
Pnpm migration #130

Merged
Ryang-21 merged 6 commits into master from pnpm-migration
Jan 20, 2026

Conversation

@Ryang-21
Contributor

Summary

This PR migrates the project's package manager from Yarn v1 (Classic) to pnpm.

Changes

Package Manager Migration:

  • Replaced yarn.lock with pnpm-lock.yaml
  • Updated all npm scripts to use pnpm instead of yarn
  • Added engines field to specify Node.js ≥18.12 and pnpm ≥9.0
  • Updated lint-staged and husky pre-commit hook to use pnpm

CI/CD Updates:

  • Updated GitHub Actions workflows to use pnpm/action-setup@v4
  • Added OIDC permissions and --provenance flag for npm publish attestation
  • Simplified publish workflow by removing deprecated js-xdr package publishing

Compatibility Fixes:

  • Added explicit plugins array to karma.conf.js for pnpm's strict node_modules structure

Documentation:

  • Consolidated and updated development setup instructions in README.md

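The publish workflow itself is not reproduced on this page. The following is an added illustration, not the project's `.github/workflows/npm-publish.yml`, of the two pieces the description names: the OIDC permission that lets the job mint an identity token, and `pnpm publish --provenance`, which uses that token to attach a signed build attestation to the published tarball. The trigger, Node version, registry URL and the `NPM_TOKEN` secret name are assumptions.

```yaml
name: npm-publish

on:
  release:
    types: [published]          # assumed trigger

# Default for every job: read-only checkout, nothing else.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write           # lets this job request a GitHub OIDC token; npm uses it to
                                # sign a provenance attestation bound to this repo, commit and run
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4   # named in the PR; picks up the pnpm version from
        with:                        # package.json's packageManager field when `version` is omitted
          version: 9

      - uses: actions/setup-node@v4
        with:
          node-version: 20           # assumed; matches the bump discussed in review
          registry-url: https://registry.npmjs.org

      # Fail the job instead of silently re-resolving if pnpm-lock.yaml is stale.
      - run: pnpm install --frozen-lockfile

      - run: pnpm test

      # --provenance publishes the tarball together with a SLSA attestation generated from the OIDC token.
      - run: pnpm publish --provenance --access public --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Consumers can check the result with `npm audit signatures`, which verifies registry signatures and provenance attestations for the installed tree, so a version published with a stolen token from a developer machine would stand out as lacking the attestation. If the package is enrolled in npm trusted publishing the `NODE_AUTH_TOKEN` line can be dropped, since the OIDC token alone authenticates the publish. Pinning the three third-party actions to full commit SHAs rather than `@v4` tags removes the remaining mutable reference in the job.
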
Copilot AI review requested due to automatic review settings January 16, 2026 19:56
@socket-security

socket-security bot commented Jan 16, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
License policy violation: npm @sinonjs/fake-timers under BSD-3-Clause

Location: Package overview

From: pnpm-lock.yaml > npm/sinon@15.2.0 > npm/@sinonjs/fake-timers@11.3.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sinonjs/fake-timers@11.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sinonjs/samsam under BSD-3-Clause

Location: Package overview

From: pnpm-lock.yaml > npm/sinon@15.2.0 > npm/@sinonjs/samsam@8.0.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sinonjs/samsam@8.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (npm metadata)

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (package/LICENSE)

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (package/package.json)

From: pnpm-lock.yaml > npm/webpack@5.104.1 > npm/@babel/core@7.28.6 > npm/@babel/preset-env@7.28.6 > npm/caniuse-lite@1.0.30001764

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001764. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm esquery under BSD-3-Clause

Location: Package overview

From: pnpm-lock.yaml > npm/eslint@8.57.1 > npm/esquery@1.7.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esquery@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm fast-uri under BSD-3-Clause AND ISC

Location: Package overview

From: pnpm-lock.yaml > npm/terser-webpack-plugin@5.3.16 > npm/webpack@5.104.1 > npm/babel-loader@9.2.1 > npm/fast-uri@3.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-uri@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm qs under BSD-3-Clause

Location: Package overview

From: pnpm-lock.yaml > npm/karma@6.4.4 > npm/qs@6.14.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/qs@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm tslib under 0BSD

Location: Package overview

From: pnpm-lock.yaml > npm/lint-staged@13.2.2 > npm/tslib@2.8.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tslib@2.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


Copilot AI left a comment

Pull request overview

This PR migrates the project from Yarn v1 to pnpm, updating package manager references throughout the codebase, CI/CD workflows, and documentation.

Changes:

  • Replaced Yarn with pnpm in all npm scripts, GitHub Actions workflows, and pre-commit hooks
  • Added Node.js ≥18.12 and pnpm ≥9.0 engine requirements
  • Updated karma.conf.js with explicit plugins array for pnpm's strict module resolution
  • Consolidated and updated development documentation in README.md
  • Added OIDC permissions and provenance flag to npm publish workflow
  • Removed deprecated CLA signing reference from CONTRIBUTING.md

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 5 comments.

File | Description
package.json | Updated all scripts from yarn to pnpm, added engines field, modified lint-staged config and prepare script
karma.conf.js | Added explicit plugins array for pnpm compatibility
README.md | Rewrote development setup section with pnpm-specific instructions
CONTRIBUTING.md | Removed deprecated CLA signing link
.husky/pre-commit | Created husky pre-commit hook using pnpm lint-staged
.github/workflows/tests.yml | Added pnpm setup step and updated all commands to use pnpm
.github/workflows/npm-publish.yml | Added pnpm setup, OIDC permissions, and simplified publish process with provenance


package.json Outdated
"test-generate": "bundle exec xdrgen -o generated -n test -l javascript examples/test.x",
"fmt": "prettier --write '**/*.js'",
"prepare": "yarn build",
"prepare": "husky install && pnpm build",
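Review bot: chaining `husky install &&` in front of `pnpm build` in `prepare` couples the package build to a dev-only hook tool: `prepare` runs on every `pnpm install` in a fresh clone and when the package is pulled in as a git dependency, and if husky is missing or its install fails the `&&` aborts before `pnpm build` ever runs. Keep `prepare` limited to `pnpm build` and move hook setup to its own script (or run it in a way whose exit status cannot short-circuit the build).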
Copilot AI Jan 16, 2026

The prepare script includes "husky install" which may cause issues when users install this package from npm. The prepare script runs during package installation, but husky is a devDependency and won't be available to end users. While modern husky versions handle this gracefully, it's better practice to conditionally run husky install only in development environments. Consider wrapping it in a try-catch or checking for the presence of husky before running, or use a postinstall script that checks if devDependencies exist.

Suggested change
"prepare": "husky install && pnpm build",
"prepare": "husky install || true && pnpm build",

Contributor

seems legit

Contributor Author

Agreed and removed

@Ryang-21 Ryang-21 requested a review from Shaptic January 16, 2026 20:04
README.md Outdated

1. Clone the repo
**Requirements:**
- Node.js ≥ 18.12
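Review bot: the `Node.js ≥ 18.12` requirement line repeats the `engines.node` range from package.json, so the two must be bumped together when the floor moves to 20 as discussed; otherwise the README will advertise a Node version that `pnpm install` rejects. Either point the README at the `engines` field as the source of truth or add a note in both places that they are kept in sync.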
Contributor

I think we're on 20

package.json Outdated
"version": "3.1.2",
"description": "Read/write XDR encoded data structures (RFC 4506)",
"engines": {
"node": ">=18.12.0",
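Review bot: `engines.node` sets a hard floor for contributors, since pnpm refuses `pnpm install` on the root project with ERR_PNPM_UNSUPPORTED_ENGINE when the range is not met, but it does not pin the toolchain. Consider adding a `packageManager` field (for example `"packageManager": "pnpm@9.x.y"`) so corepack locally and `pnpm/action-setup@v4` in CI resolve the same exact pnpm version, which keeps `pnpm-lock.yaml` resolution identical across machines.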
Contributor

Ah, I guess we're not, but we should be.

Contributor Author

Yeah, I was on the fence on whether to upgrade in this PR. It's been updated to 20 now. Arguably it should be 22, but that can happen when they EOL Node 20 in April.

Contributor

yeah we'll have to do that comprehensively

@Ryang-21 Ryang-21 requested a review from Shaptic January 16, 2026 21:21
Contributor

@Shaptic Shaptic left a comment

I don't see the bump to Node 20 yet but I'll 👍 so you don't have to wait on me once you push that

@Ryang-21 Ryang-21 merged commit 2f7530d into master Jan 20, 2026
3 checks passed