chore: migrate to pnpm and enable minimum release age#273
Open
chore: migrate to pnpm and enable minimum release age#273
Conversation
This was referenced Apr 14, 2026
Migrates actor-scraper from npm workspaces to pnpm workspaces and adds a 1-day minimum release age supply-chain guard at the package manager layer (pnpm-workspace.yaml) and at the Renovate layer. Internal `@apify/*` and `@crawlee/*` packages are whitelisted at both layers for immediate updates. Notable changes: - package.json: drop "workspaces" (moved to pnpm-workspace.yaml); set packageManager to pnpm@10.24.0; add @isaacs/brace-expansion as explicit root devDep (pnpm 10 doesn't pull it transitively for minimatch@10 which actor-scraper-sitemap depends on) - lerna.json: npmClient: "pnpm" - .npmrc: node-linker=hoisted + link-workspace-packages=true + prefer-workspace-packages=true (flat layout for debugging + prefer workspace packages over registry) - packages/actor-scraper/*/package.json: use "workspace:*" protocol for @apify/scraper-tools so pnpm links the workspace copy instead of fetching the identical version from npm (required for consistent peer-dep resolution across workspace and registry types) - packages/scraper-tools/src/browser_tools.ts: relax Page interface exposeFunction return type from Promise<void> to Promise<unknown> so it accepts both Puppeteer (Promise<void>) and newer Playwright (Promise<Disposable>) page types. Return value is unused. - New .github/actions/pnpm-install composite action adopts the caching pattern from apify/apify-cli#1068 (pnpm store cache keyed by year-month + lockfile hash) - CI workflows: delegate install to the composite; drop the separate npm cache config on setup-node - renovate.json: minimumReleaseAge "1 day", internalChecksFilter "strict", @apify/* and @crawlee/* whitelist; drop npm constraint Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
B4nan
force-pushed
the
chore/migrate-to-pnpm
branch
from
c01c1ec to
7828f01
Compare
pnpm 10 blocks install scripts by default; these are needed to download the browser binaries for CI tests.
Replaces the local .github/actions/pnpm-install composite copy with the shared one from apify/workflows@main. Identical behavior, less duplication.
…m release-age gate
Silences npm warnings about unknown options like node-linker; pnpm reads the same keys from pnpm-workspace.yaml in camelCase form.
npx invokes npm which now refuses to run because of devEngines.
… with pnpm-workspace exclusions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
devEngines.packageManager breaks pnpm commands that delegate to npm (pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow approach instead (same as Vite, Vue, Astro).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Part of the org-wide supply-chain hardening + pnpm migration. Migrates actor-scraper from npm workspaces to pnpm and adds a 1-day minimum release age guard at two layers:
minimumReleaseAge: 1440inpnpm-workspace.yamlblocks installs of versions < 1 day oldminimumReleaseAge: "1 day"delays PR creation@apify/*and@crawlee/*excluded at both layers so internal releases ship immediatelyChanges
package.json: dropworkspaces; setpackageManagertopnpm@10.24.0; add@isaacs/brace-expansionas root devDep (pnpm 10 misses this transitive for minimatch@10 which sitemap-scraper pulls in)lerna.json:npmClient: "pnpm".npmrc:node-linker=hoisted+link-workspace-packages=true+prefer-workspace-packages=truepackages/actor-scraper/*/package.json:@apify/scraper-tools→workspace:*so pnpm links the local copy instead of fetching the identical version from npm (consistent peer-dep resolution)packages/scraper-tools/src/browser_tools.ts: relaxPage.exposeFunctionreturn toPromise<unknown>so it accepts both Puppeteer (Promise<void>) and newer Playwright (Promise<Disposable>) page types. Return value was already discarded at all call sites..github/actions/pnpm-installcomposite action (cached pnpm store, keyed by year-month + lockfile hash — pattern from chore: move to pnpm from yarn apify-cli#1068)renovate.json:minimumReleaseAge "1 day",internalChecksFilter "strict",@apify/*+@crawlee/*whitelist🤖 Generated with Claude Code