chore(build): migrate core-web from yarn 1 to pnpm#35429
chore(build): migrate core-web from yarn 1 to pnpm#35429
Conversation
Replaces Yarn Classic 1.22.22 with pnpm 10.17.1 as the package manager for core-web. Local benchmarks: ~36% faster installs on warm cache (28s vs 44s) and ~38% smaller node_modules (1.9 GB vs 3.1 GB); shared pnpm store deduplicates across projects on dev machines and CI runners. Package / lockfile - core-web/package.json: packageManager -> pnpm@10.17.1; resolutions -> pnpm.overrides; add pnpm.onlyBuiltDependencies (native postinstall allowlist) and pnpm.ignoredOptionalDependencies: [canvas] (matches yarn's implicit skip when the native build fails). - core-web/.yarnrc + yarn.lock removed. - core-web/.npmrc added: registry=https://dotcms-npm.b-cdn.net, fetch-timeout, auto-install-peers, engine-strict. - core-web/pnpm-lock.yaml generated via pnpm import. Phantom dependencies declared explicitly (yarn 1 hoisted them; pnpm does not): prosemirror-model, prosemirror-state, prosemirror-transform, prosemirror-view, tippy.js, @tiptap/extension-heading, prismjs, and @material/{base,dom,mwc-base,mwc-icon,mwc-list,mwc-ripple,ripple}. Maven - nodejs-parent/pom.xml: frontend-maven-plugin goal changed to install-node-and-npm; two exec-maven-plugin executions via the bundled corepack activate pnpm and install its shim into installs/node. - core-web/pom.xml: the 7 default + 2 format-profile yarn goals are now exec-maven-plugin executions that invoke ${node.install.dir}/pnpm directly; yarn.install.cmd -> pnpm.install.args. CI - .github/actions/core-cicd/maven-job/action.yml: yarn cache steps replaced with pnpm/action-setup@v4 + pnpm store cache keyed on core-web/pnpm-lock.yaml. - .github/actions/core-cicd/deployment/deploy-javascript-sdk/action.yml: yarn install -> pnpm install --frozen-lockfile; npx -> pnpm exec. Project-level yarn invocations - libs/dotcms-webcomponents/project.json: yarn stencil build -> pnpm exec stencil build. - apps/dotcms-ui-e2e/playwright.config.ts: yarn nx run ... serve -> pnpm exec nx run ... serve. Husky removed - Deleted core-web/.husky/pre-commit (~540 lines of shell) and core-web/prepare.js. Dropped the prepare script and husky devDep from package.json. The hook duplicated CI checks (lint, format, build) on every commit, added 15-30s of local friction, and was hard to keep in sync with the toolchain. CI continues to enforce these checks. - docs/core/GIT_WORKFLOWS.md: replaced the pre-commit section with a short list of optional local commands. Docs sweep (yarn -> pnpm): core-web/CLAUDE.md, .github/copilot-instructions.md, .github/instructions/frontend.instructions.md. Verification (local, worktree) - pnpm install --frozen-lockfile: 15.8s (vs yarn 44.2s on same repo). - pnpm exec nx run-many -t build --exclude='tag:skip:build': 15/15 projects built successfully. - ./mvnw -DskipTests install -pl :dotcms-core-web --am -Dmaven.build.cache.enabled=false from a clean state (no node_modules, no installs/, no caches): BUILD SUCCESS in 1m13s.
❌ Issue Linking RequiredThis PR could not be linked to an issue. All PRs must be linked to an issue for tracking purposes. How to fix this:Option 1: Add keyword to PR body (Recommended - auto-removes this comment)
Why is this required?Issue linking ensures proper tracking, documentation, and helps maintain project history. It connects your code changes to the problem they solve.--- This comment was automatically generated by the issue linking workflow |
github-actions
Bot
added
Area : CI/CD
|
Claude finished @oidacra's task in 4m 16s —— View job PR Review: pnpm migration
Security: direct dependencies below CVE fix versionsThree direct dependencies in
Also worth adding to "pnpm": {
"overrides": {
...
"axios": ">=1.15.0",
"vite": ">=7.3.2"
}
}Misleading comment in
|
The action runs from the repo root where there is no package.json, so it cannot resolve the pnpm version from `packageManager`. Passing package_json_file tells it to look at core-web/package.json, where the field lives. Failure observed on PR #35429 / Initial Artifact Build: Error: No pnpm version is specified.
The Node Binary Cache key was `node-binary-${hashFiles(core-web/.nvmrc)}`,
so runs on this branch restored an installs/ directory produced by the
previous yarn-era pipeline (install-node-and-yarn). That layout has
node but does not populate node_modules/corepack/ the way
install-node-and-npm does, and the plugin sees 'Node v22.15.0 is
already installed' and skips re-downloading. The follow-up
exec-maven-plugin step then fails with:
Cannot find module '.../installs/node/node_modules/corepack/dist/corepack.js'
Include nodejs-parent/pom.xml in the cache key so the pnpm-era layout
doesn't share a slot with the yarn-era one.
Medium
- core-web/pom.xml: lint-test and unit-test executions now use the
${git.origin.branch} property instead of hardcoded --base=origin/main,
so the is_pr profile and any future branch config applies.
- maven-job/action.yml: save-cache-pnpm now has the same requires-node
guard as restore-cache-pnpm, avoiding an empty path when a job runs
with requires-node=false and generate-artifacts=true.
Low
- deploy-javascript-sdk/action.yml: removed the standalone
'Enable Corepack' step; pnpm/action-setup@v4 handles pnpm activation
on its own, so the explicit corepack enable was redundant and could
introduce a different pnpm version from the system corepack.
- .npmrc: dropped auto-install-peers=true. Phantom deps are declared
explicitly in package.json now, so the pnpm default (strict) gives us
tighter hygiene. Added a comment explaining why
strict-peer-dependencies=false is still needed (pre-existing conflicts
like codelyzer, ng-mocks, ngx-markdown).
Info
- apps/dotcms-ui-e2e/CLAUDE.md: yarn nx e2e -> pnpm nx e2e.
- nodejs-parent/pom.xml: clarified via comment that
frontend-maven-plugin normalises the Node tarball layout on both
Linux and macOS to ${node.install.dir}/node_modules/corepack, so the
direct node-driven corepack.js path works cross-platform (confirmed
by the earlier CI error message itself referencing the same path).
Legal RiskThe following dependencies were released under a license that RecommendationWhile merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue. GPL-2.0 MPL-2.0
|
|
Semgrep found 2 Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise. Fix: Upgrade this library to at least version 1.15.0 at core/core-web/pnpm-lock.yaml:7316. Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 2 Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying Manual Review Advice: A vulnerability from this advisory is reachable if you have Fix: Upgrade this library to at least version 1.15.0 at core/core-web/pnpm-lock.yaml:7316. Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of next are vulnerable to Allocation of Resources Without Limits or Throttling. A specially crafted HTTP request to a Next.js App Router Server Function endpoint can trigger excessive CPU consumption during React Server Components deserialization, leading to denial of service. Fix: Upgrade this library to at least version 15.5.15 at core/core-web/pnpm-lock.yaml:11218. Reference(s): GHSA-q4gf-8mx6-v5v3 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 2 Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using Fix: Upgrade this library to at least version 7.3.2 at core/core-web/pnpm-lock.yaml:14067. Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 2 Risk: Affected versions of vite are vulnerable to Improper Access Control / Incorrect Behavior Order. Vite's dev server can bypass Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using Fix: Upgrade this library to at least version 7.3.2 at core/core-web/pnpm-lock.yaml:14067. Reference(s): GHSA-v2wj-q39q-566r, CVE-2026-39364 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 2 Risk: Affected versions of @angular/compiler and @angular/core are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Angular's runtime/compiler can be vulnerable to XSS when a security-sensitive attribute (e.g., Manual Review Advice: A vulnerability from this advisory is reachable if you enable internationalization for the sensitive attribute by adding i18n- while it receives untrusted data Fix: Upgrade this library to at least version 21.2.4 at core/core-web/pnpm-lock.yaml:1064. Reference(s): GHSA-g93w-mfhg-p222, CVE-2026-32635 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of storybook are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') / Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') / Missing Origin Validation in WebSockets. Storybook's dev server WebSocket endpoint does not validate the Manual Review Advice: A vulnerability from this advisory is reachable if you visit a malicious website while your local Storybook dev server is running Fix: Upgrade this library to at least version 10.2.10 at core/core-web/pnpm-lock.yaml:13236. Reference(s): GHSA-mjf5-7g4m-gx5w, CVE-2026-27148 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of rollup are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rollup is vulnerable to arbitrary file write via path traversal: chunk/asset names derived from user-controlled inputs (e.g., CLI named inputs, manual chunk aliases, or malicious plugins) are insufficiently sanitized, allowing Manual Review Advice: A vulnerability from this advisory is reachable if you are running Fix: Upgrade this library to at least version 4.59.0 at core/core-web/pnpm-lock.yaml:12710. Reference(s): GHSA-mw96-cpmx-2vgc, CVE-2026-27606 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of next are vulnerable to Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in React Server Components' deserialization allows an attacker to send a specially crafted HTTP request to any App Router Server Function endpoint in Next.js, triggering excessive CPU usage, out-of-memory conditions, or a server crash and resulting in a denial of service. Fix: Upgrade this library to at least version 15.0.8 at core/core-web/pnpm-lock.yaml:11218. Reference(s): GHSA-h25m-26qc-wcjf, CVE-2026-23864 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. An attacker can send a specially crafted HTTP request to any Server Function endpoint (as used by Next.js' App Router) that, when deserialized by the React Server Components runtime, enters an infinite loop—hanging the server process, exhausting CPU, and resulting in a denial-of-service. Fix: Upgrade this library to at least version 14.2.35 at core/core-web/pnpm-lock.yaml:11218. Reference(s): GHSA-5j59-xgg2-r9c4, CVE-2025-67779 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in Next.js's App Router deserialization allows an attacker to send a specially crafted HTTP request body that, when parsed by the server, triggers excessive CPU work or an infinite loop. By targeting any App Router endpoint with this malicious payload, the server process can hang and become unresponsive, resulting in a denial-of-service. Fix: Upgrade this library to at least version 14.2.34 at core/core-web/pnpm-lock.yaml:11218. Reference(s): GHSA-mwv6-3258-q52c If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Manual Review Advice: A vulnerability from this advisory is reachable if you use Rollup to bundle JavaScript with Fix: Upgrade this library to at least version 4.22.4 at core/core-web/pnpm-lock.yaml:12710. Reference(s): GHSA-gcx4-mw62-g8wm, CVE-2024-47068 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. Semgrep found 1 Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object. Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object Fix: Upgrade this library to at least version 5.76.0 at core/core-web/pnpm-lock.yaml:14340. Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154 If this is a critical or high severity finding, please also link this issue in the #security channel in Slack. |
pnpm's corepack shim installs at installs/node/pnpm as a symlink to
node_modules/corepack/dist/pnpm.js. That script starts with:
#!/usr/bin/env node
On GitHub-hosted runners the default PATH has Node 20, which gets
picked up first and fails the engines.node >=22 check in package.json
with ERR_PNPM_UNSUPPORTED_ENGINE. Prepend ${node.install.dir} to PATH
in exec-maven-plugin so the installed Node 22 is used instead.
Observed on PR #35429 / Initial Artifact Build:
Expected version: >=v22.15.0
Got: v20.20.2
`nx format:check` (the format-test Maven execution) fails on the generated pnpm-lock.yaml because prettier's YAML formatting differs from pnpm's output. Ignore it the same way yarn-error.log.json / package-lock.json are already ignored. Observed on PR #35429 CI: > nx format:check pnpm-lock.yaml Command execution failed. Process exited with an error: 1
dotcms-postman, core-web/apps/dotcms-ui-e2e and e2e/dotcms-e2e-node still use frontend-maven-plugin's yarn goal. They were explicitly out-of-scope for the core-web → pnpm migration but broke because nodejs-parent stopped installing yarn. Add install-node-and-yarn as a second execution alongside install-node-and-npm. Both share the same installed Node 22, yarn lands at installs/node/yarn/dist/bin/yarn, and pnpm at installs/node/pnpm via corepack. The three modules continue to work without change. Observed on PR #35429 after core-web install succeeded: Failed to execute goal frontend-maven-plugin:1.12.1:yarn (install) on project dotcms-postman: Cannot run program ".../installs/node/yarn/dist/bin/yarn"
dotcms-ui-e2e reuses core-web's node_modules via
workingDirectory=../../ (the e2e.frontend.dir property). After the
core-web migration, that directory has pnpm-lock.yaml instead of
yarn.lock, so the old yarn goal failed with 'info No lockfile found'
and the frozen-lockfile constraint broke the build.
Replace the four frontend-maven-plugin yarn executions (install,
install-playwright, run node script, run post node script) with
exec-maven-plugin executions that invoke ${node.install.dir}/pnpm
directly, mirroring core-web's setup. PATH is prepended with
installs/node so the pnpm shim's Node 22 is used instead of the
runner's default Node 20.
Observed on PR #35429 after core-web build succeeded:
Failed to execute goal frontend-maven-plugin:1.12.1:yarn (install)
on project dotcms-ui-e2e:
Running 'yarn install --frozen-lockfile' in .../core-web
info No lockfile found.
- e2e pom: install libasound2t64 in CI; drop --with-deps (Playwright 1.36 maps it to libasound2, no longer in noble) - bump @angular/* 21.2.1->21.2.4 (XSS GHSA-g93w-mfhg-p222) - bump axios 1.13.6->1.15.0 (CRLF/SSRF CVE-2026-40175, CVE-2025-62718) - bump vite 7.2.7->7.3.2, storybook 10.2.9->10.2.10 - maven-job: enforce pnpm version sync (package.json packageManager vs nodejs-parent/pom.xml pnpm.version) so cache key cannot drift from the pnpm Maven actually invokes - deploy-javascript-sdk: add pnpm store cache (restore + save)
- e2e pom: replace bracketed conditional (sh: 1: [: missing ]) with a fault-tolerant single-quoted apt-get install of libasound2t64; on non-Linux or missing-package the install is skipped via || true, then pnpm exec playwright install runs unconditionally - declare @jest/globals 30.2.0 in devDependencies (sdk-uve and other workspaces import it explicitly; pnpm strict layout did not hoist the transitive copy)
Under yarn the path was node_modules/gridstack/..., but pnpm nests via
node_modules/.pnpm/gridstack@8.4.0/node_modules/gridstack/.... The
existing negative-lookahead only matched the package name immediately
after node_modules/, so pnpm paths slipped through and Jest refused to
parse the ESM source ("Cannot use import statement outside a module").
Wrap the package alternates in (?:...) and prefix with .* so they match
anywhere after node_modules/, mirroring the pattern already used in
edit-ema/{ui,portlet} jest configs.
1 participant
Summary
Replaces Yarn Classic 1.22.22 with pnpm 10.17.1 as the package manager for
core-web. The Dockerfile of the dotCMS image is untouched — the relevant bottleneck is the Maven stage (frontend-maven-plugin) that runsyarn install+nx run-many build, which is now driven by pnpm viaexec-maven-plugin.This PR is draft: please review the migration approach before we promote it to ready.
Local image generated successfully
Why
node_modulesdrops from 3.1 GB to 1.9 GB on disk; pnpm's shared store deduplicates across projects and branches on CI runners.pnpm installis familiar and first-class in Nx/Angular tooling.What changed
packageManager->pnpm@10.17.1;resolutions->pnpm.overrides; addedpnpm.onlyBuiltDependencies(native postinstall allowlist) andpnpm.ignoredOptionalDependencies: [canvas]yarn.lock+.yarnrcremoved;pnpm-lock.yamlgenerated viapnpm import;.npmrcwith the dotCMS registry,fetch-timeout,auto-install-peersprosemirror-{model,state,transform,view},tippy.js,@tiptap/extension-heading,prismjs,@material/{base,dom,mwc-base,mwc-icon,mwc-list,mwc-ripple,ripple}nodejs-parent/pom.xml:install-node-and-npm+ corepack activation of pnpm;core-web/pom.xml: all 7+2yarngoals ->exec-maven-plugincalling${node.install.dir}/pnpmdirectlymaven-job/action.yml: yarn cache steps ->pnpm/action-setup@v4+ pnpm store cache keyed oncore-web/pnpm-lock.yaml;deploy-javascript-sdk/action.yml:yarn install->pnpm install --frozen-lockfile,npx->pnpm execlibs/dotcms-webcomponents/project.json:yarn stencil->pnpm exec stencil;apps/dotcms-ui-e2e/playwright.config.ts:yarn nx run ... serve->pnpm exec nx run ... servecore-web/CLAUDE.md,.github/copilot-instructions.md,.github/instructions/frontend.instructions.mdcore-web/.husky/pre-commit(~540 lines of shell) andcore-web/prepare.js. The hook duplicated CI checks (lint, format, build) on every commit and added 15-30s of local friction. CI continues to enforce these.docs/core/GIT_WORKFLOWS.mdupdated with a short list of optional local commandsLocal verification
Test plan
cd core-web && pnpm install; confirms no surprises with the custom registry../mvnw clean install -DskipTestssucceeds from a clean working tree.deploy-javascript-sdkdry-run (or the next SDK release) completes with the newpnpm install --frozen-lockfilestep.package.jsonphantom-dep additions and confirm each version matches what yarn had pinned.Notes / follow-ups
.claude/worktrees/…) should be aware of an upstream@nx/rollup@22.5.4bug where its internal postcss filter usespicomatch(..., {dot:false})and rejects CSS files under hidden-dir paths. It does not affect normal clones at paths like~/Work/core/core-web. Worth reporting upstream as a separate issue.preparehook was removed,pnpm-lock.yamlchanges must be staged manually (CI will still fail on drift via--frozen-lockfile).