Migrate project from npm to pnpm v10 with CI updates

[wozniakpl]

Description:

Migrate package management from npm to pnpm (v10)

• Add pnpm-lock.yaml, remove package-lock.json
• Prerequisites and install steps in README now use pnpm (e.g. pnpm run inst)
• CI/workflows and scripts updated to use pnpm where applicable
• Ran the install comparison on my HDD (clean node_modules, then inst): npm ~21s vs pnpm ~9s

Why ref import changed: lit-html → lit

- import { ref } from "lit-html/directives/ref.js";
+ import { ref } from "lit/directives/ref.js";

This was seen:

Cannot find module 'lit-html/directives/ref.js' or its corresponding type declarations.

The project depends on the unified lit package (Lit 3). Imports should come from lit/..., not from the legacy lit-html package.

• lit-html was the old, split package (templating only).
• lit is the main package for Lit 2+/3 and re-exports html, ref, directives, etc. from a single place.

Using lit/directives/ref.js is the correct and supported import for the current lit dependency; lit-html/directives/ref.js is the deprecated path and can cause inconsistencies or break in future Lit versions.

Please complete the following:

• I have added screenshots for all UI updates
• I process any text displayed to the user through translateText() and I've added it to the en.json file
• I have added relevant tests to the test directory
• I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced

Please put your Discord username so you can be contacted if a bug or regression is found:

.wozniakpl

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Migrates project from npm/npx to pnpm across CI, Docker, docs, VS Code launch, supervisord, and package scripts; updates one lit import path in client code.

Changes

Cohort / File(s)	Summary
CI Workflows ​.github/workflows/ci.yml	Replaces npm steps with pnpm: adds "Setup pnpm", uses pnpm install --frozen-lockfile --ignore-scripts / pnpm run for build and tests, pnpm exec for tooling, and enables cache: "pnpm".
Editor / Launch Config ​.vscode/launch.json	Switches runtimeExecutable from npm → pnpm and updates runtimeArgs to use ["run", "test"] for Jest debugging.
Package config & scripts package.json	Adds packageManager: "pnpm@10.30.3" and updates scripts to use pnpm, pnpm run, or pnpm exec instead of npm/npx; inst uses pnpm install --frozen-lockfile --ignore-scripts.
Documentation CONTRIBUTING.md, README.md	Replaces npm examples with pnpm equivalents; adds pnpm guidance (Corepack recommendation, frozen-lockfile) across install, dev, format, lint, and test instructions.
Docker & Runtime config Dockerfile, supervisord.conf	Multi-stage Docker build and runtime switched to pnpm: copy pnpm-lock.yaml, enable Corepack, use pnpm install/build commands; supervisord start changed to use pnpm.
Source import fix src/client/graphics/layers/PlayerInfoOverlay.ts	Updates import path for the ref directive from lit-html/directives/ref.js → lit/directives/ref.js.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

pnpm steps replace the old,
CI, Docker, docs retold,
launch and supervisor now sing,
one import fixed — a tiny wing,
builds proceed, the repo bold. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: migrating from npm to pnpm v10 with CI updates.
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining the npm-to-pnpm migration and the lit-html import fix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

README.md (1)

124-128: ⚠️ Potential issue | 🟡 Minor

Change lint command to pnpm for consistency.

Line 127 in README.md uses npm run lint while all other commands use pnpm. Update it to match the project standard.

Suggested patch

-  npm run lint
+  pnpm run lint

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 124 - 128, Replace the npm lint command in the README
(the line containing "npm run lint") with the project-standard pnpm invocation
(e.g., "pnpm run lint" or "pnpm lint") so the lint entry matches other pnpm
commands in the file; update the exact string "npm run lint" to "pnpm run lint"
within README.md.

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

23-26: Pin pnpm version in CI to match package.json.

Using version: 10 in the workflow while package.json pins pnpm@10.30.3 creates unnecessary differences between local and CI environments. Pin the exact version in all four pnpm/action-setup@v4 blocks.

Suggested patch

-          version: 10
+          version: 10.30.3

(Apply to all four instances: lines 26, 50, 67, and 83.)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 23 - 26, The CI workflow uses
pnpm/action-setup@v4 with a generic version: 10; update each "Setup pnpm" step
(the actions that use "pnpm/action-setup@v4") to pin the exact pnpm version
matching package.json (pnpm@10.30.3) by replacing the with: version: 10 entries
in all four blocks with with: version: 10.30.3 so CI matches local dev; ensure
you update every instance of the pnpm/action-setup@v4 step.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@README.md`:
- Around line 124-128: Replace the npm lint command in the README (the line
containing "npm run lint") with the project-standard pnpm invocation (e.g.,
"pnpm run lint" or "pnpm lint") so the lint entry matches other pnpm commands in
the file; update the exact string "npm run lint" to "pnpm run lint" within
README.md.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 23-26: The CI workflow uses pnpm/action-setup@v4 with a generic
version: 10; update each "Setup pnpm" step (the actions that use
"pnpm/action-setup@v4") to pin the exact pnpm version matching package.json
(pnpm@10.30.3) by replacing the with: version: 10 entries in all four blocks
with with: version: 10.30.3 so CI matches local dev; ensure you update every
instance of the pnpm/action-setup@v4 step.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bd63e5a8-8cf9-4651-95f3-9b0fa4aee559

📥 Commits

Reviewing files that changed from the base of the PR and between e137fca and 7ea2a80.

⛔ Files ignored due to path filters (2)

• package-lock.json is excluded by !**/package-lock.json
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• .github/workflows/ci.yml
• .vscode/launch.json
• CONTRIBUTING.md
• README.md
• package.json
• src/client/graphics/layers/PlayerInfoOverlay.ts

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

36-47: ⚠️ Potential issue | 🔴 Critical

Missing corepack enable in final stage.

The final production image needs pnpm for supervisord.conf to run pnpm run start:server. Add corepack enable after installing system dependencies.

🐛 Proposed fix

 RUN apt-get update && apt-get install -y \
     nginx \
     curl \
     jq \
     wget \
     supervisor \
     apache2-utils \
     && rm -rf /var/lib/apt/lists/*
+
+# Enable pnpm via corepack for runtime
+RUN corepack enable

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 36 - 47, The final Dockerfile stage installs system
packages but doesn't enable Corepack, so pnpm isn't available for supervisord to
run `pnpm run start:server`; after the apt-get install line in the final image
(the RUN that installs nginx, curl, jq, wget, supervisor, apache2-utils), add a
step to run `corepack enable` (or install/enable corepack before invoking pnpm)
so that pnpm is present when supervisord starts and `supervisord.conf` can
successfully execute `pnpm run start:server`.

🧹 Nitpick comments (1)

Dockerfile (1)

75-75: Update glob pattern to explicit filename.

Since package-lock.json is removed in this PR, package*.json now only matches package.json. Consider using the explicit filename for clarity.

✨ Suggested change

-COPY package*.json ./
+COPY package.json ./

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 75, The Dockerfile currently uses a glob in the COPY step
("COPY package*.json ./") which now only matches package.json after
package-lock.json was removed; update that COPY instruction to explicitly
reference package.json (replace the "package*.json" pattern with "package.json")
so the intent is clear and future changes don't rely on glob behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 23: The "gen-maps" npm script currently runs "cd map-generator && go run
. && pnpm run format" which causes pnpm to run the root formatter; update the
"gen-maps" script (the package.json "gen-maps" entry) to run the Go formatter
directly by replacing the trailing "pnpm run format" with "go fmt ." so it
becomes "cd map-generator && go run . && go fmt ." to format only the Go files
in map-generator.

In `@supervisord.conf`:
- Line 17: The supervisord command uses "pnpm run start:server" but the final
Docker stage never enables Corepack, so pnpm won't be available; modify the
final image setup (the stage that inherits from node:24-slim / "base") to run
"corepack enable" (or "corepack enable && corepack prepare pnpm@latest
--activate") before supervisord is started so the pnpm CLI is provided at
runtime, ensuring the "command=pnpm run start:server" entry in supervisord
works.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 36-47: The final Dockerfile stage installs system packages but
doesn't enable Corepack, so pnpm isn't available for supervisord to run `pnpm
run start:server`; after the apt-get install line in the final image (the RUN
that installs nginx, curl, jq, wget, supervisor, apache2-utils), add a step to
run `corepack enable` (or install/enable corepack before invoking pnpm) so that
pnpm is present when supervisord starts and `supervisord.conf` can successfully
execute `pnpm run start:server`.

---

Nitpick comments:
In `@Dockerfile`:
- Line 75: The Dockerfile currently uses a glob in the COPY step ("COPY
package*.json ./") which now only matches package.json after package-lock.json
was removed; update that COPY instruction to explicitly reference package.json
(replace the "package*.json" pattern with "package.json") so the intent is clear
and future changes don't rely on glob behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96c188de-26aa-4a8a-a858-1eb41ef2d30b

📥 Commits

Reviewing files that changed from the base of the PR and between 7ea2a80 and 6a14da1.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• Dockerfile
• README.md
• package.json
• supervisord.conf

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if map-generator directory exists and has package.json
echo "=== Checking map-generator directory structure ==="
if [ -d "map-generator" ]; then
    echo "map-generator directory exists"
    if [ -f "map-generator/package.json" ]; then
        echo "✓ map-generator has its own package.json"
        echo ""
        echo "=== Checking for 'format' script in map-generator/package.json ==="
        grep -A 50 '"scripts"' map-generator/package.json | head -30
    else
        echo "✗ No package.json found in map-generator"
    fi
else
    echo "map-generator directory does not exist"
fi

Repository: openfrontio/OpenFrontIO

Length of output: 189

---

🏁 Script executed:

#!/bin/bash
echo "=== Checking map-generator directory contents ==="
ls -la map-generator/ | head -20

echo ""
echo "=== Checking root package.json format script ==="
grep -A 3 '"format"' package.json

echo ""
echo "=== Checking if there are files to format in map-generator ==="
find map-generator -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.go" \) 2>/dev/null | head -20

Repository: openfrontio/OpenFrontIO

Length of output: 1100

---

Use go fmt . directly instead of pnpm run format in the gen-maps script.

The pnpm run format command after cd map-generator will not find a package.json in that directory. pnpm walks up to the root and runs the root's format script (prettier --ignore-unknown --write .), which formats the entire repository instead of just the map-generator directory. This is likely unintended.

Since map-generator is a Go-only directory, use go fmt . to format the generated Go code:

"gen-maps": "cd map-generator && go run . && go fmt .",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 23, The "gen-maps" npm script currently runs "cd
map-generator && go run . && pnpm run format" which causes pnpm to run the root
formatter; update the "gen-maps" script (the package.json "gen-maps" entry) to
run the Go formatter directly by replacing the trailing "pnpm run format" with
"go fmt ." so it becomes "cd map-generator && go run . && go fmt ." to format
only the Go files in map-generator.

[coderabbitai]

🧹 Nitpick comments (2)

Dockerfile (2)

30-34: Redundant ignore-scripts setting.

Line 30 sets PNPM_IGNORE_SCRIPTS=1 as an environment variable, but line 34 also passes --ignore-scripts as a CLI flag. The CLI flag alone is enough here since you run only one pnpm command in this stage.

🧹 Optional cleanup

 # Production dependencies stage - separate from build
 FROM base AS prod-deps
 ENV HUSKY=0
-ENV PNPM_IGNORE_SCRIPTS=1
 COPY package.json pnpm-lock.yaml ./
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
     corepack enable \
     && pnpm install --frozen-lockfile --ignore-scripts --prod

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 30 - 34, Remove the redundant environment variable
and rely on the CLI flag: delete the ENV PNPM_IGNORE_SCRIPTS=1 line so the pnpm
install invocation (the command containing "pnpm install --frozen-lockfile
--ignore-scripts --prod") remains the single source of truth for disabling
lifecycle scripts; this keeps the Dockerfile concise and avoids duplicate
configuration.

---

75-75: Update glob pattern to match the pnpm migration.

The package*.json glob is an npm-era pattern that would copy package-lock.json if present. Since you are removing the npm lockfile in this PR, consider being explicit:

🧹 Clearer copy for pnpm setup

 # Copy production node_modules from prod-deps stage (cached separately from build)
 COPY --from=prod-deps /usr/src/app/node_modules ./node_modules
-COPY package*.json ./
+COPY package.json ./

If pnpm needs the lockfile at runtime (unlikely for just running the server), also copy pnpm-lock.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 75, Replace the npm-era glob COPY package*.json ./ with
explicit copies so the Docker build only pulls files you intend: update the COPY
invocation that currently reads "COPY package*.json ./" to explicitly copy
package.json and, if you want to include the pnpm lock for reproducible
installs, pnpm-lock.yaml (e.g., COPY package.json pnpm-lock.yaml ./); ensure the
Dockerfile still works if pnpm-lock.yaml is absent by either adding it
conditionally to your build context or only listing package.json if you don't
need the lockfile at runtime.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 30-34: Remove the redundant environment variable and rely on the
CLI flag: delete the ENV PNPM_IGNORE_SCRIPTS=1 line so the pnpm install
invocation (the command containing "pnpm install --frozen-lockfile
--ignore-scripts --prod") remains the single source of truth for disabling
lifecycle scripts; this keeps the Dockerfile concise and avoids duplicate
configuration.
- Line 75: Replace the npm-era glob COPY package*.json ./ with explicit copies
so the Docker build only pulls files you intend: update the COPY invocation that
currently reads "COPY package*.json ./" to explicitly copy package.json and, if
you want to include the pnpm lock for reproducible installs, pnpm-lock.yaml
(e.g., COPY package.json pnpm-lock.yaml ./); ensure the Dockerfile still works
if pnpm-lock.yaml is absent by either adding it conditionally to your build
context or only listing package.json if you don't need the lockfile at runtime.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bb4f16f7-d3a5-4290-93c4-93810e034a5e

📥 Commits

Reviewing files that changed from the base of the PR and between 6a14da1 and 449fb99.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• Dockerfile

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci.yml

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

76-77: Pre-activate pnpm during image build to remove runtime network dependency.

Line 77 enables Corepack shims, but the first pnpm execution will still need to download the binary from the network. This fails in restricted runtime networks. Pre-activate the exact pnpm version (pnpm@10.30.3 from package.json) during the image build.

Proposed solution

-# Enable Corepack so pnpm is available for supervisord (command=pnpm run start:server)
-RUN corepack enable
+# Enable and pre-activate pnpm so runtime does not depend on network
+RUN corepack enable \
+    && corepack prepare pnpm@10.30.3 --activate

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 76 - 77, The Dockerfile currently runs "corepack
enable" which leaves the first pnpm invocation to fetch the binary at runtime;
replace or augment that step to pre-activate the exact pnpm version from
package.json (pnpm@10.30.3) during image build by invoking Corepack prepare for
that version and activating it (e.g., use corepack prepare pnpm@10.30.3
--activate after or instead of corepack enable). Update the RUN that contains
"corepack enable" so the build image has the pnpm shim and binary preinstalled
and no longer needs network access at container runtime.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 76-77: The Dockerfile currently runs "corepack enable" which
leaves the first pnpm invocation to fetch the binary at runtime; replace or
augment that step to pre-activate the exact pnpm version from package.json
(pnpm@10.30.3) during image build by invoking Corepack prepare for that version
and activating it (e.g., use corepack prepare pnpm@10.30.3 --activate after or
instead of corepack enable). Update the RUN that contains "corepack enable" so
the build image has the pnpm shim and binary preinstalled and no longer needs
network access at container runtime.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ef3a910a-3e12-42ec-8e82-0347bace5b86

📥 Commits

Reviewing files that changed from the base of the PR and between 449fb99 and 94ff0ae.

📒 Files selected for processing (1)

• Dockerfile