chore: upgrade to pnpm 11 via corepack with defense-in-depth workspace #141

Merged
jaredwray merged 3 commits into main from claude/upgrade-pnpm-11-bvlU0 on May 18, 2026

Conversation

@jaredwray (Owner)
Summary

  • Upgrades the package manager from pnpm 10 to pnpm 11 via corepack
  • Pins packageManager to pnpm@11.1.3 and sets engines.node to ^22.13.0 (pnpm 11 requires Node >= 22.13)
  • Replaces every pnpm/action-setup@v4 step with corepack enable so the version comes from package.json rather than each workflow
  • Bumps the test matrix in tests.yaml from [20, 22, 24] to [22, 24, 26] (Node 20 dropped because pnpm 11 no longer supports it)
  • Applies the agentic defense-in-depth pnpm-workspace baseline from defense-in-depth-nodejs.md §4:
    • minimumReleaseAge: 10080 (7 days, was 2880 = 2 days)
    • minimumReleaseAgeStrict: true (fail closed instead of falling back)
    • minimumReleaseAgeIgnoreMissingTime: false (missing publish-time fails closed)
    • blockExoticSubdeps: true
    • strictDepBuilds: true
    • dangerouslyAllowAllBuilds: false
    • trustPolicy: no-downgrade
  • Migrates onlyBuiltDependencies (array) to allowBuilds (map of name: true) as required by pnpm 11
  • Consolidates pnpm settings (overrides, allowed builds) out of package.json and into pnpm-workspace.yaml, so the security policy lives in one reviewed file

Test plan

  • corepack enable + pnpm install --frozen-lockfile succeeds with pnpm 11.1.3
  • pnpm build succeeds (tsdown target now resolves to node22.13.0 from engines)
  • pnpm test:ci passes — 413 tests, 100% line coverage
  • CI matrix passes on Node 22, 24, 26

Notes

The lockfile changed because:

  • The glob@<=11.1.0 override is now recorded in pnpm-lock.yaml (it was in pnpm-workspace.yaml already but the lockfile was generated before pnpm enforced it).
  • A few transitive deps drop out under pnpm 11's stricter resolution (acorn, buffer-from, @jridgewell/source-map).

Sources:


Generated by Claude Code

- Pin packageManager to pnpm@11.1.3 and set engines.node to ^22.13.0
- Replace pnpm/action-setup with corepack enable across all workflows
- Bump test matrix from [20, 22, 24] to [22, 24, 26]
- Apply agentic defense-in-depth pnpm-workspace settings:
  minimumReleaseAge 10080 (7 days), minimumReleaseAgeStrict,
  minimumReleaseAgeIgnoreMissingTime false, blockExoticSubdeps,
  strictDepBuilds, dangerouslyAllowAllBuilds false, trustPolicy no-downgrade
- Migrate onlyBuiltDependencies to allowBuilds map
- Consolidate pnpm config from package.json into pnpm-workspace.yaml
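The three minimumReleaseAge settings listed in the summary, modelled as an added example (this is not pnpm's implementation and not code from this PR): a version is eligible only if its publish time is known and old enough, a missing publish time fails closed, and strict mode refuses the resolution instead of silently falling back to an older release. The registry "time" map and the clock are constructed inline; its shape (version to ISO publish timestamp) is assumed to mirror an npm packument's `time` field.

```javascript
// Added example, not pnpm's implementation and not part of this PR: a model of
// how the three minimumReleaseAge* settings decide which version of a package
// may be installed. Registry metadata and the clock are constructed inline so
// the script runs offline.

// Policy as pinned in pnpm-workspace.yaml by this PR (minutes and booleans).
const policy = {
  minimumReleaseAge: 10080,                  // 7 days
  minimumReleaseAgeStrict: true,             // reject instead of falling back
  minimumReleaseAgeIgnoreMissingTime: false, // no publish time => fail closed
};

// Constructed "time" map; the shape (version -> ISO publish timestamp) is
// assumed to mirror an npm registry packument's `time` field.
const NOW = Date.parse('2026-05-18T12:00:00Z');
const constructedTime = {
  '1.0.0': '2026-04-01T00:00:00Z', // ~47 days old
  '1.1.0': '2026-05-10T00:00:00Z', // 8.5 days old
  '1.2.0': '2026-05-17T09:00:00Z', // 27 hours old
  // '1.3.0' is published but has no timestamp recorded
};
const constructedVersions = ['1.0.0', '1.1.0', '1.2.0', '1.3.0'];

// Plain major.minor.patch comparison; pre-release tags are out of scope here.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Is a single version old enough under the policy? Returns { eligible, reason }.
function evaluateVersion(version, timeMap, pol, now) {
  const iso = timeMap[version];
  if (iso === undefined) {
    return pol.minimumReleaseAgeIgnoreMissingTime
      ? { eligible: true, reason: 'missing publish time ignored (fail open)' }
      : { eligible: false, reason: 'missing publish time (fail closed)' };
  }
  const ageMinutes = (now - Date.parse(iso)) / 60000;
  if (ageMinutes < pol.minimumReleaseAge) {
    return { eligible: false, reason: `${Math.round(ageMinutes)} min old, policy requires ${pol.minimumReleaseAge}` };
  }
  return { eligible: true, reason: `${Math.round(ageMinutes)} min old` };
}

// Pick the version to install from candidates that already satisfy the range.
// Strict mode refuses the resolution when the newest candidate is too new;
// non-strict mode quietly falls back to the newest eligible older version.
function selectVersion(candidates, timeMap, pol, now) {
  const newestFirst = [...candidates].sort((a, b) => compareSemver(b, a));
  const newest = newestFirst[0];
  const verdict = evaluateVersion(newest, timeMap, pol, now);
  if (verdict.eligible) return { version: newest, reason: verdict.reason };
  if (pol.minimumReleaseAgeStrict) {
    return { version: null, reason: `strict: ${newest} rejected (${verdict.reason}), no fallback` };
  }
  for (const v of newestFirst.slice(1)) {
    const r = evaluateVersion(v, timeMap, pol, now);
    if (r.eligible) return { version: v, reason: `fell back from ${newest} to ${v} (${r.reason})` };
  }
  return { version: null, reason: 'no eligible version' };
}

// Walk the three policy variants so the difference is visible on one run.
function demo() {
  const variants = {
    'PR baseline (strict, fail closed)': policy,
    'non-strict fallback': { ...policy, minimumReleaseAgeStrict: false },
    'ignore missing time': { ...policy, minimumReleaseAgeIgnoreMissingTime: true },
  };
  for (const [name, pol] of Object.entries(variants)) {
    const r = selectVersion(constructedVersions, constructedTime, pol, NOW);
    console.log(`${name}: ${r.version ?? 'INSTALL FAILS'} -- ${r.reason}`);
  }
}
demo();
```

Running it shows why the PR picks the fail-closed combination: with the baseline the install is refused (the newest candidate has no publish time), the non-strict variant quietly downgrades to 1.1.0, and the ignore-missing-time variant admits 1.3.0 with no age check at all.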
codecov Bot commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (6b4c4fa) to head (8bf7cd1).

@@            Coverage Diff            @@
##              main      #141   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           37        37           
  Lines         1089      1089           
  Branches       222       221    -1     
=========================================
  Hits          1089      1089           


gemini-code-assist Bot left a comment

Code Review

This pull request updates the project's package management and security configurations by specifying Node.js and pnpm versions, strengthening pnpm workspace policies, and removing the terser dependency. Feedback suggests further improving security by adding an override for the vulnerable @ungap/structured-clone package and pruning the allowBuilds list to remove unnecessary script execution permissions for core-js, protobufjs, and unrs-resolver.

Comment thread pnpm-workspace.yaml

  vue-demi: true

overrides:
  set-cookie-parser: 2.7.2

security-high

The pnpm-lock.yaml file (line 1337) indicates that @ungap/structured-clone@1.3.0 is deprecated due to a potential security vulnerability (CWE-502). Since this PR is consolidating security policies and overrides, it is recommended to add an override to ensure a safe version (1.3.1 or higher) is used.

  set-cookie-parser: 2.7.2
  '@ungap/structured-clone': '>=1.3.1'

Comment thread pnpm-workspace.yaml
Comment on lines +9 to +15

allowBuilds:
  '@swc/core': true
  core-js: true
  esbuild: true
  protobufjs: true
  unrs-resolver: true
  vue-demi: true

medium

To align with the defense-in-depth strategy of minimizing script execution, consider removing unnecessary packages from the allowBuilds list:

  • core-js: Its postinstall script is primarily for display messages and is not required for functionality.
  • protobufjs: Version 7.x does not have a postinstall script.
  • unrs-resolver: This package is no longer present in the dependency tree (pnpm-lock.yaml).
allowBuilds:
  '@swc/core': true
  esbuild: true
  vue-demi: true

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d93b64edd


Comment thread .github/workflows/tests.yaml (Outdated)
Comment on lines 23 to 25

      - run: corepack enable
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v5

P1: Run Corepack after selecting the job's Node version

corepack enable is executed before actions/setup-node, but Corepack installs shims next to the currently resolved corepack binary; after setup-node switches PATH to the matrix Node, that Node installation may not have the pnpm shim enabled. In this workflow, pnpm can therefore resolve to a shim from the runner’s preinstalled Node (or be missing), which can bypass the intended matrix version or fail entirely when pnpm 11 requires a newer runtime. Move corepack enable to after actions/setup-node (same issue appears in the other updated workflows).


Comment thread package.json (Outdated)

  "types": "dist/index.d.mts",
  "packageManager": "pnpm@11.1.3",
  "engines": {
    "node": "^22.13.0"

P2: Widen Node engine range to include supported newer majors

Setting engines.node to ^22.13.0 restricts the package to <23.0.0, which excludes Node 24 and 26 even though the CI matrix explicitly tests those versions. Users with engine-strict enabled (common in CI and some org defaults) will get install failures on newer supported Node majors; use a minimum range like >=22.13.0 if newer majors are intended to be supported.


claude added 2 commits May 18, 2026 16:42
- Override @ungap/structured-clone to >=1.3.1 (1.3.0 deprecated, CWE-502)
- Prune allowBuilds: drop unrs-resolver (not in tree), set core-js and
  protobufjs to false (postinstalls are informational/no-op)
- Widen engines.node from ^22.13.0 to >=22.13.0 so it matches the
  Node 22/24/26 test matrix and engine-strict consumers
- Move corepack enable after setup-node so shims target the matrix Node
- Drop cache: 'pnpm' since setup-node's pnpm cache needs pnpm available
  before setup-node runs, which conflicts with the new ordering

setup-node v5 added auto package-manager-cache that detects packageManager
from package.json and invokes pnpm during the setup step. Since corepack
runs after setup-node, pnpm isn't on PATH yet and setup-node fails with
"Unable to locate executable file: pnpm". Set package-manager-cache: false
on every setup-node@v5 step to opt out of that auto-detection.
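The step ordering the two commits above converged on, assembled here as an added example (this is not the repository's workflow file): actions/setup-node runs first with its automatic package-manager cache disabled, and corepack enable follows so the pnpm shim is installed for the matrix Node rather than the runner's preinstalled one. The package-manager-cache input and the "Unable to locate executable file: pnpm" failure are taken from the commit message; the job name, the checkout step and the trailing install and test commands are assumptions.

```yaml
# Added example, not the repository's own workflow: a test job with the step
# order from this PR's final commits. Job name, checkout step and the install
# and test commands are assumptions.
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [22, 24, 26]
    steps:
      - uses: actions/checkout@v4   # assumed; the PR does not show this step
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          # setup-node v5 would otherwise read packageManager from package.json
          # and invoke pnpm during setup, before corepack has enabled the shim,
          # failing with "Unable to locate executable file: pnpm".
          package-manager-cache: false
      # Enable corepack only after PATH points at the matrix Node, so the pnpm
      # shim belongs to that runtime; the pnpm version comes from packageManager.
      - run: corepack enable
      - run: pnpm install --frozen-lockfile
      - run: pnpm test:ci
```

With this order every matrix job resolves pnpm 11.1.3 from package.json through the Node it is testing, and the engine requirement (Node >= 22.13) is checked against the same runtime that will run the tests.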
@jaredwray jaredwray merged commit c670734 into main May 18, 2026
9 checks passed
@jaredwray jaredwray deleted the claude/upgrade-pnpm-11-bvlU0 branch May 18, 2026 18:58