prosopo · goastler · Jun 12, 2026 · Jun 12, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -45,21 +45,22 @@ jobs:
           token: ${{ secrets.PROSOPONATOR_PAT }}
           submodules: "recursive"
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       # don't restore the cache, otherwise we get artifacts left over from the previous run sit in the cache for eternity. Do a clean build every time.
-      - run: npm cache clean --force
+      - run: pnpm store prune
 
       - uses: prosopo/captcha/.github/actions/npm@gha
         with:
           npm_ci_args: '--include=dev'
 
       # clean the nx cache
       - run: npx nx reset
-      - run: npm run clean:turbo
+      - run: pnpm run clean:turbo
 
       # install cypress so we don't have to do that every time
       - run: npx cypress install

@@ -50,10 +50,11 @@ jobs:
           submodules: 'recursive'
           fetch-depth: 0 # required for comparing changesets to the base branch
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - uses: prosopo/captcha/.github/actions/npm@gha
         with:
@@ -67,9 +68,9 @@ jobs:
       - name: Checkout head ref
         run: git fetch origin ${{ github.head_ref }} && git checkout ${{ github.head_ref }}
 
-      # if this fails, you need to run `npm run changesets:add` (preferred!) or `npm run changesets:empty` for an empty changeset (avoid if possible)
+      # if this fails, you need to run `pnpm run changesets:add` (preferred!) or `pnpm run changesets:empty` for an empty changeset (avoid if possible)
       - name: check changesets
         run: |
 
           # check that the changesets are present for each package which has been modified
-          npm run changesets -- --since ${{ github.base_ref }}
+          pnpm run changesets -- --since ${{ github.base_ref }}
@@ -33,10 +33,11 @@ jobs:
           token: ${{ steps.app_token.outputs.token }}
           fetch-depth: 0
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - name: Setup npm registry
         run: |
@@ -47,7 +48,7 @@ jobs:
           git config user.name "prosoponator[bot]"
           git config user.email "dev@prosopo.io"
 
-      - run: npm ci --ignore-scripts --include=dev
+      - run: pnpm install --frozen-lockfile --ignore-scripts
 
       - name: Detect changesets
         id: detect
@@ -69,13 +70,13 @@ jobs:
       - name: Version bump
         if: steps.detect.outputs.has_changesets == 'true'
         run: |
-          npm i -g @changesets/cli
+          pnpm add -g @changesets/cli
           npx @changesets/cli version --verbose
 
-          npm i --ignore-scripts --include=dev
+          pnpm install --ignore-scripts
 
           # Set the version of root and docker/images/provider to match @prosopo/cli
-          root_version=$(npm -w @prosopo/cli pkg get version | jq -r '.["@prosopo/cli"]')
+          root_version=$(pnpm --filter @prosopo/cli pkg get version | jq -r '.["@prosopo/cli"]')
           echo "root_version=$root_version" >> $GITHUB_ENV
           echo "Setting versions to $root_version"
 
@@ -86,16 +87,16 @@ jobs:
 
           git add -u .
 
-      - run: npm ci --ignore-scripts --include=dev
+      - run: pnpm install --frozen-lockfile --ignore-scripts
 
       - name: Build packages
         run: |
           echo "Building all packages"
-          npm run build:all
+          pnpm run build:all
 
       - name: lint-fix
         run: |
-          npm run lint-fix
+          pnpm run lint-fix
           git add -u .
 
       - name: Create release branch and PR

@@ -46,10 +46,11 @@ jobs:
           token: ${{ secrets.PROSOPONATOR_PAT }}
           submodules: "recursive"
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - uses: prosopo/captcha/.github/actions/npm@gha
         with:
@@ -84,29 +85,29 @@ jobs:
           docker container ls
           sleep 10s
 
-      - run: NODE_ENV="test" npm run setup
+      - run: NODE_ENV="test" pnpm run setup
 
       - run: NODE_ENV="development" npx turbo run @prosopo/procaptcha-bundle#bundle
 
       - name: Regenerate image baselines
         if: contains(inputs.configs, 'image')
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:baselines:image" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:baselines:image" --success "first" --kill-others
 
       - name: Regenerate frictionless baselines
         if: contains(inputs.configs, 'frictionless')
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:baselines:frictionless" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:baselines:frictionless" --success "first" --kill-others
 
       - name: Regenerate pow baselines
         if: contains(inputs.configs, 'pow')
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:baselines:pow" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:baselines:pow" --success "first" --kill-others
 
       - name: Regenerate invisible baselines
         if: contains(inputs.configs, 'invisible')
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:baselines:invisible" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:baselines:invisible" --success "first" --kill-others
 
       - run: docker compose --file ./docker/docker-compose.test.yml down
         if: always()

@@ -54,10 +54,11 @@ jobs:
           token: ${{ secrets.PROSOPONATOR_PAT }}
           submodules: "recursive"
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - uses: prosopo/captcha/.github/actions/npm@gha
         with:
@@ -102,7 +103,7 @@ jobs:
           sleep 10s
 
       # deploy dapp + protocol and run setup to register, stake and load a dataset for a provider
-      - run: NODE_ENV="test" npm run setup
+      - run: NODE_ENV="test" pnpm run setup
 
       # Build a test version of the procaptcha bundle and run the cypress tests on it and on the React client-example
       # Running using NODE_ENV=development instead of NODE_ENV=production means the bundle will be built with selectors that can be used
@@ -111,19 +112,19 @@ jobs:
 
       - name: Run the cypress tests on client-bundle-example
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:run:client-bundle-example:image" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:run:client-bundle-example:image" --success "first" --kill-others
 
       - name: Run the cypress tests on client-bundle-example explicit rendering with frictionless captcha
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:run:client-bundle-example:frictionless" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:run:client-bundle-example:frictionless" --success "first" --kill-others
 
       - name: Run the cypress tests on client-bundle-example explicit rendering with pow captcha
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:run:client-bundle-example:pow" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:run:client-bundle-example:pow" --success "first" --kill-others
 
       - name: Run the cypress tests on client-bundle-example explicit rendering with invisible captcha
         run: |
-          npx concurrently "npm run start:server" "npm run start:provider:admin" "npm run start:bundle" "npm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && npm -w @prosopo/cypress-shared run cypress:run:client-bundle-example:invisible" --success "first" --kill-others
+          npx concurrently "pnpm run start:server" "pnpm run start:provider:admin" "pnpm run start:bundle" "pnpm run serve:bundle" "npx tsx ./demos/cypress-shared/scripts/wait-for-services.ts && pnpm --filter @prosopo/cypress-shared run cypress:run:client-bundle-example:invisible" --success "first" --kill-others
 
       # after the test run completes store videos and any screenshots
       - uses: actions/upload-artifact@v4

@@ -1,7 +1,7 @@
 # Makes Dependabot PRs pass the `changesets` check (and keeps the lockfile in sync).
 #
 # On every Dependabot PR this:
-#   1. refreshes package-lock.json with `npm i` (safety; Dependabot usually does this itself),
+#   1. refreshes pnpm-lock.yaml with `pnpm install` (safety; Dependabot usually does this itself),
 #   2. derives which *versioned* workspace packages had their package.json changed,
 #   3. writes a patch changeset for them describing the bump,
 #   4. commits the lockfile + changeset back onto the PR branch.
@@ -13,7 +13,7 @@
 # dependabot[bot]), the resulting `synchronize` event is skipped by the actor guard
 # below, so there is no re-trigger loop.
 #
-# `npm run changesets:add` is intentionally NOT used: it is interactive (prompts for
+# `pnpm run changesets:add` is intentionally NOT used: it is interactive (prompts for
 # packages + bump type) and cannot run unattended, so the changeset file is written directly.
 
 name: dependabot-changeset
@@ -55,18 +55,20 @@ jobs:
           submodules: "recursive"
           fetch-depth: 0
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           # Match `engines` (node ^24 / npm ^11) and the tests.yml jobs so the
           # regenerated lockfile is identical to what the rest of CI produces.
           node-version: "24"
 
       # Refresh the lockfile against the bumped package.json files.
-      # --ignore-scripts: --package-lock-only does not install node_modules, so the
-      # root `prepare` hook (husky) would otherwise fail with "husky: not found"
-      # (exit 127) and abort before the lockfile is refreshed.
+      # --lockfile-only: refresh pnpm-lock.yaml without installing node_modules.
+      # --ignore-scripts: without node_modules the root `prepare` hook (husky)
+      # would otherwise fail with "husky: not found" (exit 127) and abort before
+      # the lockfile is refreshed.
       - name: Update lockfile
-        run: npm install --package-lock-only --workspaces --include-workspace-root --ignore-scripts
+        run: pnpm install --lockfile-only --ignore-scripts
 
       - name: Generate changeset
         env:

@@ -51,16 +51,17 @@ jobs:
           token: ${{ secrets.PROSOPONATOR_PAT }}
           submodules: "recursive"
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - uses: prosopo/captcha/.github/actions/npm@gha
         with:
           npm_ci_args: '--include=dev'
 
       - run: npx turbo run @prosopo/lint#build
 
-      - run: npm run lint
+      - run: pnpm run lint
 
@@ -56,10 +56,11 @@ jobs:
         with:
           npm_ci_args: '--include=dev'
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - name: env
         run: |

@@ -15,7 +15,7 @@ permissions:
   contents: write
   packages: write
   # Required so npm CLI can mint an OIDC token for trusted publishing.
-  # Without this, `npm publish` falls back to legacy NPM_TOKEN auth.
+  # Without this, `pnpm publish` falls back to legacy NPM_TOKEN auth.
   # See https://docs.npmjs.com/trusted-publishers
   id-token: write
 
@@ -45,10 +45,11 @@ jobs:
           fetch-depth: 0
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/v{0}', inputs.version) || github.ref }}
 
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: pnpm
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -67,19 +68,19 @@ jobs:
           echo "version=$version" >> $GITHUB_OUTPUT
           echo "Version: $version"
 
-      - run: npm ci --ignore-scripts --include=dev
+      - run: pnpm install --frozen-lockfile --ignore-scripts
 
       - name: Build packages
         run: |
           echo "Building all packages in production mode"
-          NODE_ENV=production npm run build:all:tsc
-          NODE_ENV=production npm run build:all
-          NODE_ENV=production npm run build:all:cjs
+          NODE_ENV=production pnpm run build:all:tsc
+          NODE_ENV=production pnpm run build:all
+          NODE_ENV=production pnpm run build:all:cjs
 
       - name: Bundle the production provider CLI
         run: |
           echo "Bundling provider CLI"
-          NODE_ENV="production" npm run -w @prosopo/cli bundle
+          NODE_ENV="production" pnpm --filter @prosopo/cli run bundle
 
       - name: Verify production build
         run: |
@@ -101,7 +102,7 @@ jobs:
         # be registered as a trusted publisher on npmjs.com pointing at
         # this workflow file.
         #
-        # `npm --workspaces publish` blindly tries every workspace which
+        # `pnpm -r publish` blindly tries every workspace which
         # fails the whole release the moment one package is already at
         # its current version on the registry (the common case in a
         # changeset-driven monorepo — only bumped packages get fresh
@@ -110,7 +111,7 @@ jobs:
         # ahead of npm.
         #
         # NPM_CONFIG_PROVENANCE=true is the env-var form of
-        # `npm publish --provenance`; changeset publish delegates to npm
+        # `pnpm publish --provenance`; changeset publish delegates to npm
         # CLI and inherits the flag, so each tarball gets a Sigstore
         # attestation linking it to this workflow run. Provenance
         # verification requires `repository.url` on every published
@@ -125,21 +126,21 @@ jobs:
         run: |
           echo "Publishing production provider image to Docker Hub"
           cd docker/images/provider
-          NODE_ENV="production" npm run build
-          NODE_ENV="production" npm run publish:docker
+          NODE_ENV="production" pnpm run build
+          NODE_ENV="production" pnpm run publish:docker
           cd -
 
       - name: Bundle the staging provider CLI
         run: |
           echo "Bundling provider CLI"
-          NODE_ENV="staging" npm run -w @prosopo/cli bundle
+          NODE_ENV="staging" pnpm --filter @prosopo/cli run bundle
 
       - name: Publish production image to Docker Hub
         run: |
           echo "Publishing staging provider image to Docker Hub"
           cd docker/images/provider
-          NODE_ENV="staging" npm run build
-          NODE_ENV="staging" npm run publish:docker
+          NODE_ENV="staging" pnpm run build
+          NODE_ENV="staging" pnpm run publish:docker
           cd -
 
       - name: Create GitHub Release