chore: upgrade pnpm to version 11.5.1 across all configurations by paustint · Pull Request #1762 · jetstreamapp/jetstream

paustint · 2026-06-02T13:47:20Z

Add script to automate pnpm upgrades

socket-security · 2026-06-02T13:48:36Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@16.2.7
	@types/gapi.client.drive-v3@0.0.5
	nx@22.7.2
	husky@9.1.7
	document.contains@1.0.2
	@emotion/utils@1.4.2
	eslint-config-next@16.2.6
	electron-builder@26.13.1
	@types/express-http-proxy@1.6.7
	@jetstreamapp/simple-xml@1.1.1
	@types/react-router-dom@5.3.3
	@types/unzipper@0.10.11
	@tsconfig/node22@22.0.5
	jszip@3.10.1
	webextension-polyfill@0.12.0
	web-ext@8.10.0
	@types/express@5.0.6
	@nx/esbuild@22.7.2
	@babel/preset-react@7.29.7
	@typescript-eslint/parser@8.46.2
	@types/js-yaml@4.0.9
	@types/archiver@6.0.4
	@nx/playwright@22.7.2
	@swc/helpers@0.5.18
	@commitlint/cli@20.5.3
	@babel/preset-typescript@7.29.7
	@types/gapi.auth2@0.0.61
	@oslojs/otp@1.1.0
	@types/multer@2.1.0
	@types/pg@8.20.0
	@contentful/rich-text-types@17.2.7
	esbuild@0.27.7
See 209 more rows in the dashboard

View full report

Add script to automate pnpm upgrades

Copilot

Pull request overview

This PR upgrades the repository’s pinned pnpm version to 11.5.1 across the monorepo and automation surfaces, and adds a helper script to keep all pnpm pins in sync going forward.

Changes:

Bump pnpm version pins to 11.5.1 in package.json (engines/devEngines/packageManager) and apps/docs/package.json.
Update CI/workflow pnpm setup (pnpm/action-setup) and Docker build ARGs to 11.5.1.
Add scripts/update-pnpm.mjs plus a root update-pnpm npm script, and refresh pnpm-lock.yaml.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
scripts/update-pnpm.mjs	New automation to update pnpm pins across repo files and optionally refresh the lockfile.
package.json	Pins pnpm to 11.5.1 and adds an `update-pnpm` script entry.
apps/docs/package.json	Updates docs app pnpm engine/devEngine version to 11.5.1 (preserving `~`).
pnpm-lock.yaml	Lockfile refresh reflecting pnpm 11.5.1 package manager dependencies.
Dockerfile	Updates `ARG PNPM_VERSION` to 11.5.1 for Corepack prepare.
Dockerfile.e2e	Updates `ARG PNPM_VERSION` to 11.5.1 for E2E image.
.github/workflows/ci.yml	Updates pnpm/action-setup version to 11.5.1 in CI and E2E jobs.
.github/workflows/docs.yml	Updates pnpm/action-setup version to 11.5.1 for docs workflow.
.github/workflows/release.yml	Updates pnpm/action-setup version to 11.5.1 for release workflow.

Files not reviewed (1)

pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

+ * Pin sites kept in sync:
+ *   - package.json            -> engines.pnpm, devEngines.packageManager.version, packageManager (with corepack hash)
+ *   - apps/docs/package.json  -> engines.pnpm (any range prefix like `~` is preserved), devEngines.packageManager.version
+ *   - .github/workflows/*.yml -> the `version:` passed to pnpm/action-setup
+ *   - Dockerfile / Dockerfile.e2e -> ARG PNPM_VERSION


+  console.log('\nRefreshing pnpm-lock.yaml via `pnpm install --lockfile-only`...');
+  try {
+    execFileSync('pnpm', ['install', '--lockfile-only'], { cwd: repoRoot, stdio: 'inherit' });
+  } catch {
+    console.warn('\n⚠ Could not run `pnpm install` automatically. Run it manually to refresh pnpm-lock.yaml.');
+  }


socket-security · 2026-06-02T13:51:33Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@react-email/ui` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → `npm/@react-email/ui@6.4.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@react-email/ui@6.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `next` is 80.0% likely obfuscated Confidence: 0.80 Location: Package overview From: package.json → `npm/next@16.2.7` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@16.2.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `next` is 85.0% likely obfuscated Confidence: 0.85 Location: Package overview From: package.json → `npm/next@16.2.7` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@16.2.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `next` is 85.0% likely obfuscated Confidence: 0.85 Location: Package overview From: package.json → `npm/next@16.2.7` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@16.2.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot AI review requested due to automatic review settings June 2, 2026 13:47

Copilot started reviewing on behalf of paustint June 2, 2026 13:47 View session

chore: upgrade pnpm to version 11.5.1 across all configurations

5ec87a3

Add script to automate pnpm upgrades

paustint force-pushed the chore/pnpm-upgrade-script branch from 58f43f0 to 5ec87a3 Compare June 2, 2026 13:50

Copilot AI reviewed Jun 2, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: upgrade pnpm to version 11.5.1 across all configurations#1762

chore: upgrade pnpm to version 11.5.1 across all configurations#1762
paustint wants to merge 1 commit into
mainfrom
chore/pnpm-upgrade-script

paustint commented Jun 2, 2026

Uh oh!

socket-security Bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

socket-security Bot commented Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

paustint commented Jun 2, 2026

Uh oh!

socket-security Bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

socket-security Bot commented Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

socket-security Bot commented Jun 2, 2026 •

edited

Loading