Skip to content

feat: Upgrade pnpm to 10.27.0 and add security settings to generated pnpm-workspace.yaml #733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kingston merged 3 commits into from
Jan 6, 2026
Merged

feat: Upgrade pnpm to 10.27.0 and add security settings to generated pnpm-workspace.yaml #733

kingston merged 3 commits into from
Jan 6, 2026

Conversation

@kingston
Copy link
Collaborator

@kingston kingston commented Jan 6, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Chores
    • Upgraded pnpm to 10.27.0 across the repo (package metadata, tool config and example projects).
    • Added pnpm workspace security/configuration flags (blockExoticSubdeps, linkWorkspacePackages, minimumReleaseAge) to workspace configs.
    • Bumped development dependency chokidar to 5.0.0 in build/dev tooling packages.

✏️ Tip: You can customize this high-level summary in your review settings.

@vercel
Copy link

vercel bot commented Jan 6, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
baseplate-project-builder-web Ready Ready Preview, Comment Jan 6, 2026 3:00pm

@changeset-bot
Copy link

changeset-bot bot commented Jan 6, 2026
edited
Loading

🦋 Changeset detected

Latest commit: a45fd68

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
@baseplate-dev/core-generators Patch
@baseplate-dev/fastify-generators Patch
@baseplate-dev/project-builder-server Patch
@baseplate-dev/react-generators Patch
@baseplate-dev/plugin-auth Patch
@baseplate-dev/plugin-queue Patch
@baseplate-dev/plugin-storage Patch
@baseplate-dev/create-project Patch
@baseplate-dev/project-builder-cli Patch
@baseplate-dev/project-builder-common Patch
@baseplate-dev/project-builder-test Patch
@baseplate-dev/project-builder-web Patch
@baseplate-dev/code-morph Patch
@baseplate-dev/project-builder-lib Patch
@baseplate-dev/sync Patch
@baseplate-dev/tools Patch
@baseplate-dev/ui-components Patch
@baseplate-dev/utils Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai
Copy link

coderabbitai bot commented Jan 6, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Upgrades pnpm from 10.18.3 to 10.27.0 across configs and templates, and adds pnpm workspace settings including blockExoticSubdeps: true plus adjustments to linkWorkspacePackages / minimumReleaseAge in generated and example workspace files.

Changes

Cohort / File(s) Summary
Repository-wide PNPM version bump
mise.toml, package.json, examples/*/package.json, packages/core-generators/src/constants/node.ts		 Bump PNPM version from 10.18.3 → 10.27.0: tool config, packageManager, engines.pnpm, and exported PNPM_VERSION constant updated.
Generator: pnpm-workspace template
packages/core-generators/src/generators/node/pnpm-workspace/pnpm-workspace.generator.ts		 Template updated to emit blockExoticSubdeps: true and to reorder/reintroduce workspace fields (comments updated). Review generated YAML for ordering and new security field.
Example workspace files
pnpm-workspace.yaml, examples/blog-with-auth/pnpm-workspace.yaml, examples/todo-with-auth0/pnpm-workspace.yaml		 Add blockExoticSubdeps: true; examples also now include linkWorkspacePackages: true and minimumReleaseAge: 1440 (positions adjusted).
Example app manifests
examples/blog-with-auth/apps/*/package.json, examples/todo-with-auth0/apps/*/package.json, examples/*/package.json		 Update engines.pnpm and packageManager metadata in example apps to match [email protected].
Tooling dependency updates
packages/project-builder-server/package.json, packages/project-builder-web/package.json		 Upgrade chokidar from 4.0.3 → 5.0.0 in server and web packages (dev deps / tooling).
Changeset
.changeset/upgrade-pnpm-security-settings.md		 New changeset documenting the pnpm upgrade and workspace security setting addition and patch release note for @baseplate-dev/core-generators.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: upgrading pnpm from 10.18.3 to 10.27.0 and adding security settings (blockExoticSubdeps and trustPolicy) to pnpm-workspace.yaml configuration across the codebase.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 04fa839 and a45fd68.

⛔ Files ignored due to path filters (23)
  • examples/blog-with-auth/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/baseplate/generated/pnpm-workspace.yaml is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • examples/todo-with-auth0/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-auth0/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-auth0/apps/web/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-auth0/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-auth0/baseplate/generated/pnpm-workspace.yaml is excluded by !**/generated/**, !**/generated/**
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • tests/simple/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/backend/baseplate/generated/vitest.config.ts is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/backend/package.json is excluded by !tests/**
  • tests/simple/apps/backend/vitest.config.ts is excluded by !tests/**
  • tests/simple/apps/web/baseplate/generated/package.json is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/vitest.config.ts is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/package.json is excluded by !tests/**
  • tests/simple/apps/web/vitest.config.ts is excluded by !tests/**
  • tests/simple/baseplate/generated/package.json is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/baseplate/generated/pnpm-workspace.yaml is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/package.json is excluded by !tests/**
  • tests/simple/pnpm-workspace.yaml is excluded by !tests/**
📒 Files selected for processing (14)
  • .changeset/upgrade-pnpm-security-settings.md
  • examples/blog-with-auth/apps/admin/package.json
  • examples/blog-with-auth/apps/backend/package.json
  • examples/blog-with-auth/package.json
  • examples/blog-with-auth/pnpm-workspace.yaml
  • examples/todo-with-auth0/apps/admin/package.json
  • examples/todo-with-auth0/apps/backend/package.json
  • examples/todo-with-auth0/apps/web/package.json
  • examples/todo-with-auth0/package.json
  • examples/todo-with-auth0/pnpm-workspace.yaml
  • packages/core-generators/src/generators/node/pnpm-workspace/pnpm-workspace.generator.ts
  • packages/project-builder-server/package.json
  • packages/project-builder-web/package.json
  • pnpm-workspace.yaml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security
Copy link

socket-security bot commented Jan 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedchokidar@​5.0.010010010083100

View full report

@kingston kingston merged commit 2d5abd5 into main Jan 6, 2026
14 of 15 checks passed
@kingston kingston deleted the kingston/eng-969-upgrade-pnpm-to-10270 branch January 6, 2026 15:04
@github-actions github-actions bot mentioned this pull request Jan 6, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kingston