chore: update-pnpm

[ryanbas21]

JIRA Ticket

N/A

Description

Updating pnpm, removing .npmrc file because pnpm settings in .npmrc cause warnings that it will break in the next major version of npm.

We can move these settings to the pnpm-workspace file pnpm now.

Summary by CodeRabbit

• Chores
  • Upgraded the package manager to pnpm 10.17.1 and updated the required engine version.
  • Consolidated workspace configuration into a central workspace file for consistency.
  • Removed redundant local npm configuration to reduce duplication.
  • No changes to runtime behavior or public APIs.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9dea76a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Configuration updates: removed four npm settings from .npmrc, added equivalent settings in pnpm-workspace.yaml, and upgraded pnpm version in package.json (packageManager and engines.pnpm) from 9.15.9 to >=10.17.1.

Changes

Cohort / File(s)	Summary
PNPM config relocation \.npmrc, pnpm-workspace.yaml	Deleted link-workspace-packages, strict-peer-dependencies, save-workspace-protocol, and save-prefix from .npmrc; added the same four settings in pnpm-workspace.yaml (under catalogs/top-level as listed).
Package manager version updates package.json	Updated packageManager to pnpm@10.17.1+… and engines.pnpm to ">=10.17.1".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my ears at version ten,
Hop-hop, the workspace hums again.
Flags have moved, the paths are clean,
pnpm’s newer, swift and keen.
In YAML fields I softly prance—
config carrots in a tidy dance. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “chore: update-pnpm” correctly signals that pnpm is being updated but does not mention the removal of the .npmrc file or the migration of configuration, which are key parts of the changes. It is related to the change but is somewhat broad and could be more descriptive.
Description Check	✅ Passed	The pull request description adheres to the repository’s template by including the JIRA Ticket and Description sections and clearly explains why .npmrc is removed and settings are migrated, but it does not address the template’s prompt about whether a changeset was added.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-npmrc

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ffe533 and 9dea76a.

📒 Files selected for processing (3)

• .npmrc (0 hunks)
• package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .npmrc

🚧 Files skipped from review as they are similar to previous changes (2)

• pnpm-workspace.yaml
• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 9dea76a

Command	Status	Duration	Result
nx run-many -t build	✅ Succeeded	5s	View ↗
nx affected -t build typecheck lint test e2e-ci	✅ Succeeded	<1s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-25 15:03:41 UTC

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

package.json (2)

125-131: Align devEngines with packageManager pin for clarity.

You pin packageManager to 10.17.1 but allow ^10.17.0 in devEngines.packageManager.version. Consider matching to ^10.17.1 for consistency.

-      "version": "^10.17.0",
+      "version": "^10.17.1",

---

135-136: CI ergonomics: enable Corepack to auto-install the pinned pnpm.

With packageManager set, enabling Corepack in CI/dev reduces drift and avoids relying on npx only-allow pnpm alone.

Add in CI bootstrap:

• corepack enable
• corepack prepare pnpm@10.17.1 --activate

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96c7d4a and dcc42cf.

📒 Files selected for processing (3)

• .npmrc (0 hunks)
• package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .npmrc

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-09-23T21:39:19.092Z

Learnt from: CR
PR: ForgeRock/ping-javascript-sdk#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-23T21:39:19.092Z
Learning: Applies to nx.json : Maintain Nx configuration with target defaults, caching for build/test, workspace layout, and limit parallel execution to 1

Applied to files:

• package.json

📚 Learning: 2025-09-23T21:39:19.092Z

Learnt from: CR
PR: ForgeRock/ping-javascript-sdk#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-23T21:39:19.092Z
Learning: Applies to packages/**/package.json : Use workspace:* for internal dependencies and catalog: for shared external dependencies in package manifests

Applied to files:

• pnpm-workspace.yaml

📚 Learning: 2025-09-23T21:39:19.092Z

Learnt from: CR
PR: ForgeRock/ping-javascript-sdk#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-23T21:39:19.092Z
Learning: Applies to packages/**/?(*.)test.@(ts|tsx) : Write unit tests with Vitest for package code

Applied to files:

• pnpm-workspace.yaml

🔇 Additional comments (1)

pnpm-workspace.yaml (1)

28-32: Confirm settings block support in pnpm-workspace.yaml
pnpm v10 may ignore link-workspace-packages, strict-peer-dependencies, save-workspace-protocol, and save-prefix when declared under a settings block in pnpm-workspace.yaml. Verify via the official workspace-yaml docs (https://pnpm.io/workspace_yaml#settings). If unsupported, migrate these settings to a repo-level .npmrc (and gate npm via Corepack/only-allow) or document their location in CONTRIBUTING.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

package.json (2)

124-125: Avoid drift between packageManager and engines.pnpm

You now specify pnpm in three places (packageManager exact, engines.pnpm >=, devEngines caret). This can drift and confuse enforcement.

Apply one of:

• Rely on packageManager only; drop engines.pnpm.
• Or align ranges, e.g., engines.pnpm: ">=10.17.1 <11".

Example:

   "engines": {
     "node": "^20 || ^22",
-    "pnpm": ">=10.17.0"
+    "pnpm": ">=10.17.1 <11"
   },

---

126-131: Delete unused devEngines block in package.json
Node and Corepack ignore devEngines and no references to its onFail semantics were found; remove lines 126–131.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dcc42cf and 0aa36fa.

📒 Files selected for processing (3)

• .npmrc (0 hunks)
• package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .npmrc

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-23T21:39:19.092Z

Learnt from: CR
PR: ForgeRock/ping-javascript-sdk#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-23T21:39:19.092Z
Learning: Applies to packages/**/package.json : Use workspace:* for internal dependencies and catalog: for shared external dependencies in package manifests

Applied to files:

• pnpm-workspace.yaml

📚 Learning: 2025-09-23T21:39:19.092Z

Learnt from: CR
PR: ForgeRock/ping-javascript-sdk#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-23T21:39:19.092Z
Learning: Applies to packages/**/?(*.)test.@(ts|tsx) : Write unit tests with Vitest for package code

Applied to files:

• pnpm-workspace.yaml

🔇 Additional comments (2)

package.json (1)

121-121: Confirm Corepack is enabled in CI workflows

Workflows call actions/setup-node@v4 and pnpm/action-setup@v4; ensure setup-node runs before pnpm/action-setup (so Corepack is available) or add an explicit corepack enable/corepack prepare step.

pnpm-workspace.yaml (1)

28-32: Verify pnpm workspace settings support
Ensure pnpm ≥ 10 (locally and in CI) supports the settings block in pnpm-workspace.yaml for link-workspace-packages, strict-peer-dependencies, save-workspace-protocol, and save-prefix—no .npmrc remains to override defaults.

[nx-cloud]

Nx Cloud has identified a possible root cause for your failed CI:

The lint task failures are classified as 'environment_state' because they stem from missing dependencies after the pnpm package manager upgrade, not from any code changes made in the pull request.

The core error "Cannot find package '@typescript-eslint/eslint-plugin'" indicates that the node_modules directory is incomplete or missing after the pnpm version upgrade from 9.15.9 to 10.17.1. The warning messages "Local package.json exists, but node_modules missing, did you mean to install?" confirm this environmental issue.

The PR changes are purely administrative - updating pnpm configuration, moving settings from .npmrc to pnpm-workspace.yaml, and updating the package manager version. These changes don't modify any source code, import statements, or dependencies that would cause ESLint module resolution failures.

This type of dependency resolution issue commonly occurs when upgrading package managers and typically requires reinstalling dependencies to rebuild the node_modules directory with the new package manager version. The solution would be to run pnpm install to restore the missing dependencies, but this is an environmental remediation rather than a code fix.

A code change would likely not resolve this issue, so no action was taken.

View in Nx Cloud ↗

_{⚙️ An Nx Cloud workspace admin can disable these reviews in workspace settings.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

59-61: Make nx-cloud invocation style consistent.

Line 59 uses pnpm exec nx-cloud, while Lines 42/61 use pnpm dlx nx-cloud. Prefer one approach:

• If nx-cloud is not a devDependency: use pnpm dlx consistently.
• If you want to vendor it: add it as a devDependency and keep pnpm exec.

If you choose the first option, apply:

-      - run: pnpm exec nx-cloud record -- nx format:check
+      - run: pnpm dlx nx-cloud record -- nx format:check

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0aa36fa and 9ffe533.

📒 Files selected for processing (4)

• .github/workflows/ci.yml (1 hunks)
• .npmrc (0 hunks)
• package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .npmrc

🚧 Files skipped from review as they are similar to previous changes (2)

• pnpm-workspace.yaml
• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: pr

[coderabbitai]

🛠️ Refactor suggestion

🧩 Analysis chain

Switch to pnpm dlx looks good.

Using pnpm dlx for nx-cloud fix-ci aligns with the pnpm move and avoids npm warnings.

Run this to spot remaining npx/inconsistent nx-cloud invocations across the repo:

---

🏁 Script executed:

#!/bin/bash
# Find remaining npx usages (esp. nx-cloud) and mixed nx-cloud invocations
rg -n -C2 -g '.github/workflows/*.yml' -e '\bnpx\b' -e '\bnx-cloud\b'

Length of output: 148

---

🏁 Script executed:

#!/bin/bash
# Correctly search GitHub Actions workflows for any remaining npx or nx-cloud invocations
rg --glob ".github/workflows/*.yml" -n -C2 -e '\bnpx\b' -e '\bnx-cloud\b'

Length of output: 148

---

🏁 Script executed:

#!/bin/bash
# Search both .yml and .yaml workflow files for any remaining npx or nx-cloud invocations
find .github/workflows -type f \( -name '*.yml' -o -name '*.yaml' \) -print0 | xargs -0 rg -n -C2 -e '\bnpx\b' -e '\bnx-cloud\b'

Length of output: 1771

---

Unify nx-cloud invocation to use pnpm dlx
Change .github/workflows/ci.yml:59 as follows to enforce consistency:

-      - run: pnpm exec nx-cloud record -- nx format:check
+      - run: pnpm dlx nx-cloud record -- nx format:check

No remaining npx invocations found.

🤖 Prompt for AI Agents

In .github/workflows/ci.yml around lines 59–62, ensure all nx-cloud invocations
use pnpm dlx instead of npx; replace any line like "run: npx nx-cloud fix-ci"
with "run: pnpm dlx nx-cloud fix-ci" (and update the surrounding if/conditional
lines as needed) so the workflow consistently invokes nx-cloud via pnpm dlx.

[github-actions]

Deployed 89f05c7 to https://ForgeRock.github.io/ping-javascript-sdk/pr-422/89f05c7a31b34a6416473ebf6576b0a447dcb50d branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🆕 New Packages

🆕 @forgerock/device-client - 9.2 KB (new)
🆕 @forgerock/oidc-client - 23.1 KB (new)
🆕 @forgerock/protect - 150.1 KB (new)
🆕 @forgerock/sdk-utilities - 4.0 KB (new)
🆕 @forgerock/sdk-types - 5.9 KB (new)
🆕 @forgerock/storage - 1.4 KB (new)
🆕 @forgerock/sdk-logger - 1.6 KB (new)
🆕 @forgerock/iframe-manager - 2.4 KB (new)
🆕 @forgerock/sdk-request-middleware - 4.4 KB (new)
🆕 @forgerock/sdk-oidc - 2.5 KB (new)
🆕 @forgerock/davinci-client - 34.5 KB (new)

---

11 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}