
AnujChhikara
Member

@AnujChhikara AnujChhikara commented Aug 17, 2025

Date: 20 Aug 2025

Developer Name: @AnujChhikara


Issue Ticket Number

Description

Documentation Updated?

  • Yes
  • No

Under Feature Flag

  • Yes
  • No

Database Changes

  • Yes
  • No

Breaking Changes

  • Yes
  • No

Development Tested?

  • Yes
  • No

Screenshots

Screenshot 1
screen-recording-2025-08-20-at-64322-pm_nfGFdzNM.mp4

Test Coverage

Screenshot 1

Additional Notes

Description by Korbit AI

What change is being made?

Switch from using Yarn to pnpm as the package manager, and upgrade several non-breaking package dependencies in the project.

Why are these changes being made?

Switching to pnpm aims to optimize package management with improved performance and disk space efficiency. Package upgrades ensure compatibility, security compliance, and access to new features, all without introducing breaking changes.



korbit-ai bot commented Aug 17, 2025

Based on your review schedule, I'll hold off on reviewing this PR until it's marked as ready for review. If you'd like me to take a look now, comment /korbit-review.

Your admin can change your review schedule in the Korbit Console


coderabbitai bot commented Aug 17, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbit review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Summary by CodeRabbit

  • Chores
    • Switched project tooling to PNPM, updating scripts and CI to use PNPM commands.
    • Updated Node version to 22.18.0 and aligned engines/Volta config.
    • Upgraded dependencies and added @google-cloud/firestore for runtime.
  • Documentation
    • Replaced Yarn references with PNPM across README and CONTRIBUTING.
    • Updated command examples, lockfile references, and TDD guidance.
  • Tests
    • Updated test commands to PNPM and adjusted related notes in scripts.

Walkthrough

CI workflow updated to Node 22.18.0 and switched from Yarn to PNPM. Documentation replaced Yarn commands with PNPM equivalents. package.json migrated to PNPM (packageManager set), Node/Volta versions updated, scripts changed to PNPM, and multiple dependencies upgraded, including adding @google-cloud/firestore. A test script comment was corrected.

Changes

Cohort / File(s) Summary
CI Workflow (PNPM + Node bump)
.github/workflows/test.yml
Updated Node matrix to 22.18.0; replaced Yarn setup/install/test with PNPM (pnpm/action-setup@v2, v10.14.0) and pnpm install/test steps.
Documentation (PNPM migration)
CONTRIBUTING.md, README.md
Rewrote command references from Yarn to PNPM across install/test/lint/dev flows; updated lockfile references and instructions (including Windows/test guidance and TDD notes).
Package Management and Dependencies
package.json
Set packageManager to [email protected]; engines/Volta updated to Node 22.18.0 and PNPM; scripts switched to PNPM; added @google-cloud/firestore; numerous dependency/devDependency version bumps; added devDependency lodash.
Scripts (comment-only tweak)
scripts/tests/tdd.sh
Updated a comment: yarn test → pnpm test; typo fix (“commiting” → “committing”); no behavioral change.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

Thump-thump goes my coder’s heart, so spry,
We hopped from Yarn to PNPM, oh my!
Node grew a tad, dependencies too,
A lock changed name, the pipeline flew.
With paws on keys and tests that sing,
I nibble carrots—ship the thing! 🥕✨

@AnujChhikara AnujChhikara self-assigned this Aug 18, 2025
@railway-app railway-app bot requested a deployment to production August 20, 2025 12:29 Abandoned
@AnujChhikara AnujChhikara changed the title Chore/package manager upgrade chore: switch to pnpm and upgrade non-breaking packages Aug 20, 2025
@AnujChhikara AnujChhikara added the dependencies Pull requests that update a dependency file label Aug 20, 2025
@AnujChhikara AnujChhikara marked this pull request as ready for review August 21, 2025 10:09

korbit-ai bot commented Aug 21, 2025

Korbit doesn't automatically review large (3000+ lines changed) pull requests such as this one. If you want me to review anyway, use /korbit-review.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/test.yml (1)

16-32: Upgrade core Actions versions and harden PNPM install (actionlint failures, cache, frozen lockfile).
actionlint flags v3 actions as too old; also add caching and a frozen lockfile to avoid accidental lock updates.

Apply this diff:

   strategy:
     matrix:
       node-version: [22.18.0]

   steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: 'pnpm'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
         with:
           version: 10.14.0
-      - run: pnpm install
+      - run: pnpm install --frozen-lockfile
       - run: pnpm test
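Review bot: the step order in this hunk will break the new `cache: 'pnpm'` line. actions/setup-node resolves the pnpm store path by invoking pnpm, so `pnpm/action-setup` must run before `actions/setup-node`, yet the hunk keeps "Setup pnpm" after the "Use Node.js" step. Move the `Setup pnpm` step (with `version: 10.14.0`) above `Use Node.js ${{ matrix.node-version }}`. The `-`/`+` pair for the unchanged `- name: Setup pnpm` line is also noise; only the `uses:` line changes there. `--frozen-lockfile` is the right choice for CI; pnpm already defaults to it when it detects a CI environment, so the explicit flag mainly documents intent and guards against runners where detection fails.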
CONTRIBUTING.md (1)

128-136: Update Node.js prerequisite in CONTRIBUTING.md
The CONTRIBUTING.md file still specifies “Node.js version 8.0 or higher,” but our package.json (engines.node at line 85) and CI workflows (22.18.0 in .github/workflows/test.yml) require Node.js 22.18.0. Please update both instances under “Pre-requisites” to match:

• CONTRIBUTING.md line 128
• CONTRIBUTING.md line 135

Suggested diff:

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -128,7 +128,7 @@ Pre-requisites:
-  - Node.js version 8.0 or higher.
+  - Node.js version 22.18.0 or higher.
   - Java version 1.8 or higher.
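Review bot: "22.18.0 or higher" should be checked against the actual `engines.node` range in package.json before it goes into the prerequisites. The comment above says engines, CI and Volta all state 22.18.0, and a Volta pin is exact; if `engines.node` is also pinned exactly rather than `>=22.18.0`, the docs will promise compatibility with newer Node versions that the manifest refuses. Also, the hunk header claims seven lines of context but only two are shown, so the suggested diff will not apply cleanly as pasted; re-generate it from the file.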

@@ -135,7 +135,7 @@ Pre-requisites:
-  - Node.js version 8.0 or higher.
+  - Node.js version 22.18.0 or higher.
   - Java version 1.8 or higher.
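Review bot: this hunk is byte-for-byte identical to the one at line 128, which means CONTRIBUTING.md carries the same "Pre-requisites" list twice seven lines apart. Rather than patching both copies, consider collapsing them into one list so the Node.js and Java requirements cannot drift apart again on the next toolchain bump.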
package.json (1)

1-94: Critical Security Vulnerabilities Detected — Urgent Dependency Updates Required

After running pnpm audit --prod && pnpm audit --dev, multiple high-severity issues were uncovered in both production and development dependencies. These must be addressed before merging:

jsonwebtoken (prod)
– Current: ^8.5.1 (vulnerable to legacy key usage, signature bypass, forgeable tokens)
– Upgrade to ^9.0.0 (patched in GHSA-8cf7-32gw-wr33, GHSA-hjrf-2m68-5959, GHSA-qwph-4952-7xr6)

express (prod)
– Current: ~4.18.3 (open-redirect, XSS via redirect() and malformed URLs)
– Upgrade to ^4.20.0 or later (patched in GHSA-rv95-896h-c2vc, GHSA-qw6h-vgh9-j6wx)

body-parser (transitive)
– Vulnerable in versions <1.20.3 (Denial-of-Service via URL encoding)
– Ensure >=1.20.3 by bumping Express or adding a direct override (GHSA-qwcr-r2fm-qrc7)

path-to-regexp (transitive)
– Vulnerable in versions <0.1.12 (ReDoS, backtracking regex)
– Ensure >=0.1.12 via Express bump or direct override (GHSA-9wv6-86v2-598j, GHSA-rhx6-c78j-4q9w)

express-boom → boom → hoek (transitive)
hoek <=6.1.3 is subject to prototype pollution
– Upgrade to a boom release that uses a safe hoek, or replace with @hapi/boom (GHSA-c429-5p7v-vgjp)

cross-spawn (dev via pre-commit)
– Versions <6.0.6 vulnerable to ReDoS
– Upgrade to >=6.0.6 (GHSA-3xgq-45jj-v275)

Other dev-tool transitive issues
firebase-tools (express/body-parser/path-to-regexp/send/serve-static/cookie)
– Ensure send >=0.19.0, serve-static >=1.16.0, cookie >=0.7.0, and bump firebase-tools to a release with patched deps

Please update your package.json accordingly and rerun:

pnpm audit --prod && pnpm audit --dev

until no high- or moderate-severity vulnerabilities remain.

Diff example (package.json):

--- a/package.json
+++ b/package.json
@@ dependencies
-"jsonwebtoken": "^8.5.1",
+"jsonwebtoken": "^9.0.0",
-"express": "~4.18.3",
+"express": "^4.20.0",
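Review bot: `"jsonwebtoken": "^9.0.0"` is a major bump, which conflicts with the PR title's "non-breaking packages" scope and needs its own verification. v9 tightens key validation by default (undersized asymmetric keys and mismatched key/algorithm combinations are rejected unless explicitly allowed), so every `sign`/`verify` call site and the keys used in tests need to be checked before merging. For `"express": "^4.20.0"`, note that the range alone does not guarantee the `path-to-regexp >=0.1.12` and `body-parser >=1.20.3` transitive versions listed above; confirm them in the regenerated pnpm-lock.yaml and by re-running `pnpm audit --prod` rather than trusting the range.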
@@ devDependencies
- // ensure pre-commit’s cross-spawn is ≥6.0.6, or update pre-commit/tooling
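Review bot: the `devDependencies` hunk is not an applicable patch. package.json is JSON, so a `-` line removing a `//` comment has nothing to match, and `@@ devDependencies` is not a valid hunk position. The "direct override" the comment itself recommends for transitive packages is a `pnpm.overrides` entry, which pnpm applies to the whole lockfile, e.g.:

"pnpm": { "overrides": { "cross-spawn": ">=6.0.6" } }

The same mechanism covers the `body-parser`, `path-to-regexp` and `hoek` minimums listed above if bumping the parent packages does not pull them in.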
📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between cd129fb and bd9e122.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (5)
  • .github/workflows/test.yml (1 hunks)
  • CONTRIBUTING.md (4 hunks)
  • README.md (5 hunks)
  • package.json (1 hunks)
  • scripts/tests/tdd.sh (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/test.yml

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-23: the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 LanguageTool
README.md

[grammar] ~31-~31: Use correct spacing
Context: ... Development Please install pnpm and volta [Why Volta?](https://docs.volta.sh/guide/...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~44-~44: Make sure you are using the right part of speech
Context: ...ure that the pnpm-lock.yaml file is not update, you will need to use the --frozen-lock...

(QB_NEW_EN_OTHER_ERROR_IDS_21)


[grammar] ~44-~44: Use correct spacing
Context: ... need to use the --frozen-lockfile flag. shell pnpm install --frozen-lockfile #### Confirm correct configuration setup Thi...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~71-~71: Use correct spacing
Context: ...h #### Running a server in Dev mode shell pnpm dev ``` ## What happens in production: - Install p...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~77-~77: Use correct spacing
Context: ... dev ## What happens in production: - Install packages pnpm install ``` ...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~79-~79: There might be a mistake here.
Context: ...ppens in production: - Install packages pnpm install - Run tests pnpm test - Prune de...

(QB_NEW_EN_OTHER)


[grammar] ~85-~85: There might be a mistake here.
Context: ...kages pnpm install - Run tests pnpm test - Prune dev dependencies ``` npm prune --...

(QB_NEW_EN_OTHER)

CONTRIBUTING.md

[grammar] ~4-~4: There might be a mistake here.
Context: ...tting-started) - pnpm Command Reference - Project Structure -...

(QB_NEW_EN)


[grammar] ~15-~15: Use correct spacing
Context: ...](README.md). ## pnpm Command Reference ##### pnpm install Installs all dependencies listed in th...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~19-~19: Use correct spacing
Context: ...cieslisted in the rootpackage.json. ##### pnpm test The script associated withpnpm test` w...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~23-~23: Make sure you are using the right part of speech
Context: ...ith pnpm test will run all tests that ensures that your commit does not break anythin...

(QB_NEW_EN_OTHER_ERROR_IDS_21)


[grammar] ~23-~23: There might be a mistake here.
Context: ...ur commit does not break anything in the repository. This will run the lint, inte...

(QB_NEW_EN)


[grammar] ~24-~24: There might be a mistake here.
Context: ...the repository. This will run the lint, integration and unit tests. ##### pnpm lint Run...

(QB_NEW_EN_OTHER)


[grammar] ~24-~24: Use correct spacing
Context: ...un the lint, integration and unit tests. ##### pnpm lint Runs the lint checks in the project. ##...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~28-~28: Use correct spacing
Context: ...t Runs the lint checks in the project. #####pnpm generate-api-schema Generates the API schema in the filepu...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~32-~32: Use correct spacing
Context: ...ema in the file public/apiSchema.json. ##### pnpm validate-setup Runs the test for checking local develop...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~166-~166: There might be a mistake here.
Context: ...re done, the java process is not killed automatically and when our integration test run it gi...

(QB_NEW_EN_OTHER)


[grammar] ~166-~166: Make sure you are using the right part of speech
Context: ...matically and when our integration test run it gives error. - Error: connect ECONNR...

(QB_NEW_EN_OTHER_ERROR_IDS_21)


[grammar] ~166-~166: There might be a mistake here.
Context: ...ly and when our integration test run it gives error. - Error: connect ECONNREFUSED ::...

(QB_NEW_EN)


[grammar] ~166-~166: There might be a mistake here.
Context: ...our integration test run it gives error. - Error: connect ECONNREFUSED ::1:8081 ##...

(QB_NEW_EN)

🪛 markdownlint-cli2 (0.17.2)
README.md

43-43: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)


77-77: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


81-81: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


87-87: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

CONTRIBUTING.md

17-17: Heading levels should only increment by one level at a time
Expected: h3; Actual: h5

(MD001, heading-increment)

🔇 Additional comments (9)
scripts/tests/tdd.sh (1)

33-33: Doc tweak aligns with PNPM migration — looks good.
The note now correctly points to pnpm. No functional impact.

.github/workflows/test.yml (1)

18-18: Single-version matrix is fine; confirm alignment with engines/Volta.
Matrix pinned to 22.18.0 matches package.json engines and Volta. If you intend to keep multi-version CI in the future, consider adding LTS-1 as a second entry.

CONTRIBUTING.md (1)

149-150: Windows commands updated to PNPM — looks good.
Matches package.json scripts and README guidance.

package.json (6)

5-5: packageManager + Volta pin are consistent.
[email protected] matches Volta and CI config. Good.


9-9: Postinstall compiles TypeScript — confirm intended for production builds.
This will compile during install, before devDependencies are pruned. Fine for Heroku-like flows; ensure build environments with NODE_ENV=production still allow tsc to run.


16-16: test script chains lint/unit/integration — confirm emulator lifecycle.
Since integration follows unit, ensure emulator lifecycle (start/stop) is handled to avoid port conflicts (also referenced in CONTRIBUTING).


85-86: Engines match CI matrix.
Node 22.18.0 is aligned with GitHub Actions workflow and Volta pin.


90-93: Volta pin includes pnpm — nice.
This ensures contributors get the correct toolchain automatically.


20-48: Action Required: Confirm Behavior for Major Dependency Bumps (Helmet 8, Joi 18, Multer 2, Firebase-Admin 13)

Please manually verify that none of these major upgrades introduced unintended behavioral changes in our codebase:

• Helmet (upgraded to v8) is configured in middlewares/index.js via

app.use(helmet({
  contentSecurityPolicy: false,
  dnsPrefetchControl: false,
  /* …other options… */
}));

– Ensure the options you’ve disabled still exist and that no new default headers (or removed ones) affect API surface.
– Confirm that Helmet’s CommonJS import (require('helmet')) remains valid in v8.

• Joi (upgraded to v18) is used extensively in /middlewares/validators/** with patterns like:

const schema = joi.object({
  foo: joi.string().required().messages({ /* … */ }),
  bar: joi.boolean().optional(),
  /* … */
});

– Verify that default validation behavior (e.g. abortEarly, casting, date parsing) remains the same or is adjusted as expected.
– Spot-check a representative validator (e.g. middlewares/validators/events.js) to confirm custom messages still fire correctly.

• Multer (upgraded to v2) is instantiated in utils/multer.js and applied in routes (routes/users.js, routes/badges.js):

const multer = require('multer');
const upload = multer({
  storage: multer.memoryStorage(),
  limits: { fileSize: profileFileSize }
});

– Confirm memoryStorage() and limits.fileSize options are untouched in v2.
– Ensure your instanceof multer.MulterError checks and manually thrown new multer.MulterError('TYPE_UNSUPPORTED_FILE') still work as intended.

• Firebase-Admin (upgraded to v13) is initialized in utils/firestore.js and imported elsewhere:

const admin = require('firebase-admin');
const { Timestamp } = require('firebase-admin/firestore');
/* … */

– Verify that the Firestore initialization (credentials, admin.initializeApp()) and use of Timestamp remain compatible.
– Spot­-check a service (e.g. services/impersonationRequests.ts) that uses Timestamp to ensure no namespace or constructor changes.

If you haven’t already, add or update unit/integration tests covering:
– API response headers generated by Helmet
– Joi validation failures (with custom messages)
– File‐upload errors (Multer limits and unsupported file types)
– Firestore reads/writes involving Timestamp

@MayankBansal12
Member

MayankBansal12 commented Aug 25, 2025

Screenshot from 2025-08-25 12-31-10

@google-cloud/firestore package wasn't present before, how was it working?

@AnujChhikara
Member Author

Screenshot from 2025-08-25 12-31-10 `@google-cloud/firestore` package wasn't present before, how was it working?

We need to install `@google-cloud/firestore` because the latest version of Firestore Admin no longer includes it automatically, and pnpm requires all used packages to be listed directly in your project.

Review comment on README.md, at the "Prune dev dependencies" step:

    pnpm test
    ```

    - Prune dev dependencies
Contributor

@Suvidh-kaushik Suvidh-kaushik Aug 28, 2025


We do not need to prune dev dependencies; we can directly install packages using `pnpm install --prod` in the prod environment.

@railway-app railway-app bot temporarily deployed to website-backend (marvelous-patience / production) August 28, 2025 06:38 Inactive
@railway-app railway-app bot temporarily deployed to triumphant-love (amiable-stillness / production) August 28, 2025 06:38 Inactive