chore: switch from npm to pnpm (0.2.4)#16
Merged
Merged
Conversation
Motivated by recent npm supply-chain incidents; pnpm's content-addressable store and stricter dependency isolation reduce blast radius. Changes: - Root + scripts/ now use pnpm-lock.yaml (replaces package-lock.json). - `packageManager: "pnpm@10.9.0"` added to both package.json files so Corepack auto-resolves the right pnpm version. Node >= 16.13 ships Corepack, so users don't need pnpm globally installed. - .github/workflows/ci.yml uses pnpm/action-setup@v4 + setup-node with cache: "pnpm", then `pnpm install --frozen-lockfile` + `pnpm run` for build/test/smoke. - Plugin `postinstall` uses `corepack pnpm install --prod --frozen-lockfile` so end-users installing via Claude Code's /plugin install get a deterministic pnpm-backed dep tree. - README + AGENTS.md + src/AGENTS.md updated to reference pnpm. No runtime behavior change: spans, hooks, and plugin attributes are unchanged. Build/distribution-system migration only. Local verification: pnpm run ci passes (415/415 tests + tsc + smoke). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joshkop
added a commit
that referenced
this pull request
May 20, 2026
The Conversations view stayed empty even after 0.2.2 added gen_ai.conversation.id to every span. Root cause: Sentry's Conversations data pipeline only ingests gen_ai.* spans when the SDK's streamGenAiSpans option is enabled, and that option was added in @sentry/node 10.53.0 (we were on 9.47.1). - Bump @sentry/node from ^9.0.0 to ^10.53.1 (root + scripts/). - Add streamGenAiSpans: true to Sentry.init. - Version bump to 0.2.5 in all three files per release-version-files memory. Rebased onto pnpm-based main (0.2.4 already shipped via #16). Verified: pnpm run ci passes (typecheck + 415/415 vitest + smoke). Ref: getsentry/sentry-javascript#20785 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joshkop
added a commit
that referenced
this pull request
May 20, 2026
The Conversations view stayed empty even after 0.2.2 added gen_ai.conversation.id to every span. Root cause: Sentry's Conversations data pipeline only ingests gen_ai.* spans when the SDK's streamGenAiSpans option is enabled, and that option was added in @sentry/node 10.53.0 (we were on 9.47.1). - Bump @sentry/node from ^9.0.0 to ^10.53.1 (root + scripts/). - Add streamGenAiSpans: true to Sentry.init. - Version bump to 0.2.5 in all three files per release-version-files memory. Rebased onto pnpm-based main (0.2.4 already shipped via #16). Verified: pnpm run ci passes (typecheck + 415/415 vitest + smoke). Ref: getsentry/sentry-javascript#20785 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Recent npm supply-chain incidents motivate moving to pnpm for:
What changes
npm install+package-lock.jsonpnpm install+pnpm-lock.yamlscripts/depsnpm install+scripts/package-lock.jsonpnpm install+scripts/pnpm-lock.yamlnpm ci,npm test,npm run buildpnpm/action-setup@v4→pnpm install --frozen-lockfile→pnpm test/pnpm run buildcd scripts && npm installcd scripts && corepack pnpm install --prod --frozen-lockfilepackageManagerfield"pnpm@10.9.0"in bothpackage.jsonfilesEnd-users don't need pnpm globally installed: Corepack (bundled with Node ≥ 16.13) auto-resolves the version declared in
packageManager.What doesn't change
/plugin install ...) is unchanged; just the underlying dep manager swaps.Test Plan
Local (green):
pnpm installclean at root + scripts/pnpm run ci— typecheck + 415/415 vitest tests + smoke all passPost-merge:
v0.2.4/plugin updateon a real machine → postinstall runscorepack pnpm installsuccessfullyFollow-up
PR #15 (
streamGenAiSpansfor Conversations view) is held until this lands, then rebased on top of pnpm-based main. The two changes touch the same lockfile space and shouldn't share a PR.🤖 Generated with Claude Code