
"postinstall": "cd blog-site && pnpm install --frozen-lockfile",
"build:blog": "cd blog-site && pnpm run build && rm -rf ../public/blog && mkdir -p ../public/blog && cp -r dist/* ../public/blog/",
"build:pro": "cd pro-test && pnpm install && pnpm run build",

🧹 Nitpick | 🔵 Trivial

Prefer frozen install in build:pro for deterministic builds

Line [24] runs pnpm install in pro-test without a frozen lockfile, which can produce non-reproducible builds across environments.

Suggested diff
-    "build:pro": "cd pro-test && pnpm install && pnpm run build",
+    "build:pro": "cd pro-test && pnpm install --frozen-lockfile && pnpm run build",
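Review bot: `pnpm install --frozen-lockfile` in `build:pro` needs a committed pro-test/pnpm-lock.yaml, and the lockfiles listed for this review are only the root and blog-site ones; confirm the pro-test lockfile exists before taking this change, otherwise the script fails instead of installing. Separately, the `build` script quoted with the commented lines still calls `npm run build:blog`; switch it to `pnpm run build:blog` so the scripts use one package manager.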
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 24, The "build:pro" script in package.json runs "pnpm
install" in the pro-test folder without a frozen lockfile, allowing
non-deterministic installs; update the script referenced as "build:pro" to run
"pnpm install --frozen-lockfile" (i.e., replace the pnpm install call inside the
pro-test step) so CI/builds fail on lockfile drift and produce deterministic
installs.
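
The three kinds of finding in this review (an unpinned pnpm install in a Dockerfile, a pin that disagrees with packageManager, and a `pnpm install` without --frozen-lockfile in a script) can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit; the function names and the sample inputs are constructed for illustration.

```javascript
// Added example. Sample inputs are constructed from the snippets quoted in this PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  packageManager: 'pnpm@9.15.9',
  scripts: {
    postinstall: 'cd blog-site && pnpm install --frozen-lockfile',
    'build:pro': 'cd pro-test && pnpm install && pnpm run build',
  },
});
const SAMPLE_DOCKERFILE = ['# Install pnpm', 'RUN npm install -g pnpm'].join('\n');

// Version pinned by package.json's packageManager field, or null if absent.
function pinnedPnpmVersion(packageJsonText) {
  const field = JSON.parse(packageJsonText).packageManager || '';
  const match = /^pnpm@(\d+\.\d+\.\d+)/.exec(field);
  return match ? match[1] : null;
}

// Matches `npm install -g pnpm[@ver]` and `corepack prepare pnpm[@ver]`.
const PNPM_INSTALL_RE =
  /\b(?:npm\s+(?:install|i)\s+(?:-g|--global)|corepack\s+prepare)\s+pnpm(?:@([^\s"']+))?(?![\w-])/;

// Flags pnpm installs that carry no version or a version other than `expected`.
function auditDockerfile(file, text, expected) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    if (/^\s*#/.test(line)) return; // skip Dockerfile comments
    const match = PNPM_INSTALL_RE.exec(line);
    if (!match) return;
    if (!match[1]) {
      findings.push({ file, line: idx + 1, rule: 'unpinned-pnpm' });
    } else if (match[1] !== expected) {
      findings.push({ file, line: idx + 1, rule: 'pnpm-version-mismatch' });
    }
  });
  return findings;
}

// Flags `pnpm install` commands in package.json scripts that omit --frozen-lockfile.
function auditScripts(file, packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const [name, command] of Object.entries(scripts)) {
    // Check each command of a chained script on its own.
    for (const part of command.split(/&&|\|\||;/)) {
      const installs = /\bpnpm\s+(?:install|i)(?=\s|$)/.test(part);
      if (installs && !/(?:^|\s)--frozen-lockfile(?=\s|$)/.test(part)) {
        findings.push({ file, script: name, rule: 'non-frozen-install' });
      }
    }
  }
  return findings;
}

// Runs both audits over the constructed samples.
function auditSample() {
  const expected = pinnedPnpmVersion(SAMPLE_PACKAGE_JSON);
  return [
    ...auditDockerfile('Dockerfile', SAMPLE_DOCKERFILE, expected),
    ...auditScripts('package.json', SAMPLE_PACKAGE_JSON),
  ];
}

console.log(auditSample());
```

In CI the same functions would be fed the real file contents, failing the job when the returned list is non-empty.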
