feat: Switch to pnpm for security reasons #160

Merged: timokoessler merged 4 commits into main from pnpm, May 12, 2026

@timokoessler
Member

Type of change

  • 🐛 Bug fix
  • 🚀 New feature
  • ❓ Other (please specify)

Description

Switch to pnpm with additional security settings, mainly minimum package age.

Additional context

Copilot AI review requested due to automatic review settings May 12, 2026 11:39
Contributor

Copilot AI left a comment

Pull request overview

This PR migrates the frontend and e2e test tooling from npm to pnpm, aiming to improve supply-chain security (e.g., enforcing minimum package age) while updating CI, Docker builds, and contributor docs accordingly.

Changes:

  • Switch frontend + e2e dependency installation from npm to pnpm (including lockfile changes and CI cache updates).
  • Update hub.Dockerfile frontend build stage to install dependencies with pnpm and add Go build cache mounts.
  • Adjust a few frontend imports (Shiki theme/lang imports; Radix component imports) and update documentation references from npm → pnpm.

Reviewed changes

Copilot reviewed 14 out of 18 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| hub.Dockerfile | Adds a pnpm-based dependency install stage for the frontend; adds Go module/build cache mounts. |
| frontend/src/lib/highlighter.ts | Updates Shiki theme/lang import paths. |
| frontend/src/components/ui/tabs.tsx | Switches Tabs primitive import to radix-ui. |
| frontend/src/components/ui/switch.tsx | Switches Switch primitive import to radix-ui. |
| frontend/src/components/ui/select.tsx | Switches Select primitive import to radix-ui. |
| frontend/pnpm-workspace.yaml | Adds pnpm-related “security settings” file (currently structured as a workspace file). |
| frontend/package.json | Adds packageManager: [email protected] and adjusts a few dependency versions. |
| e2e/pnpm-workspace.yaml | Adds pnpm-related “security settings” file (currently structured as a workspace file). |
| e2e/pnpm-lock.yaml | Introduces pnpm lockfile for e2e dependencies. |
| e2e/package.json | Adds packageManager: [email protected]. |
| e2e/package-lock.json | Removes npm lockfile. |
| docker-compose.yml | Removes the agent service from the compose example. |
| CONTRIBUTING.md | Updates frontend tooling docs from npm → pnpm. |
| AGENTS.md | Updates prerequisites/commands from npm → pnpm. |
| .github/workflows/e2e-tests.yml | Updates e2e workflow to install pnpm, use pnpm cache, and install deps with pnpm. |
| .github/workflows/ci.yml | Updates frontend CI job to install pnpm, use pnpm cache, and install deps with pnpm (removes Safe Chain step). |
Files not reviewed (2)
  • e2e/package-lock.json: Language not supported
  • e2e/pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (1)

docker-compose.yml:15

  • This PR is described as switching to pnpm for security, but this change removes the agent service from the example docker-compose.yml. If this is intentional, it should be called out in the PR description because it changes the documented deployment topology; otherwise consider reverting this change or moving it to a dedicated PR.
      - '127.0.0.1:8080:8080'
    volumes:
      - ./data/hub:/app/data


Comment thread frontend/pnpm-workspace.yaml
Comment thread hub.Dockerfile
Comment thread hub.Dockerfile
Comment thread e2e/pnpm-workspace.yaml
Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/e2e-tests.yml
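
The "minimum package age" control named in the description can be pictured as a filter over the publish timestamps the npm registry returns in a package's `time` map. The sketch below is an added example, not code from this PR or from pnpm itself (pnpm exposes the control as the `minimumReleaseAge` setting, in minutes). The package name, timestamps and the 7-day window are constructed assumptions; the page does not state the value the PR uses.

```javascript
// Added illustration: a minimum-package-age gate over registry publish times.
// The packument below is constructed sample data, not a real package.
const MINUTE_MS = 60 * 1000;

// Parse "x.y.z" into numbers; pre-release tags are ignored in this sketch.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Split versions into those old enough to install and those still held back.
function applyMinimumAge(packument, minAgeMinutes, now) {
  const cutoff = now.getTime() - minAgeMinutes * MINUTE_MS;
  const allowed = [], held = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (version === 'created' || version === 'modified') continue; // metadata keys
    const ts = Date.parse(published);
    // Unparseable timestamps fail closed: the version is treated as too new.
    (Number.isFinite(ts) && ts <= cutoff ? allowed : held).push(version);
  }
  allowed.sort(compareVersions);
  held.sort(compareVersions);
  return { allowed, held, pick: allowed.length ? allowed[allowed.length - 1] : null };
}

const samplePackument = {
  name: 'example-lib', // hypothetical package
  time: {
    created: '2025-01-10T09:00:00.000Z',
    modified: '2026-05-12T08:00:00.000Z',
    '1.4.0': '2026-03-01T10:00:00.000Z',
    '1.4.1': '2026-05-09T10:00:00.000Z',
    '1.5.0': '2026-05-12T08:00:00.000Z', // published four hours before "now"
  },
};

const now = new Date('2026-05-12T12:00:00.000Z');
console.log(applyMinimumAge(samplePackument, 7 * 24 * 60, now)); // assumed 7-day window
```

With the 7-day window the two most recent releases are held back and the install resolves to the older 1.4.0, which is the delay that gives a compromised release time to be noticed and unpublished.
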
@codecov

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@timokoessler timokoessler self-assigned this May 12, 2026
@timokoessler timokoessler enabled auto-merge (squash) May 12, 2026 11:57
@timokoessler timokoessler requested a review from alex289 May 12, 2026 11:58
Comment thread docker-compose.yml
@timokoessler timokoessler merged commit da90843 into main May 12, 2026
8 checks passed
@timokoessler timokoessler deleted the pnpm branch May 12, 2026 12:21