Upgrade pnpm 10 → 11

[lukemelia]

Resolves CS-11100.

Summary

• Ran pnpx codemod run pnpm-v10-to-v11: moved package.json#pnpm.* → pnpm-workspace.yaml, consolidated onlyBuiltDependencies into allowBuilds, migrated .npmrc#use-node-version → package.json#devEngines.runtime (and removed the now-empty .npmrc).
• Manual: bumped .mise.toml to pnpm 11.0.9, bumped engines.pnpm to ^11, regenerated the lockfile.

Things worth flagging in review

• .mise.toml switched from pnpm (aqua) → "npm:pnpm" = "11.0.9". The aqua manifest for pnpm hasn't been updated to handle v11's new GitHub release asset layout (tarballs vs raw binaries, darwin-arm64/linux-arm64.tar.gz vs macos-arm64/linux-arm64). npm:pnpm works today and removes the aqua-manifest dependency for this tool. Trade-off: pnpm now installs through npm rather than from a prebuilt binary — a few seconds slower on first install but otherwise transparent (CI uses jdx/mise-action which sources .mise.toml either way).
• @embroider/compat patch was pinned to 3.9.3 only. Under pnpm 10 this patch was silently a no-op for v4.1.17 — the package was repackaged with sources under dist/src/, so the patch path (src/compat-app.js) missed. v11 makes patch-apply failures fatal, so I scoped the patch to 3.9.3 (the version it actually patches) to preserve v10's effective behavior. The catalog:-aware codepath in v4.1.17 remains unpatched, same as today.
• allowBuilds.core-js: false. v11 turns "ignored build scripts" into a hard install failure (ERR_PNPM_IGNORED_BUILDS). core-js@2.6.12 is the only transitive postinstall not already covered by the migrated onlyBuiltDependencies. It's the classic opencollective banner — explicitly opting out matches v10 behavior.
• minimumReleaseAge: 1440 kept as-is. The Linear ticket recommends 0, but this was deliberately added in Add minimumReleaseAge configuration for pnpm #3255 with an explicit minimumReleaseAgeExclude list — keeping the cooldown matches the team's existing opt-in.
• Lockfile shrinks by ~60 lines. v11's stricter peer-dep resolution prunes unused transitive @glint/environment-ember-loose@1.5.2 (verified nothing in source or build configs imports it). patchedDependencies shape collapsed from object → Record<string, string> (path moved to pnpm-workspace.yaml).
• Orphan patches in patches/ (ember-window-mock@1.0.0.patch, tracked-built-ins.patch) — not referenced in patchedDependencies. Pre-existing on main, not removed in this PR to keep scope tight.

After-merge note for the team

Anyone with a checked-out branch needs to run mise install to pick up pnpm 11 before pnpm install on their branch. Local-dev pnpm will still resolve to whatever your old .mise.toml pinned until you mise install.

Test plan

Verified locally on this branch:

• pnpm install (non-frozen) succeeds; lockfile diff is structural, no resolution shuffles.
• pnpm install --frozen-lockfile (CI mode) succeeds.
• All 12 patches in patches/ apply cleanly (after pinning @embroider/compat to 3.9.3).
• pnpm --filter @cardstack/boxel-icons build
• pnpm --filter @cardstack/boxel-ui build
• pnpm --filter @cardstack/host build (dev) and build:production
• pnpm --filter @cardstack/realm-server lint:types (realm-server has no separate build)
• pnpm --filter @cardstack/eslint-plugin-boxel test (65/65)
• pnpm --filter bot-runner test (38/38, 1 skip)

Relying on CI to exercise:

• ci.yaml, ci-host.yaml, ci-lint.yaml, ci-software-factory.yaml, test-web-assets.yaml
• Full host test suite (memory baseline still applies — flag if any shard OOMs)
• Full realm-server test suite against a fresh test-pg
• Matrix tests
• Observability apply.sh / lint.sh if anything in packages/observability/ changes on this branch

Draft until CI is green.

[Copilot]

Pull request overview

This PR upgrades the repo’s package manager tooling from pnpm v10 to pnpm v11 as part of CS-11100, updating workspace configuration and regenerating the lockfile to match pnpm 11’s formats and behaviors.

Changes:

• Migrate pnpm configuration from package.json#pnpm into pnpm-workspace.yaml, including overrides, patched dependencies, peer rules, and build-script allow/deny settings.
• Bump the repo’s pnpm engine requirement to ^11, move use-node-version to package.json#devEngines.runtime, and remove the now-empty .npmrc.
• Update mise tooling to install pnpm 11.0.9 via npm:pnpm and regenerate pnpm-lock.yaml in pnpm 11 format.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pnpm-workspace.yaml	Adds pnpm v11 workspace-level configuration (overrides, patches, peer rules, allowBuilds).
pnpm-lock.yaml	Regenerated lockfile reflecting pnpm 11 structural changes and peer/patch metadata updates.
package.json	Bumps engines.pnpm to ^11 and records the Node runtime version via devEngines.runtime.
.npmrc	Removes use-node-version since it’s migrated to package.json.
.mise.toml	Switches pnpm install source to npm:pnpm and pins pnpm to 11.0.9.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Host Test Results

    1 files      1 suites   1h 45m 29s ⏱️
2 654 tests 2 639 ✅ 15 💤 0 ❌
2 673 runs  2 658 ✅ 15 💤 0 ❌

Results for commit 6602bbf.

Realm Server Test Results

    1 files      1 suites   13m 1s ⏱️
1 303 tests 1 303 ✅ 0 💤 0 ❌
1 382 runs  1 382 ✅ 0 💤 0 ❌

Results for commit 6602bbf.