Update pnpm to v11

[delucis]

Changes

• Updates pnpm to v11
• Removes minimum release age exceptions that are no longer required
• Cleans up deps in a couple of fixtures that were accidentally using npm versions of monorepo packages
• Explicitly disallows postinstall scripts for all dependencies that have them
• Enables pnpm’s trustPolicy which prevents installing versions of packages that have reduced their publishing provenance. This required applying some limited exceptions to continue installing our currently installed packages.

Some semi-user-facing changes:

• Updated deps in the Netlify adapter
• Dropped support for older versions of VS Code so we can test with Node ≥22 which is pnpm 11’s minimum required version

Testing

Existing tests should pass

Docs

n/a — monorepo hardening only

[changeset-bot]

🦋 Changeset detected

Latest commit: c53b7b6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages

Name	Type
@astrojs/netlify	Patch
@astrojs/ts-plugin	Patch
astro-vscode	Patch
@test/netlify-session	Patch
@test/netlify-hosted-astro-project	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[matthewp]

haha, i can't believe we still had this.

[delucis]

These packages used to be used in this fixture but are no longer needed now we don’t have the Lit integration. Removing them allowed me to clean up some pnpm config.

[delucis]

This fixture and a few others were not using workspace:* copies of monorepo packages. This caused them to lag behind and use outdated versions which the newly enable trustPolicy caught.

[delucis]

Ah, smoke test is failing because it clones docs but runs it in the context of the monorepo so trustPolicy needs to apply on docs deps too 😅

I might first make a PR to docs to enable it there and then I’ll come back here knowing what’s needed.

Update: 9050066 should fix this

[ematipico]

The failure is caused by an accidental update of one of netlfy deps, which are buggy and make our tests fail. In fact, the lock file changed some of those deps. Please revert them.

The Netlify team published a fixed a version a few days ago, but I don't know if it matches our minium age policy. The fix is here https://github.com/netlify/primitives/releases/tag/vite-plugin-v2.12.2

[ematipico]

nit: Uhm, not a fan of this. We should probably review our smoke tests.

[delucis]

Yeah agreed. I wondered if instead of cloning to smoke/docs/ and relying on pnpm to autolink astro & co, we should clone as a sibling to the monorepo and npm link packages? If possible? Might be too much to do in this PR though, so went with this as the easiest quick fix.

[delucis]

This hack no longer works: it appears pnpm 11 will run an install if it detects that packages are not installed correctly. This means that this reset caused the subsequent pnpm run build to rerun an install, which fails due to frozen lockfile requirements in CI. There’s no way to pass --no-frozen-lockfile in this scenario though.

I tested this in a small dummy project where I manually added a dep to package.json and tried running a script. pnpm 11 immediately went to install the dep before running the script.

[Princesseuh]

You can update the VS Code engine and types package to 1.101.x and update the CI to run on Node 22.15.1, this will need a vscode changeset too (can be a patch, it's not "breaking" people in the same way a library would)

[delucis]

I think this is ready.

Some follow-ups coming out of this PR:

• Clean up pnpm overrides that may no longer be necessary (see Update pnpm to v11 #16716 (comment))
• Remove minimum release age config that’s no longer necessary (on Friday)
• Figure out if we can better handle the docs smoke test so we’re not maintaining a list of docs deps to exclude in this repo