chore(deps): migrate documentation site to pnpm + update all deps to latest (PER-15242) #925
Merged
Consolidate the six open Dependabot updates for the /documentation Docusaurus
site into one change, upgrading the security-relevant deps past the
Dependabot-proposed versions to fully clear their known advisories:
- axios 1.12.2 -> 1.18.1 (direct; clears proxy MITM, proxy credential leak, SSRF, ReDoS)
- node-forge 1.3.1 -> 1.4.0 (resolutions; clears RSA/Ed25519 signature forgery, basicConstraints chain bypass)
- lodash 4.17.21 -> 4.18.1 (resolutions; clears _.template code injection)
- webpack 5.100.2 -> 5.105.0 (clears buildHttp SSRF)
- altcha-lib 1.3.0 -> 1.4.1 (clears PoW challenge replay)
- mdast-util-to-hast 13.1.0 -> 13.2.1 (clears unsanitized class attribute)
Supersedes #879, #877, #868, #854, #851, #849. node-forge and lodash are
transitive deps, pinned via yarn resolutions. yarn.lock regenerated with
yarn 1.22.22; validated with --frozen-lockfile and a successful `yarn build`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for opal-docs canceled.
Bring the rest of the /documentation Docusaurus site dependencies up to latest, on top of the Dependabot security consolidation:
- @docusaurus/* 3.9.1 -> 3.10.1
- react / react-dom 18.3.1 -> 19.2.7 (major; Docusaurus 3.10 supports React 19)
- @inkeep/cxkit-docusaurus 0.5.100 -> 0.5.119
- prism-react-renderer 2.3.1 -> 2.4.1
- sass 1.93.2 -> 1.101.0
- webpack 5.105.0 -> 5.107.2 (transitive)

axios (1.18.1), node-forge (1.4.0) and lodash (4.18.1) are already at latest from the prior commit. altcha-lib stays at 1.4.1: its consumer @inkeep declares ^1.2.0, so 2.x cannot be forced without overriding @inkeep.

Validated with yarn install --frozen-lockfile, yarn build, and a local docusaurus dev server (compiles with webpack 5.107.2, serves HTTP 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
This PR updates the /documentation Docusaurus site dependency set to current versions, consolidating multiple Dependabot bumps and adding Yarn Classic resolutions to force patched transitive versions for security.
Changes:
- Bump Docusaurus packages to 3.10.1 and update other docs-site deps (e.g., `@inkeep/cxkit-docusaurus`, `sass`, `prism-react-renderer`).
- Upgrade `react`/`react-dom` to `19.2.7`.
- Add Yarn `resolutions` to pin transitive `node-forge` and `lodash` to patched versions.
Zivxx approved these changes Jun 24, 2026
Replace yarn 1.22.22 with pnpm 11.9.0 as the documentation site's package manager:
- packageManager -> pnpm@11.9.0 (with corepack integrity hash)
- yarn.lock removed; pnpm-lock.yaml generated
- yarn `resolutions` (node-forge 1.4.0, lodash 4.18.1) moved to pnpm-workspace.yaml `overrides` (pnpm v11 no longer reads the package.json `pnpm` field). The stale npm-style `overrides` block (got/trim) is dropped: it never applied under yarn (got resolves to 12.x) and trim is not in the tree.
- pnpm-workspace.yaml `allowBuilds` permits @parcel/watcher (native file watcher) and blocks core-js (funding-only postinstall), since pnpm blocks dependency build scripts by default.
- Makefile `docs-dev` target and documentation/.gitignore updated for pnpm.

Validated: pnpm install, pnpm build (Docusaurus 3.10 + React 19 compile cleanly) and pnpm start (dev server serves HTTP 200, webpack 5.107.2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The CONTRIBUTING guide told contributors to use `npm install` / `npm run start` for the documentation site. Update it to pnpm (via Corepack) to match the package-manager migration, and fix the step that said "docs directory" while the command navigates to `documentation`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The codespell hook skipped *.json and *.lock, which covered yarn.lock but not the new pnpm-lock.yaml. codespell then tripped on false positives inside package hashes/metadata (e.g. "devlop", "trough"). Add *pnpm-lock.yaml to the skip list (wildcard prefix so it matches the nested documentation/ path, the same way *.lock did). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Netlify deploy previews are disabled for the repo, so the pnpm migration was never exercised on Netlify; the production deploy relied on the dashboard build command, which still referenced the old (yarn) setup. Add a netlify.toml that pins the build in-repo: base=documentation, command="pnpm build", publish=build. Netlify auto-runs `pnpm install` from the lockfile and provisions pnpm@11.9.0 via the packageManager field. COREPACK_INTEGRITY_KEYS=0 works around Corepack's signature-fetch failure for newer pnpm on Netlify's build image (the version is still hash-pinned by packageManager). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The docs-dev target called `pnpm` directly, which fails on machines that have Corepack but no globally installed pnpm (and haven't run `corepack enable`). Use `corepack pnpm start` so the target runs the pnpm version pinned in documentation/package.json without prior setup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Nothing in CI built or installed the documentation site; the only build was Netlify's production deploy (previews disabled), so docs build breakage was not caught on PRs. This matters now that the site uses pnpm and React 19. Add a documentation/**-scoped workflow that runs on pull requests and pushes to the default branch: corepack enable -> pnpm install --frozen-lockfile -> pnpm build. The frozen install also catches lockfile drift. Actions are SHA-pinned to their release tags, checkout uses persist-credentials: false, and permissions are contents: read. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes Issue
Linear: PER-15242
Supersedes and closes all open Dependabot PRs for the documentation site (`@babel/core` 7.29.7, `form-data` 4.0.6, `dompurify` 3.4.11, `launch-editor` 2.14.1, `http-proxy-middleware` 2.0.10, `webpack-dev-server` 5.2.5): Bump @babel/core from 7.28.4 to 7.29.7 in /documentation #931, Bump form-data from 4.0.0 to 4.0.6 in /documentation #930, Bump dompurify from 3.3.0 to 3.4.11 in /documentation #929, Bump launch-editor from 2.11.1 to 2.14.1 in /documentation #928, Bump http-proxy-middleware from 2.0.9 to 2.0.10 in /documentation #927, Bump webpack-dev-server from 5.2.2 to 5.2.5 in /documentation #926

Changes proposed

Four related changes to the `/documentation` Docusaurus site, in commit order:

1 — Consolidate + secure the Dependabot bumps

The security-relevant deps are taken past Dependabot's proposed versions so their advisories fully clear (per a per-transition security review):

- `axios` (direct): 1.12.2 → 1.18.1; clears proxy MITM, `Proxy-Authorization` credential leak, `no_proxy` SSRF, ReDoS
- `lodash` (transitive → override): 4.17.21 → 4.18.1; clears `_.template` code injection
- `node-forge` (transitive → override): 1.3.1 → 1.4.0; clears RSA/Ed25519 signature forgery, basicConstraints chain bypass
- `webpack`: 5.100.2 → 5.105.0 (clears `buildHttp` SSRF), then latest 5.107.2
- `altcha-lib`: 1.3.0 → 1.4.1 (clears PoW challenge replay; latest within @inkeep's `^1.2.0`)
- `mdast-util-to-hast`: 13.1.0 → 13.2.1; clears unsanitized `class` attribute

2 — Update everything else to latest

- `@docusaurus/*` (core, preset-classic, theme-mermaid, module-type-aliases): 3.9.1 → 3.10.1
- `react` / `react-dom`: 18.3.1 → 19.2.7 (major; Docusaurus 3.10 supports React 19)
- `@inkeep/cxkit-docusaurus`: 0.5.100 → 0.5.119
- `prism-react-renderer`: 2.3.1 → 2.4.1
- `sass`: 1.93.2 → 1.101.0

3 — Migrate the package manager from yarn to pnpm

- `packageManager` → pnpm@11.9.0 (with corepack integrity hash); `yarn.lock` removed, `pnpm-lock.yaml` added.
- yarn `resolutions` (`node-forge` 1.4.0, `lodash` 4.18.1) → `pnpm-workspace.yaml` `overrides` (pnpm v11 no longer reads the `package.json` `pnpm` field).
- The stale npm-style `overrides` block (`got`, `trim`) is dropped — it never applied under yarn (`got` already resolves to 12.x, well above the old 11.8.5 pin; `trim` isn't in the tree), so removing it is a no-op on the resolved graph.
- `pnpm-workspace.yaml` `allowBuilds` permits `@parcel/watcher` (native file-watcher for dev) and blocks `core-js` (funding-only postinstall), since pnpm blocks dependency build scripts by default.
- `Makefile` `docs-dev` target and `documentation/.gitignore` updated for pnpm.
- `netlify.toml` pinning the docs deploy to pnpm (`base="documentation"`, `command="pnpm build"`, `publish="build"`). Netlify auto-installs from `pnpm-lock.yaml` and provisions pnpm 11.9.0 via the `packageManager` field, so the production deploy no longer depends on dashboard build settings that still referenced the yarn setup.

4 — Add CI that builds the docs site

Until now no CI built or installed the docs site — the only build was Netlify's production deploy (previews disabled), so docs build breakage was never caught on a PR. Added `.github/workflows/docs-build.yml` (runs on PRs/pushes touching `documentation/**` or the workflow itself): `corepack enable` → `pnpm install --frozen-lockfile` → `pnpm build`. The frozen install also catches lockfile drift. Actions are SHA-pinned to release-tag commits, `actions/checkout` uses `persist-credentials: false`, and `permissions: contents: read`. It runs green on this PR, so the pnpm + React 19 build is now validated on clean CI infrastructure, not just locally.

Blast radius is limited to the documentation site build — none of these ship in the OPAL server/client runtime.
Check List
Screenshots
N/A — dependency / tooling change. Site verified building and running locally (see below).
Note to reviewers
How tested (all with pnpm 11.9.0): the new Docs build CI workflow runs `pnpm install --frozen-lockfile` + `pnpm build` on this PR and is green — so the Docusaurus 3.10 + React 19 build (webpack 5.107.2) is validated on a clean CI runner. Locally: `pnpm build` compiles server + client successfully, and `pnpm start` serves the dev server at HTTP 200 (`<title>OPAL</title>`). No unit tests apply — this is a dependency/tooling change.

Contributor-facing change: the docs site now uses pnpm, not yarn. Use `corepack pnpm install` / `pnpm build` / `pnpm start` (or `make docs-dev`). Corepack is enabled via the `packageManager` field.

Netlify deploy (docs.opal.ac): deploy previews are disabled for this repo — every PR (including non-docs ones) shows a canceled preview — so the Netlify preview itself can't validate the build. The new Docs build CI workflow now covers that gap (green on this PR), and since it proves Corepack + pnpm 11.9.0 build cleanly on a fresh Linux runner, it also de-risks the production deploy. The added `netlify.toml` pins the production build to pnpm so the post-merge deploy is reproducible and independent of the dashboard; `COREPACK_INTEGRITY_KEYS=0` works around a known Corepack signature-fetch failure for newer pnpm on Netlify's build image (the pnpm version is still hash-pinned by `packageManager`). Still worth a glance at the first production deploy after merge.

`^18 || ^19` and the static build renders every page, but please smoke-test the client-side bits before marking ready — the @inkeep search widget and a Mermaid diagram page — since hydration is where a React-major would regress, not the build.

`altcha-lib` stays at 1.4.1 (not latest 2.2.0): it is transitive via `@inkeep/cxkit-primitives`, which declares `^1.2.0` in both its latest stable and dev builds. 1.4.1 is the security-fixed latest within that range; forcing 2.x would override @inkeep against a version it doesn't support — out of scope and risky.

New deprecation surfaced by Docusaurus 3.10: `siteConfig.onBrokenMarkdownLinks` should move to `siteConfig.markdown.hooks.onBrokenMarkdownLinks` (removed in Docusaurus v4). Non-breaking now; worth a follow-up.

Other follow-ups (out of scope):
- `.github/dependabot.yml` — the `pip` ecosystem is uncovered, so Python deps in `packages/opal-*` get no automated security updates (GitHub reports 102 vulnerabilities on the default branch). Consider adding pnpm (npm) + pip ecosystems now that the docs site is pnpm.
- `docformatter` v1.7.5 pre-commit hook declares `language: python_venv`, rejected by current `pre-commit`/`prek` — pre-commit fails to initialize repo-wide.

Generated with Claude Code
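The move from yarn `resolutions` to pnpm `overrides` (the package-manager commit message above and section 3 of the description) only protects the site if the pins actually reach the lockfile; the description itself records a stale `overrides` block that never applied under yarn. The script below is an added example, not code from the PR or the OPAL repository. It reads the override pins and the resolved versions from constructed `pnpm-workspace.yaml` and `pnpm-lock.yaml` excerpts and flags a pin that did not take effect or names a package that is not in the tree. The lockfile layout it parses (`name@version:` keys under `packages:`) is an assumption about pnpm lockfile v6/v9; the sample versions reuse the ones stated in the PR, and the integrity strings are placeholders.

```python
"""Verify that pnpm overrides actually took effect in pnpm-lock.yaml.

Added example, not code from the PR or the OPAL project. It reads the override
pins and every resolved version from the lockfile and reports a package that
resolves below its pin, or a pin naming a package that is not in the tree. The
line-based parsing assumes the pnpm lockfile v6/v9 layout (a `packages:`
section keyed `name@version:`), so no YAML library is needed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two pins the PR puts in pnpm-workspace.yaml.
WORKSPACE_YAML = """\
packages:
  - '.'
overrides:
  node-forge: 1.4.0
  lodash: 4.18.1
"""

# Constructed lockfile excerpt: lodash is pinned correctly, but node-forge still
# resolves to the pre-fix 1.3.1, i.e. the override silently did not apply.
LOCK_YAML = """\
lockfileVersion: '9.0'
packages:
  '@docusaurus/core@3.10.1':
    resolution: {integrity: sha512-CONSTRUCTED}
  lodash@4.18.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  node-forge@1.3.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  webpack@5.107.2:
    resolution: {integrity: sha512-CONSTRUCTED}
"""

# Package key: optional quote, optional legacy "/" prefix, name@version, and an
# optional peer-dependency suffix such as "(react@19.2.7)".
_PKG_KEY = re.compile(r"^  (?=\S)(['\"]?)/?(.+?)@([0-9][^'\"(]*?)(?:\([^)]*\))?\1:$")
_OVERRIDE = re.compile(r"^\s+(['\"]?)([^'\":]+)\1:\s*(\S+)")


def parse_overrides(workspace_yaml: str) -> Dict[str, str]:
    """Return {package: pinned_version} from the top-level `overrides:` block.
    Assumes plain package names as keys (no `pkg@range` selectors)."""
    pins: Dict[str, str] = {}
    in_block = False
    for line in workspace_yaml.splitlines():
        if not line.startswith(" "):
            in_block = line.rstrip() == "overrides:"
            continue
        m = _OVERRIDE.match(line) if in_block else None
        if m:
            pins[m.group(2)] = m.group(3).strip("'\"")
    return pins


def parse_lock_packages(lock_yaml: str) -> Dict[str, List[str]]:
    """Return {package: [resolved versions]} from the lockfile `packages:` section."""
    resolved: Dict[str, List[str]] = {}
    in_block = False
    for line in lock_yaml.splitlines():
        if not line.startswith(" "):
            in_block = line.rstrip() == "packages:"
            continue
        m = _PKG_KEY.match(line) if in_block else None
        if m:
            resolved.setdefault(m.group(2), []).append(m.group(3))
    return resolved


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison key on the dotted core; pre-release tags are ignored."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version).group(0)
    return tuple(int(part) for part in core.split("."))


def check_overrides(workspace_yaml: str, lock_yaml: str) -> List[str]:
    """Findings: a pin whose package is absent from the lockfile (a typo or a
    dead pin, like the old `trim` entry), or a resolved version below the pin."""
    findings: List[str] = []
    resolved = parse_lock_packages(lock_yaml)
    for pkg, floor in sorted(parse_overrides(workspace_yaml).items()):
        versions = resolved.get(pkg)
        if not versions:
            findings.append(f"{pkg}: override {floor} set but package not in lockfile")
            continue
        for v in versions:
            if version_tuple(v) < version_tuple(floor):
                findings.append(f"{pkg}: resolved {v} is below override {floor}")
    return findings


if __name__ == "__main__":
    for finding in check_overrides(WORKSPACE_YAML, LOCK_YAML):
        print("FAIL", finding)
```

Run against the real files (`check_overrides(open("pnpm-workspace.yaml").read(), open("pnpm-lock.yaml").read())`) as a CI step next to `pnpm install --frozen-lockfile`: the frozen install proves the lockfile matches the manifest, and this check proves the security pins inside it are the versions the review cleared.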
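Section 4 of the description (and the CI commit message above) names three hardening properties of the new workflow: actions SHA-pinned to release-tag commits, `persist-credentials: false` on `actions/checkout`, and `permissions: contents: read`. The script below is an added example, not the PR's `docs-build.yml` or any OPAL code: it checks a workflow file for those three properties so the same bar can be applied to any workflow in review. The sample workflow is constructed with one passing and one failing job, and its 40-character refs are placeholders standing in for real release-tag commits.

```python
"""Lint a GitHub Actions workflow for the hardening the PR describes.

Added example, not the PR's docs-build.yml or any OPAL project code. The
line-based checker (no YAML library) flags actions not pinned to a commit
SHA, checkout steps that leave `persist-credentials` at its default, and
jobs that run with no explicit `permissions` block. The workflow text below
is constructed.
"""
import re
from typing import Dict, List

SHA_REF = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA, not a tag
USES = re.compile(r"^\s*-\s*uses:\s*([^\s@]+)@(\S+)")
JOB = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")       # two-space-indented job key

# Constructed sample. Job `good` matches the PR's description; job `bad` uses
# floating refs, keeps the token on disk, and declares no permissions. The
# 40-char refs are placeholders, not real commits.
WORKFLOW = """\
name: Docs build
on:
  pull_request:
    paths: ['documentation/**']
jobs:
  good:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2
        with:
          persist-credentials: false
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4.1.0
      - run: corepack enable
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
  bad:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: pnpm build
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> List[str]:
    """Return findings for unpinned actions, checkout steps that keep the
    GITHUB_TOKEN in the local git config, and jobs with no permissions block."""
    findings: List[str] = []
    lines = text.splitlines()
    top_permissions = False
    in_jobs = False
    job = ""
    jobs: List[str] = []
    job_permissions = set()
    checkout_ok: Dict[str, bool] = {}  # job -> "persist-credentials: false" seen

    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped:
            continue
        if not line.startswith(" "):
            in_jobs = stripped == "jobs:"
            if stripped.startswith("permissions:"):
                top_permissions = True
            continue
        if not in_jobs:
            continue
        m = JOB.match(line)
        if m:
            job = m.group(1)
            jobs.append(job)
            continue
        if stripped.startswith("permissions:"):
            job_permissions.add(job)
        m = USES.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_REF.match(ref):
            findings.append(f"{job}: {action}@{ref} is not pinned to a commit SHA")
        if action == "actions/checkout":
            # The step's own keys (with:, env:) are indented deeper than its "-".
            ok = False
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > _indent(line)):
                ok = ok or lines[j].strip() == "persist-credentials: false"
                j += 1
            checkout_ok[job] = ok

    for name in jobs:
        if name in checkout_ok and not checkout_ok[name]:
            findings.append(f"{name}: actions/checkout step does not set persist-credentials: false")
        if not top_permissions and name not in job_permissions:
            findings.append(f"{name}: no permissions block at top level or on the job")
    return findings


if __name__ == "__main__":
    for finding in lint_workflow(WORKFLOW):
        print("FAIL", finding)
```

A tag such as `@v4` can be moved to a different commit by whoever controls the action repository, which is why the PR pins to the commit and keeps the tag only as a trailing comment; the checker accepts exactly that form.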