chore(deps): upgrade pnpm to 11.1.1

Bumps the corepack-managed pnpm version across the root and the four
Angular example workspaces. pnpm 11 refuses to run install scripts by
default; declare a minimal allowBuilds allowlist in pnpm-workspace.yaml
so only the two packages whose postinstalls the build actually needs
(esbuild, nx) are permitted. The other eight transitively-pulled
postinstalls (sharp, lmdb, workerd, etc.) all fall back to JS paths
or are unused during build, and are explicitly denied.

Also pin the preinstall guard to only-allow@1.2.2 so it no longer
resolves a floating tag from npm on every install.

Author: AlemTuzlak

examples/angular/a11y-devtools/package.json

@@ -9,7 +9,7 @@
     "test": "ng test"
   },
   "private": true,
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1",
   "dependencies": {
     "@angular/common": "^21.2.0",
     "@angular/compiler": "^21.2.0",

examples/angular/basic/package.json

@@ -9,7 +9,7 @@
     "test": "ng test"
   },
   "private": true,
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1",
   "dependencies": {
     "@angular/common": "^21.2.0",
     "@angular/compiler": "^21.2.0",

examples/angular/panel/package.json

@@ -9,7 +9,7 @@
     "test": "ng test"
   },
   "private": true,
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1",
   "dependencies": {
     "@angular/common": "^21.2.0",
     "@angular/compiler": "^21.2.0",

examples/angular/with-devtools/package.json

@@ -9,7 +9,7 @@
     "test": "ng test"
   },
   "private": true,
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1",
   "dependencies": {
     "@angular/common": "^21.2.0",
     "@angular/compiler": "^21.2.0",

package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "git+https://github.com/TanStack/devtools.git"
   },
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1",
   "type": "module",
   "scripts": {
     "build": "nx affected --targets=build --exclude=examples/** && size-limit",
@@ -22,7 +22,7 @@
     "generate-docs": "node scripts/generate-docs.ts",
     "lint:fix": "nx affected --target=lint:fix --exclude=examples/**",
     "lint:fix:all": "pnpm run format && nx run-many --targets=lint --fix",
-    "preinstall": "node -e \"if(process.env.CI == 'true') {console.log('Skipping preinstall...'); process.exit(1)}\" || npx -y only-allow pnpm",
+    "preinstall": "node -e \"if(process.env.CI == 'true') {console.log('Skipping preinstall...'); process.exit(1)}\" || npx -y only-allow@1.2.2 pnpm",
     "size": "size-limit",
     "test": "pnpm run test:ci",
     "test:build": "nx affected --target=test:build --exclude=examples/**",

pnpm-workspace.yaml

@@ -5,3 +5,32 @@ preferWorkspacePackages: true
 packages:
   - examples/**/*
   - packages/*
+
+# Explicit allowlist of packages whose install scripts may run. pnpm 11
+# refuses to run any postinstall by default; declaring them here is the
+# secure-by-default way to acknowledge them. Keep this list minimal:
+# only packages that are strictly required for the production build.
+#
+# Allowed (strictly required):
+#   - esbuild: vite/tsup pull the platform binary in its postinstall
+#   - nx:      build orchestrator; postinstall sets up native bindings
+#
+# Denied (not required for `pnpm run build` / `pnpm run test:ci`):
+#   - @parcel/watcher: only used for `nx watch`, not for builds
+#   - lmdb / msgpackr-extract: nx cache optimization (JS fallback works)
+#   - protobufjs: postinstall is a perf-only optimization
+#   - sharp: not used by any package in this repo's build
+#   - unrs-resolver: native fast-path resolver (JS fallback works)
+#   - vue-demi: postinstall is a no-op outside Vue 2/3 projects
+#   - workerd: only used by the bundling-repro example (excluded from build)
+allowBuilds:
+  '@parcel/watcher': false
+  esbuild: true
+  lmdb: false
+  msgpackr-extract: false
+  nx: true
+  protobufjs: false
+  sharp: false
+  unrs-resolver: false
+  vue-demi: false
+  workerd: false