feat: migrate pnpm v10 to v11 #4783

Closed
anirudhprmar wants to merge 6 commits into OWASP:main from anirudhprmar:feat/migrate-pnpm
@anirudhprmar
Contributor

@anirudhprmar anirudhprmar commented May 28, 2026

Proposed change

Resolves #4747

Migrated pnpm version to 11.4.0 (latest) for Frontend.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@coderabbitai
Contributor

coderabbitai Bot commented May 28, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 69fd32d5-39d0-4a28-9e51-de8749fc10b0

📥 Commits

Reviewing files that changed from the base of the PR and between 4b65d71 and e085db8.

📒 Files selected for processing (1)
  • docker/frontend/Dockerfile.local

Summary by CodeRabbit

  • Chores
    • Upgraded package manager declaration to pnpm 11.4.0.
    • Moved dependency overrides to workspace-level and added an allowlist for selected packages.
    • Enforced stricter peer-dependency and exact-version policies for more consistent builds.
    • Standardized pnpm-related environment variables across build images and adjusted runtime file ownership.
    • Removed redundant local pnpm configuration entries.

Walkthrough

Bumps frontend packageManager to pnpm@11.4.0, removes pnpm.overrides from frontend/package.json, adds workspace-level overrides and allowBuilds in frontend/pnpm-workspace.yaml, and updates frontend Dockerfiles and .pnpmrc to use PNPM-specific env vars and adjust node_modules ownership.

Changes

pnpm v11 Upgrade

| Layer | File(s) | Summary |
|---|---|---|
| pnpm v11 version bump and package.json configuration cleanup | frontend/package.json | packageManager updated to pnpm@11.4.0; top-level pnpm.overrides block removed from package.json. |
| Dependency overrides and build allowlist in workspace configuration | frontend/pnpm-workspace.yaml | Adds allowBuilds whitelist for selected workspace packages, an overrides block pinning several dependency versions, and workspace pnpm settings (strictPeerDependencies, publicHoistPattern, saveExact). |
| Dockerfiles and builder/runtime env alignment | docker/frontend/Dockerfile, docker/frontend/Dockerfile.a11y.test, docker/frontend/Dockerfile.unit.test, docker/frontend/Dockerfile.local | Replace NPM_CONFIG_* env vars with PNPM_CONFIG_*, add pnpm retry/timeout settings and PNPM_HOME in builder, and change runtime node_modules ownership to node:node. |
| Frontend .pnpmrc cleanup | frontend/.pnpmrc | Removes legacy-peer-deps=true, public-hoist-pattern[]=*import-in-the-middle*, and save-exact=true entries from .pnpmrc. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • OWASP/Nest#1415: Touches frontend .pnpmrc and pnpm configuration handling overlapping with .pnpmrc changes.
  • OWASP/Nest#4002: Prior Dockerfile changes for pnpm cache/env variables overlapping with this PR.
  • OWASP/Nest#4633: Modifies frontend pnpm overrides; overlaps with relocation of overrides to workspace file.

Suggested labels

ci

Suggested reviewers

  • kasya
  • arkid15r
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: migrate pnpm v10 to v11' clearly and concisely describes the main change of upgrading the package manager from pnpm v10 to v11. |
| Description check | ✅ Passed | The description is related to the changeset, explaining the pnpm migration to v11.4.0 and listing supporting changes including Dockerfile updates and configuration consolidation. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #4747 by upgrading Frontend to pnpm v11.4.0 and implementing necessary changes across Docker, configuration files, and environment variables to ensure compatibility. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope: package.json version update, pnpm-workspace.yaml configuration, Dockerfile environment variable corrections, and .pnpmrc cleanup directly support the pnpm v11 migration objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 28, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 28, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Collaborator

@arkid15r arkid15r left a comment

@anirudhprmar have you tried to build the app with these changes?

@anirudhprmar
Contributor Author

yes, it worked. Done in 29.5s using pnpm v11.4.0.

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 28, 2026
@arkid15r
Collaborator

> yes, it worked. Done in 29.5s using pnpm v11.4.0.

what's it in this context?

@anirudhprmar
Contributor Author

ran pnpm build

@arkid15r
Collaborator

> ran pnpm build

could you check make run output?

@anirudhprmar
Contributor Author

anirudhprmar commented May 28, 2026

> > ran pnpm build
>
> could you check make run output?

changes are failing make run. Also added confirmModulesPurge: false in pnpm-workspace.yml because of an error I got previously (If you are running pnpm in CI, set the CI environment variable to "true", or set "confirmModulesPurge" to "false")

@anirudhprmar anirudhprmar marked this pull request as draft May 29, 2026 05:46
@github-actions github-actions Bot added the docker Pull requests that update Docker code label May 29, 2026
@anirudhprmar
Contributor Author

anirudhprmar commented May 29, 2026

With the latest commit I've addressed missing migrations and fixed errors on make run.

  • cleared .pnpmrc as it's auth/registry only and moved all its settings to pnpm-workspace.yml
  • updated Dockerfile envs, as pnpm no longer reads npm_config_* environment variables.
  • the issue on make run was that the pnpm migration created massive changes in the lockfile, and pnpm tried to delete and then recreate node_modules, which caused errors because the user node didn't have permission to recreate node_modules as it was owned by root, which I fixed in Dockerfile.local for FE.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/frontend/Dockerfile.a11y.test`:
- Around line 8-10: Replace the invalid pnpm env vars by setting the correct
fetch-related pnpm config names: change PNPM_CONFIG_RETRY to
PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_TIMEOUT to PNPM_CONFIG_FETCH_TIMEOUT
in the ENV declaration that currently includes PNPM_CONFIG_RETRY,
PNPM_CONFIG_TIMEOUT and PATH (the same ENV block that references PNPM_HOME).
Ensure the values remain the same (5 and 30000) and keep PATH="$PNPM_HOME:$PATH"
untouched.

In `@docker/frontend/Dockerfile.local`:
- Around line 55-57: The COPY step currently sets ownership to root then runs
RUN chown -R node:node, creating an extra large layer; change the COPY
--from=builder ... --chown=root:root to use --chown=node:node so node_modules
are copied with final ownership and remove the subsequent RUN chown -R node:node
line (references: COPY --from=builder, node_modules, RUN chown -R node:node).

In `@frontend/pnpm-workspace.yaml`:
- Line 20: Remove the global workspace setting "confirmModulesPurge: false"
(which disables the pnpm confirmation prompt for all environments) and instead
set the CI environment variable to true in your CI pipeline; locate the
"confirmModulesPurge" entry in the pnpm workspace config and delete or revert
that key, and update your CI config to export or set CI=true so pnpm will run in
CI-safe mode without modifying local developer behavior.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: dab7a513-5be2-4f3c-9a64-20d7f340ba12

📥 Commits

Reviewing files that changed from the base of the PR and between d1580f1 and 2a4dfd9.

⛔ Files ignored due to path filters (1)
  • frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • docker/frontend/Dockerfile
  • docker/frontend/Dockerfile.a11y.test
  • docker/frontend/Dockerfile.local
  • docker/frontend/Dockerfile.unit.test
  • frontend/.pnpmrc
  • frontend/pnpm-workspace.yaml
💤 Files with no reviewable changes (1)
  • frontend/.pnpmrc

Comment thread docker/frontend/Dockerfile.a11y.test Outdated
Comment thread docker/frontend/Dockerfile.local Outdated
Comment thread frontend/pnpm-workspace.yaml
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 7 files (changes from recent commits).

Comment thread docker/frontend/Dockerfile.a11y.test Outdated
Comment thread docker/frontend/Dockerfile.local Outdated
coderabbitai[bot]
coderabbitai Bot previously approved these changes May 29, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Comment thread frontend/pnpm-workspace.yaml
Contributor

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docker/frontend/Dockerfile.local (1)

11-12: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix pnpm v11 env var names in docker/frontend/Dockerfile.local (lines 11-12).

pnpm reads PNPM_CONFIG_* env vars and maps the suffix (snake_case/underscore form) to camelCase config keys; the fetch settings correspond to fetchRetries/fetchTimeout, so the correct env vars are PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT. PNPM_CONFIG_RETRY / PNPM_CONFIG_TIMEOUT won’t set those values (while docker/frontend/Dockerfile.a11y.test already uses the correct names). The COPY ... --chown=node:node change is fine.

🔧 Proposed fix
-ENV PNPM_CONFIG_RETRY=5 \
-    PNPM_CONFIG_TIMEOUT=30000 \
+ENV PNPM_CONFIG_FETCH_RETRIES=5 \
+    PNPM_CONFIG_FETCH_TIMEOUT=30000 \
     PATH="$PNPM_HOME:$PATH"
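Review bot: The unchanged PATH="$PNPM_HOME:$PATH" line at the end of this ENV block only expands correctly if PNPM_HOME is set by an earlier instruction, because Docker substitutes variables inside one ENV instruction using the values from before that instruction; that is worth confirming while this block is being edited. The walkthrough lists docker/frontend/Dockerfile and docker/frontend/Dockerfile.unit.test as receiving the same env changes, so the PNPM_CONFIG_RETRY and PNPM_CONFIG_TIMEOUT names should be checked there as well. A build step that prints the effective fetch retry and timeout settings would show that the renamed variables are actually picked up rather than silently ignored.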
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/frontend/Dockerfile.local` around lines 11 - 12, Replace the incorrect
pnpm env vars PNPM_CONFIG_RETRY and PNPM_CONFIG_TIMEOUT in the Dockerfile ENV
block with the correct pnpm v11 names PNPM_CONFIG_FETCH_RETRIES and
PNPM_CONFIG_FETCH_TIMEOUT so pnpm actually applies fetchRetries/fetchTimeout;
update the ENV line(s) that currently set PNPM_CONFIG_RETRY and
PNPM_CONFIG_TIMEOUT to use PNPM_CONFIG_FETCH_RETRIES and
PNPM_CONFIG_FETCH_TIMEOUT respectively (preserve the values like 5 and 30000).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docker/frontend/Dockerfile.local`:
- Around line 11-12: Replace the incorrect pnpm env vars PNPM_CONFIG_RETRY and
PNPM_CONFIG_TIMEOUT in the Dockerfile ENV block with the correct pnpm v11 names
PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT so pnpm actually applies
fetchRetries/fetchTimeout; update the ENV line(s) that currently set
PNPM_CONFIG_RETRY and PNPM_CONFIG_TIMEOUT to use PNPM_CONFIG_FETCH_RETRIES and
PNPM_CONFIG_FETCH_TIMEOUT respectively (preserve the values like 5 and 30000).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2b197463-dd9b-4aec-892e-4709a89d417b

📥 Commits

Reviewing files that changed from the base of the PR and between 497681c and 4b65d71.

📒 Files selected for processing (3)
  • docker/frontend/Dockerfile.a11y.test
  • docker/frontend/Dockerfile.local
  • frontend/pnpm-workspace.yaml
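
An added example (not code from this PR or from pnpm): a small lint for the env-var naming problem the review above describes, converting each PNPM_CONFIG_* suffix to its camelCase key and flagging names that map to no listed setting. The key allowlist holds only settings named in this thread, and the sample Dockerfile, image name and values are constructed; all of these are assumptions.

```javascript
// Settings named in this thread only (assumption); extend from the pnpm docs.
const KNOWN_KEYS = new Set([
  "fetchRetries", "fetchTimeout", "strictPeerDependencies",
  "publicHoistPattern", "saveExact", "confirmModulesPurge",
]);

// FETCH_RETRIES -> fetchRetries, the suffix mapping the review describes.
function envSuffixToKey(suffix) {
  return suffix.toLowerCase().replace(/_([a-z0-9])/g, (_, c) => c.toUpperCase());
}

// Names set by ENV instructions, with "\" line continuations joined first.
// Simplification: a quoted value containing " name=" would be misread.
function envVars(dockerfile) {
  const names = [];
  for (const line of dockerfile.replace(/\\\r?\n/g, " ").split(/\r?\n/)) {
    const m = /^\s*ENV\s+(.*)$/i.exec(line);
    if (!m) continue;
    for (const p of m[1].matchAll(/(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=/g)) names.push(p[1]);
  }
  return names;
}

function lintPnpmEnv(dockerfile) {
  const findings = [];
  for (const name of envVars(dockerfile)) {
    const upper = name.toUpperCase();
    if (upper.startsWith("NPM_CONFIG_")) {
      findings.push({ name, issue: "npm_config_* name; the PR notes pnpm no longer reads these" });
    } else if (upper.startsWith("PNPM_CONFIG_")) {
      const key = envSuffixToKey(name.slice("PNPM_CONFIG_".length));
      if (!KNOWN_KEYS.has(key)) findings.push({ name, issue: `maps to unlisted key "${key}"` });
    }
  }
  return findings;
}

// Constructed sample; image name and values are placeholders.
const SAMPLE = String.raw`FROM node AS builder
ENV NPM_CONFIG_CACHE=/tmp/cache
ENV PNPM_HOME=/pnpm
ENV PNPM_CONFIG_RETRY=5 \
    PNPM_CONFIG_TIMEOUT=30000 \
    PNPM_CONFIG_FETCH_RETRIES=5 \
    PATH="$PNPM_HOME:$PATH"
`;

console.log(lintPnpmEnv(SAMPLE));
```

An unlisted key is a prompt to check the pnpm settings reference, not proof the name is wrong, since the allowlist here is deliberately short.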

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 29, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 29, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 3 files (changes from recent commits).

@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

Collaborator

@arkid15r arkid15r left a comment

Closing in favor of #4785

@arkid15r arkid15r closed this May 31, 2026
Labels

docker Pull requests that update Docker code frontend

Development

Successfully merging this pull request may close these issues.

Migrate pnpm to v11

2 participants