chore: Avoid running postinstall scripts (#13830)

* chore: Avoid running postinstall scripts

These are a security risk, let's not run them if not needed

This might not work because yarn 1 doesn't let us choose what dependencies are allowed to run postinstall scripts. We'll need to migrate to pnpm if we fail to build the app with these changes.

* chore: Migrate to pnpm

yarn is very hard to make it safe after today's supply chain attack, let's use pnpm - same as our main repo

* feat: Add missing dep

This worked when using yarn because a dependency installed this, but this stopped working when using pnpm because it installs files in different places

* chore: Add existing dependencies to list

* fix: Update browserslist

* fix: Fix incorrect advice

* feat: Add all missing deps to package.json

We were previously using yarn and on yarn you can require transitive dependencies because files are installed like this

```
node_modules
  | node
  | posthog-js
  | posthog-js-dependency-i-can-require
```

on pnpm, on the other hand, they're nested, which means we cannot require dependencies we didn't install - which is much saner

This meant we had to install more packages than before to get this to work

* chore: add axios

* chore: sort package.json

* chore: Update pnpm lock

Author: rafaeelaudibert

.cursor/rules/environment-structure.mdc

@@ -12,8 +12,8 @@ It's a static website built on Gatsby and hosted with Vercel.
 
 ## Resources and servers
 
--   Use yarn instead of npm
--   Run the app with `yarn start`. To make sure everything is fresh, run `yarn clean && yarn && yarn start`.
+-   Use pnpm instead of npm
+-   Run the app with `pnpm start`. To make sure everything is fresh, run `pnpm clean && pnpm && pnpm start`.
 -   The site runs on port `8001`. If you need to test something, check if it's already running on that port – no need to spin up a new server if so.
 -   Sometimes the project is run inside a parent folder so a VS Code Workspace can include the squeak-strapi repo in another subfolder. Always verify your directory when searching for files or trying to run commands.
 

.github/workflows/internal-links-check.yml

@@ -32,13 +32,13 @@ jobs:
               uses: actions/setup-node@v4
               with:
                   node-version: '22'
-                  cache: 'yarn'
+                  cache: 'pnpm'
 
             - name: Install dependencies
-              run: yarn install --frozen-lockfile
+              run: pnpm install --frozen-lockfile
 
             - name: Build site
-              run: yarn build
+              run: pnpm build
 
             - name: Check links (console only)
               if: ${{ github.event_name == 'workflow_dispatch' && inputs.save_results == false }}

.gitignore

@@ -1,14 +1,7 @@
 # Project dependencies
 .cache
 node_modules
-yarn-error.log
 .pnp.*
-.yarn/*
-!.yarn/patches
-!.yarn/plugins
-!.yarn/releases
-!.yarn/sdks
-!.yarn/versions
 
 # Build directory
 /public
@@ -27,7 +20,6 @@ static/fonts/MatterSQItalicVF.woff2
 static/fonts/MatterSQVF.woff
 static/fonts/MatterSQVF.woff2
 static/scripts/posthog-init.js
-yarn.lock
 .vercel
 .env
 *Type.ts

.yarnrc

@@ -34,7 +34,7 @@ This is the repository for the PostHog website. It contains:
 
     Install [Node](https://nodejs.org/en/download/) (version 22) - if you installed Node using nvm, you can run `nvm use` to automatically switch to the correct version.
 
-    Install [Yarn](https://yarnpkg.com/getting-started/install). (If you're on a Mac with Apple Silicon and get an error with `-86` in it, you may need to [install Rosetta](https://osxdaily.com/2020/12/04/how-install-rosetta-2-apple-silicon-mac/).)
+    Install `pnpm`. The easiest way to do this is via `corepack use pnpm@latest-10`.
 
 
 2.  **Start developing**
@@ -55,8 +55,8 @@ This is the repository for the PostHog website. It contains:
     Then install the site dependencies, and start it up:
 
     ```bash
-    yarn
-    yarn start
+    pnpm install
+    pnpm start
     ```
 
     > **Tip:** Seeing a discrepancy between local development and staging/production? Preview the production build locally by running `gatsby build && gatsby serve`
@@ -73,15 +73,15 @@ See full instructions on [developing PostHog.com locally in our manual](https://
 
 ### Debugging errors on start
 1. Pull the latest changes from `master`
-2. Run `gatsby clean && yarn start` or delete `node_modules` and `.cache`
+2. Run `gatsby clean && pnpm start` or delete `node_modules` and `.cache`
 3. Check builds are passing in [deployment to Vercel](https://github.com/PostHog/posthog.com/deployments)
 
 ### Working on `/docs/api`?
 
 The site will load the API schema from US Cloud by default. You can override this to use your local PostHog instance with an env var:
 
 ```
-POSTHOG_OPEN_API_SPEC_URL="http://127.0.0.1:8000/api/schema/" yarn start
+POSTHOG_OPEN_API_SPEC_URL="http://127.0.0.1:8000/api/schema/" pnpm start
 ```
 
 
@@ -104,7 +104,7 @@ Currently, these environment variables are excluded from Vercel preview builds t
 
 To develop a dynamic open graph image:
 
-1. Run `yarn build` with both the `ASHBY_API_KEY` and `GITHUB_API_KEY` set.
+1. Run `pnpm build` with both the `ASHBY_API_KEY` and `GITHUB_API_KEY` set.
 1. In `gatsby/onPostBuild.ts`, temporarily comment out the following:
     ```
     if (process.env.VERCEL_GIT_COMMIT_REF !== 'master') return

README.md

@@ -101,7 +101,7 @@ jobs:
                 node-version: 14
 
           - name: Install dependencies
-            run: yarn
+            run: pnpm install
 
           - name: Build and start application
             run: echo "This is where you boot your application for testing"
@@ -150,14 +150,14 @@ jobs:
               with:
                   node-version: 14
 
-            - name: Install package.json dependencies with Yarn
-              run: yarn
+            - name: Install package.json dependencies with Pnpm
+              run: pnpm
 
             - name: Check formatting with prettier
-              run: yarn prettier .
+              run: pnpm prettier .
 
             - name: Lint with ESLint
-              run: yarn eslint .
+              run: pnpm eslint .
 ```
 
 > One thing we've not covered yet is what running jobs on every PR gives us in practice.

contents/blog/automating-a-software-company-with-github-actions.md

@@ -364,7 +364,7 @@ To debug, check for the common issues below:
 You can also try running the formatter script to fix some of the issues:
 
 ```bash
-yarn format:docs
+pnpm format:docs
 ```
 
 This will run the formatter against the current changes.

contents/handbook/content/docs-style-guide.mdx

@@ -31,9 +31,9 @@ Below, we'll explain the two options for option two.
 
     When completed, press any key.
 
-1. In terminal, type `yarn && yarn start` and hit [Enter].
+1. In terminal, type `pnpm install && pnpm start` and hit [Enter].
 
-    ![yarn start](https://res.cloudinary.com/dmukukwp6/image/upload/codespaces_yarn_b02a89ed6b.png)
+    ![pnpm start](https://res.cloudinary.com/dmukukwp6/image/upload/codespaces_yarn_b02a89ed6b.png)
 
     - This will take a while. The last step of the process is "Building development bundle" which will take a few minutes on its own.
     - You may see a dialog that says, "Your application running on port 8001 is available." Don't be enticed by the big green button quite yet.
@@ -89,7 +89,7 @@ In order to run the PostHog website locally, you need the following installed:
 
 -   [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) – version control system
 -   [Node.js](https://nodejs.org/en/download/) (version 22.x) – server runtime
--   [Yarn](https://classic.yarnpkg.com/en/docs/install) (version 1.x) – package manager for Node.js
+-   [pnpm](https://pnpm.io/installation) (version 10.x) – package manager for Node.js
 -   [Apple Rosetta](https://support.apple.com/en-gb/HT211861) (version 2) – dynamic binary translator for Apple silicon
 
 If you are unfamiliar with using Git from the command line (or just prefer graphical interfaces), use the [GitHub Desktop app](https://desktop.github.com/).
@@ -143,7 +143,7 @@ To work on it locally, first you need to clone it to your disk:
 
 ### Running posthog.com locally
 
-If you're using an Apple Silicon Mac (M1+) then you'll need to run the following commands before using yarn:
+If you're using an Apple Silicon Mac (M1+) then you'll need to run the following commands before using pnpm:
 
 ```bash
 rm -rf ./node_modules
@@ -153,27 +153,27 @@ brew install vips
 Type the following into the command line and press return:
 
 ```bash
-yarn
+pnpm install
 ```
 
-This runs the Yarn tool. When run standalone like this, it installs the dependency packages used by posthog.com. This may take a few minutes.
+This installs the dependency packages used by posthog.com. This may take a few minutes.
 
 After initial setup, use the following command to start the development server:
 
 ```bash
-yarn && yarn start
+pnpm install && pnpm start
 ```
 
 This runs the local clone of the website, which you can use to preview changes you make before pushing them live. It takes a bit of time for some file processing and compilation to take place, but once it's completed you can access the locally running version of posthog.com via by visiting `http://localhost:8001` in your web browser.
 
-Any time you want to preview changes you are making to the local version of the website, all you have to do is run the `yarn start` again, wait for the command to finish running and then open `http://localhost:8001` in your web browser.
+Any time you want to preview changes you are making to the local version of the website, all you have to do is run the `pnpm start` again, wait for the command to finish running and then open `http://localhost:8001` in your web browser.
 
 **Troubleshooting**
 
 If the server fails to start, the first troubleshooting step is to clear cache. You can do this (and start the server again) by running:
 
 ```bash
-yarn clean && mkdir .cache && yarn && yarn start
+pnpm clean && mkdir .cache && pnpm install && pnpm start
 ```
 
 ### Environment variables
@@ -538,7 +538,7 @@ After a series of checks are run (to ensure nothing in your pull request breaks
 
 An initial build can take up to 50 minutes to run. After the initial build, subsequent builds should complete in under ~15 minutes. We're limited to two concurrent builds, so if there's a backlog, this process can take longer.
 
-Because Vercel charges per seat, we don't automatically invite all team members to our Vercel account. If your build fails, you can run `yarn build` locally to see what's erroring out. If nothing is erroring locally, it's likely the build timed out in Vercel. The Website & Docs team monitors for failed builds, so they'll re-run it for you. If the build is urgent, give a shout in #team-website-and-docs and someone with Vercel access can trigger a rebuild for you.
+Because Vercel charges per seat, we don't automatically invite all team members to our Vercel account. If your build fails, you can run `pnpm build` locally to see what's erroring out. If nothing is erroring locally, it's likely the build timed out in Vercel. The Website & Docs team monitors for failed builds, so they'll re-run it for you. If the build is urgent, give a shout in #team-website-and-docs and someone with Vercel access can trigger a rebuild for you.
 
 ![Preview branch](https://res.cloudinary.com/dmukukwp6/image/upload/v1710055416/posthog.com/contents/images/docs/contribute/preview-branch.png)
 

contents/handbook/engineering/posthog-com/developing-the-website.md

@@ -37,21 +37,29 @@
         "@amcharts/amcharts5-geodata": "^5.1.5",
         "@dotlottie/react-player": "^1.6.6",
         "@fontsource/source-code-pro": "^4.5.4",
+        "@gatsbyjs/reach-router": "^1.3.9",
         "@headlessui/react": "^1.7.13",
         "@headlessui/tailwindcss": "^0.1.1",
         "@heroicons/react": "^1.0.6",
         "@hubspot/api-client": "^7.1.2",
         "@inkeep/cxkit-react": "^0.5.93",
         "@inkeep/uikit": "^0.3.20",
         "@inkeep/uikit-js": "^0.3.20",
+        "@lexical/utils": "^0.35.0",
+        "@mdx-js/react": "^1.6.22",
         "@mdxeditor/editor": "^3.32.3",
         "@popperjs/core": "^2.11.2",
         "@posthog/hedgehog-mode": "^0.0.41",
         "@posthog/icons": "0.36.0",
         "@radix-ui/react-accordion": "^1.2.3",
+        "@radix-ui/react-collapsible": "^1.1.12",
         "@radix-ui/react-icons": "^1.3.2",
         "@radix-ui/react-menubar": "^1.1.6",
+        "@radix-ui/react-portal": "^1.1.9",
+        "@radix-ui/react-radio-group": "^1.3.8",
+        "@radix-ui/react-scroll-area": "^1.2.10",
         "@radix-ui/react-tabs": "^1.1.4",
+        "@radix-ui/react-toolbar": "^1.1.11",
         "@tailwindcss/container-queries": "^0.1.1",
         "@tanstack/react-virtual": "^3.13.12",
         "@types/lodash.groupby": "^4.6.7",
@@ -61,19 +69,23 @@
         "@wistia/wistia-player-react": "^0.1.17",
         "ahooks": "^3.7.8",
         "algoliasearch": "^4.14.2",
+        "axios": "^1.12.2",
         "chart.js": "^4.3.3",
         "chrome-aws-lambda": "^10.1.0",
         "cloudinary-react": "^1.8.1",
         "clsx": "^2.0.0",
         "cntl": "^1.0.0",
         "core-js": "^3.21.1",
         "dayjs": "^1.11.7",
+        "deepmerge": "^4.3.1",
         "dotenv": "^10.0.0",
         "formik": "^2.2.9",
         "framer-motion": "^4.1.17",
+        "fs-extra": "^10.1.0",
         "fuse.js": "^6.6.2",
         "gatsby": "4.25.9",
         "gatsby-cli": "^4.20.0",
+        "gatsby-link": "^4.25.0",
         "gatsby-plugin-algolia": "^0.26.0",
         "gatsby-plugin-breakpoints": "^1.3.9",
         "gatsby-plugin-feed": "^4.20.0",
@@ -87,7 +99,9 @@
         "gatsby-plugin-react-svg": "^3.1.0",
         "gatsby-plugin-sitemap": "^5.20.0",
         "gatsby-plugin-smoothscroll": "^1.2.0",
+        "gatsby-react-router-scroll": "^5.25.0",
         "gatsby-remark-autolink-headers": "^5.20.0",
+        "gatsby-script": "^1.10.0",
         "gatsby-source-ashby": "^1.0.5",
         "gatsby-source-filesystem": "^4.20.0",
         "gatsby-source-git": "^1.1.0",
@@ -97,6 +111,7 @@
         "glob": "^10.3.10",
         "html-to-image": "^1.11.11",
         "instantsearch.js": "^4.49.1",
+        "is-relative": "^1.0.0",
         "jsdom": "^20.0.0",
         "jspdf": "^3.0.1",
         "kea": "3.1.6",
@@ -105,6 +120,8 @@
         "kea-router": "^3.1.6",
         "kea-typegen": "^3.1.6",
         "keen-slider": "^6.8.6",
+        "lexical": "^0.35.0",
+        "lodash": "^4.17.21",
         "lodash.get": "^4.4.2",
         "lodash.groupby": "^4.6.0",
         "lodash.uniqby": "^4.7.0",
@@ -116,9 +133,12 @@
         "markdown-to-jsx": "^7.4.0",
         "md5": "^2.3.0",
         "mermaid": "^11.4.1",
+        "mitt": "^1.2.0",
         "mobx": "^6.3.13",
         "multiparty": "^4.2.3",
         "node-fetch": "^2.6.1",
+        "node-html-parser": "^5.4.2",
+        "openapi-sampler": "^1.6.1",
         "p-limit": "3.1.0",
         "parse-link-header": "^2.0.0",
         "patch-package": "^8.0.0",
@@ -127,6 +147,7 @@
         "posthog-node": "^4.2.0",
         "prism-react-renderer": "^1.3.5",
         "prismjs": "^1.29.0",
+        "prop-types": "^15.8.1",
         "puppeteer-core": "^13.0.1",
         "qs": "^6.11.1",
         "query-string": "^6.13.1",
@@ -174,6 +195,7 @@
         "request": "^2.88.2",
         "sass": "^1.43.2",
         "scrapingbee": "^1.7.5",
+        "shallow-compare": "^1.2.2",
         "slugify": "^1.6.0",
         "styled-components": "^5.3.3",
         "svg-sprite": "^1.5.0",
@@ -243,13 +265,32 @@
     "resolutions": {
         "undici": "5.26.3"
     },
-    "workspaces": [
-        "plugins/*"
-    ],
     "lint-staged": {
         "*.{html,js,ts,tsx,json,yml,css,scss}": "prettier --write",
         "*.{js,ts,tsx}": "eslint",
         "*.{md,mdx}": "markdownlint-cli2 --fix"
     },
-    "packageManager": "[email protected]"
+    "packageManager": "[email protected]+sha512.21c4e5698002ade97e4efe8b8b4a89a8de3c85a37919f957e7a0f30f38fbc5bbdd05980ffe29179b2fb6e6e691242e098d945d1601772cad0fef5fb6411e2a4b",
+    "pnpm": {
+        "onlyBuiltDependencies": [
+            "@parcel/watcher",
+            "core-js",
+            "core-js-pure",
+            "es5-ext",
+            "esbuild",
+            "fsevents",
+            "gatsby",
+            "gatsby-cli",
+            "gatsby-telemetry",
+            "husky",
+            "lmdb",
+            "msgpackr-extract",
+            "phantomjs-prebuilt",
+            "postinstall-postinstall",
+            "puppeteer",
+            "react-tsparticles",
+            "sharp",
+            "tsparticles-engine"
+        ]
+    }
 }