Update pnpm configuration

[anomiex]

Closes MONOREP-233

Proposed changes:

Pnpm 11 will move most configuration from .npmrc to pnpm-workspace.yaml. We may as well get a head start on that.

Then let's make some changes too:

• save-exact - We stopped having Renovate pin in Update renovatebot/github-action action to v34 #27087. May as well have this match.
• minimumReleaseAge - New setting in 10.16, intended to help avoid installing compromised packages by waiting a day before upgrading.
• trustPolicy - New setting in 10.21, intended to help avoid installing compromised packages by rejecting installation when the new version has no provenance and an older version does.
• trustPolicyExclude - New setting in 10.22, to override trustPolicy when there's a legitimate reason.

This also takes the opportunity to clean up a few things:

• public-hoist-pattern was set to the default value.
• resolution-mode was only changed from 8.0.0–8.6.12. The current value is the default since then.
• use-lockfile-v6 is obsolete.
• Versions of swiper we use no longer have a build script.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

pdWQjU-1tL-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• Build artifacts shouldn't change due to this.
• We should try running renovate on a fork to check that that doesn't break things either.
  • Looks reasonable. It created Update dependency tsup to v8.5.1 - abandoned anomiex/jetpack#46 without issue, and Update dependency svelte to v4.2.20 anomiex/jetpack#45 had an expected artifact update failure.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the update/pnpm-configs branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack update/pnpm-configs

bin/jetpack-downloader test jetpack-mu-wpcom-plugin update/pnpm-configs

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[jp-launch-control]

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report

[tbradsha]

Artifacts look unchanged and CI is happy. A few inline questions for my own education.

[tbradsha]

How will this work with Calypso packages? Does this just mean we need to explicitly state the update version?

[anomiex]

We can set minimumReleaseAgeExclude for them if we want.

I haven't tested, but my guess is that trying to set the minimum version to a less-than-1440-minute old dep will make pnpm raise an error.

[tbradsha]

Yeah, I wonder if we should do this:

minimumReleaseAgeExclude:
- '@automattic/*'

[anomiex]

May as well do it preemptively, I suppose.

[simison]

Added a couple more:

• PNPM config: exclude wp and woo packages from minimum age limit #46124