chore: v1.39.0 release

.devcontainer/devcontainer.json

@@ -15,7 +15,7 @@
 	// "forwardPorts": [],
 
 	// Use 'postCreateCommand' to run commands after the container is created.
-	// "postCreateCommand": "yarn install",
+	// "postCreateCommand": "pnpm install",
 
 	// Configure tool-specific properties.
 	// "customizations": {},

.env.test

@@ -1,7 +1,5 @@
 # We use these images during sim and e2e tests
-# This is the last version which supports pre/post merge chains in the same network
-# All newer versions only work with post merge chains
-GETH_DOCKER_IMAGE=ethereum/client-go:v1.16.2
+GETH_DOCKER_IMAGE=ethereum/client-go:v1.16.7
 # Use either image or local binary for the testing
 GETH_BINARY_DIR=
 LIGHTHOUSE_DOCKER_IMAGE=ethpandaops/lighthouse:unstable-d235f2c

.github/actions/setup-and-build/action.yml

@@ -8,14 +8,17 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: pnpm/action-setup@v4
+
     - name: Setup Node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: ${{inputs.node}}
         check-latest: true
-        # The hash of yarn.lock file will be used as cache key
-        # So unless our dependencies change, we can reuse the cache
-        cache: yarn
+        # Due to a known issue we have to disable package caching for now
+        # https://github.com/pnpm/pnpm/issues/6234
+        # cache: pnpm
+        package-manager-cache: false
 
     - name: Node.js version
       id: node
@@ -40,19 +43,19 @@ runs:
 
     - name: Install & build
       shell: bash
-      run: yarn install --frozen-lockfile && yarn build
+      run: pnpm install --frozen-lockfile && pnpm build
 
     - name: Check Build
       shell: bash
-      run: yarn check-build
+      run: pnpm check-build
 
     - name: Build bundle
       shell: bash
-      run: yarn build:bundle
+      run: pnpm build:bundle
 
     - name: Check bundle
       shell: bash
-      run: yarn check-bundle
+      run: pnpm check-bundle
 
     - name: Cache build artifacts
       uses: actions/cache@v4

.github/workflows/benchmark.yml

@@ -31,28 +31,9 @@ jobs:
     steps:
       # <common-build> - Uses YAML anchors in the future
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: "./.github/actions/setup-and-build"
         with:
-          node-version: 24
-          check-latest: true
-          cache: yarn
-      - name: Node.js version
-        id: node
-        run: echo "v8CppApiVersion=$(node --print "process.versions.modules")" >> $GITHUB_OUTPUT
-      - name: Restore dependencies
-        uses: actions/cache@v4
-        id: cache-deps
-        with:
-          path: |
-            node_modules
-            packages/*/node_modules
-          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
-      - name: Install & build
-        if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: yarn install --frozen-lockfile && yarn build
-      - name: Build
-        run: yarn build
-        if: steps.cache-deps.outputs.cache-hit == 'true'
+          node: 24
       # </common-build>
 
       # Restore performance downloaded states
@@ -63,7 +44,7 @@ jobs:
           key: perf-states-${{ hashFiles('packages/state-transition/test/perf/params.ts') }}
 
       - name: Run benchmarks
-        run: yarn benchmark
+        run: pnpm benchmark
         env:
           # To download content for tests
           INFURA_ETH2_CREDENTIALS: ${{ secrets.INFURA_ETH2_CREDENTIALS }}

.github/workflows/binaries.yml

@@ -31,12 +31,8 @@ jobs:
       - name: Install arm64 specifics
         if: matrix.arch == 'arm64'
         run: |-
-          # Install missing yarn
-          # See https://github.com/github-early-access/arm-runners-beta/issues/5
-          curl -fsSL --create-dirs -o $HOME/bin/yarn \
-          https://github.com/yarnpkg/yarn/releases/download/v1.22.22/yarn-1.22.22.js
-          chmod +x $HOME/bin/yarn
-          echo "$HOME/bin" >> $GITHUB_PATH
+          # Install missing pnpm
+          curl -fsSL https://get.pnpm.io/install.sh | sh -
           # Install missing build-essential
           sudo apt-get update
           sudo apt-get install -y build-essential python3
@@ -45,8 +41,8 @@ jobs:
           node: 24
       - run: |
           mkdir -p dist
-          yarn global add @chainsafe/caxa@3.0.6
-          npx caxa -m "Unpacking Lodestar binary, please wait..." -e "dashboards/**" -e "docs/**" -D -p "yarn install --frozen-lockfile --production" --input . --output "lodestar" -- "{{caxa}}/node_modules/.bin/node" "--max-old-space-size=8192" "{{caxa}}/node_modules/.bin/lodestar"
+          pnpm add -g @chainsafe/caxa@3.0.6
+          npx caxa -m "Unpacking Lodestar binary, please wait..." -e "dashboards/**" -e "docs/**" -D -p "pnpm clean:nm && pnpm install --frozen-lockfile --prod" --input . --output "lodestar" -- "{{caxa}}/node_modules/.bin/node" "--max-old-space-size=8192" "{{caxa}}/packages/cli/bin/lodestar.js"
           tar -czf "dist/lodestar-${{ inputs.version }}-${{ matrix.platform }}-${{ matrix.arch }}.tar.gz" "lodestar"
       - name: Upload binaries
         uses: actions/upload-artifact@v4

.github/workflows/docs-check.yml

@@ -13,37 +13,19 @@ jobs:
     steps:
       # <common-build> - Uses YAML anchors in the future
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: "./.github/actions/setup-and-build"
         with:
-          node-version: 24
-          cache: yarn
-      - name: Node.js version
-        id: node
-        run: echo "v8CppApiVersion=$(node --print "process.versions.modules")" >> $GITHUB_OUTPUT
-      - name: Restore dependencies
-        uses: actions/cache@v4
-        id: cache-deps
-        with:
-          path: |
-            node_modules
-            packages/*/node_modules
-          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
-      - name: Install & build
-        if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: yarn install --frozen-lockfile && yarn build
-      - name: Build
-        run: yarn build
-        if: steps.cache-deps.outputs.cache-hit == 'true'
+          node: 24
 
       - name: Check wordlist is sorted
         run: scripts/wordlist_sort_check.sh
 
       - name: Build and collect docs
-        run: yarn docs:build
+        run: pnpm docs:build
 
       # Run prettier check after generating the docs
       - name: Check docs format
-        run: yarn docs:lint
+        run: pnpm docs:lint
 
       # Run spellcheck AFTER building docs, in case the CLI reference has issues
       - name: Spellcheck

.github/workflows/docs.yml

@@ -29,11 +29,14 @@ jobs:
         with:
           ref: ${{ env.DEPLOY_REF }}
 
-      - uses: actions/setup-node@v4
+      - name: Install pnpm before setup node
+        uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v6
         with:
           node-version: 24
           check-latest: true
-          cache: yarn
+          cache: pnpm
 
       - name: Node.js version
         id: node
@@ -46,25 +49,25 @@ jobs:
           path: |
             node_modules
             packages/*/node_modules
-          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
+          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/pnpm-lock.yaml', '**/package.json') }}
 
       - name: Install & build
         if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: yarn install --frozen-lockfile && yarn build
+        run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Build
-        run: yarn build
+        run: pnpm build
         if: steps.cache-deps.outputs.cache-hit == 'true'
 
       - name: Build and collect docs
-        run: yarn docs:build
+        run: pnpm docs:build
 
       - name: Lint built docs
-        run: yarn docs:lint:fix
+        run: pnpm docs:lint:fix
 
       - name: Build docs
         working-directory: docs
-        run: yarn && yarn build
+        run: pnpm && pnpm build
 
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3

.github/workflows/publish-dev.yml

@@ -22,12 +22,16 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+
+      - name: Install pnpm before setup node
+        uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v6
         with:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
           check-latest: true
-          cache: yarn
+          cache: pnpm
       - name: Node.js version
         id: node
         run: echo "v8CppApiVersion=$(node --print "process.versions.modules")" >> $GITHUB_OUTPUT
@@ -38,12 +42,12 @@ jobs:
           path: |
             node_modules
             packages/*/node_modules
-          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
+          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/pnpm-lock.yaml', '**/package.json') }}
       - name: Install & build
         if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: yarn install --frozen-lockfile && yarn build
+        run: pnpm install --frozen-lockfile && pnpm build
       - name: Build
-        run: yarn build
+        run: pnpm build
         if: steps.cache-deps.outputs.cache-hit == 'true'
       # </common-build>
       - name: Get version
@@ -61,7 +65,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          yarn lerna version ${{ steps.version.outputs.version }} \
+          pnpm lerna version ${{ steps.version.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -96,7 +100,7 @@ jobs:
         #
         # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
         run: |
-          yarn lerna publish from-package \
+          pnpm lerna publish from-package \
           --yes \
           --no-verify-access \
           --dist-tag next \

.github/workflows/publish-nextfork.yml

@@ -25,12 +25,14 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - name: Install pnpm before setup node
+        uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
           check-latest: true
-          cache: yarn
+          cache: pnpm
       - name: Node.js version
         id: node
         run: echo "v8CppApiVersion=$(node --print "process.versions.modules")" >> $GITHUB_OUTPUT
@@ -41,12 +43,12 @@ jobs:
           path: |
             node_modules
             packages/*/node_modules
-          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
+          key: ${{ runner.os }}-${{ steps.node.outputs.v8CppApiVersion }}-${{ hashFiles('**/pnpm-lock.yaml', '**/package.json') }}
       - name: Install & build
         if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: yarn install --frozen-lockfile && yarn build
+        run: pnpm install --frozen-lockfile && pnpm build
       - name: Build
-        run: yarn build
+        run: pnpm build
         if: steps.cache-deps.outputs.cache-hit == 'true'
       # </common-build>
       - name: Get version
@@ -64,7 +66,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          yarn lerna version ${{ steps.version.outputs.version }} \
+          pnpm lerna version ${{ steps.version.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -99,7 +101,7 @@ jobs:
         #
         # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
         run: |
-          yarn lerna publish from-package \
+          pnpm lerna publish from-package \
           --yes \
           --no-verify-access \
           --dist-tag next \

.github/workflows/publish-rc.yml

@@ -95,7 +95,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          yarn lerna version ${{ needs.tag.outputs.version }} \
+          pnpm lerna version ${{ needs.tag.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -106,7 +106,7 @@ jobs:
           git commit -am "${{ needs.tag.outputs.version }}"
 
       - name: Publish to npm registry
-        run: yarn run release:publish --dist-tag rc
+        run: pnpm run release:publish --dist-tag rc
 
       # In case of failure
       - name: Rollback on failure

.github/workflows/publish-stable.yml

@@ -96,7 +96,7 @@ jobs:
           prerelease: false
 
       - name: Publish to npm registry (release)
-        run: yarn run release:publish
+        run: pnpm run release:publish
 
       # In case of failure
       - name: Rollback on failure

.github/workflows/scripts/reject_yarn_lock_changes.sh → .github/workflows/scripts/reject_pnpm_lock_changes.sh

@@ -1,19 +1,19 @@
-# yarn.lock can be easily modified to plant a backdoor. A regular yarn.lock diff is never audited.
+# pnpm-lock.yaml can be easily modified to plant a backdoor. A regular pnpm-lock.yaml diff is never audited.
 # Article below details the risks and ease of implementation.
 # See https://dev.to/kozlovzxc/injecting-backdoors-to-npm-packages-a0k
 #
-# This script will exit 1 if yarn.lock was modified.
+# This script will exit 1 if pnpm-lock.yaml was modified.
 # A Github action should only run this script for non-high trust contributors.
-# TODO: Mechanism to allow changes once the yarn.lock changes have been audited by the team
+# TODO: Mechanism to allow changes once the pnpm-lock.yaml changes have been audited by the team
 
 
 # From https://stackoverflow.com/questions/10641361/get-all-files-that-have-been-modified-in-git-branch
 MERGE_BASE=$(git merge-base $GITHUB_REF unstable)
 CHANGED_FILES=$(git diff --name-only $GITHUB_REF $MERGE_BASE)
 
 
-if [[ $CHANGED_FILES == *"yarn.lock"* ]]; then
+if [[ $CHANGED_FILES == *"pnpm-lock.yaml"* ]]; then
   AUTHOR_EMAIL=$(git show -s --format='%ae' $GITHUB_REF)
-  echo "yarn.lock modified by external contributor $AUTHOR_EMAIL"
+  echo "pnpm-lock.yaml modified by external contributor $AUTHOR_EMAIL"
   exit 1
 fi