chore: upgrade pnpm to 10.33.2 (#1211)

seratch · web-flow · commit a55eb49ca562 · 2026-04-30T07:34:51.000Z
diff --git a/.agents/skills/pnpm-upgrade/SKILL.md b/.agents/skills/pnpm-upgrade/SKILL.md
@@ -13,37 +13,48 @@ Use these steps to update pnpm and CI pins without blunt search/replace.
    - Try `pnpm self-update`; if pnpm is missing or self-update fails, run `corepack prepare pnpm@latest --activate`.
    - Capture the resulting version as `PNPM_VERSION=$(pnpm -v)`.
 
-2. Align package.json
-   - Open `package.json` and set `packageManager` to `pnpm@${PNPM_VERSION}` (preserve trailing newline and formatting).
-
-3. Find latest pnpm/action-setup tag
+2. Resolve pnpm package integrity
+   - Query npm registry for the exact package integrity: `curl -fsSL "https://registry.npmjs.org/pnpm/${PNPM_VERSION}" | jq -r .dist.integrity`.
+   - Store the result as `PNPM_INTEGRITY`.
+   - Abort if the integrity is missing or does not start with `sha512-`.
+   - Convert the base64 digest after `sha512-` to lowercase hex, for example:
+     ```bash
+     printf '%s' "${PNPM_INTEGRITY#sha512-}" | base64 -d | xxd -p -c 256
+     ```
+   - Store the result as `PNPM_SHA512_HEX`.
+
+3. Align package.json
+   - Open `package.json` and set `packageManager` to `pnpm@${PNPM_VERSION}+sha512.${PNPM_SHA512_HEX}` (preserve trailing newline and formatting).
+
+4. Find latest pnpm/action-setup tag
    - Query GitHub API: `curl -fsSL https://api.github.com/repos/pnpm/action-setup/releases/latest | jq -r .tag_name`.
    - Use `GITHUB_TOKEN`/`GH_TOKEN` if available for higher rate limits.
    - Store as `ACTION_TAG` (e.g., `v4.2.0`). Abort if missing.
 
-4. Resolve the action tag to an immutable commit SHA
+5. Resolve the action tag to an immutable commit SHA
    - Run `git ls-remote https://github.com/pnpm/action-setup "refs/tags/${ACTION_TAG}^{}"` and capture the SHA as `ACTION_SHA`.
    - If the dereferenced tag is missing, fall back to `git ls-remote https://github.com/pnpm/action-setup "refs/tags/${ACTION_TAG}"`.
    - Abort if `ACTION_SHA` is empty.
 
-5. Update workflows carefully (no broad regex)
+6. Update workflows carefully (no broad regex)
    - Files: everything under `.github/workflows/` that uses `pnpm/action-setup`.
    - For each file, edit by hand:
      - Set `uses: pnpm/action-setup@${ACTION_SHA}`.
      - If a `with: version:` field exists, set it to `${PNPM_VERSION}` (keep quoting style/indent).
    - Do not touch unrelated steps. Avoid multiline sed/perl one-liners.
 
-6. Verify
-   - Run `pnpm -v` and confirm it matches `packageManager`.
+7. Verify
+   - Run `pnpm -v` and confirm it matches the version portion of `packageManager`.
+   - Confirm `packageManager` keeps the exact `+sha512.${PNPM_SHA512_HEX}` suffix.
    - `git diff` to ensure only intended workflow/package.json changes.
 
-7. Follow-up
+8. Follow-up
    - If runtime code/build/test config was changed (not typical here), run `$code-change-verification`; otherwise, a light check is enough.
    - Commit with `chore: upgrade pnpm toolchain` and open a PR (automation may do this).
 
 ## Notes
 
-- Tools needed: `curl`, `jq`, `node`, `pnpm`/`corepack`. Install if missing.
+- Tools needed: `curl`, `jq`, `base64`, `xxd`, `node`, `pnpm`/`corepack`. Install if missing.
 - Keep edits minimal and readable—prefer explicit file edits over global replacements.
 - GitHub Actions must stay pinned to commit SHAs, not tags. Use the latest release tag only to discover the commit SHA to pin.
 - If GitHub API is rate-limited, retry with a token or bail out rather than guessing the tag.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -37,7 +37,7 @@ jobs:
           # with:
           # path: . # The root location of your Astro project inside the repository. (optional)
           # node-version: 20 # The specific version of Node that should be used to build your site. Defaults to 20. (optional)
-          package-manager: pnpm@10.33.0 # The Node package manager that should be used to install dependencies and build your site. Automatically detected based on your lockfile. (optional)
+          package-manager: pnpm@10.33.2 # The Node package manager that should be used to install dependencies and build your site. Automatically detected based on your lockfile. (optional)
 
   deploy:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
diff --git a/package.json b/package.json
@@ -92,5 +92,5 @@
       "@types/node": "22.19.13"
     }
   },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+  "packageManager": "pnpm@10.33.2+sha512.a90faf6feeab71ad6c6e57f94e0fe1a12f5dcc22cd754db40ae9593eb6a3e0b6b12e3540218bb37ae083404b1f2ce6db2a4121e979829b4aff94b99f49da1cf8"
 }

Original file line number	Diff line number	Diff line change
`@@ -92,5 +92,5 @@`
`92`	`92`	`"@types/node": "22.19.13"`
`93`	`93`	`}`
`94`	`94`	`},`
`95`		`- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"`
	`95`	`+ "packageManager": "pnpm@10.33.2+sha512.a90faf6feeab71ad6c6e57f94e0fe1a12f5dcc22cd754db40ae9593eb6a3e0b6b12e3540218bb37ae083404b1f2ce6db2a4121e979829b4aff94b99f49da1cf8"`
`96`	`96`	`}`