
chore: migrate to pnpm, bump Node matrix to 22/24/26, fix audit vulns#238

Open
matt-evervault wants to merge 2 commits into master from chore/migrate-to-pnpm-and-update-node

Conversation


@matt-evervault matt-evervault commented Jun 29, 2026


Summary

Migrates the repo from npm to pnpm 11.9.0, refreshes the CI Node matrix to 22 / 24 / 26, and clears all pnpm audit findings. Also adds a Nix flake for a reproducible dev toolchain.

Changes

npm → pnpm

  • Add packageManager: "pnpm@11.9.0"; replace package-lock.json with pnpm-lock.yaml.
  • All workflows now use pnpm/action-setup@v4 (before setup-node, with cache: 'pnpm') and pnpm install --frozen-lockfile.
  • Release workflow: pnpm publish --no-git-checks (the --no-git-checks replaces npm's lack of branch checks, since the publish job runs on a detached tag). The existing OIDC trusted publishing flow is preserved — pnpm 11.9.0 includes the fix from pnpm#11526 (merged 15 May 2026, before the 11.9.0 release) that drops the unresolved ${NODE_AUTH_TOKEN} placeholder and falls back to OIDC.
  • Husky hook and CONTRIBUTING.md updated to pnpm.

Nix flake

  • flake.nix / flake.lock provide a pinned Node.js + pnpm 11.9.0 dev shell (nix develop). Contributors without Nix can use Corepack (pinned via the packageManager field).

Node matrix

  • 18, 20, 22 → 22, 24, 26. Dropped versions are all EOL (18, 20 since Mar 2026; 23, 25 also EOL). 22 & 24 are Active LTS, 26 is Current.

pnpm audit --fix

  • 0 vulnerabilities after the fix (was 1 high + 3 moderate: serialize-javascript, uuid, js-yaml).
  • Overrides consolidated into pnpm-workspace.yaml (pnpm's native location, where audit --fix writes). The old package.json overrides were removed — its js-yaml@4.1.1 pin had itself become the flagged vulnerable version; the lodash override was carried over.

Test/CI fixes required for green CI on current Node

  • Regenerated tests/utilities/ssl-cert-snakeoil.{key,pem} as a 2048-bit self-signed cert (was 1024-bit, expired Jul 2025). Modern OpenSSL rejects the 1024-bit key with ERR_SSL_EE_KEY_TOO_SMALL, which broke the HttpsProxyAgent before all hook and silently disabled ~16 tests. Suite now reports 208 passing (was 190 + 2 failing). Same CN; no test pins its identity.
  • Attestation CI step runs mocha directly instead of via pnpm run under LD_PRELOAD=libfaketime. pnpm run … hangs indefinitely when launched under libfaketime (CI log showed apt-get completing, then 30 min of silence); pnpm is a heavier Node process than the npm it replaced. Invoking ./node_modules/.bin/mocha … --grep attestGA wraps only the test process.

Verification — CI green ✅

  • Test workflow: pnpm install --frozen-lockfile, pnpm run lint, pnpm run test:coverage (208 passing) and the libfaketime attestation step all pass on Node 22, 24 and 26.
  • E2E workflow: passes on Node 22, 24 and 26.
  • ✅ Locally verified the full suite on Node 22 & 24 (208 passing), pnpm run generate-types, and pnpm audit (clean) via the flake.

Notes for reviewers

  • No consumer-facing change / no changeset. audit --fix hardened the dev tree via overrides (which don't propagate to consumers); dependencies.uuid is intentionally left at ^8.1.0. uuid is only used in e2e/ ({ v4 }, stable v8→v11), never in lib/, so consumers have no real exposure. Bumping/moving uuid to devDependencies is a reasonable separate follow-up.
  • First release on this branch should be watched to confirm the pnpm publish OIDC path (and provenance) behaves like the previous npm publish.

- Migrate package manager from npm to pnpm 11.9.0: add packageManager
  field, replace package-lock.json with pnpm-lock.yaml, convert all
  workflows to pnpm/action-setup + `pnpm install --frozen-lockfile`,
  `pnpm publish --no-git-checks` (preserves OIDC trusted publishing),
  and update husky hook + CONTRIBUTING.
- Add flake.nix/flake.lock providing a pinned Node.js + pnpm 11.9.0 dev
  shell (`nix develop`).
- Update CI Node matrix from 18/20/22 to 22/24/26 (18/20/23/25 are EOL).
- `pnpm audit --fix`: 0 vulnerabilities. Overrides for js-yaml,
  serialize-javascript and uuid consolidated into pnpm-workspace.yaml
  (the stale package.json js-yaml@4.1.1 pin was itself flagged).
- Regenerate ssl-cert-snakeoil fixture as 2048-bit; the old 1024-bit key
  is rejected by modern OpenSSL (ERR_SSL_EE_KEY_TOO_SMALL), which had
  broken the HttpsProxyAgent suite on current Node (now 208 passing).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
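An added check for the fixture problem described above (not code from this PR or the repository): it reads the RSA key size out of a PEM certificate, the property modern OpenSSL rejects with ERR_SSL_EE_KEY_TOO_SMALL when it is below 2048 bits, and confirms the certificate has not expired, so a stale test fixture fails loudly instead of silently disabling tests. The CN, file names and the regeneration helper are assumptions; the sample certificates are generated on the fly and are not the repository's fixture.

```shell
#!/bin/sh
# check_cert_fixture CERT_PEM
# Verify a TLS test fixture is still usable by a modern OpenSSL: RSA public key
# of at least 2048 bits (smaller keys fail the handshake with
# ERR_SSL_EE_KEY_TOO_SMALL) and a notAfter date that has not passed.
# Returns 0 on pass, 1 if the key is too small, 2 if the certificate has expired.
check_cert_fixture() {
  cert="$1"
  # "Public-Key: (2048 bit)" in OpenSSL 3, "RSA Public-Key: (2048 bit)" in 1.1
  bits=$(openssl x509 -in "$cert" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
  echo "$cert: ${bits:-unknown}-bit key"
  [ "${bits:-0}" -ge 2048 ] || return 1
  # -checkend 0 exits non-zero when the cert is already past notAfter
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 2
  return 0
}

# regen_snakeoil DIR BITS
# Generate a self-signed key/cert pair into DIR, the same kind of fixture the
# PR regenerated. CN is an assumed placeholder (the real fixture's CN is not
# stated on the page); 10-year validity so the fixture does not expire soon.
regen_snakeoil() {
  dir="$1"; bits="$2"
  openssl req -x509 -newkey "rsa:${bits}" -nodes -days 3650 \
    -subj "/CN=snakeoil.test.local" \
    -keyout "$dir/ssl-cert-snakeoil.key" \
    -out "$dir/ssl-cert-snakeoil.pem" 2>/dev/null
}

# Usage (assumed paths): . ./check_fixture.sh
#   check_cert_fixture tests/utilities/ssl-cert-snakeoil.pem || echo "fixture needs regenerating"
```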

changeset-bot Bot commented Jun 29, 2026


⚠️ No Changeset found

Latest commit: 7c2acbd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


socket-security Bot commented Jun 29, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                      Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  uuid@8.3.2 ⏵ 11.1.1          100 +1                 100 +2         100 +1   92 +42       100
Updated  msgpackr@1.11.12 ⏵ 1.12.1    100 +1                 100            100 +1   94           100
Updated  axios@1.16.1 ⏵ 1.18.1        97                     100            100      96           100

View full report


socket-security Bot commented Jun 29, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn   Severity: High
Alert: License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml › npm/nyc@17.1.0 › npm/caniuse-lite@1.0.30001799

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001799. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn   Severity: High
Alert: Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml › npm/@changesets/cli@2.31.0 › npm/rewire@7.0.0 › npm/nyc@17.1.0 › npm/mocha@10.8.2 › npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

`pnpm run test:filter attestGA` hangs indefinitely when launched under
LD_PRELOAD=libfaketime (CI log shows apt-get completing, then 30 min of
silence in the test command). pnpm is a heavier Node process than the npm
it replaced and deadlocks under faked time. Invoke the mocha binary
directly so only the test process is wrapped by libfaketime.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@matt-evervault matt-evervault self-assigned this Jun 29, 2026
@matt-evervault matt-evervault requested a review from a team June 29, 2026 09:45
