
chore: Update pnpm and project dependencies #19

Merged: stefashkaa merged 1 commit into main from chore/update-pnpm-and-deps on Jun 14, 2026
stefashkaa (Member) commented Jun 14, 2026

Description

I've updated pnpm itself and the project dependencies to utilize the latest tools.

Work done

  • Update pnpm to 11.6.0
  • Update dependencies

Summary by CodeRabbit

  • Chores
    • Updated dependencies to latest versions, including Nuxt, PostHog, Vue, and Sass.
    • Updated package manager to pnpm 11.6.0.
    • Modified workspace build configuration.

Copilot AI review requested due to automatic review settings June 14, 2026 15:34

vercel Bot commented Jun 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| desource-labs-web | Ready | Preview, Comment | Jun 14, 2026 3:41pm |

coderabbitai Bot commented Jun 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f22b9338-c326-4591-acac-4dd15ec8036e

📥 Commits

Reviewing files that changed from the base of the PR and between 8340152 and 0a8bda0.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Walkthrough

Upgrades packageManager to pnpm@11.6.0 in package.json, removes the pnpm.overrides glob entry, and bumps several dependency versions. In pnpm-workspace.yaml, the onlyBuiltDependencies list is replaced with an overrides block that uses the pnpm v11 allowBuilds syntax.

Changes

pnpm v11 Upgrade and Dependency Updates

| Layer / File(s) | Summary |
|---|---|
| Dependency version bumps and packageManager upgrade (package.json) | Removes the pnpm.overrides glob block, updates nuxt, posthog-js, vue, sass, and @nuxtjs/sitemap version specifiers, and sets packageManager to pnpm@11.6.0. |
| Workspace build permissions migration (pnpm-workspace.yaml) | Replaces the onlyBuiltDependencies list with an overrides block targeting glob@^13.0.6 that sets allowBuilds for @parcel/watcher, core-js, esbuild, sharp, and vue-demi. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

  • DeSource-Labs/desource-labs-web#13: Also modifies package.json dependency versions (nuxt, posthog-js, vue, sass) and the packageManager field, directly overlapping with this PR's dependency-update work.

Poem

🐇 Hop, hop, hooray for pnpm eleven!
Old onlyBuiltDeps flew off to heaven.
allowBuilds now guards the warren gate,
While nuxt and vue upgrade their state.
The glob override? Gone without a trace —
A cleaner workspace, tidy as a burrow base! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: Update pnpm and project dependencies' accurately summarizes the main changes: pnpm upgrade to 11.6.0 and dependency version bumps across package.json and pnpm-workspace.yaml. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

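| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | posthog-js@1.386.6 | 87 | 100 | 82 | 100 | 100 |
| Added | vue@3.5.38 | 100 | 100 | 91 | 97 | 100 |
| Updated | sass@1.100.0 ⏵ 1.101.0 | 100 | 100 | 100 | 95 | 100 |
| Added | nuxt@4.4.8 | 98 | 100 | 100 | 96 | 100 |
| Added | @nuxtjs/sitemap@8.2.1 | 98 | 100 | 97 | 99 | 100 |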

@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/@internationalized/date@3.12.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @tanstack/table-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/@tanstack/table-core@8.21.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/table-core@8.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm embla-carousel is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/embla-carousel@8.6.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/embla-carousel@8.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm posthog-js is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/posthog-js@1.386.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.386.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Copilot AI left a comment

Pull request overview

Updates the project’s package manager version and dependency set to align with newer tooling (pnpm 11.6.0) and refreshed Nuxt/Vue ecosystem packages.

Changes:

  • Bump packageManager to pnpm@11.6.0 and update several runtime/dev dependencies (Nuxt, Vue, Sass, etc.).
  • Move glob override from package.json into pnpm-workspace.yaml.
  • Replace the prior build-allowlist configuration (onlyBuiltDependencies) with the new workspace-level build allowlist configuration.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| pnpm-workspace.yaml | Centralizes pnpm workspace config (overrides + build allowlist) at the workspace level. |
| package.json | Updates dependency versions and pins the repo to pnpm 11.6.0 via packageManager. |

stefashkaa merged commit 205037c into main on Jun 14, 2026 (6 checks passed)
stefashkaa deleted the chore/update-pnpm-and-deps branch on June 14, 2026 15:42