
chore: upgrade pnpm to v11 #2872

Draft
comatory wants to merge 1 commit into main from ondrej/eng-9515-upgrade-pnpm-to-v11

Conversation

Contributor

@comatory comatory commented May 15, 2026

Upgrades pnpm to version 11. This version comes with good security defaults via minimumReleaseAge,
which can help avoid installing the latest versions if a supply chain attack somehow happens.

We also need to strictly approve post-install scripts, and some of the settings had to be
migrated from .npmrc to pnpm-workspace.yaml.

This version requires Node 22, so Docker images have been bumped to newer Node versions as well.
Our CI scripts read our package version, so they will automatically pick up this new version.

Note

To upgrade your local machine, install corepack with npm i --global corepack if you don't
have it. Then, on the branch, run pnpm clean and make, which will take a while because
the new version uses a different lock file format and a new path, so it will need to re-download
the deps.

Important changes:

  • overrides stay in pnpm-workspace.yaml instead of a field in package.json

Summary by CodeRabbit

  • Chores
    • Updated package manager version requirements across the project
    • Refreshed workspace dependency configurations and build environment specifications


Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/docs-website.
  • I have read the Contributors Guide.

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

Contributor

coderabbitai Bot commented May 15, 2026

Walkthrough

pnpm is upgraded from version 9 to 11.1.2 throughout the repository. Root configuration in .npmrc is simplified, package.json engine and packageManager fields are updated, pnpm-workspace.yaml gains workspace-level settings including dependency overrides and patches, and all service and test Dockerfiles are updated to use the new pnpm version in their build stages.

Changes

pnpm 11.1.2 upgrade

Layer: Root configuration and workspace settings
File(s): .npmrc, package.json, pnpm-workspace.yaml
Summary: .npmrc is reduced to provenance=true and the registry URL, removing peer dependency and workspace-specific settings. The root package.json engine requirement and packageManager field are updated to 11.1.2. pnpm-workspace.yaml gains workspace-level pnpm configuration including fetchRetries, ignoreWorkspaceRootCheck and dedupePeerDependents toggles, broad dependency overrides for pinned versions, patchedDependencies for graphql@16.9.0, and an allowBuilds allowlist for specific native packages.

Layer: Docker build image updates
File(s): admission-server/Dockerfile, cdn-server/Dockerfile, client-tests/apollo-js/Dockerfile, controlplane/Dockerfile, studio/Dockerfile
Summary: All service Dockerfiles update their builder-stage global pnpm installation from version 9 to 11.1.2, with trailing whitespace adjustments in the apollo-js test configuration.

Layer: Workspace package manager specifications
File(s): client-tests/apollo-js/package.json, client-tests/mcp-ts/package.json
Summary: Client-test workspace package.json files update their packageManager field from pnpm@9.12.3 to pnpm@11.1.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • wundergraph/cosmo#2818: GitHub Action that derives pnpm version from the repository's packageManager field to ensure consistent CI builds with the pinned pnpm 11.1.2 version.
🚥 Pre-merge checks: 5 passed

  • Title check: ✅ Passed. The title 'chore: upgrade pnpm to v11' clearly and concisely summarizes the main change across all modified files, which consistently upgrade pnpm from v9 to v11.1.2.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.


@github-actions

playground - uncommitted changes detected

Seems like you forgot to commit some code. Possible causes:

  • Generated code not part of the PR, fix with: make generate and commit the changes
  • Dependency mismatch for tools (protoc, etc.). Ensure your local machine has the same versions of tools as CI does
  • Formatting drift, fix with make format playground / pnpm format playground

Dirty files
  • router/internal/graphiql/graphiql.html


codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.36%. Comparing base (4c91d4f) to head (9ba14f2).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2872      +/-   ##
==========================================
- Coverage   46.44%   40.36%   -6.08%     
==========================================
  Files        1085      787     -298     
  Lines      146038   105325   -40713     
  Branches     9389     5480    -3909     
==========================================
- Hits        67830    42518   -25312     
+ Misses      76454    61057   -15397     
+ Partials     1754     1750       -4     

see 341 files with indirect coverage changes



github-actions Bot commented May 15, 2026

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-cdddbae05bc1dbefea626bc40359a4383c99d55d

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@client-tests/apollo-js/Dockerfile`:
- Line 5: The Dockerfile currently activates pnpm@11.1.2 on a Node 20 base which
is incompatible; update the Dockerfile base image from Node 20 (e.g.,
node:20-alpine) to Node 22 (e.g., node:22-alpine) so the existing RUN corepack
enable && corepack prepare pnpm@11.1.2 --activate works correctly; keep the RUN
line as-is but ensure the FROM line references Node 22 so pnpm 11 is supported.

In `@pnpm-workspace.yaml`:
- Around line 31-44: The override entries using constraint ranges (e.g., debug:
<4.4.2, supports-color: <10.2.1, wrap-ansi: <9.0.1, etc.) are malformed and will
be ignored; update the override block so each package key maps to an exact
version or use the range-selector syntax. Replace each line like debug: <4.4.2
with either debug: 4.4.2 (exact version) or the selector format "debug@<4.4.2":
"4.4.2", and do the same for supports-color, wrap-ansi, color-convert,
color-name, is-arrayish, slice-ansi, color, color-string, simple-swizzle,
supports-hyperlinks, has-ansi, chalk-template, backslash to ensure pnpm applies
the overrides.

📥 Commits

Reviewing files that changed from the base of the PR and between dfd3089 and 9ba14f2.

⛔ Files ignored due to path filters (2)
  • client-tests/apollo-js/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .npmrc
  • admission-server/Dockerfile
  • cdn-server/Dockerfile
  • client-tests/apollo-js/Dockerfile
  • client-tests/apollo-js/package.json
  • client-tests/mcp-ts/package.json
  • controlplane/Dockerfile
  • package.json
  • pnpm-workspace.yaml
  • studio/Dockerfile


# Install pnpm
RUN corepack enable && corepack prepare pnpm@latest --activate
RUN corepack enable && corepack prepare pnpm@11.1.2 --activate
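Review bot: this RUN line hardcodes 11.1.2 in the image while the PR description says CI derives the pnpm version from package.json, and the walkthrough lists five Dockerfiles receiving the same edit; the next bump has to touch every copy, and any copy that is missed silently builds with a different pnpm than the lock file was written with. Consider having the build stage read the version from the `packageManager` field (or receive it as a build ARG from CI) so the lock file, CI and every image agree on one pinned version. Moving from pnpm@latest to an exact version is the right direction: an unpinned `latest` in a builder stage is exactly the kind of floating dependency the minimumReleaseAge setting in this PR is meant to avoid.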
Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the minimum supported Node.js version for pnpm 11.x, and does pnpm 11.1.2 support Node 20?

💡 Result:

The minimum supported Node.js version for pnpm 11.x is Node.js 22 [1][2][3]. pnpm 11.x, including version 11.1.2, does not support Node.js 20 [1][2][3]. Support for Node.js 18, 19, 20, and 21 was dropped in the pnpm 11.0.0 release, as pnpm transitioned to being a pure ESM (ECMAScript Module) package [1][2]. Consequently, you must use Node.js 22 or newer to run pnpm 11.x [2][3].


pnpm 11 is incompatible with Node 20; update the Dockerfile base image to Node 22.

The Dockerfile activates pnpm v11.1.2 on a Node 20-alpine base image, but pnpm 11.x requires Node.js 22 or newer (support for Node 18–21 was dropped in pnpm 11.0.0 due to the transition to pure ESM). Update the base image to Node 22 to ensure the test environment is compatible.

Proposed fix
-FROM node:20-alpine
+FROM node:22-alpine
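Review bot: the walkthrough lists four other Dockerfiles updated to pnpm 11.1.2 in this PR (admission-server, cdn-server, controlplane, studio); confirm that each of their FROM lines is also on a Node 22 image, since the same corepack activation fails on a Node 20 base, and a builder stage that activates pnpm 11 on Node 20 would break the build rather than fall back quietly.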

Comment thread pnpm-workspace.yaml
Comment on lines +31 to +44
debug: <4.4.2
supports-color: <10.2.1
wrap-ansi: <9.0.1
color-convert: <3.1.1
color-name: <2.0.1
is-arrayish: <0.3.3
slice-ansi: <7.1.1
color: <5.0.1
color-string: <2.1.1
simple-swizzle: <0.2.3
supports-hyperlinks: <4.1.1
has-ansi: <6.0.1
chalk-template: <1.1.1
backslash: <0.2.1
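Review bot: every value in this block is a bare upper bound (`<4.4.2`, `<10.2.1`, ...), so, where pnpm accepts a range as an override value, the entry resolves to the newest release below the bound rather than enforcing a minimum; that matches the PR description's goal of not pulling in a freshly published release, but it is a ceiling that also blocks every later fixed version of these packages. State the intent in the file: a comment per entry naming the release the bound excludes and when the entry can be dropped, or, if a security floor is what is wanted, the selector form `"debug@<4.4.2": "4.4.2"` already quoted in the review above. Either way, add a CI check that fails when the resolved version of one of these packages still falls outside the intended range, so an override that pnpm ignores does not pass unnoticed.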
Contributor


⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

In pnpm v11 overrides, does a constraint like debug: <4.4.2 force versions lower than 4.4.2? What is the correct override pattern to enforce patched minimum versions?

💡 Result:

In pnpm v11, the overrides configuration must be defined in pnpm-workspace.yaml rather than package.json [1][2]. Regarding your specific question about the constraint debug: <4.4.2:

1. Does it force versions lower than 4.4.2? No. An override definition like debug: <4.4.2 does not "force" versions lower than 4.4.2; rather, it instructs pnpm to replace any version of debug that matches the range <4.4.2 with the version specified in the value side of the override [3][4]. If you provide a range as the value (e.g., debug: <4.4.2: ^4.4.2), you are telling pnpm to replace any version of debug that is less than 4.4.2 with a version that satisfies the ^4.4.2 range [3][4].

2. What is the correct pattern to enforce patched minimum versions? To enforce a minimum version (e.g., ensuring debug is at least 4.4.2), you should use an override that targets the vulnerable or outdated range and replaces it with a secure version [3][4]. The recommended pattern is:

    # pnpm-workspace.yaml
    overrides:
      "debug@<4.4.2": "4.4.2"

This tells pnpm: "For any dependency on debug where the requested version is less than 4.4.2, force the installation of version 4.4.2 instead" [3][4].

Important considerations:

  • Configuration Location: Ensure your overrides block is in pnpm-workspace.yaml. pnpm v11 silently ignores overrides defined in the pnpm field of package.json [1][2].
  • Range Matching: pnpm's override logic requires the original dependency's requested range to intersect with the range defined in the override key for the override to trigger [5]. If you find an override is not being applied, ensure the selector (e.g., debug@<4.4.2) correctly captures the versions currently being resolved in your dependency tree [5][6].
  • Alternatives: If you need to modify the contents of a package rather than just its version, use pnpm patch instead of overrides [7].


🏁 Scripts executed (repository: wundergraph/cosmo):

fd -name "pnpm-workspace.yaml" -type f
fd "pnpm-workspace.yaml" -type f
fd "pnpm-workspace.yaml"
cat -n pnpm-workspace.yaml


Override values on lines 31-44 are malformed and won't apply.

These entries use constraint ranges (e.g., debug: <4.4.2) as override values, but pnpm requires either exact versions (like debug: 4.4.2 on line 26) or the range-selector syntax (e.g., "debug@<4.4.2": "4.4.2"). Using a bare range as the value is invalid and these overrides will be ignored. To enforce patched minimum versions, replace lines 31-44 with exact versions (matching your security floor intent) or use the quoted selector format.

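The override forms discussed in the PR description and in the review above, as an added Python check that is not part of the cosmo repository: it reads the flat `overrides:` mapping from a pnpm-workspace.yaml and labels each entry as an exact pin, a selector floor, a bare `<x.y.z` ceiling, or a range, so a reviewer can see at a glance which entries cap a package below a version instead of raising it. The sample workspace text, its package names and versions are constructed for the example.

```python
import re

EXACT = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample (not the repository's file) mixing the forms seen on this PR.
SAMPLE_WORKSPACE = """\
packages:
overrides:
  semver: 7.7.2
  "debug@<4.4.2": 4.4.2
  supports-color: <10.2.1
  "@types/node": ^22.0.0
"""


def parse_overrides(workspace_yaml: str) -> dict[str, str]:
    """Read the flat `overrides:` mapping; a purpose-built reader, not a YAML loader."""
    result: dict[str, str] = {}
    base_indent = None
    for line in workspace_yaml.splitlines():
        stripped = line.strip()
        if base_indent is None:
            if stripped == "overrides:":
                base_indent = len(line) - len(line.lstrip())
            continue
        if not stripped or stripped.startswith("#"):
            continue
        if len(line) - len(line.lstrip()) <= base_indent:
            break  # dedent closes the block
        key, _, value = stripped.partition(":")
        result[key.strip().strip("'\"")] = value.strip().strip("'\"")
    return result


def classify(key: str, value: str) -> dict:
    """Label one override; a bare `<x.y.z` value caps the package, it sets no floor."""
    scoped = key.startswith("@")
    name, _, selector = (key[1:] if scoped else key).partition("@")
    entry = {"package": "@" + name if scoped else name, "selector": selector or None, "value": value}
    if EXACT.match(value):
        entry["kind"] = "floor" if selector else "pin"  # selector: only the matching range is replaced
    elif value.startswith("<"):
        entry["kind"] = "ceiling"  # resolves to the newest version below the bound
        entry["bound"] = value.lstrip("<=").strip()
    else:
        entry["kind"] = "range"
    return entry


def audit_overrides(workspace_yaml: str) -> list[dict]:
    """Classified entries; 'ceiling' ones deserve a comment naming what they exclude and why."""
    return [classify(k, v) for k, v in parse_overrides(workspace_yaml).items()]
```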
