chore(deps): migrate documentation site to pnpm + update all deps to latest (PER-15242) #925

Merged: zeevmoney merged 8 commits into master from consolidate-dependabot-docs-deps on Jun 24, 2026

Conversation

@zeevmoney zeevmoney commented Jun 24, 2026

Contributor

Fixes Issue

Linear: PER-15242

Supersedes and closes all open Dependabot PRs for the documentation site:

Changes proposed

Four related changes to the /documentation Docusaurus site, in commit order:

1 — Consolidate + secure the Dependabot bumps

The security-relevant deps are taken past Dependabot's proposed versions so their advisories fully clear (per a per-transition security review):

| Package | master | Dependabot | This PR | Why beyond Dependabot |
|---|---|---|---|---|
| axios (direct) | 1.12.2 | 1.13.5 | 1.18.1 | clears proxy MITM, Proxy-Authorization credential leak, no_proxy SSRF, ReDoS |
| lodash | 4.17.21 | 4.17.23 | 4.18.1 | clears _.template code injection; transitive → override |
| node-forge | 1.3.1 | 1.3.2 | (override 1.4.0) | clears signature forgery; not pulled into the latest tree — override kept as a safety net |
| webpack | 5.100.2 | 5.105.0 | 5.107.2 | clears buildHttp SSRF, then latest |
| altcha-lib | 1.3.0 | 1.4.1 | 1.4.1 | clears PoW replay (capped at 1.x by @inkeep's ^1.2.0) |
| mdast-util-to-hast | 13.1.0 | 13.2.1 | 13.2.1 | clears unsanitized class attribute |

2 — Update everything else to latest

| Package | Before | After |
|---|---|---|
| @docusaurus/* (core, preset-classic, theme-mermaid, module-type-aliases) | 3.9.1 | 3.10.1 |
| react / react-dom | 18.3.1 | 19.2.7 (major) |
| @inkeep/cxkit-docusaurus | 0.5.100 | 0.5.119 |
| prism-react-renderer | 2.3.1 | 2.4.1 |
| sass | 1.93.2 | 1.101.0 |

3 — Migrate the package manager from yarn to pnpm

  • packageManager → pnpm@11.9.0 (with corepack integrity hash); yarn.lock removed, pnpm-lock.yaml added.
  • yarn resolutions (node-forge 1.4.0, lodash 4.18.1) → pnpm-workspace.yaml overrides (pnpm v11 no longer reads the package.json pnpm field).
  • The stale npm-style overrides block (got, trim) is dropped — it never applied under yarn (got already resolves to 12.x, well above the old 11.8.5 pin; trim isn't in the tree), so removing it is a no-op on the resolved graph.
  • pnpm-workspace.yaml allowBuilds permits @parcel/watcher (native file-watcher for dev) and blocks core-js (funding-only postinstall), since pnpm blocks dependency build scripts by default.
  • Makefile docs-dev target and documentation/.gitignore updated for pnpm.
  • Added a root netlify.toml pinning the docs deploy to pnpm (base="documentation", command="pnpm build", publish="build"). Netlify auto-installs from pnpm-lock.yaml and provisions pnpm 11.9.0 via the packageManager field, so the production deploy no longer depends on dashboard build settings that still referenced the yarn setup.

4 — Add CI that builds the docs site

Until now no CI built or installed the docs site — the only build was Netlify's production deploy (previews disabled), so docs build breakage was never caught on a PR. Added .github/workflows/docs-build.yml (runs on PRs/pushes touching documentation/** or the workflow itself): corepack enable → pnpm install --frozen-lockfile → pnpm build. The frozen install also catches lockfile drift. Actions are SHA-pinned to release-tag commits, actions/checkout uses persist-credentials: false, and permissions: contents: read. It runs green on this PR, so the pnpm + React 19 build is now validated on clean CI infrastructure, not just locally.

Blast radius is limited to the documentation site build — none of these ship in the OPAL server/client runtime.

Check List

  • I sign off on contributing this submission to open-source
  • My code follows the code style of this project.
  • My change requires changes to the documentation.
  • I have updated the documentation accordingly.
  • All new and existing tests passed.
  • This PR does not contain plagiarized content.
  • The title of my pull request is a short description of the requested changes.

Screenshots

N/A — dependency / tooling change. Site verified building and running locally (see below).

Note to reviewers

How tested (all with pnpm 11.9.0): the new Docs build CI workflow runs pnpm install --frozen-lockfile + pnpm build on this PR and is green — so the Docusaurus 3.10 + React 19 build (webpack 5.107.2) is validated on a clean CI runner. Locally: pnpm build compiles server + client successfully, and pnpm start serves the dev server at HTTP 200 (<title>OPAL</title>). No unit tests apply — this is a dependency/tooling change.

Contributor-facing change: the docs site now uses pnpm, not yarn. Use corepack pnpm install / pnpm build / pnpm start (or make docs-dev). Corepack is enabled via the packageManager field.

Netlify deploy (docs.opal.ac): deploy previews are disabled for this repo — every PR (including non-docs ones) shows a canceled preview — so the Netlify preview itself can't validate the build. The new Docs build CI workflow now covers that gap (green on this PR), and since it proves Corepack + pnpm 11.9.0 build cleanly on a fresh Linux runner, it also de-risks the production deploy. The added netlify.toml pins the production build to pnpm so the post-merge deploy is reproducible and independent of the dashboard; COREPACK_INTEGRITY_KEYS=0 works around a known Corepack signature-fetch failure for newer pnpm on Netlify's build image (the pnpm version is still hash-pinned by packageManager). Still worth a glance at the first production deploy after merge.

⚠️ React 19 is a major upgrade. Docusaurus 3.10 officially supports React ^18 || ^19 and the static build renders every page, but please smoke-test the client-side bits before marking ready — the @inkeep search widget and a Mermaid diagram page — since hydration is where a React-major would regress, not the build.

altcha-lib stays at 1.4.1 (not latest 2.2.0): it is transitive via @inkeep/cxkit-primitives, which declares ^1.2.0 in both its latest stable and dev builds. 1.4.1 is the security-fixed latest within that range; forcing 2.x would override @inkeep against a version it doesn't support — out of scope and risky.

New deprecation surfaced by Docusaurus 3.10: siteConfig.onBrokenMarkdownLinks should move to siteConfig.markdown.hooks.onBrokenMarkdownLinks (removed in Docusaurus v4). Non-breaking now; worth a follow-up.

Other follow-ups (out of scope):

  • Repo has no .github/dependabot.yml — the pip ecosystem is uncovered, so Python deps in packages/opal-* get no automated security updates (GitHub reports 102 vulnerabilities on the default branch). Consider adding pnpm (npm) + pip ecosystems now that the docs site is pnpm.
  • docformatter v1.7.5 pre-commit hook declares language: python_venv, rejected by current pre-commit/prek — pre-commit fails to initialize repo-wide.

Generated with Claude Code

Consolidate the six open Dependabot updates for the /documentation Docusaurus
site into one change, upgrading the security-relevant deps past the
Dependabot-proposed versions to fully clear their known advisories:

- axios              1.12.2  -> 1.18.1  (direct; clears proxy MITM, proxy
                                         credential leak, SSRF, ReDoS)
- node-forge         1.3.1   -> 1.4.0   (resolutions; clears RSA/Ed25519
                                         signature forgery, basicConstraints
                                         chain bypass)
- lodash             4.17.21 -> 4.18.1  (resolutions; clears _.template code
                                         injection)
- webpack            5.100.2 -> 5.105.0 (clears buildHttp SSRF)
- altcha-lib         1.3.0   -> 1.4.1   (clears PoW challenge replay)
- mdast-util-to-hast 13.1.0  -> 13.2.1  (clears unsanitized class attribute)

Supersedes #879, #877, #868, #854, #851, #849. node-forge and lodash are
transitive deps, pinned via yarn resolutions. yarn.lock regenerated with
yarn 1.22.22; validated with --frozen-lockfile and a successful `yarn build`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

linear-code Bot commented Jun 24, 2026


PER-15242


netlify Bot commented Jun 24, 2026


Deploy Preview for opal-docs canceled.

Latest commit: 68bfa8e
Latest deploy log: https://app.netlify.com/projects/opal-docs/deploys/6a3c3fbc332e6f0009c53a06

Bring the rest of the /documentation Docusaurus site dependencies up to
latest, on top of the Dependabot security consolidation:

- @docusaurus/*            3.9.1   -> 3.10.1
- react / react-dom        18.3.1  -> 19.2.7  (major; Docusaurus 3.10 supports React 19)
- @inkeep/cxkit-docusaurus 0.5.100 -> 0.5.119
- prism-react-renderer     2.3.1   -> 2.4.1
- sass                     1.93.2  -> 1.101.0
- webpack                  5.105.0 -> 5.107.2 (transitive)

axios (1.18.1), node-forge (1.4.0) and lodash (4.18.1) are already at latest
from the prior commit. altcha-lib stays at 1.4.1: its consumer @inkeep
declares ^1.2.0, so 2.x cannot be forced without overriding @inkeep.

Validated with yarn install --frozen-lockfile, yarn build, and a local
docusaurus dev server (compiles with webpack 5.107.2, serves HTTP 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@zeevmoney zeevmoney changed the title from "chore(deps): consolidate dependabot bumps for documentation site (PER-15242)" to "chore(deps): update documentation site deps to latest + consolidate Dependabot bumps (PER-15242)" Jun 24, 2026
@zeevmoney zeevmoney marked this pull request as ready for review June 24, 2026 12:21

Copilot AI left a comment


Pull request overview

This PR updates the /documentation Docusaurus site dependency set to current versions, consolidating multiple Dependabot bumps and adding Yarn Classic resolutions to force patched transitive versions for security.

Changes:

  • Bump Docusaurus packages to 3.10.1 and update other docs-site deps (e.g., @inkeep/cxkit-docusaurus, sass, prism-react-renderer).
  • Upgrade react/react-dom to 19.2.7.
  • Add Yarn resolutions to pin transitive node-forge and lodash to patched versions.


Replace yarn 1.22.22 with pnpm 11.9.0 as the documentation site's package
manager:

- packageManager -> pnpm@11.9.0 (with corepack integrity hash)
- yarn.lock removed; pnpm-lock.yaml generated
- yarn `resolutions` (node-forge 1.4.0, lodash 4.18.1) moved to
  pnpm-workspace.yaml `overrides` (pnpm v11 no longer reads the package.json
  `pnpm` field). The stale npm-style `overrides` block (got/trim) is dropped:
  it never applied under yarn (got resolves to 12.x) and trim is not in the tree.
- pnpm-workspace.yaml `allowBuilds` permits @parcel/watcher (native file
  watcher) and blocks core-js (funding-only postinstall), since pnpm blocks
  dependency build scripts by default.
- Makefile `docs-dev` target and documentation/.gitignore updated for pnpm.

Validated: pnpm install, pnpm build (Docusaurus 3.10 + React 19 compile
cleanly) and pnpm start (dev server serves HTTP 200, webpack 5.107.2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
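The pnpm-workspace.yaml that section 3 of the PR description and the commit message above describe, written out as an added example; this is not the file from the PR. The two `overrides` entries and the two `allowBuilds` entries are the ones the PR names; the map form of `allowBuilds` (package name to true/false) is my reading of the description, and the comments are mine.

```yaml
# documentation/pnpm-workspace.yaml (added example, not the PR's file)
#
# pnpm v11 reads overrides from this file, not from a `pnpm` field in
# package.json. An override forces one resolved version for every consumer in
# the tree, regardless of the range each consumer declares. That is why the PR
# pins only the two packages whose patched versions stay inside their
# consumers' ranges, and does not force altcha-lib 2.x past @inkeep's ^1.2.0.
overrides:
  node-forge: 1.4.0   # safety net; the latest tree no longer pulls node-forge
  lodash: 4.18.1      # transitive; fixed version for _.template advisory

# pnpm blocks dependency lifecycle scripts (postinstall etc.) by default, so a
# compromised transitive package cannot run code at install time unless it is
# allow-listed here. Keep this list to packages whose build step is required
# and reviewed; a `false` entry records a deliberate denial.
allowBuilds:
  "@parcel/watcher": true   # native file watcher needed by the dev server
  core-js: false            # its postinstall only prints funding messages
```

With this file in place, `corepack pnpm install --frozen-lockfile` fails rather than silently re-resolving if pnpm-lock.yaml disagrees with package.json, which is the lockfile-drift check the PR relies on in CI. When a new transitive dependency starts requesting a build script, pnpm reports it as ignored instead of running it; review the package before adding it to `allowBuilds`.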
@zeevmoney zeevmoney changed the title from "chore(deps): update documentation site deps to latest + consolidate Dependabot bumps (PER-15242)" to "chore(deps): migrate documentation site to pnpm + update all deps to latest (PER-15242)" Jun 24, 2026
zeevmoney and others added 3 commits June 24, 2026 15:43
The CONTRIBUTING guide told contributors to use `npm install` / `npm run
start` for the documentation site. Update it to pnpm (via Corepack) to match
the package-manager migration, and fix the step that said "docs directory"
while the command navigates to `documentation`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The codespell hook skipped *.json and *.lock, which covered yarn.lock but not
the new pnpm-lock.yaml. codespell then tripped on false positives inside
package hashes/metadata (e.g. "devlop", "trough"). Add *pnpm-lock.yaml to the
skip list (wildcard prefix so it matches the nested documentation/ path, the
same way *.lock did).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Netlify deploy previews are disabled for the repo, so the pnpm migration was
never exercised on Netlify; the production deploy relied on the dashboard
build command, which still referenced the old (yarn) setup. Add a netlify.toml
that pins the build in-repo: base=documentation, command="pnpm build",
publish=build. Netlify auto-runs `pnpm install` from the lockfile and
provisions pnpm@11.9.0 via the packageManager field. COREPACK_INTEGRITY_KEYS=0
works around Corepack's signature-fetch failure for newer pnpm on Netlify's
build image (the version is still hash-pinned by packageManager).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 1 comment.

The docs-dev target called `pnpm` directly, which fails on machines that have
Corepack but no globally installed pnpm (and haven't run `corepack enable`).
Use `corepack pnpm start` so the target runs the pnpm version pinned in
documentation/package.json without prior setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated no new comments.

Nothing in CI built or installed the documentation site; the only build was
Netlify's production deploy (previews disabled), so docs build breakage was
not caught on PRs. This matters now that the site uses pnpm and React 19.

Add a documentation/**-scoped workflow that runs on pull requests and pushes
to the default branch: corepack enable -> pnpm install --frozen-lockfile ->
pnpm build. The frozen install also catches lockfile drift. Actions are
SHA-pinned to their release tags, checkout uses persist-credentials: false,
and permissions are contents: read.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
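A docs-build workflow with the hardening properties that section 4 of the PR description and the commit message above list (path-scoped triggers, `permissions: contents: read`, `persist-credentials: false`, SHA-pinned actions, frozen-lockfile install), as an added example; it is not the PR's `.github/workflows/docs-build.yml`. The action SHAs are placeholders to be replaced with the commit behind the chosen release tag, and the `setup-node` step and Node version are my assumptions, since the page does not name them.

```yaml
# .github/workflows/docs-build.yml (added example, not the PR's file)
name: Docs build

on:
  pull_request:
    paths:
      - "documentation/**"
      - ".github/workflows/docs-build.yml"
  push:
    branches: [master]
    paths:
      - "documentation/**"
      - ".github/workflows/docs-build.yml"

# Least privilege for the GITHUB_TOKEN: a build job only needs to read the
# repository. Nothing here can push, comment, or touch packages/releases.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: documentation
    steps:
      # Pin every action to a full commit SHA rather than a mutable tag, so a
      # retargeted or compromised tag cannot change what runs. The trailing
      # comment records which release the SHA was taken from. The SHAs below
      # are placeholders, not real commits.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          # Do not leave the token in .git/config, where any later step,
          # including dependency build scripts, could read it.
          persist-credentials: false

      # Assumption: a setup-node step to get a current Node release; the
      # pinned pnpm comes from the packageManager field via Corepack.
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          node-version: 22   # assumed; not stated on the page

      - run: corepack enable

      # --frozen-lockfile fails the job if pnpm-lock.yaml and package.json
      # disagree, so lockfile drift is caught on the PR instead of being
      # silently re-resolved on a developer machine or in the deploy.
      - run: pnpm install --frozen-lockfile

      - run: pnpm build
```

The `push` trigger is limited to the default branch so the job only runs on code that is about to be deployed or is under review; the path filters keep unrelated PRs from paying for a docs build. Because install-time scripts are blocked by pnpm unless allow-listed, a new transitive dependency that tries to run a postinstall shows up as an ignored build in this job's log rather than executing with the runner's token.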

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated no new comments.

@zeevmoney zeevmoney merged commit 6a851ca into master Jun 24, 2026
13 checks passed
@zeevmoney zeevmoney deleted the consolidate-dependabot-docs-deps branch June 24, 2026 21:15