23 changes: 23 additions & 0 deletions .github/actions/set-up-node/action.yml
@@ -0,0 +1,23 @@
name: "Set up Node.js and install dependencies"
description: "Install pnpm, configure Node.js, and install dependencies with pnpm"
inputs:
node-version:
description: "Same as in actions/setup-node"
default: "lts/*"
registry-url:
description: "Same as in actions/setup-node"
default: ""
runs:
using: "composite"
steps:
- name: Install pnpm
uses: pnpm/action-setup@v4
- name: Set up Node.js ${{ inputs.node-version }}
uses: actions/setup-node@v6
with:
node-version: ${{ inputs.node-version }}
registry-url: ${{ inputs.registry-url }}
cache: "pnpm"
- name: Install dependencies
shell: bash
run: pnpm install
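Review bot: the `Install dependencies` step runs plain `pnpm install`; pnpm only switches to frozen-lockfile behaviour when it detects a CI environment variable, so writing `run: pnpm install --frozen-lockfile` makes the intent explicit and guarantees the job fails when `pnpm-lock.yaml` drifts from the manifests. The action's `description` should also state that `pnpm/action-setup@v4` is used without a `version` input and therefore relies on the `packageManager` field of the root `package.json`; a checkout without that field fails at the `Install pnpm` step.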
@coderabbitai coderabbitai bot Dec 13, 2025

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/setup-node current stable version 2024 2025

💡 Result:

As of Dec 13, 2025 the stable actions/setup-node release series is v6 (latest tag v6.1.0). Use it as: uses: actions/setup-node@v6. [1][2]

The action accepts version aliases like latest/current/node and explicit Node versions (e.g., 24, 24.8.0, lts/*). [1]

Sources:
[1] actions/setup-node README.
[2] actions/setup-node Releases (v6.1.0).


🌐 Web query:

pnpm/action-setup current stable version recommendations

💡 Result:

Short answer: use pnpm/action-setup@v4 (the current major maintained release). Prefer pinning the major tag (pnpm/action-setup@v4) or an exact patch/tag for reproducibility, and set the action input "version" (or rely on package.json's packageManager field) to the pnpm version you want. Example:

  • Stable action: uses: pnpm/action-setup@v4. [1]
  • For reproducible CI, pin a specific action tag or commit and specify with: with: version: 10 (or a specific pnpm semver like 10.22.1). [1][2]

Why: the repo/marketplace README explicitly shows and documents v4 as the current supported major and warns v2 is broken on newer Node.js — upgrade to v4 and avoid unpinned "latest" to prevent unexpected breakage. [1][2]

Sources:
[1] pnpm/action-setup README (GitHub).
[2] Setup pnpm — GitHub Marketplace.


🌐 Web query:

GitHub Actions pinning to commit SHA security best practice

💡 Result:

Short best-practice checklist for pinning GitHub Actions to commit SHAs

  1. Pin third‑party actions to the full-length commit SHA (not floating tags like @main or @v1). This is the most reliable way to make the action immutable. [1]
  2. Verify the SHA comes from the action’s original upstream repository (not a fork). Audit the action’s code (especially how it handles your repo/secrets) before pinning. [1][3]
  3. Enforce pinning centrally — use GitHub’s “allowed actions” / policy to require full SHA pins or block unpinned/unauthorized actions at repo/org/enterprise level. [2]
  4. Automate checks and updates:
    • Use tooling (e.g., a workflow that fails if actions aren’t SHA‑pinned) and Dependabot or similar to propose vetted updates. Include a human review step before updating the SHA. [4][3]
  5. Add human-readable metadata: place the original tag/version and release URL in a comment next to the SHA (e.g., “# v1.2.3 — see release”), so reviewers know what the SHA corresponds to. [3][4]
  6. Where available, prefer immutable/attested releases (GitHub’s “immutable actions” / immutable releases) that allow safe tagging; otherwise default to SHA pinning. [2]
  7. Minimize exposure: prefer official/verified creators, maintain an allowlist of trusted action authors, and consider copying critical actions into your org (or using internal reusable workflows) if you must run them without constant re‑audits. [1][2][3]

If you want, I can:

  • scan a repo/workflows and list unpinned actions, or
  • show an example workflow that enforces SHA pinning.

🌐 Web query:

pnpm install --frozen-lockfile CI best practice

💡 Result:

Short best-practices for using pnpm --frozen-lockfile in CI

  1. Commit a single canonical pnpm-lock.yaml for your repo (keep it up-to-date locally). pnpm will fail in CI if the lockfile is missing or out-of-sync. [1]

  2. Pin/activate the pnpm version in CI (Corepack): corepack prepare pnpm@ --activate. Use the same pnpm version locally and in CI to avoid lockfile mismatches. [2][1]

  3. In CI run: pnpm install --frozen-lockfile (or rely on CI default). This guarantees installs use the committed lockfile and prevents implicit lockfile changes during builds. [1]

  4. If you need to update deps, do it outside CI (locally or in a dedicated job) and commit the updated pnpm-lock.yaml (or run pnpm install --lockfile-only in a controlled step/agent) — then open a PR. Avoid using --no-frozen-lockfile in regular CI. [1]

  5. Cache the pnpm store or store-dir to speed CI (optional): configure pnpm_config_store_dir or pnpm config set store-dir and cache that directory per your CI docs. Caching is recommended but not required. [3]

  6. For monorepos/workspaces: ensure all package.json changes and the workspace lockfile are kept in sync; CI will fail if any package manifest differs from the lockfile. Consider running automated pre-merge checks (pnpm install locally or pnpm install --lockfile-only) in PR pipelines. [1]

  7. When debugging unexpected ERR_PNPM_OUTDATED_LOCKFILE errors, confirm pnpm versions and CI detection (env vars) and reproduce the install locally; if necessary run pnpm install to update the lockfile and commit. See known issues/PR guidance in pnpm repo. [4]

Sources:
[1] pnpm install docs (frozen-lockfile behaviour and CI default).
[2] pnpm Continuous Integration guide (Corepack + pinning + caching examples).
[3] pnpm CI caching / store guidance.
[4] pnpm GitHub issue about CI/outdated-lockfile (debugging/mismatch context).

If you want, I can produce a minimal CI job (GitHub Actions / GitLab / Azure) that follows these practices.


Harden CI: pin actions to commit SHAs and use pnpm install --frozen-lockfile.

Actions v6 and pnpm/action-setup@v4 are current stable versions. For supply-chain security and reproducibility, pin both actions to their full-length commit SHAs (with version tags in comments) and ensure pnpm install uses --frozen-lockfile to enforce the committed lockfile in CI.

-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v4
+      # Consider pinning to commit SHA for reproducibility (e.g., v4.0.0 — <release-url>)

@@
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v6
+      # Consider pinning to commit SHA for reproducibility (e.g., v6.1.0 — <release-url>)

@@
-      run: pnpm install
+      run: pnpm install --frozen-lockfile

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/actions/set-up-node/action.yml around lines 13 to 23, the workflow
uses action references by tags which is less secure and currently runs `pnpm
install` without lockfile enforcement; pin both actions to their full commit
SHAs (keep the human-readable version tag in a comment for clarity) for
supply-chain security and replace the `pnpm install` run step with `pnpm install
--frozen-lockfile` so CI fails if lockfile and manifests are out of sync.
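The SHA-pinning checklist above (items 1 and 5) and the bot's offer to scan workflows for unpinned actions, as a small audit script; this is an added example, not code from the repository or from CodeRabbit. It assumes `uses:` references are written one per line as in the diff, and the 40-hex SHAs in the sample are constructed placeholders.

```python
import re

# One `uses:` step per line, e.g. "    uses: actions/setup-node@v6  # optional comment"
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?\s*(#.*)?$')
# A full-length commit SHA is exactly 40 hex digits.
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

# Constructed sample modelled on the composite action in this PR; SHAs are placeholders.
SAMPLE_WORKFLOW = """\
steps:
  - name: Install pnpm
    uses: pnpm/action-setup@v4
  - name: Set up Node.js
    uses: actions/setup-node@v6
  - uses: ./.github/actions/set-up-node
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.0 (placeholder SHA)
  - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""


def classify_ref(ref):
    """Return 'local', 'docker', 'sha' or 'tag' for one `uses:` value."""
    if ref.startswith('./'):
        return 'local'        # lives in the same checkout, nothing to pin
    if ref.startswith('docker://'):
        return 'docker'       # container images are pinned by digest, not commit SHA
    if '@' not in ref:
        return 'tag'          # no ref at all: resolves to the default branch
    version = ref.rpartition('@')[2]
    return 'sha' if SHA_RE.match(version) else 'tag'


def audit(workflow_text):
    """Return (line_number, ref, problem) for every action that fails the pinning checklist."""
    problems = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind == 'tag':
            problems.append((lineno, ref, 'not pinned to a full-length commit SHA'))
        elif kind == 'sha' and comment is None:
            problems.append((lineno, ref, 'SHA pin has no version comment'))
    return problems


if __name__ == '__main__':
    for lineno, ref, problem in audit(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {ref}: {problem}')
```

Run it over `.github/workflows/*.yml` and `.github/actions/*/action.yml` in a CI step and fail the job when `audit` returns a non-empty list.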

Collaborator Author

pnpm uses the version from the main package.json; the Node.js version is specified via input, otherwise it's the latest LTS.


Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

44 changes: 31 additions & 13 deletions .github/dependabot.yml
@@ -1,23 +1,41 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: "monthly"
interval: 'monthly'
labels:
- "dependencies"
rebase-strategy: disabled
- 'dependencies'

- package-ecosystem: npm
directory: "/"
directory: '/'
schedule:
interval: weekly
time: "04:00"
open-pull-requests-limit: 10
interval: 'monthly'
labels:
- skip-changelog
- dependencies
versioning-strategy: increase
rebase-strategy: disabled
allow:
- dependency-name: meilisearch
groups:
vite:
patterns:
- 'vite'
- '@vitejs/plugin-vue'
react:
patterns:
- 'react'
- 'react-dom'
- 'react-router-dom'
instantsearch:
patterns:
- '*instantsearch*'
- '@algolia/*'
- 'algoliasearch'
- 'algoliasearch-helper'
- 'search-insights'
eslint:
patterns:
- '*eslint*'
- 'globals'
prettier:
patterns:
- 'prettier'
- 'prettier-plugin-jsdoc'
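Review bot: the `github-actions` entry keeps `directory: '/'`, which covers the workflow files under `.github/workflows`; confirm that Dependabot also scans the new composite action at `.github/actions/set-up-node/action.yml`, otherwise the `pnpm/action-setup@v4` and `actions/setup-node@v6` references introduced in this PR will never receive update PRs and a second `directory` entry pointing at that folder is needed. Removing `open-pull-requests-limit: 10` also drops the npm entry back to Dependabot's default limit of 5 open PRs, which is probably intended now that updates are grouped but is worth a mention in the PR description.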
16 changes: 0 additions & 16 deletions .github/workflows/dependabot-auto-merge.yml

This file was deleted.

36 changes: 10 additions & 26 deletions .github/workflows/meilisearch-prototype-tests.yml
Expand Up @@ -44,20 +44,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/autocomplete
wait-on: 'http://localhost:7700'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:autocomplete
start: pnpm playground:autocomplete
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand All @@ -84,20 +78,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/local-react
wait-on: 'http://localhost:7700'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:local-react
start: pnpm playground:local-react
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand All @@ -123,18 +111,14 @@ jobs:
strategy:
fail-fast: false
matrix:
node: ['18', '20']
name: integration-tests (Node.js ${{ matrix.node }})
node-version: ['20', '22', '24']
name: integration-tests (Node.js ${{ matrix.node-version }})
steps:
- uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
- uses: ./.github/actions/set-up-node
with:
cache: yarn
node-version: ${{ matrix.node }}
- name: Install dependencies
run: yarn install
node-version: ${{ matrix.node-version }}
- name: Run tests
run: yarn test
run: pnpm test
- name: Build project
run: yarn build
run: pnpm build
36 changes: 10 additions & 26 deletions .github/workflows/pre-release-tests.yml
Expand Up @@ -42,20 +42,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/autocomplete
wait-on: 'http://localhost:7700'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:autocomplete
start: pnpm playground:autocomplete
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand Down Expand Up @@ -83,20 +77,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/local-react
wait-on: 'http://localhost:7700'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:local-react
start: pnpm playground:local-react
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand All @@ -123,18 +111,14 @@ jobs:
strategy:
fail-fast: false
matrix:
node: ['18', '20']
name: integration-tests (Node.js ${{ matrix.node }})
node-version: ['20', '22', '24']
name: integration-tests (Node.js ${{ matrix.node-version }})
steps:
- uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
- uses: ./.github/actions/set-up-node
with:
cache: yarn
node-version: ${{ matrix.node }}
- name: Install dependencies
run: yarn install
node-version: ${{ matrix.node-version }}
- name: Run tests
run: yarn test
run: pnpm test
- name: Build project
run: yarn build
run: pnpm build
9 changes: 3 additions & 6 deletions .github/workflows/publish.yml
Expand Up @@ -16,12 +16,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v5
- uses: ./.github/actions/set-up-node
with:
node-version: '18.x'
registry-url: https://registry.npmjs.org/
- name: Install dependencies
run: yarn
- name: Create .npmrc file
run: |
cat << EOF > "$HOME/.npmrc"
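Review bot: the publish job loses its pinned `node-version: '18.x'` and now inherits the composite action's `lts/*` default, so the Node major used to build and publish the packages changes silently whenever the LTS line rolls over; pass an explicit `node-version` to `./.github/actions/set-up-node` here to keep releases reproducible. Also, with `registry-url` set, `actions/setup-node` writes its own npmrc under the runner temp directory and exports `NPM_CONFIG_USERCONFIG` pointing at it, so check whether the hand-written `$HOME/.npmrc` from the `Create .npmrc file` step is still the one `pnpm release` reads, or whether that step can be dropped.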
Expand All @@ -33,8 +30,8 @@ jobs:
- name: Create Release Pull Request or Publish to npm
uses: changesets/action@v1
with:
publish: yarn release
version: yarn version-packages
publish: pnpm release
version: pnpm version-packages
env:
GITHUB_TOKEN: ${{ secrets.MEILI_BOT_GH_PAT }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
58 changes: 15 additions & 43 deletions .github/workflows/tests.yml
Expand Up @@ -33,20 +33,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/autocomplete
wait-on: 'http://localhost:7700,http://localhost:5173'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:autocomplete
start: pnpm playground:autocomplete
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand Down Expand Up @@ -83,20 +77,14 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run local browser tests
uses: cypress-io/github-action@v6
with:
project: ./playgrounds/local-react
wait-on: 'http://localhost:7700'
# Tests are only done on one playground to avoid long testing time
start: yarn playground:local-react
start: pnpm playground:local-react
env: playground=local
- uses: actions/upload-artifact@v5
if: failure()
Expand Down Expand Up @@ -132,37 +120,27 @@ jobs:
strategy:
fail-fast: false
matrix:
node: ['18', '20']
name: integration-tests (Node.js ${{ matrix.node }})
node-version: ['20', '22', '24']
name: integration-tests (Node.js ${{ matrix.node-version }})
steps:
- uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
- uses: ./.github/actions/set-up-node
with:
cache: yarn
node-version: ${{ matrix.node }}
- name: Install dependencies
run: yarn install
node-version: ${{ matrix.node-version }}
- name: Run tests
run: yarn test
run: pnpm test
- name: Build all the playgrounds and the packages
run: yarn build
run: pnpm build
- name: Run the node playground
run: yarn playground:node
run: pnpm playground:node
style_tests:
name: style-check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn install
- uses: ./.github/actions/set-up-node
- name: Tests style
run: yarn style
run: pnpm style
- name: Yaml Style
uses: ibiqlik/action-yamllint@v3
with:
Expand All @@ -172,12 +150,6 @@ jobs:
name: types-check
steps:
- uses: actions/checkout@v6
- name: Setup node
uses: actions/setup-node@v5
with:
node-version: 18
cache: yarn
- name: Install dependencies
run: yarn
- uses: ./.github/actions/set-up-node
- name: Run types check
run: yarn test:types
run: pnpm test:types