Migrate to pnpm #29

Merged
JarnoRFB merged 3 commits into main from chore-AFC-6663
Mar 5, 2026

@JarnoRFB JarnoRFB commented Mar 5, 2026

Summary by CodeRabbit

  • Chores

    • Migrated project tooling and CI/CD to the pnpm package manager and updated related project scripts and dependencies.
  • Performance

    • Optimized component state selection to reduce unnecessary re-renders.
  • Compatibility

    • Updated runtime and TypeScript module resolution settings for newer toolchain compatibility.

vercel bot commented Mar 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
cash-register-api-example-client | Ready | Preview, Comment | Mar 5, 2026 10:10pm

coderabbitai bot commented Mar 5, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 053f5591-97e7-4147-8db0-adf1e642aaa0

📥 Commits

Reviewing files that changed from the base of the PR and between ba03491 and df22442.

📒 Files selected for processing (5)
  • .github/workflows/check-api-spec.yml
  • .github/workflows/pages.yml
  • .node-version
  • example-client/tsconfig.json
  • example-client/tsconfig.node.json

Walkthrough

This PR migrates the repo from npm to pnpm: GitHub Actions workflows (.github/workflows/check-api-spec.yml and pages.yml) now set up pnpm, cache pnpm lockfile, and run pnpm commands. example-client/package.json adds a pnpm packageManager entry, updates scripts to use pnpm/local tooling, and bumps several deps/devDeps. example-client TypeScript configs switch moduleResolution from "Node" to "Bundler". .node-version is updated from v18 to v22. CashRegisterSimulator.tsx now selects a shallow slice from the zustand store to reduce re-renders.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Out of Scope Changes check | ⚠️ Warning | The CashRegisterSimulator.tsx change introducing useShallow from zustand is unrelated to the pnpm migration objective and appears out of scope. | Consider separating the zustand optimization into a distinct PR focused on render performance improvements rather than mixing it with the package manager migration.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Migrate to pnpm' clearly and concisely summarizes the main change—converting the project to use pnpm as the package manager.
Linked Issues check | ✅ Passed | The PR successfully implements the migration to pnpm across CI workflows, package.json configuration, and component code as required by AFC-6663.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

- name: Checkout
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v4

@aikido-pr-checks aikido-pr-checks bot Mar 5, 2026

3rd party Github Actions should be pinned - medium severity
A third-party GitHub Action was imported, and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks, if the affected GitHub Action is compromised.

Suggested change
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

- name: Setup Pages
uses: actions/configure-pages@v3
- name: Setup pnpm
uses: pnpm/action-setup@v4
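
Review bot: `actions/configure-pages@v3` on the second line of this snippet is referenced by a mutable tag, the same as `pnpm/action-setup@v4` two lines below it. If this workflow is being moved to commit-SHA pins, pin both `uses:` lines and keep the tag as a trailing comment, so that a moved tag cannot change what the Pages job runs.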

@aikido-pr-checks aikido-pr-checks bot Mar 5, 2026

3rd party Github Actions should be pinned - medium severity
A third-party GitHub Action was imported, and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks, if the affected GitHub Action is compromised.

Suggested change
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
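
A check for the pinning rule raised in the two comments above can be run over workflow files before review. This is an added example, not code from this pull request or from Aikido; the function name `find_unpinned`, the set of owners treated as first-party, and the sample workflow (built from the steps quoted in this thread) are assumptions.

```python
import re

# Matches "uses: owner/repo[/path]@ref", optionally preceded by a list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
# Only a full 40-character commit SHA counts as a pin; tags and branches can move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: owners treated as first-party (GitHub-maintained) actions.
FIRST_PARTY_OWNERS = {"actions", "github"}


def find_unpinned(workflow_text, include_first_party=False):
    """Return (line_no, reference) for each action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        # Local actions and container images are not git refs, so skip them.
        if reference.startswith(("./", "docker://")):
            continue
        action, _, ref = reference.partition("@")
        owner = action.split("/", 1)[0]
        if owner in FIRST_PARTY_OWNERS and not include_first_party:
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, reference))
    return findings


# Constructed sample: steps quoted in this thread plus the suggested pinned form.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - name: Setup pnpm
    uses: pnpm/action-setup@v4
  - name: Setup pnpm (pinned)
    uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
  - name: Local action
    uses: ./.github/actions/build
"""

if __name__ == "__main__":
    for line_no, reference in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reference} is not pinned to a commit SHA")
```

Passing `include_first_party=True` also reports tag references under the `actions` and `github` owners, which the default mode leaves out.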

19 Open source vulnerabilities detected - critical severity
Aikido detected 19 vulnerabilities across 11 packages, it includes 4 critical, 2 high, 7 medium and 6 low vulnerabilities.

Remediation: Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/check-api-spec.yml:
- Around line 16-17: The workflow currently uses pnpm/action-setup@v4 which
defaults to the repo root package.json; update the action invocation to point at
the app's package.json so it resolves pnpm@10.20.0 (e.g., add a with:
package-json: example-client/package.json under uses: pnpm/action-setup@v4) so
the correct pnpm version from example-client/package.json is used.

In @.github/workflows/pages.yml:
- Around line 28-29: The pnpm setup step (uses: pnpm/action-setup@v4) doesn’t
specify package_json_file which can cause non-deterministic pnpm version
resolution in this monorepo; update the pnpm/action-setup step to include
package_json_file: example-client/package.json so the action targets the
example-client workspace (matching the job’s working-directory and
cache-dependency-path) and ensures deterministic pnpm version resolution.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d31cfff0-50a9-4cf2-88c1-d38d038f69d7

📥 Commits

Reviewing files that changed from the base of the PR and between bbfd055 and ba03491.

⛔ Files ignored due to path filters (2)
  • example-client/package-lock.json is excluded by !**/package-lock.json
  • example-client/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .github/workflows/check-api-spec.yml
  • .github/workflows/pages.yml
  • example-client/package.json
  • example-client/src/CashRegisterSimulator.tsx
📜 Review details
🔇 Additional comments (2)
example-client/src/CashRegisterSimulator.tsx (1)

35-40: Good state-slice subscription optimization.

Line 35-40 reduces rerenders by subscribing to only the required store fields.

example-client/package.json (1)

25-25: Output parsing is necessary in @asyncapi/cli v1.2.35.

The validate command in v1.2.35 does not return a non-zero exit code on validation failure—it always exits with 0 unless a runtime error occurs (file not found, parse crash, etc.). The current grep-based check for "0 errors" is the required approach to detect validation failures. Removing it would silently pass invalid files.

> Likely an incorrect or invalid review comment.

@JarnoRFB JarnoRFB merged commit 8984900 into main Mar 5, 2026
3 of 4 checks passed