chore(pnpm): migrate recce to pnpm v11 + Node ≥24 (DRC-3439)

[gcko]

Summary

Migrates recce from pnpm v10.30.3 → pnpm v11.1.1, baselines Node ≥24 everywhere, and adopts the v11 config layout. Follows recce-cloud-infra's migration (PR #1316).

Linear: DRC-3439

Changes

Configuration migration

• js/package.json#pnpm block removed — content moved to js/pnpm-workspace.yaml
• js/pnpm-workspace.yaml: gains overrides (46 entries, verbatim from the prior package.json block) and a unified allowBuilds map
• js/package.json#packageManager: pinned to exact pnpm@11.1.1+sha512.<integrity> (corepack rejects bare pnpm@11; the separator between sha512 and the hash is a ., not :)
• js/pnpm-lock.yaml: regenerated under pnpm 11.1.1. Direct dep resolved versions unchanged (react@19.2.6, next@16.2.6, @mui/material@9.0.1, @sentry/nextjs@10.53.1). Transitive deps refreshed within their caret ranges as a side-effect of the regeneration — see "Lockfile drift" below.

Lockfile drift (transitive deps)

Regenerating under pnpm 11 picked up the latest within-range versions for transitive deps that pnpm 10 had been freezing. Notable changes:

Package	From	To	Notes
@sentry/react / @sentry-internal/* / @sentry/{browser,core}	10.49.0	10.53.1	Resolution now matches the direct @sentry/nextjs@10.53.1 pin
@amplitude/rrweb	2.1.1	2.1.0	Downgrade — @amplitude/unified@1.1.5 pinned this transitive lower
@amplitude/experiment-{core,js-client}	0.13.0 / 1.21.0	0.13.1 / 1.21.1	Patch bumps
vite	7.3.2	7.3.3	Patch bump
@babel/{compat-data,helper-string-parser,parser}	7.29.0 / 8.0.0-rc.3 / 7.29.2	7.29.3 / 8.0.0-rc.4 / 7.29.3	Patch / rc bumps
@codemirror/{autocomplete,lint,search}	6.20.1 / 6.9.5 / 6.6.0	6.20.2 / 6.9.6 / 6.7.0	Patch / minor bumps
@inquirer/{confirm,core}	6.0.12 / 11.1.9	6.0.13 / 11.1.10	Patch bumps (transitive of storybook)
@mswjs/interceptors	0.41.4	0.41.9	Patch bumps
New: @rolldown/binding-*@1.0.0 (16 platform pkgs), @rolldown/pluginutils@1.0.0, @oxc-project/types@0.129.0	—	added	Pulled in transitively

All within their declared caret ranges; the quality gates (pnpm lint / type:check / test 3708 passed / build) cover them. Listing here so reviewers can see the actual change surface.

allowBuilds decisions

Package	Decision	Reason
@tailwindcss/oxide	true	Inherited from prior onlyBuiltDependencies
msw	true	Inherited
sharp	true	Inherited
unrs-resolver	true	Inherited
@parcel/watcher	false	pnpm 10 was silently skipping; tests pass without it. Ships pre-built binaries via platform-specific optional deps, so false is safe. Flip to true if regressions appear.
@sentry/cli	false	Same — @sentry/cli-{darwin,linux,…} packages ship Mach-O / ELF binaries directly.
esbuild	false	Same — @esbuild/<platform>-<arch> packages ship native binaries directly.

CI workflows (6 bumped + 1 deleted)

File	Change
tests-js.yaml	pnpm/action-setup@v4 → @v6, version: 10 → 11 (2 jobs)
tests-python.yaml	Same (2 jobs)
nightly.yaml	Same
release.yaml	Same
release-ui.yaml	Same
address-dependabot.yaml	Same
build-statics.yaml	Deleted (past its 2026-02-01 deprecation date; nightly.yaml is the replacement)

Documentation

• AGENTS.md: new "pnpm v11 — strictDepBuilds + allowBuilds" section cross-referencing recce-cloud-infra's canonical examples

Verification

• CI=true pnpm install --frozen-lockfile → clean (no ignored builds, no placeholder lines appended)
• pnpm lint / pnpm type:check → clean
• pnpm test → 3708 passed / 5 skipped / 156 files (matches pre-migration baseline)
• pnpm run build → static export OK
• make format / make flake8 → clean
• python3 -m pytest tests → 1206 passed (matches baseline)

Out of scope

• recce-landing (separate work; the issue notes "leave on npm unless there's a concrete reason to migrate")
• @vitejs/plugin-react 6.0 (deferred via Dependabot chore(deps): bump @vitejs/plugin-react from 5.2.0 to 6.0.1 in /js #1340 — requires Vite 8)

Test plan

• CI=true pnpm install --frozen-lockfile exits 0
• No placeholder : set this to true or false lines in pnpm-workspace.yaml
• Direct dep resolved versions in pnpm-lock.yaml match pre-migration (transitive deps refreshed within caret ranges — see Lockfile drift table)
• Frontend quality gate green
• Backend quality gate green
• CI green on this PR (under pnpm 11 + Node 24 with the updated workflow actions)

[gcko]

Code Review: PR #1374

SHA 5750b913 · Verdict NO-GO

Issues

1. js/pnpm-lock.yaml:58,130,260,293,312,321,330,351,360,399,408,537-685 — PR body claims "resolved versions unchanged" but the regenerated lockfile pulled in transitive drift across at least 11 packages.
   Evidence: @amplitude/rrweb 2.1.1 → 2.1.0 (downgrade), @sentry/react 10.49.0 → 10.53.1, vite 7.3.2 → 7.3.3, @codemirror/{autocomplete,lint,search} patch bumps, @babel/{compat-data,helper-string-parser,parser} patch bumps. These were not surfaced in the description so reviewers cannot judge the change surface.
   Pass F.

2. AGENTS.md:142 (and PR body line "pinned to exact pnpm@11.1.1+sha512:<integrity>") — documents the packageManager integrity separator as : (colon), but the actual js/package.json:11 value uses . (dot): pnpm@11.1.1+sha512.d1fdf5f....
   Evidence: grep 'sha512' js/package.json AGENTS.md shows the mismatch. A future agent copying the docs verbatim will produce a corepack-rejected packageManager field — exactly the failure mode this section was added to prevent.
   Pass A.

Notes

1. js/pnpm-workspace.yaml:54-60 — @parcel/watcher, @sentry/cli, esbuild set to false is safe in this config because all three ship pre-built native binaries via platform-specific optional packages (verified @sentry/cli-darwin@2.58.5 ships a Mach-O binary; @esbuild/darwin-arm64@0.27.7 ships a native binary). The inline "flip to true if regressions appear" comment is correctly defensive.

2. .github/workflows/*.yaml pnpm/action-setup@v6 floats the major (current latest v6.0.8, released 2026-05-12). CI runs may pick up unreviewed v6.0.9+ automatically. Mirrors recce-cloud-infra precedent — consistent, but worth flagging that the migration explicitly relies on pnpm/action-setup tag hygiene from a third party.

3. js/pnpm-workspace.yaml — minimumReleaseAge not explicitly set; pnpm 11 default of 1440 (24h) now applies. Matches the captain's stated decision.

4. js/pnpm-workspace.yaml — overrides ordering preserved verbatim from the prior package.json block (46 entries, 1:1 byte-diff diff of sorted keys = identical). No grouping/sectioning yet; deferring per the migration's minimum-diff principle is reasonable.

[Copilot]

Pull request overview

Migrates the frontend toolchain to pnpm v11 (with Node.js ≥24) and updates repo/CI configuration accordingly, including moving pnpm workspace configuration into pnpm-workspace.yaml and regenerating the lockfile under pnpm 11.

Changes:

• Move pnpm overrides and build allowlisting to js/pnpm-workspace.yaml and pin js/package.json#packageManager to pnpm@11.1.1.
• Regenerate js/pnpm-lock.yaml under pnpm 11.
• Update GitHub Actions workflows to use pnpm/action-setup@v6 and delete the deprecated build-statics.yaml workflow.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
js/pnpm-workspace.yaml	Adds workspace-level overrides and allowBuilds configuration for pnpm v11.
js/pnpm-lock.yaml	Regenerated lockfile under pnpm 11 (includes resolution changes).
js/package.json	Pins Corepack packageManager to pnpm@11.1.1 and removes the old pnpm config block.
AGENTS.md	Documents pnpm v11 behaviors (strict dep builds + allowBuilds workflow).
.github/workflows/tests-python.yaml	Updates pnpm setup action/version for CI jobs that build frontend assets.
.github/workflows/tests-js.yaml	Updates pnpm setup action/version for JS lint/test/build CI.
.github/workflows/release.yaml	Updates pnpm setup action/version for release builds.
.github/workflows/release-ui.yaml	Updates pnpm setup action/version for UI publishing workflow.
.github/workflows/nightly.yaml	Updates pnpm setup action/version for nightly builds.
.github/workflows/address-dependabot.yaml	Updates pnpm setup action/version for dependabot consolidation workflow.
.github/workflows/build-statics.yaml	Deletes deprecated workflow in favor of the nightly replacement.

Files not reviewed (1)

• js/pnpm-lock.yaml: Language not supported

Comments suppressed due to low confidence (2)

.github/workflows/tests-js.yaml:66

• pnpm/action-setup is configured with version: 11, which can float to different pnpm 11.x releases over time and diverge from the repo’s pinned packageManager (pnpm@11.1.1). Pin this to the exact version used by the workspace to keep CI installs reproducible and prevent lockfile churn.

      - uses: pnpm/action-setup@v6
        with:
          version: 11
          run_install: false

.github/workflows/tests-python.yaml:123

• pnpm/action-setup is configured with version: 11, which can float to different pnpm 11.x releases over time and diverge from the repo’s pinned packageManager (pnpm@11.1.1). Pin this to the exact version used by the workspace to keep CI installs reproducible and prevent lockfile churn.

      - uses: pnpm/action-setup@v6
        with:
          version: 11
          run_install: false

[gcko]

Both ISSUEs addressed.

Comment	File:line	Action	Commit	Status
Issue 1: PR body claims "resolved versions unchanged" but transitive drift across ≥11 packages	PR description	Rewrote the lockfile section to clarify "direct dep resolved versions unchanged" and added a "Lockfile drift" table enumerating the actual transitive bumps (@sentry/* 10.49.0→10.53.1, @amplitude/rrweb 2.1.1→2.1.0 downgrade, vite 7.3.2→7.3.3, multiple @babel/* and @codemirror/* patch bumps, new @rolldown/binding-* platform packages pulled in transitively). Updated the test plan checkbox accordingly.	— (PR body edit)	Fixed
Issue 2: AGENTS.md:142 documents sha512:<integrity> but actual format uses .	AGENTS.md:142 and PR body	Changed both occurrences to sha512.<integrity> and added a parenthetical clarifying the separator	8eabdb70	Fixed

Notes 3 (allowBuilds false decisions verified safe) and 4 (pnpm/action-setup@v6 floating tag) were informational; no changes.

[wcchang1115]

Code Review: PR #1374 (re-review)

SHA b058a4d3 · Verdict GO · Incremental (since 9f52cbc8)

All four Issues from the prior re-review are resolved by b058a4d3
(docs-only, 4 files, +13/-13). Cross-referenced each cited line against
the new tree:

1. AGENTS.md:127 — now Node.js 24+. ✓
2. .github/copilot-instructions.md:87,123,219 — pnpm 11 install hint,
   Node >=24 build-error hint, and the package.json layout comment
   all updated. ✓
3. .github/instructions/frontend-instructions.md:25,87-88,109,127-128,226,269
   — package-manager directive, tech-stack list (Node.js >=24 / pnpm
   11), file-structure layout, config notes (now Uses pnpm@11.1.1 as package manager (pinned via Corepack)), CI checklist, and the
   Node upgrade fix hint all updated. ✓
4. docs/architecture.md:12 — now Node.js 24+. ✓

Sweep for residual pnpm 10 / Node >=20 / Node 20+ references
across *.md, *.yml, *.yaml, *.json returns only one hit —
js/pnpm-workspace.yaml:59 (# Disallowed: pnpm 10 was silently skipping these...) — which the commit message correctly flags as
intentional preservation of the pre-migration baseline. CI workflows
all use node-version: 24; js/package.json:9 engines pin
"node": ">=24".

Cross-reference on new "pnpm@11.1.1 (pinned via Corepack)" claim in
frontend-instructions.md:128: matches js/package.json:11
(pnpm@11.1.1+sha512.d1fdf5f...) and the packageManager /
corepack contract documented in AGENTS.md.

Quality gates skipped on this incremental: change is pure markdown,
no executable surface affected. Prior 9f52cbc8 review confirmed
CI=true pnpm install --frozen-lockfile clean and full Python /
frontend test gates green at HEAD~1.

Notes from the prior review (@sentry/cli, @parcel/watcher allowBuilds
decisions; build-statics.yaml deletion correct) remain valid and
non-blocking.

[wcchang1115]

See review comment for details. NO-GO: stale Copilot/agent docs (AGENTS.md:127, .github/copilot-instructions.md, .github/instructions/frontend-instructions.md, docs/architecture.md:12) still pin pnpm 10 / Node ≥20, contradicting the PR's 'Node ≥24 everywhere' invariant. Core pnpm v11 mechanics LGTM.

[gcko]

All four stale-doc issues addressed in b058a4d3.

Comment	File:line	Action	Commit	Status
Issue 1: Tech-stack table still pins Node.js 20+	AGENTS.md:127	Node.js 20+ → Node.js 24+	b058a4d3	Fixed
Issue 2: Copilot instructions still pin pnpm 10 / Node ≥20	.github/copilot-instructions.md:87,123,219	pnpm install # Uses pnpm 10… → pnpm 11…; Node version is >=20 → >=24; package.json layout comment pnpm 10, Node >=20 → pnpm 11, Node >=24	b058a4d3	Fixed
Issue 3: Frontend Copilot instructions still pin pnpm 10 / Node ≥20	.github/instructions/frontend-instructions.md:28,87,88,109,130,131,226,269	Package-manager directive pnpm (version 10) → version 11; tech-stack list Node.js >=20/pnpm 10 → >=24/pnpm 11; file-structure layout Node >=20 required → >=24; config notes Requires Node.js >=20 / Uses pnpm@10.26.x → >=24 / pnpm@11.1.1 (pinned via Corepack); CI checklist pnpm 10 installation → pnpm 11 installation; Node upgrade hint Node.js 20 or later → Node.js 24 or later	b058a4d3	Fixed
Issue 4: Architecture doc still pins Node.js 20+	docs/architecture.md:12	Node.js 20+ → Node.js 24+	b058a4d3	Fixed

Verification:

• CI=true pnpm install --frozen-lockfile clean on the new HEAD (b058a4d3), no allowBuilds placeholder lines appended.
• Repo-wide sweep for remaining pnpm 10 / Node >=20 references returned only intentional historical context: js/pnpm-workspace.yaml:59 ("Disallowed: pnpm 10 was silently skipping these") and the docs/plans/2026-05-13-drc-3439-* migration plans describing the pre-migration baseline. Left those untouched.

Notes 1–3 from the re-review are informational; no changes needed. Note 1 (@sentry/cli: false blocking future Sentry sourcemap upload) is worth a follow-up issue if/when we wire next build sourcemap upload — flag it then, flip the entry to true.

[wcchang1115]

Re-review for SHA b058a4d — all four prior NO-GO Issues resolved. Updated review comment: #1374 (comment)