
Migrate from npm CLI to pnpm#1211

Merged
saulecabrera merged 2 commits into
bytecodealliance:mainfrom
saga-dasgupta:sd.pnpm_migration
May 21, 2026

Conversation

@saga-dasgupta
Contributor

@saga-dasgupta saga-dasgupta commented May 20, 2026

Summary

  • Switch the javy npm package and the WPT harness from the npm CLI to pnpm, replacing both package-lock.json files with pnpm-lock.yaml.
  • Pin pnpm@10.28.0 via the packageManager field so local dev and CI use the same version, and add pnpm/action-setup@v4 to the three workflows that touched npm.
  • Update the Makefile test-wpt-ci target and contributor READMEs to use pnpm invocations.

The package continues to publish to the npm registry as javy; only the CLI used to install and run scripts changes. Dependabot's package-ecosystem: npm entry stays — it reads pnpm-lock.yaml natively.

Motivation

Improve supply-chain security for Javy's JS tooling. pnpm mitigates several classes of npm supply-chain risk: it refuses to execute install scripts from transitive dependencies by default, uses a content-addressed store that detects tampered tarballs across projects, and enforces strict dependency isolation so packages can only resolve what they explicitly declared. Pinning packageManager makes the toolchain version part of the lockfile contract so contributors and CI all run the same pnpm.

Tracks #1210.

Improve supply-chain security for the javy npm package by switching its
install/build/publish flow to pnpm. pnpm refuses to execute install
scripts from transitive dependencies by default, uses a
content-addressed store that detects tampered tarballs, and enforces
strict dependency isolation.

Pins pnpm 10.28.0 via the packageManager field so local dev and CI run
the same version. Replaces package-lock.json with pnpm-lock.yaml. CI
workflows install pnpm via pnpm/action-setup, pointed at npm/javy's
package.json for the version.

Tracks bytecodealliance#1210.

Apply the same supply-chain hardening to the Web Platform Tests harness
so contributors and CI don't need the npm CLI to run WPT. Updates the
Makefile test-wpt-ci target and the WPT step in ci.yml to use pnpm,
switches the inner test script to pnpm run, and pins pnpm 10.28.0 via
the packageManager field.

Tracks bytecodealliance#1210.
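The pieces the description and commit messages above refer to (a `packageManager` pin read by `pnpm/action-setup@v4`, a pnpm lockfile, and a CI install step) fit together as in the following workflow. This is an added illustration, not a file from the javy repository: the job name, the `npm/javy/package.json` and `npm/javy/pnpm-lock.yaml` paths, the Node version and the `test` script are assumptions, and the only value taken from the PR is the `pnpm@10.28.0` pin that `package.json` is assumed to carry in its `packageManager` field.

```yaml
# Added example (not from the javy repository): a CI job that installs pnpm
# at the version pinned in package.json and refuses lockfile drift.
# Assumed: the package lives under npm/javy and defines a "test" script.
name: javy-npm
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: npm/javy   # applies to "run" steps only
    steps:
      - uses: actions/checkout@v4

      # pnpm/action-setup reads the "packageManager" field of the given
      # package.json (here assumed to be "pnpm@10.28.0"), so the workflow
      # states no pnpm version of its own: the pin in package.json is the
      # single source of truth for contributors and CI alike.
      - uses: pnpm/action-setup@v4
        with:
          package_json_file: npm/javy/package.json

      - uses: actions/setup-node@v4
        with:
          node-version: 20                 # assumed; pick the project's supported line
          cache: pnpm
          cache-dependency-path: npm/javy/pnpm-lock.yaml

      # --frozen-lockfile makes the install fail instead of silently
      # re-resolving when package.json and pnpm-lock.yaml disagree, so a
      # dependency change cannot land without its lockfile update.
      # pnpm 10 does not run dependency lifecycle scripts (preinstall,
      # postinstall) by default; a package that genuinely needs a build
      # step has to be allowlisted under "pnpm.onlyBuiltDependencies" in
      # package.json, which keeps that decision reviewable in the diff.
      - run: pnpm install --frozen-lockfile

      - run: pnpm test
```

Two points worth checking when adopting this shape: keep the version out of the `pnpm/action-setup` step entirely (supplying `version:` there would create a second place for the pin to drift from `package.json`), and treat any addition to `pnpm.onlyBuiltDependencies` as a security-relevant change in review, since it is the one switch that re-enables install-time script execution for a dependency.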
Member

@saulecabrera saulecabrera left a comment


Thanks!

@saulecabrera saulecabrera merged commit 66fd26f into bytecodealliance:main May 21, 2026
4 checks passed