RequestNetwork · aimensahnoun · Jan 2, 2026 · Jan 2, 2026
diff --git a/.github/workflows/build-and-lint.yml b/.github/workflows/build-and-lint.yml
@@ -20,26 +20,27 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "20"
-          cache: "npm"
+          cache: "pnpm"
 
       - name: Cache node_modules
         uses: actions/cache@v4
         id: node-modules-cache
         with:
-          path: |
-            node_modules
-            ~/.npm
-          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+          path: node_modules
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-node-modules-
 
       - name: Install dependencies
         if: steps.node-modules-cache.outputs.cache-hit != 'true'
-        run: npm ci
+        run: pnpm install --frozen-lockfile
 
   lint:
     name: Lint
@@ -48,24 +49,25 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "20"
-          cache: "npm"
+          cache: "pnpm"
 
       - name: Restore node_modules from cache
         uses: actions/cache@v4
         with:
-          path: |
-            node_modules
-            ~/.npm
-          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+          path: node_modules
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-node-modules-
 
       - name: Check formatting and lint
-        run: npm run check
+        run: pnpm run check
 
   build:
     name: Build
@@ -76,21 +78,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "20"
-          cache: "npm"
+          cache: "pnpm"
 
       - name: Restore node_modules from cache
         uses: actions/cache@v4
         with:
-          path: |
-            node_modules
-            ~/.npm
-          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+          path: node_modules
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-node-modules-
 
       - name: Build
-        run: npm run build
+        run: pnpm run build
diff --git a/.gitignore b/.gitignore
@@ -26,6 +26,7 @@
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+pnpm-debug.log*
 
 # local env files
 .env*.local

diff --git a/.npmrc b/.npmrc
@@ -0,0 +1,26 @@
+# pnpm security configurations
+
+# Only install packages that have been published for at least 3 days (259200 seconds)
+# This protects against supply chain attacks using newly published malicious packages
+minimum-age-seconds=259200
+
+# Fail on unmet peer dependencies for better dependency hygiene
+strict-peer-dependencies=true
+
+# Enable strict SSL for registry connections
+strict-ssl=true
+
+# Prevent scripts from running during install by default (can override with --ignore-scripts=false)
+ignore-scripts=false
+
+# Use frozen lockfile in CI to ensure reproducible builds
+# This is set per-environment in CI, not globally here
+
+# Prefer offline mode to reduce network requests when packages are cached
+prefer-offline=true
+
+# Save exact versions to lockfile
+save-exact=true
+
+# Hoist node_modules for compatibility
+shamefully-hoist=true