migrate to pnpm #446

Open
infeo wants to merge 8 commits into develop from feature/improve-security

Conversation

infeo (Member) commented May 11, 2026

This PR improves the development security.

It follows suggestions of https://github.com/lirantal/npm-security-best-practices.

The main change is to use pnpm instead of npm for the following reasons:

  • disabling post-install scripts
  • disabling of non-registry transitive dependencies
  • cooldown period for dependency updates
  • pnpm-lock.yaml records integrity per package
  • non-flat node_modules layout prevents phantom dependencies, so a
    compromised transitive cannot be require()-d directly by app code

Changes:

  • pnpm-lock.yaml replacing package-lock.json
  • pnpm-workspace.yaml config added
  • setting packageManager field in package file for corepack setup
  • pre-build check for strange direct dependencies (git or http sources)
  • pre-execution check if npm is still used

Additional changes:

  • add dependabot file
  • update README

Remarks:

  • End of April pnpm 11 was released. The pnpm version will be updated in a later PR.

(Relates to cryptomator/docs#145)
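The two guards the description lists, the pre-build check for non-registry direct dependencies and the pre-execution check that npm is not still being used, as an added example; this is not the PR's own check-pm.js or check-lockfile.sh, the package.json data is constructed, and the npm-detection relies on the npm_config_user_agent variable that npm-compatible package managers export to lifecycle scripts.

```javascript
// Added example, not the PR's check-pm.js or check-lockfile.sh: the two guards the
// description lists, as pure functions over constructed input so they run offline.

// Dependency specifiers that resolve outside the configured registry. Such a direct
// dependency carries no registry integrity hash in the lockfile and is never subject
// to a release-age cooldown, so the pre-build check refuses it.
const NON_REGISTRY = [
  /^git(\+\w+)?:/,               // git:, git+ssh:, git+https:
  /^github:/,                    // github:user/repo
  /^https?:/,                    // tarball fetched from an arbitrary host
  /^file:/, /^link:/,            // local paths (pnpm's own workspace: protocol is allowed)
  /^[\w.-]+\/[\w.-]+(#.*)?$/,    // bare "user/repo" GitHub shorthand
];

function findNonRegistryDeps(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY.some((re) => re.test(spec))) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Every npm-compatible package manager exports npm_config_user_agent to lifecycle
// scripts (e.g. "pnpm/10.33.0 npm/? node/v22.0.0 linux x64"), which lets a preinstall
// or dev script tell whether npm was used despite the packageManager field.
function detectPackageManager(userAgent) {
  const m = /^(pnpm|npm|yarn|bun)\/(\S+)/.exec(userAgent || '');
  return m ? { name: m[1], version: m[2] } : null;
}

function checkPackageManager(userAgent, required = 'pnpm') {
  const pm = detectPackageManager(userAgent);
  if (!pm) return { ok: false, reason: 'npm_config_user_agent is unset; run this through the package manager' };
  if (pm.name !== required) return { ok: false, reason: `expected ${required}, got ${pm.name}@${pm.version}` };
  return { ok: true, reason: `${pm.name}@${pm.version}` };
}

// Constructed sample package.json with three specifiers a registry-only policy rejects.
const SAMPLE_PKG = {
  dependencies: { vue: '^3.5.0', 'left-pad': 'github:someone/left-pad', utils: 'https://example.com/utils.tgz' },
  devDependencies: { vite: '^6.0.0', tooling: 'git+ssh://git@example.com/tooling.git' },
};

for (const f of findNonRegistryDeps(SAMPLE_PKG)) {
  console.error(`non-registry dependency in ${f.field}: ${f.name} -> ${f.spec}`);
}
console.log(checkPackageManager(process.env.npm_config_user_agent).reason);
```

Wired into a preinstall or build script, a non-empty findings list or a failed package-manager check would be the point to exit non-zero.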

coderabbitai Bot (Contributor) commented May 11, 2026

Walkthrough

This pull request migrates the build system from npm to pnpm across the frontend and Keycloak theme, adding package manager enforcement and lockfile validation. Two enforcement scripts verify pnpm usage and lockfile integrity before install. Package.json files declare pnpm@10.33.4 via the packageManager field and run pre-checks in preinstall/dev/build scripts. pnpm-workspace.yaml files establish policies for dependency builds, release age, and registry-only sources. GitHub Actions workflows in build.yml and keycloak.yml switch to pnpm with lockfile checks and frozen-lockfile installs. Dependabot is configured for frontend npm updates. Documentation and gitignore files are updated to reflect pnpm usage.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type:enhancement, ci

Suggested reviewers

  • SailReal
🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Description check: Passed. The pull request description is directly related to the changeset, explaining the rationale for switching to pnpm, detailing specific security benefits, listing all major changes, and referencing external sources.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: Passed. The title 'migrate to pnpm' accurately summarizes the main change—switching the project's package manager from npm to pnpm with associated security improvements.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


infeo (Member, Author) commented May 11, 2026

@coderabbitai review

coderabbitai Bot (Contributor) commented May 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 10: The package.json packageManager entry is pointing to a non-existent
pnpm version; update the "packageManager" field value (in package.json) from
"pnpm@10.33.4" to a valid release such as "pnpm@10.33.0" (or to "pnpm@11.x" if
you intend to upgrade), then commit the change so Corepack can install the
correct pnpm version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 04ecc916-5f35-4962-8813-ff651b3c2c69

📥 Commits

Reviewing files that changed from the base of the PR and between 0e75d1f and 025f608.

⛔ Files ignored due to path filters (4)
  • frontend/package-lock.json is excluded by !**/package-lock.json
  • frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • keycloak/themes/cryptomator/common/resources/package-lock.json is excluded by !**/package-lock.json
  • keycloak/themes/cryptomator/common/resources/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (14)
  • .github/dependabot.yml
  • .github/workflows/build.yml
  • .github/workflows/keycloak.yml
  • frontend/.gitignore
  • frontend/README.md
  • frontend/package.json
  • frontend/pnpm-workspace.yaml
  • frontend/scripts/check-lockfile.sh
  • frontend/scripts/check-pm.js
  • keycloak/themes/cryptomator/common/resources/.gitignore
  • keycloak/themes/cryptomator/common/resources/package.json
  • keycloak/themes/cryptomator/common/resources/pnpm-workspace.yaml
  • keycloak/themes/cryptomator/common/resources/scripts/check-lockfile.sh
  • keycloak/themes/cryptomator/common/resources/scripts/check-pm.js

overheadhunter changed the title from "Feature: Improve security" to "migrate to pnpm" on May 11, 2026
Comment thread on frontend/README.md, at these lines:

- [VSCode](https://code.visualstudio.com/) + [Volar](https://marketplace.visualstudio.com/items?itemName=johnsoncodehk.volar)

## Package Manager

Member: is this the topmost thing we need to tell people in the readme? 😅

Member Author: oi, right, will move the section

coderabbitai Bot (Contributor) commented May 12, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/README.md`:
- Around line 50-52: Update the README wording to refer to "GitHub Dependabot"
instead of just "Dependabot" where the file `.github/dependabot.yml` is
mentioned; edit the sentence that currently reads "Routine bumps land through
Dependabot (monthly grouped minor/patch PRs, configured in
`.github/dependabot.yml`)." to use "GitHub Dependabot" so the reference is
clearer and aligns with platform naming.
- Around line 43-45: The sentence "older than the 3 days" is ambiguous and
grammatically incorrect; update the README text (the sentence referencing the
cooldown rule near "minimumReleaseAgeExclude") to use explicit wording such as
"at least 3 days old" (or similar clear phrasing) so it reads: if the package
version is required, pnpm will resolve to the most recent version that is at
least 3 days old; mention "minimumReleaseAgeExclude" unchanged as the config to
bypass this rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9bdc98d3-df7e-4489-b64f-f53cddc6dc5c

📥 Commits

Reviewing files that changed from the base of the PR and between 025f608 and 536b219.

📒 Files selected for processing (1)
  • frontend/README.md
