upgrade pnpm to 11.4.0

joeyorlando · joeyorlando · commit cd54a4a95fbe · 2026-05-28T08:17:25.000-04:00
diff --git a/.github/actions/setup-env/action.yml b/.github/actions/setup-env/action.yml
@@ -6,7 +6,7 @@ runs:
     - name: Setup pnpm
       uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
       with:
-        version: 10.33.0
+        version: 11.4.0
 
     - name: Setup Node.js
       uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -39,7 +39,7 @@ This is the Archestra.ai website - a Next.js application that hosts the MCP (Mod
 ### Tech Stack
 
 - **Framework**: Next.js 15 with App Router
-- **Package Manager**: pnpm (v10.14.0)
+- **Package Manager**: pnpm (v11.4.0)
 - **Testing**: Vitest with React Testing Library
 - **Styling**: Tailwind CSS with tailwindcss-animate
 - **UI Components**: Custom components using Radix UI primitives
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ This repository contains the source code for [Archestra.AI](https://archestra.ai
 ### Prerequisites
 
 - Node.js 24+ (Latest LTS recommended)
-- pnpm 10.24.0+
+- pnpm 11.4.0
 
 ### Development
 
diff --git a/app/.npmrc b/app/.npmrc
@@ -1,13 +1,2 @@
-# Enforce Node.js version requirements from package.json engines field
-engine-strict=true
-
-# Security: Prevent automatic execution of install scripts
-# Protects against supply-chain attacks like Shai-Hulud
-# Packages requiring scripts must be manually rebuilt with: pnpm rebuild <package-name>
-ignore-scripts=true
-
-# Security: Delay installation of newly published packages
-# Allows time for community detection of malicious releases
-# 10080 minutes = 7 days (provides strong protection against supply chain attacks)
-# https://daniakash.com/posts/simplest-supply-chain-defense/
-minimum-release-age=10080
+# pnpm v11 reads only auth and registry settings from .npmrc.
+# Project settings live in pnpm-workspace.yaml.
diff --git a/app/package.json b/app/package.json
@@ -80,18 +80,5 @@
     "vite": "^8.0.10",
     "vitest": "^4.1.5"
   },
-  "pnpm": {
-    "overrides": {
-      "axios": "1.14.0",
-      "glob": "11.1.0",
-      "js-yaml": "3.14.2",
-      "mdast-util-to-hast": "13.2.1",
-      "node-forge": "1.3.2",
-      "tmp": "0.2.4",
-      "zod": "^4.3.5",
-      "lodash": "^4.17.23",
-      "lodash-es": "^4.18.1"
-    }
-  },
-  "packageManager": "pnpm@10.33.0"
+  "packageManager": "pnpm@11.4.0"
 }
diff --git a/app/pnpm-workspace.yaml b/app/pnpm-workspace.yaml
@@ -0,0 +1,22 @@
+overrides:
+  axios: 1.14.0
+  glob: 11.1.0
+  js-yaml: 3.14.2
+  mdast-util-to-hast: 13.2.1
+  node-forge: 1.3.2
+  tmp: 0.2.4
+  zod: ^4.3.5
+  lodash: ^4.17.23
+  lodash-es: ^4.18.1
+
+# Enforce Node.js version requirements from package.json engines field.
+engineStrict: true
+
+# Security: Prevent automatic execution of install scripts.
+# Packages requiring scripts must be manually rebuilt with: pnpm rebuild <package-name>
+ignoreScripts: true
+
+# Security: Delay installation of newly published packages.
+# 10080 minutes = 7 days.
+# https://daniakash.com/posts/simplest-supply-chain-defense/
+minimumReleaseAge: 10080
