feat: migrate frontend pnpm to v11

[hassaansaleem28]

Proposed change

Resolves #4747

Upgrades pnpm from v10.33.3 to v11.4.0 for the frontend.

• pnpm v11 no longer reads settings from the pnpm field in package.json or from .pnpmrc for non-auth settings, so the overrides, publicHoistPattern and saveExact config moved into pnpm-workspace.yaml.
• The allowBuilds map is also new since v11 blocks all post-install scripts by default unless explicitly allowed.
• The NPM_CONFIG_RETRY and NPM_CONFIG_TIMEOUT env vars in the frontend Dockerfiles were renamed to their pnpm v11 equivalents

(PNPM_CONFIG_NETWORK_RETRY_COUNT and PNPM_CONFIG_NETWORK_TIMEOUT) since
v11 dropped npm_config_* passthrough for its own config.

make check passes -- also app runs without error logs

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Upgrade frontend to pnpm v11, move PNPM settings into workspace config, update Dockerfiles to use PNPM fetch retry/timeout and PNPM_HOME, and adjust Docker build COPY sets to include framework config files while removing .pnpmrc.

Changes

PNPM v11 Migration

Layer / File(s)	Summary
Package manager and workspace configuration frontend/package.json, frontend/pnpm-workspace.yaml	packageManager updated to [email protected]; workspace adds allowBuilds, overrides, publicHoistPattern, and saveExact: true.
Docker ENV: PNPM network and verification settings docker/frontend/Dockerfile.local, docker/frontend/Dockerfile.a11y-tests, docker/frontend/Dockerfile.unit-tests	Builder-stage ENV replaces NPM_CONFIG_RETRY/NPM_CONFIG_TIMEOUT with PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT, prepends PNPM_HOME to PATH, and adds PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false where present.
Docker build inputs: configuration file adjustments docker/frontend/Dockerfile, docker/frontend/Dockerfile.a11y-tests, docker/frontend/Dockerfile.unit-tests	Remove .pnpmrc from COPY commands and add framework/config files (next.config.ts, postcss.config.js, tailwind.config.mjs, tsconfig.json, jest.config.ts) into the build context.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• OWASP/Nest#4633: touches frontend/package.json's pnpm.overrides configuration.
• OWASP/Nest#1452: earlier frontend Docker pnpm/PNPM_HOME and build cache adjustments.
• OWASP/Nest#4681: related frontend test execution and CI Docker changes.

Suggested reviewers

• kasya
• arkid15r

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: migrate frontend pnpm to v11' accurately and specifically describes the main change in the changeset: upgrading pnpm from v10 to v11 for the frontend.
Description check	✅ Passed	The description clearly explains the pnpm v11 migration, configuration changes, Docker updates, and verification that the changes work; it is directly related to the changeset.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #4747: updated package.json pnpm version, moved config to pnpm-workspace.yaml with allowBuilds map, and updated Dockerfile environment variables to pnpm v11 equivalents.
Out of Scope Changes check	✅ Passed	All changes are directly related to the pnpm v11 migration objective; no out-of-scope modifications detected beyond the documented configuration and Dockerfile updates required for the upgrade.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/frontend/Dockerfile.a11y.test`:
- Around line 8-10: The ENV block uses PNPM_CONFIG_NETWORK_RETRY_COUNT and
PNPM_CONFIG_NETWORK_TIMEOUT which are not the documented pnpm request variables;
update the ENV declaration that sets PNPM_HOME on the PATH to replace
PNPM_CONFIG_NETWORK_RETRY_COUNT and PNPM_CONFIG_NETWORK_TIMEOUT with
PNPM_CONFIG_FETCH_RETRIES=5 and PNPM_CONFIG_FETCH_TIMEOUT=30000 so pnpm's
fetchRetries/fetchTimeout are honored (leave PNPM_HOME and PATH handling
unchanged).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 60fe8e7f-2036-4160-9dd2-8008724ad7c5

📥 Commits

Reviewing files that changed from the base of the PR and between 6f7ae1e and 555d876.

📒 Files selected for processing (6)

• docker/frontend/Dockerfile.a11y.test
• docker/frontend/Dockerfile.local
• docker/frontend/Dockerfile.unit.test
• frontend/.pnpmrc
• frontend/package.json
• frontend/pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• frontend/.pnpmrc

[cubic-dev-ai]

3 issues found across 6 files

Confidence score: 3/5

• There is a concrete reliability risk: in docker/frontend/Dockerfile.unit.test and docker/frontend/Dockerfile.a11y.test, PNPM_CONFIG_NETWORK_RETRY_COUNT and PNPM_CONFIG_NETWORK_TIMEOUT appear to be invalid for pnpm v11, so retry/timeout tuning may silently not apply.
• docker/frontend/Dockerfile.local has the same configuration-pattern issue for pnpm fetch retry/timeout, which raises regression risk for local/dev build stability under flaky networks.
• Given the medium-high severity (6–7/10) and high confidence, this is not a hard blocker but does add meaningful merge risk until the env var names are corrected.
• Pay close attention to docker/frontend/Dockerfile.unit.test, docker/frontend/Dockerfile.a11y.test, docker/frontend/Dockerfile.local - pnpm network retry/timeout env vars may be no-ops due to incorrect key names.

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

0 issues found across 5 files (changes from recent commits).

_{Re-trigger cubic}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/frontend/Dockerfile.a11y-tests`:
- Around line 8-13: The Dockerfile sets PNPM_CONFIG_FETCH_RETRIES,
PNPM_CONFIG_FETCH_TIMEOUT and disables PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN which
avoids lockfile verification at runtime; ensure lockfile integrity by either
enabling verification during the build step that runs pnpm install (e.g., use a
frozen lockfile or run `pnpm install --frozen-lockfile` in the earlier install
step) or move verification to a build stage that runs as root/with a TTY; update
the Dockerfile build steps around the pnpm install phase to enforce lockfile
validation while keeping PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false for the
non-root test runtime.

In `@docker/frontend/Dockerfile.local`:
- Around line 41-43: The Dockerfile sets ENV
PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false to disable pnpm v11's
verifyDepsBeforeRun behavior; scope this env var so it only applies to the
development image/workflow (e.g., keep it in Dockerfile.local or the dev stage)
and add a short comment next to the ENV line explaining the integrity tradeoff
and that package integrity is still enforced during the install/build stage
using trusted inputs and lockfile verification (i.e., document that this setting
avoids runtime verification but does not skip install-time integrity checks).

In `@docker/frontend/Dockerfile.unit-tests`:
- Around line 8-13: The Docker test images currently disable pnpm's dependency
verification by setting PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false; remove that
override (or set it to true) so pnpm will validate node_modules against
pnpm-lock.yaml, and keep PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT
as-is; make the same change in the counterpart Dockerfile (the a11y-tests
variant) and if EACCES during `pnpm run` was the reason for disabling
verification, instead fix the underlying permission/installation flow in the
image (run installs as the same user who will run tests, preserve node_modules
from the build stage, or adjust ownership) rather than suppressing
PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 79248849-de38-438e-8856-88cabd7124b5

📥 Commits

Reviewing files that changed from the base of the PR and between 8c74909 and abf2050.

📒 Files selected for processing (4)

• docker/frontend/Dockerfile.a11y-tests
• docker/frontend/Dockerfile.local
• docker/frontend/Dockerfile.unit-tests
• frontend/pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• frontend/pnpm-workspace.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

pnpm v11 environment variables PNPM_CONFIG_FETCH_RETRIES PNPM_CONFIG_FETCH_TIMEOUT PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN

💡 Result:

In pnpm v11, configuration is managed through specific files (such as pnpm-workspace.yaml or a global config.yaml) or via environment variables [1][2]. pnpm now explicitly requires the use of the pnpm_config_ prefix for environment variables; it no longer reads npm_config_* variables [1][2]. Environment variables starting with pnpm_config_ (case-insensitive) are loaded into the configuration and override settings defined in configuration files, though they do not override command-line arguments [1]. The specific environment variables you inquired about are used as follows: PNPM_CONFIG_FETCH_RETRIES This corresponds to the fetchRetries setting [3]. It defines the number of retries for network requests when fetching packages from the registry (default: 2) [3]. PNPM_CONFIG_FETCH_TIMEOUT This corresponds to the fetchTimeout setting [3]. It defines the timeout (in milliseconds) for network requests when fetching packages [3]. PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN This corresponds to the verifyDepsBeforeRun setting [3]. It allows for the verification of the state of dependencies before executing scripts with commands like pnpm run or pnpm exec [3]. Supported values include install, warn, error, prompt, or false [3]. Note that because pnpm v11 has deprecated the use of npm_config_* environment variables, you must update any existing CI/CD pipelines, shell scripts, or environment configurations to use the pnpm_config_ prefix to ensure they are correctly recognized by pnpm [1][2][4]. Settings should ideally be moved to pnpm-workspace.yaml (for project-specific config) or the global config.yaml (for global settings) where possible [1][3][2].

Citations:

• 1: https://pnpm.io/configuring
• 2: https://pnpm.io/blog/releases/11.0
• 3: https://pnpm.io/settings
• 4: NPM 11 complains about extraneous (PNPM) settings inside ~/.npmrc pnpm/pnpm#9232

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant ENV block in Dockerfile.unit-tests
echo "=== docker/frontend/Dockerfile.unit-tests (lines 1-60) ==="
sed -n '1,60p' docker/frontend/Dockerfile.unit-tests

# Find a11y-tests Dockerfile and show relevant section
echo
echo "=== Candidate a11y Dockerfiles under docker/frontend ==="
fd -t f 'Dockerfile.*a11y*' docker/frontend -H || true

echo
if [ -f docker/frontend/Dockerfile.a11y-tests ]; then
  echo "=== docker/frontend/Dockerfile.a11y-tests (lines 1-60) ==="
  sed -n '1,60p' docker/frontend/Dockerfile.a11y-tests
else
  echo "docker/frontend/Dockerfile.a11y-tests not found; listing candidates above only."
fi

# Also search for the specific env var name in the docker/frontend dir to see all occurrences.
echo
echo "=== Occurrences of PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN in docker/frontend ==="
rg -n "PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN" docker/frontend || true

Repository: OWASP/Nest

Length of output: 2683

---

Revisit disabling pnpm dependency verification in test images

PNPM_CONFIG_FETCH_RETRIES, PNPM_CONFIG_FETCH_TIMEOUT, and PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false use the correct pnpm v11 pnpm_config_* environment-variable mappings (case-insensitive) and are set identically in both docker/frontend/Dockerfile.unit-tests and docker/frontend/Dockerfile.a11y-tests.

Disabling verifyDepsBeforeRun skips pnpm’s check that the installed node_modules matches pnpm-lock.yaml before pnpm run, which can hide dependency/lockfile drift (even if you pin with --frozen-lockfile during the image build).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/frontend/Dockerfile.unit-tests` around lines 8 - 13, The Docker test
images currently disable pnpm's dependency verification by setting
PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false; remove that override (or set it to
true) so pnpm will validate node_modules against pnpm-lock.yaml, and keep
PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT as-is; make the same
change in the counterpart Dockerfile (the a11y-tests variant) and if EACCES
during `pnpm run` was the reason for disabling verification, instead fix the
underlying permission/installation flow in the image (run installs as the same
user who will run tests, preserve node_modules from the build stage, or adjust
ownership) rather than suppressing PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN.

[cubic-dev-ai]

0 issues found across 4 files (changes from recent commits).

_{Re-trigger cubic}

[cubic-dev-ai]

0 issues found across 3 files (changes from recent commits).

_{Re-trigger cubic}

[hassaansaleem28]

@coderabbitai review this pull

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== frontend/pnpm-workspace.yaml ==="
cat frontend/pnpm-workspace.yaml

echo ""
echo "=== frontend/package.json ==="
cat frontend/package.json

echo ""
echo "=== frontend/.pnpmrc ==="
cat frontend/.pnpmrc

echo ""
echo "=== docker/frontend/Dockerfile ==="
cat docker/frontend/Dockerfile

echo ""
echo "=== docker/frontend/Dockerfile.local ==="
cat docker/frontend/Dockerfile.local

echo ""
echo "=== docker/frontend/Dockerfile.unit-tests ==="
cat docker/frontend/Dockerfile.unit-tests

echo ""
echo "=== docker/frontend/Dockerfile.a11y-tests ==="
cat docker/frontend/Dockerfile.a11y-tests

Length of output: 16502

---

---

The PR description image shows a terminal output with all pre-commit checks passing — CSpell (1829 files, 0 issues), hadolint, yamllint, ruff, mypy, pnpm run lint, pnpm run graphql-codegen, and 30+ other checks — all marked green "Passed".

After reviewing the file contents, here is my full assessment:

---

Review of PR #4785 — Migrate frontend pnpm to v11

✅ What's done well

• Config correctly migrated to pnpm-workspace.yaml: overrides, publicHoistPattern, and saveExact are all properly moved from package.json/.pnpmrc per pnpm v11's requirement.
• allowBuilds list is appropriate: All 7 packages (@sentry/cli, @swc/core, sharp, protobufjs, unrs-resolver, core-js, @heroui/shared-utils) legitimately require post-install scripts (native binaries, CLI downloads).
• PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false is well-reasoned and the inline comments clearly explain why it's needed (frozen-lockfile at build time + non-root user EACCES).
• legacy-peer-deps=true removal is correct — this was an npm-specific flag with no effect on pnpm; removing it is the right call.

---

🔴 Issues

1. Production Dockerfile is missing fetch retry/timeout settings

docker/frontend/Dockerfile.local, Dockerfile.unit-tests, and Dockerfile.a11y-tests all define:

PNPM_CONFIG_FETCH_RETRIES=5
PNPM_CONFIG_FETCH_TIMEOUT=30000

But docker/frontend/Dockerfile (the production image builder stage) does not. Network-flaky CI/CD production builds won't benefit from the same resilience. Suggest adding to the builder stage ENV block:

ENV APK_CACHE_DIR="/app/.cache/apk" \
    APK_SYMLINK_DIR="/etc/apk/cache" \
    COREPACK_ENABLE_DOWNLOAD_PROMPT=0 \
    FORCE_COLOR=1 \
    NPM_CONFIG_CACHE="/app/.npm" \
    PNPM_CONFIG_FETCH_RETRIES=5 \
    PNPM_CONFIG_FETCH_TIMEOUT=30000 \
    PNPM_HOME="/pnpm"

---

2. PR description mentions different env var names than what's implemented

The PR description states:

"Renamed … NPM_CONFIG_RETRY and NPM_CONFIG_TIMEOUT to PNPM_CONFIG_NETWORK_RETRY_COUNT and PNPM_CONFIG_NETWORK_TIMEOUT"

But the actual Dockerfiles use PNPM_CONFIG_FETCH_RETRIES and PNPM_CONFIG_FETCH_TIMEOUT. Please update the PR description to match the implementation — or confirm which names are correct for pnpm v11.

---

⚠️ Minor observations

• Dockerfile.local final stage: No PNPM_HOME or PATH update, but this is fine since corepack enable pnpm provides shims. No change needed.
• pnpm-workspace.yaml has no packages: key: Correct for a single-package (non-monorepo) setup.
• minimumReleaseAge/minimumReleaseAgeExclude in pnpm-workspace.yaml are pre-existing Renovate annotations — pnpm ignores them. No issue.

---

Summary

Item	Severity	Status
Production Dockerfile missing PNPM_CONFIG_FETCH_RETRIES/PNPM_CONFIG_FETCH_TIMEOUT	🔴 Medium	Needs fix
PR description env var names don't match implementation	⚠️ Minor	Update description
Config migration from .pnpmrc/package.json → pnpm-workspace.yaml	✅	Correct
allowBuilds list	✅	Appropriate
PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=false usage	✅	Well-justified
All pre-commit checks passing	✅	Confirmed

The overall approach is solid. Please address the production Dockerfile inconsistency before merging.

[arkid15r]

Could you also cover other cases where pnpm is used?

[arkid15r]

This comment is too long for a single line of code. Please make it shorter and use full length words (I mean the deps case)

[arkid15r]

We don't use in file ignores. Moreover the comment again has 4 lines to explain 1 line of code.

[cubic-dev-ai]

0 issues found across 8 files (changes from recent commits).

_{Re-trigger cubic}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[cubic-dev-ai]

0 issues found across 14 files (changes from recent commits).

_{Re-trigger cubic}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.88%. Comparing base (bf6e69b) to head (8fe8a1f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4785   +/-   ##
=======================================
  Coverage   98.88%   98.88%           
=======================================
  Files         538      538           
  Lines       17143    17143           
  Branches     2405     2457   +52     
=======================================
  Hits        16951    16951           
  Misses        103      103           
  Partials       89       89           

Flag	Coverage Δ
backend	99.47% <ø> (ø)
frontend	97.26% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bf6e69b...8fe8a1f. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkid15r]

cspell and e2e also use pnpm

x