chore(node, pnpm, skills): bump to Node v26.0.0 + pnpm 11.0.6 + sync updating-xport#1299
Merged
John-David Dalton (jdalton) merged 4 commits intomainfrom May 5, 2026
Merged
Conversation
Root engines.node: >=25.9.0 → >=26.0.0; pnpm range: >=11.0.0-rc.3 → >=11.0.6. The packageManager field carries an integrity hash in the corepack-mandated hex form (RFC 2018), so corepack verifies the downloaded pnpm tarball before trusting it. Subpackage engines drop: build-infra and package-builder are private workspace-only packages with no published surface — their engines.node fields were drift-prone (>=25.5.0 vs root >=25.9.0) without serving any consumer. Per the new socket-repo-template CLAUDE.md rule "monorepo-internal subpackages don't need engines", the field is removed entirely. The root package.json's engines is the single source of truth for the workspace. Tracks the SocketDev/socket-registry/external-tools.json bump (commit 9246c28b) which moved pnpm to 11.0.6 in the canonical CI pin and migrated the schema from per-platform sha256 fields to SRI-format integrity strings.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue. You can view the agent here.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 5218f6e. Configure here.
The /updating umbrella's Phase 3 was read-only (just `pnpm run xport`) while Phase 4 claimed drift was already auto-bumped. It wasn't — locked rows would get flagged as drift but nothing would record why we held. This sync brings the canonical fix from socket-repo-template + socket-registry: Phase 3 classifies, Phase 4 invokes updating-xport which auto-bumps track-latest/major-gate version-pins and emits advisory notes for everything else. - updating/SKILL.md: synced from socket-registry canonical. - updating-xport/SKILL.md: new in this repo — synced from socket-registry canonical.
John-David Dalton (jdalton)
changed the title
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
May 5, 2026
The cascade bump in this PR pulls socket-registry@51f34ffb's setup-and-install action, which installs pnpm 11.0.6 from external-tools.json. Without this matching package.json bump, pnpm refuses to run with `[ERROR] This project is configured to use 11.0.0-rc.5 of pnpm. Your current pnpm is v11.0.6`. Independent of #1299's Node 26 + engines.node bump — that PR can land separately. This PR only widens engines.pnpm to >=11.0.6 and sets the integrity-checked packageManager string.
The packageManager bump in this PR sets pnpm@11.0.6, but the workflow files were still pinned to socket-registry@ea1986b8 — which installs pnpm 11.0.0-rc.5 from external-tools.json. Bump the cascade to @51f34ffb so the runner pnpm matches the package.json declaration. @51f34ffb includes: - 4c4b12cc — pnpm 11.0.6 GA + Rust toolchain pin + SRI integrity migration - e5f83c31 — wire updating-xport into the umbrella drift flow - 51f34ffb — release-workflow-guard quote-mask false-positive fix
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
May 5, 2026
The cascade bump in this PR pulls socket-registry@51f34ffb's setup-and-install action, which installs pnpm 11.0.6 from external-tools.json. Without this matching package.json bump, pnpm refuses to run with `[ERROR] This project is configured to use 11.0.0-rc.5 of pnpm. Your current pnpm is v11.0.6`. Independent of #1299's Node 26 + engines.node bump — that PR can land separately. This PR only widens engines.pnpm to >=11.0.6 and sets the integrity-checked packageManager string.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
engines.node:>=25.9.0→>=26.0.0engines.pnpm:>=11.0.0-rc.3→>=11.0.6packageManager:pnpm@11.0.0-rc.5→pnpm@11.0.6+sha512.<hex>enginesfrom internal-onlypackages/build-infra+packages/package-builderWhy
Tracks the
SocketDev/socket-registryexternal-tools.json bump (commit9246c28b) which moved pnpm to 11.0.6 in the canonical CI pin and migrated the schema from per-platform sha256 fields to SRI-format integrity strings.The root packageManager now carries the corepack hex integrity hash (RFC 2018) so corepack verifies the downloaded pnpm tarball before trusting it. Different encoding from external-tools.json's SRI form because corepack's parser only accepts hex.
The two private subpackages were drift-prone (
>=25.5.0vs root>=25.9.0) without serving any consumer — they're workspace-only and never published. Per the new socket-repo-template CLAUDE.md rule "monorepo-internal subpackages don't need engines", the field is removed.Test plan
pnpm installsucceeds with corepack hash verificationNote
Low Risk
Low risk: this only updates toolchain requirements/pins and removes redundant
enginesfields, but may break installs/CI for environments not yet on Node 26/pnpm 11.0.6.Overview
Bumps the monorepo toolchain requirements to Node
>=26.0.0and pnpm>=11.0.6, and updates the rootpackageManagertopnpm@11.0.6with a pinnedsha512integrity string for corepack verification.Removes
enginesconstraints from the internal workspace-only packagesbuild-infraandpackage-builderto avoid per-package version drift.Reviewed by Cursor Bugbot for commit 5218f6e. Configure here.