Skip to content

chore(web): consolidate on pnpm as the single lockfile#138

Merged
ravirajsinh45 merged 1 commit into
mainfrom
chore-pnpm-consolidation
Jul 9, 2026
Merged

chore(web): consolidate on pnpm as the single lockfile#138
ravirajsinh45 merged 1 commit into
mainfrom
chore-pnpm-consolidation

Conversation

@ravirajsinh45

Copy link
Copy Markdown
Contributor

Context

Follow-up to the dependabot cleanup. The "dependabot can't parse pnpm-lock.yaml" error was not a lockfileVersion-9 limitation — dependabot has bumped apps/web npm deps against this exact v9 lockfile many times (#52/#55/#56/#25/#15). It failed only while the lockfile was corrupted (duplicate keys) by sibling squash-merges, which #136 already fixed. So npm dependabot is already working again.

The real latent risk this addresses: package-lock.json is 100% vestigial (grep finds zero references — Dockerfiles and CI use pnpm install --frozen-lockfile exclusively), yet dependabot maintained both package-lock.json and pnpm-lock.yaml per bump — doubling the lockfile conflict surface that produced the corruption.

Changes

  • Remove apps/web/package-lock.json (10.9k lines) and root package-lock.json (11k lines).
  • Declare "packageManager": "pnpm@10.15.0" in root + apps/web package.json.
  • CI: drop the redundant version: 10 from both pnpm/action-setup@v6 steps — packageManager is now the single source of the pnpm version (v6 errors if both are set), pinning CI to 10.15.0 to match the lockfile.
  • Dockerfiles: pin corepack prepare pnpm@10.15.0 (dev + prod) to match packageManager.
  • .gitignore: ignore package-lock.json so a stray npm install can't reintroduce a competing lockfile.
  • Regenerate the root pnpm-lock.yaml, which had pre-existing drift (it referenced wavesurfer.js@^7.12.4, not a root dep, so root --frozen-lockfile was already failing on main). Now passes.

apps/web/pnpm-lock.yaml — the web build's actual lockfile — is unchanged.

Verified locally

  • pnpm install --frozen-lockfile passes at root (+ turbo 2.10.4) and in apps/web (using pnpm 10.15.0 per the pin, lockfile up to date).
  • grep confirms nothing references package-lock.json.
  • The pnpm/action-setup + Dockerfile changes are validated by this PR's CI (Frontend Build, Lint, Docker web image).

package-lock.json was vestigial — Dockerfiles and CI use pnpm exclusively
(pnpm install --frozen-lockfile), yet dependabot maintained BOTH lockfiles per
bump, doubling the conflict surface (which produced the duplicate-key corruption
fixed in #136).

- Remove apps/web/package-lock.json and root package-lock.json.
- Declare packageManager: pnpm@10.15.0 in root + apps/web package.json.
- Drop the redundant version:10 from pnpm/action-setup in CI (packageManager is
  now the single source of the pnpm version); pin corepack prepare to match.
- gitignore package-lock.json so a stray npm install can't reintroduce it.
- Regenerate the root pnpm-lock.yaml, which had pre-existing drift (it referenced
  wavesurfer.js, not a root dep); root 'pnpm install --frozen-lockfile' now passes.

apps/web/pnpm-lock.yaml (the web build's lockfile) is unchanged. Verified
'pnpm install --frozen-lockfile' passes at root and in apps/web.
@ravirajsinh45 ravirajsinh45 merged commit bf4a0a4 into main Jul 9, 2026
4 checks passed
@ravirajsinh45 ravirajsinh45 deleted the chore-pnpm-consolidation branch July 9, 2026 10:39
ravirajsinh45 added a commit that referenced this pull request Jul 9, 2026
… 's3') (#139)

test_video_stream_returns_hls_proxy_url_with_token asserted "s3" not in url,
where url = /stream/hls/master.m3u8?token=<random JWT>. The token is random and
intermittently contains the substring 's3', failing the check and reddening CI
unpredictably (e.g. on the #138 merge to main). The preceding assertion already
confirms the URL is the HLS proxy path, so scope the guard to the part before
?token=: still catches a leaked presigned S3 URL (host/path carries 's3'), but
ignores the opaque token.

Verified: the s3-in-token case that flaked now passes, a presigned URL is still
rejected, and 12/12 live runs pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant