chore: migrate from yarn to pnpm #420

Merged: LesnyRumcajs merged 1 commit into main from hm/yarn-to-pnpm on Mar 2, 2026

@hanabi1224 (Contributor) commented Mar 2, 2026

Summary of changes

follow up on ChainSafe/forest#6586

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code
    adheres to the team's
    documentation standards,
  • I have added tests that prove my fix is effective or that my feature works
    (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes
    should be reflected in this document.

Summary by CodeRabbit

  • Chores

    • Migrated from Yarn to PNPM as the package manager across CI, build tooling, and scripts
    • Updated Node.js minimum requirement from 18 to 20 and added PNPM >=10 requirement
    • Bumped Wrangler dev dependency to 4.69.0
    • Added PNPM supply chain security configuration and ignored pnpm-lock in formatting
  • Documentation

    • Updated README and testing guides to use PNPM-based commands

@coderabbitai (bot, Contributor) commented Mar 2, 2026

Walkthrough

This PR migrates the repository from Yarn to PNPM: CI/workflows, docs, Makefile, wrangler build commands, and package metadata are updated to use PNPM, node engine requirement raised to >=20, pnpm-workspace.yaml added, and wrangler dev dependency bumped.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| CI / Workflows | .github/workflows/deploy.yml, .github/workflows/e2e.yml | Replaced Yarn steps with PNPM equivalents (enable/install/build/run), updated cache key to pnpm-lock.yaml, preserved existing flow and readiness/wait logic. |
| Make / Local tooling | Makefile | Replaced Yarn invocations with corepack enable pnpm and pnpm commands for fmt/md-lint targets. |
| Docs / Guides | README.md, docs/cors_testing_guide.md, docs/e2e_api_testing_guide.md | Updated CLI examples and dev instructions from yarn/Corepack generic to corepack enable pnpm and pnpm commands (including wrangler dev). |
| Package config | package.json | Removed packageManager: yarn@..., bumped engines.node to >=20, added engines.pnpm: >=10, and bumped devDependencies.wrangler to ^4.69.0. |
| PNPM workspace / security | pnpm-workspace.yaml | Added supply-chain security settings: blockExoticSubdeps: true and minimumReleaseAge: 1440. |
| Wrangler build config | wrangler.toml | Swapped yarn build commands to pnpm while preserving worker-build args and flags. |
| Formatting ignore | .prettierignore | Added pnpm-lock.yaml to ignore list. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

dependencies, javascript

Suggested reviewers

  • LesnyRumcajs
  • sudo-shashank

Poem

🐰 With nimble paws I hop and mend,

From Yarn to PNPM I swiftly send,
Workflows, docs, and builds align,
Frozen locks keep everything fine,
A happy hop — package peace, divine.

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'chore: migrate from yarn to pnpm' accurately and concisely summarizes the main change across all modified files: systematically replacing Yarn package manager commands with PNPM equivalents throughout workflows, configuration files, documentation, and package manifests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@hanabi1224 hanabi1224 marked this pull request as ready for review March 2, 2026 02:13
@hanabi1224 hanabi1224 requested a review from a team as a code owner March 2, 2026 02:13
@coderabbitai (bot, Contributor) left a comment

🧹 Nitpick comments (4)
Makefile (1)

19-19: Add --frozen-lockfile to pnpm install in lint/format targets for reproducibility.

The fmt and md-lint targets use pnpm i without --frozen-lockfile, which can mutate the lockfile if dependencies drift. Frozen installs ensure consistent behavior across runs.

Suggested change
-	corepack enable pnpm && pnpm i && pnpm md-fmt
+	corepack enable pnpm && pnpm i --frozen-lockfile && pnpm md-fmt
-	corepack enable pnpm && pnpm i && pnpm md-check
+	corepack enable pnpm && pnpm i --frozen-lockfile && pnpm md-check
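Review bot: Both `+` lines still run `corepack enable pnpm` with no version, so the frozen install fixes the dependency tree but not the pnpm release that reads the lockfile; pair this change with an exact `packageManager` entry in package.json. It is also worth documenting next to the `fmt` and `md-lint` targets that they will now fail, rather than rewrite `pnpm-lock.yaml`, when package.json and the lockfile disagree.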
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 19, Update the Makefile's format/lint targets to use a
frozen install so the lockfile isn't mutated: replace the plain `pnpm i`
invocation (seen in the command `corepack enable pnpm && pnpm i && pnpm md-fmt`)
with `pnpm i --frozen-lockfile` (and do the same for the md-lint/other lint
targets that call `pnpm i`) so `fmt` and `md-lint` targets perform reproducible
installs.
.github/workflows/deploy.yml (1)

50-52: Pin PNPM version via packageManager field to ensure consistent CI runs.

The packageManager field is not set in package.json. While engines.pnpm: >=10 exists, this is only a version constraint, not a pin—it allows any version ≥10, leaving the CI vulnerable to drift. Using corepack enable pnpm without an explicit pinned packageManager in package.json (e.g., "packageManager": "pnpm@10.0.0") will resolve to unpredictable pnpm versions across CI runs. Update package.json to include a pinned packageManager field for deterministic behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy.yml around lines 50 - 52, CI can pick different
pnpm versions because package.json lacks a pinned packageManager; add a
"packageManager" field to package.json (e.g., "packageManager":"pnpm@10.0.0") to
pin the pnpm version, keeping the existing engines.pnpm entry if desired, then
commit that change so corepack enable pnpm and pnpm i --frozen-lockfile in the
workflow use the pinned version consistently.
.github/workflows/e2e.yml (1)

58-68: Consider using actions/setup-node with cache: pnpm for better dependency caching.

The workflow has migrated to pnpm but continues to cache ~/.npm (npm's cache directory), which won't effectively cache pnpm's store. Use actions/setup-node@v4 (or later) with cache: pnpm to leverage pnpm-aware caching, or manually cache the pnpm store directory for improved CI performance.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yml around lines 58 - 68, The "Cache dependencies"
workflow step currently uses actions/cache@v5 and caches ~/.npm (npm cache)
which is ineffective for pnpm; update the workflow's "Cache dependencies" step
(the step with name "Cache dependencies" and uses: actions/cache@v5) to either:
1) replace that step with actions/setup-node@v4 and set cache: 'pnpm' and
cache-dependency-path: '**/pnpm-lock.yaml' (and ensure node-version is set), or
2) if keeping actions/cache, stop caching ~/.npm and instead cache the pnpm
store directory (e.g. ~/.pnpm-store or the distro-specific pnpm store path) and
update the key to include pnpm-lock.yaml; make the change where the current key
uses hashFiles('**/pnpm-lock.yaml','**/Cargo.lock') and remove ~/.npm from the
path list.
package.json (1)

5-6: Adding packageManager field is optional, not required for reproducibility.

The repo already uses corepack enable pnpm in CI combined with pnpm-lock.yaml and --frozen-lockfile, which ensures reproducible builds. Adding "packageManager": "pnpm@<exact-version>" would only provide explicit local consistency for developers; it's not necessary for CI reproducibility. If pursuing this enhancement, first determine the exact pnpm version used in your CI environment and pin it accordingly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 5 - 6, The package.json currently lists engine
constraints ("node": ">=20", "pnpm": ">=10") but omits a packageManager field;
if you want explicit local reproducibility for developers add a
"packageManager": "pnpm@<exact-version>" entry to package.json (pin the exact
pnpm version used in CI), otherwise leave as-is because CI already guarantees
reproducible installs via corepack enable pnpm, pnpm-lock.yaml and
--frozen-lockfile; to implement, determine the exact pnpm version from your CI
environment and add the packageManager field with that pinned version.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2d3a96 and 9da9e77.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/deploy.yml
  • .github/workflows/e2e.yml
  • Makefile
  • README.md
  • docs/cors_testing_guide.md
  • docs/e2e_api_testing_guide.md
  • package.json
  • pnpm-workspace.yaml
  • wrangler.toml

@codecov-commenter commented
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.11%. Comparing base (d2d3a96) to head (5239a3f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #420   +/-   ##
=======================================
  Coverage   41.11%   41.11%           
=======================================
  Files          40       40           
  Lines        2668     2668           
=======================================
  Hits         1097     1097           
  Misses       1571     1571           

@coderabbitai (bot, Contributor) left a comment

🧹 Nitpick comments (3)
.github/workflows/e2e.yml (2)

107-107: Pin PNPM version in CI to avoid toolchain drift.

Line 107 enables pnpm, but the workflow step itself does not pin a concrete pnpm version. Consider explicit pinning (unless already enforced via packageManager in package.json).

♻️ Suggested change
-          corepack enable pnpm
+          corepack enable
+          corepack prepare pnpm@<pinned-version> --activate
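Review bot: `pnpm@<pinned-version>` on the added `corepack prepare` line is a placeholder, so the step cannot run as written and needs an exact release filled in before it is applied. Hard-coding that release in the workflow also duplicates it outside the manifest; an exact `packageManager` value in package.json gives one source of truth that the existing `corepack enable pnpm` step then honours in CI and on developer machines alike.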
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yml at line 107, The CI currently runs the unpinned
command "corepack enable pnpm", which can cause toolchain drift; replace or
supplement that step by preparing and activating a specific pnpm release (e.g.,
use "corepack prepare pnpm@<version> --activate") so the workflow consistently
uses a pinned pnpm version, or alternatively ensure the concrete version is
enforced via the packageManager field in package.json and reference that version
when calling corepack; update the step that contains "corepack enable pnpm" to
call corepack prepare with the chosen semantically pinned version.

67-68: Cache PNPM store, not npm cache, for this workflow.

Line 67 still caches ~/.npm; with pnpm installs, caching the pnpm store is usually the meaningful speed-up path.

♻️ Suggested change
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             target/
-            ~/.npm
+            ~/.pnpm-store
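Review bot: `~/.pnpm-store` on the `+` line is a guess at the store location; on Linux runners pnpm's default store is under `~/.local/share/pnpm/store`, so this path can end up caching a directory pnpm never writes to. Resolve the location in the job with `pnpm store path` and pass that output to the cache `path`, or set the store directory explicitly so the cache step and pnpm cannot diverge.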
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yml around lines 67 - 68, Replace the npm cache path
with the pnpm store path in the workflow cache step: change the cache path from
"~/.npm" to the pnpm store directory (e.g., "~/.pnpm-store" or the
distro-appropriate pnpm store such as "~/.local/share/pnpm") so the cache
actually stores pnpm artifacts; keep the existing cache key expression (key: ${{
runner.os }}-deps-${{ hashFiles('**/pnpm-lock.yaml', '**/Cargo.lock') }}).
Makefile (1)

19-19: Prefer frozen installs in automation-facing lint/format targets.

Line 19 and Line 24 use pnpm i, which can rewrite pnpm-lock.yaml. Use frozen lockfile installs to keep runs deterministic.

♻️ Suggested change
-	corepack enable pnpm && pnpm i && pnpm md-fmt
+	corepack enable pnpm && pnpm install --frozen-lockfile && pnpm md-fmt
...
-	corepack enable pnpm && pnpm i && pnpm md-check
+	corepack enable pnpm && pnpm install --frozen-lockfile && pnpm md-check

Also applies to: 24-24

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 19, The Makefile uses non-frozen installs ("pnpm i") in
automation-facing targets; replace each occurrence of "pnpm i" with a
frozen-lockfile install (e.g., "pnpm install --frozen-lockfile" or "pnpm
--frozen-lockfile install") so runs are deterministic and fail when
pnpm-lock.yaml would be rewritten—update the command instances that currently
read "corepack enable pnpm && pnpm i && pnpm md-fmt" (and the similar occurrence
later) to use the frozen-lockfile flag instead.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9da9e77 and 5239a3f.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (10)
  • .github/workflows/deploy.yml
  • .github/workflows/e2e.yml
  • .prettierignore
  • Makefile
  • README.md
  • docs/cors_testing_guide.md
  • docs/e2e_api_testing_guide.md
  • package.json
  • pnpm-workspace.yaml
  • wrangler.toml
🚧 Files skipped from review as they are similar to previous changes (6)
  • package.json
  • .github/workflows/deploy.yml
  • docs/cors_testing_guide.md
  • README.md
  • wrangler.toml
  • docs/e2e_api_testing_guide.md
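
The review points above (frozen installs, an exact `packageManager` pin, and the `pnpm-workspace.yaml` supply-chain settings) can be checked mechanically before merge. The following is an added example, not code from this PR or from the project; the function names and the sample file contents are constructed for illustration.

```javascript
// Added example, not from the PR. Sample inputs are constructed from the
// lines quoted in the review comments above.
const SAMPLE_MAKEFILE = [
  "fmt:",
  "\tcorepack enable pnpm && pnpm i && pnpm md-fmt",
  "md-lint:",
  "\tcorepack enable pnpm && pnpm install --frozen-lockfile && pnpm md-check",
].join("\n");
const SAMPLE_PACKAGE_JSON = { engines: { node: ">=20", pnpm: ">=10" } };
const SAMPLE_WORKSPACE = "blockExoticSubdeps: true\nminimumReleaseAge: 1440\n";

// Matches `pnpm i` / `pnpm install` and captures its arguments up to the next
// shell separator, so a flag on a later command is not credited to it.
const PNPM_INSTALL = /\bpnpm\s+(?:i|install)(?=\s|$)([^&|;\n]*)/g;

function findUnfrozenInstalls(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(PNPM_INSTALL)) {
      if (!/(?:^|\s)--frozen-lockfile(?:\s|$)/.test(m[1])) {
        findings.push({ line: idx + 1, command: m[0].trim() });
      }
    }
  });
  return findings;
}

// Accepts only an exact version, optionally with corepack's +<algo>.<hex> hash.
function checkPackageManagerPin(pkg) {
  const value = pkg.packageManager;
  if (typeof value !== "string") {
    return { pinned: false, reason: "packageManager field is missing" };
  }
  const m = /^pnpm@(\d+\.\d+\.\d+)(\+sha\d+\.[0-9a-f]+)?$/.exec(value);
  if (!m) return { pinned: false, reason: `not an exact pnpm version: ${value}` };
  return { pinned: true, version: m[1], hasHash: Boolean(m[2]) };
}

// Reads top-level `key: value` scalars only, which is all these settings need.
function checkWorkspaceSettings(yamlText) {
  const seen = new Map();
  for (const line of yamlText.split("\n")) {
    const m = /^([A-Za-z][\w-]*):\s*([^#\s][^#]*?)\s*(?:#.*)?$/.exec(line);
    if (m) seen.set(m[1], m[2]);
  }
  const problems = [];
  if (seen.get("blockExoticSubdeps") !== "true") problems.push("blockExoticSubdeps is not true");
  if (!(Number(seen.get("minimumReleaseAge")) > 0)) problems.push("minimumReleaseAge is unset or zero");
  return problems;
}

function audit(makefile, pkg, workspaceYaml) {
  return {
    unfrozenInstalls: findUnfrozenInstalls(makefile),
    packageManager: checkPackageManagerPin(pkg),
    workspaceProblems: checkWorkspaceSettings(workspaceYaml),
  };
}
console.log(JSON.stringify(audit(SAMPLE_MAKEFILE, SAMPLE_PACKAGE_JSON, SAMPLE_WORKSPACE), null, 2));
```

On the constructed inputs it reports the `pnpm i` in the `fmt` recipe and the missing `packageManager` field, and no problems with the workspace settings.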

@sudo-shashank (Contributor) left a comment

LGTM

@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Mar 2, 2026
Merged via the queue into main with commit 3898d58 Mar 2, 2026
7 checks passed
@LesnyRumcajs LesnyRumcajs deleted the hm/yarn-to-pnpm branch March 2, 2026 10:07
@coderabbitai coderabbitai Bot mentioned this pull request Apr 8, 2026
4 tasks