chore(workspace): remove orphan lockfiles + add vault #20
Merged
Pull request overview
This PR cleans up pnpm workspace plumbing after the repo’s workspace adoption by removing unused per-package lockfiles, fixing CI’s pnpm cache key to use the root lockfile, and ensuring vault/ is actually part of the workspace so @notme/vault can resolve as a workspace dependency.
Changes:
- Deleted orphan `worker/pnpm-lock.yaml` and `action/pnpm-lock.yaml` and removed their stale allowlist entries from `.gitignore`.
- Updated GitHub Actions pnpm caching to hash `pnpm-lock.yaml` (root) instead of the removed `worker/pnpm-lock.yaml`.
- Added `vault` to `pnpm-workspace.yaml` and regenerated `pnpm-lock.yaml` to include `vault` as an importer.
Reviewed changes
Copilot reviewed 2 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| worker/pnpm-lock.yaml | Removed unused package-level lockfile now superseded by the root workspace lockfile. |
| action/pnpm-lock.yaml | Removed unused package-level lockfile now superseded by the root workspace lockfile. |
| .gitignore | Dropped stale allowlist entries for deleted lockfiles. |
| .github/workflows/ci.yml | Fixed pnpm cache dependency path to use the root lockfile. |
| pnpm-workspace.yaml | Added vault to workspace packages so @notme/vault resolves via workspace. |
| pnpm-lock.yaml | Regenerated lockfile to add vault to the importers map. |
Files not reviewed (3)
- action/pnpm-lock.yaml: Language not supported
- pnpm-lock.yaml: Language not supported
- worker/pnpm-lock.yaml: Language not supported
Contributor
Author
Copilot summary acknowledged — no action items, summary matches the changeset. Ready for human review + merge.
jamestexas
added a commit
that referenced
this pull request
May 18, 2026
…y::collapsible_match)
The outer 'contains("..")' check was strictly redundant — the inner
's == ".."' check (the only one that returned) implies it. Collapse
the pair into a match guard. No behavior change; UDS paths containing
'..' as a substring (e.g. 'foo..bar.sock') are still permitted, only
exact '..' components reject.
CI for the whole repo couldn't pass while this lint was hot under
-D warnings. Unblocks PRs #20/#21/#22 once #23 merges and they rebase.
jamestexas
added a commit
that referenced
this pull request
May 18, 2026
* chore(deps): comprehensive workspace dep update sweep

Workspace-wide dependency update sweep across root + action + worker. Clears all 6 pnpm audit advisories (was 2 high / 4 moderate).

| Workspace | Package | From | To |
|---|---|---|---|
| root | @vitest/coverage-v8 | ^4.1.2 | ^4.1.6 |
| root | tsx | ^4.21.0 | ^4.22.2 |
| root | zod | ^4.3.6 | ^4.4.3 |
| root | pnpm.overrides undici | — | <6.24.0 → ^6.24.0 |
| root | pnpm.overrides ws | — | <8.20.1 → ^8.20.1 |
| action | @types/node | ^25.5.0 | ^25.9.0 |
| action | esbuild | ^0.25.0 | ^0.25.12 |
| action | typescript | ^5.8.0 | ^5.9.3 |
| worker | @cloudflare/workers-types | ^4.20260329.1 | ^4.20260518.1 |
| worker | @cloudflare/vitest-pool-workers | ^0.13.5 | 0.13.5 (PIN) |
| worker | @playwright/test | ^1.59.1 | ^1.60.0 |
| worker | @types/node | ^25.6.0 | ^25.9.0 |
| worker | prettier | ^3.8.1 | ^3.8.3 |
| worker | vitest | ^4.1.2 | ^4.1.6 |
| worker | wrangler | ^4.78.0 | ^4.92.0 |
| worker | zod | ^3.25.0 | ^4.4.3 |
| worker | oslo | ^1.2.1 | REMOVED |

Notable:
- wrangler 4.78 → 4.92: aligns with notme.bot PR #2 baseline; Node 22 runtime
- zod 3 → 4 in worker: only one file (gha-oidc.ts) uses zod; uses safeParse + .error.message which are stable across v3/v4. Aligns with root manifest (was already ^4.3.6 there).
- oslo removed: deprecated meta-package; zero imports in src/. Worker already uses the successor @oslojs/crypto + @oslojs/encoding directly.
- @cloudflare/vitest-pool-workers pinned to exact 0.13.5 (no caret): per rosary-8ae6ab, 0.13.5 has the CF API 10375 issue; we don't yet know if 0.14+ fixes it. Pin makes the constraint explicit.
- pnpm.overrides force undici≥6.24.0 and ws≥8.20.1: clears all 5 undici advisories (transitive via @actions/http-client v2) and the ws advisory (transitive via miniflare). Avoids taking the @actions/* major bumps (4.0 is ESM-only — separate refactor).

Deferred (need code change or evidence — separate beads):
- @actions/core 1 → 3 / @actions/http-client 2 → 4: ESM-only migration; action is currently bundled via esbuild but the ESM-only constraint is a real refactor. Advisories handled via pnpm.overrides instead.
- @peculiar/x509 1 → 2: security-sensitive cert API surface; cert-authority.ts + signing-authority.ts need careful review of v2's extension/generator API.
- typescript 5 → 6 (action): major TS bump warrants its own pass across the workspace, not bundled in deps sweep.
- esbuild 0.25 → 0.28 (action): 0.x bumps frequently change defaults; aligned worker is already at 0.28 — leaving action at 0.25 line for now to avoid bundling-flag drift.

Test status:
- worker: 425 passed | 6 todo (28 files) — matches baseline
- task worker:check: typecheck + tests both green
- task schema:check: green
- action: pnpm build green, dist/index.js rebuilt and node --check clean
- pnpm audit: 0 advisories (was 2 high / 4 moderate)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: trigger run after Actions re-enabled

* fix(proxy): collapse redundant nested if in UDS path validator (clippy::collapsible_match)

The outer 'contains("..")' check was strictly redundant — the inner 's == ".."' check (the only one that returned) implies it. Collapse the pair into a match guard. No behavior change; UDS paths containing '..' as a substring (e.g. 'foo..bar.sock') are still permitted, only exact '..' components reject.

CI for the whole repo couldn't pass while this lint was hot under -D warnings. Unblocks PRs #20/#21/#22 once #23 merges and they rebase.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
… to workspace

- Delete worker/pnpm-lock.yaml + action/pnpm-lock.yaml (workspace root owns the lockfile post-#18)
- .gitignore: drop dead `!*/pnpm-lock.yaml` allowlist entries
- .github/workflows/ci.yml: cache-dependency-path -> root pnpm-lock.yaml (was silently hashing a dead file)
- pnpm-workspace.yaml: add vault (re-incorporated in #19, now @notme/vault)

Reviewers of #18 + #19 flagged these as immediate follow-ups.
b4a7af8 to
bd49f1e
Summary
Follow-up to merged #18 (workspace adoption of `@notme/contract`) and #19 (vault re-incorporation). Reviewers of both PRs independently flagged the same cluster — one small PR addresses everything.

Tracking bead: `rosary-546e83`.

Changes
- `worker/pnpm-lock.yaml` + `action/pnpm-lock.yaml`. The root workspace lockfile has owned all transitive deps since feat(workspace): pnpm-workspace.yaml + @notme/contract workspace adoption in worker/ #18. The per-package files were dead weight — no tool reads them, but they accumulate churn on dependency bumps.
- `.gitignore`: drop the now-stale `!worker/pnpm-lock.yaml` and `!action/pnpm-lock.yaml` allowlist entries. The repo uses default-deny gitignore; these lines now allowlist non-existent files.
- `.github/workflows/ci.yml`: `cache-dependency-path: worker/pnpm-lock.yaml` -> `pnpm-lock.yaml`. CI was silently hashing the dead file for its pnpm cache key; once that file vanished the cache hit rate would have collapsed. Reviewer of feat(workspace): pnpm-workspace.yaml + @notme/contract workspace adoption in worker/ #18 flagged the exact line (`workflows/ci.yml:68`).
- `pnpm-workspace.yaml`: add `vault` to `packages:`. Vault was re-incorporated in feat(vault): re-incorporate cloister hardenings (Apache headers, round-trip relicense) #19 with `@notme/vault` in its `package.json`, but the workspace file was never updated to include it — so `@notme/vault` was not resolvable as a workspace dep. This wires it up.
- `pnpm-lock.yaml`: regenerated. The only meaningful diff is `vault: {}` added to the `importers:` map.

Test plan
- `pnpm install --frozen-lockfile` — clean (5 workspace projects: action, packages/contract, vault, worker, root)
- `cd worker && pnpm test` — 425 passed | 6 todo (431 total)
- `cd vault && pnpm exec vitest run` — 134 passed (7 test files)

Reviewer context
- `rosary-546e83`
- `.github/workflows/ci.yml:68`, PR feat(vault): re-incorporate cloister hardenings (Apache headers, round-trip relicense) #19 review comment on `pnpm-workspace.yaml` missing vault entry
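
As an added example (not code from this PR or the project), a Python check for the three kinds of drift the description above lists: nested lockfiles, a CI cache key that hashes something other than the root lockfile, and a package directory missing from `pnpm-workspace.yaml`. The directory tree is constructed to mirror the before and after states; `audit`, `build_sample` and `demo` are hypothetical names, and the YAML handling assumes the simple list form.

```python
import re, tempfile
from fnmatch import fnmatch
from pathlib import Path

def audit(root):
    """Return drift findings for a pnpm workspace at `root` (simple YAML forms only)."""
    findings = []
    # 1. Per the PR, the root lockfile owns all deps; nested lockfiles are orphans.
    for lock in sorted(root.rglob("pnpm-lock.yaml")):
        rel = lock.relative_to(root)
        if rel.as_posix() != "pnpm-lock.yaml" and "node_modules" not in rel.parts:
            findings.append(f"orphan lockfile: {rel.as_posix()}")
    # 2. The CI cache key must hash the root lockfile, not a per-package one.
    for wf in sorted((root / ".github/workflows").glob("*.y*ml")):
        for path in re.findall(r"cache-dependency-path:\s*(\S+)", wf.read_text()):
            if path.strip("'\"") != "pnpm-lock.yaml":
                findings.append(f"{wf.name}: cache key hashes {path}")
    # 3. Every directory with a package.json must match a `packages:` entry.
    ws = (root / "pnpm-workspace.yaml").read_text()
    block = re.search(r"^packages:\n((?:[ \t]*-.*\n?)+)", ws, re.M)
    globs = [l.split("-", 1)[1].strip(" '\"") for l in block.group(1).splitlines()] if block else []
    for manifest in sorted(root.rglob("package.json")):
        rel = manifest.parent.relative_to(root)  # empty parts == the root manifest
        if rel.parts and "node_modules" not in rel.parts:
            if not any(fnmatch(rel.as_posix(), g) for g in globs):
                findings.append(f"package outside workspace: {rel.as_posix()}")
    return findings

def build_sample(root, fixed):
    """Constructed tree: repo state before (fixed=False) or after (fixed=True) the PR."""
    pkgs = ["worker", "action", "packages/contract", "vault"]
    cache = "pnpm-lock.yaml" if fixed else "worker/pnpm-lock.yaml"
    files = {f"{p}/package.json": "{}" for p in pkgs}
    files["pnpm-lock.yaml"] = "# constructed placeholder\n"
    files["pnpm-workspace.yaml"] = "packages:\n" + "".join(f"  - {m}\n" for m in (pkgs if fixed else pkgs[:3]))
    files[".github/workflows/ci.yml"] = f"cache-dependency-path: {cache}\n"  # constructed fragment
    if not fixed:
        files["worker/pnpm-lock.yaml"] = files["action/pnpm-lock.yaml"] = ""
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return audit(build_sample(Path(a), False)), audit(build_sample(Path(b), True))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run as a CI step against the checkout root, a non-empty result is a reason to fail the job before `pnpm install --frozen-lockfile` runs.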