From 1c46e9dd30d78a9ffd86b68139781345b997bb75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= Date: Thu, 4 Jun 2026 10:45:17 +0200 Subject: [PATCH 1/4] Rewrite Dependabot config with per-ecosystem security groups Replace multi-ecosystem-groups format with per-ecosystem groups.security (applies-to: security-updates). Add npm ecosystem. Remove separator: '-' dead config. Co-Authored-By: Claude Sonnet 4.6 --- .github/dependabot.yml | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a824797..0b115dd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,20 +1,32 @@ version: 2 -multi-ecosystem-groups: - security: +updates: + - package-ecosystem: 'bundler' + directory: '/' schedule: interval: 'daily' - open-pull-requests-limit: 0 # disables version-update PRs; security PRs unaffected - pull-request-branch-name: - separator: '-' + open-pull-requests-limit: 0 + groups: + security: + applies-to: security-updates + patterns: ['*'] -updates: - - package-ecosystem: 'bundler' + - package-ecosystem: 'npm' directory: '/' - patterns: ['*'] - multi-ecosystem-group: 'security' + schedule: + interval: 'daily' + open-pull-requests-limit: 0 + groups: + security: + applies-to: security-updates + patterns: ['*'] - package-ecosystem: 'github-actions' directory: '/' - patterns: ['*'] - multi-ecosystem-group: 'security' + schedule: + interval: 'daily' + open-pull-requests-limit: 0 + groups: + security: + applies-to: security-updates + patterns: ['*'] From e5b253bf954bd57123ee6deff302d38eb65286c9 Mon Sep 17 00:00:00 2001 
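Review bot: The comment that explained `open-pull-requests-limit: 0` was dropped in the rewrite, and the value now appears on all three `updates` entries with nothing to say it only suppresses version-update PRs. A maintainer could read it as "Dependabot is off" or raise the limit without realising what changes. Restore it on each entry, e.g. `open-pull-requests-limit: 0 # version-update PRs off; security updates still open`. Separately, `groups.security` with `patterns: ['*']` puts every security fix for an ecosystem into one PR, so a single fix that breaks CI can hold back the others. A short comment stating that this is the accepted trade-off would help.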
From: =?UTF-8?q?Thomas=20M=C3=BCller?= Date: Thu, 4 Jun 2026 10:52:58 +0200 Subject: [PATCH 2/4] fix: complete BE pnpm migration the agent skipped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The maintenance pass landed Ruby/workflow updates but missed the npm → pnpm swap that BE repos with `package.json` + `package-lock.json` now get during maintenance (per the agent's BE-pnpm-migration rule). - Add `"packageManager": "pnpm@11.5.1"` to package.json. - Convert `package-lock.json` → `pnpm-lock.yaml` via `pnpm import`. - Drop the `--ignore-path=".gitignore"` flag — prettier 3 already reads `.gitignore` + `.prettierignore` by default, and the explicit flag was suppressing `.prettierignore`. - Drop the `-- --check` separator from scripts; pnpm passes trailing args directly to the script. - Replace `npm run` → `pnpm run` in Rakefile + package.json scripts. - Create `.prettierignore` listing `pnpm-lock.yaml` so prettier doesn't fight the lockfile format. pnpm v11+ default `minimumReleaseAge: 1440` (24h) now gives Dependabot a security cooldown on the npm side, mirroring Bundler 4.0.13's. Co-Authored-By: Claude Opus 4.7 (1M context) --- .prettierignore | 1 + Rakefile | 2 +- package-lock.json | 71 ----------------------------------------------- package.json | 7 +++-- pnpm-lock.yaml | 48 ++++++++++++++++++++++++++++++++ 5 files changed, 54 insertions(+), 75 deletions(-) create mode 100644 .prettierignore delete mode 100644 package-lock.json create mode 100644 pnpm-lock.yaml diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..bd5535a --- /dev/null +++ b/.prettierignore @@ -0,0 +1 @@ +pnpm-lock.yaml diff --git a/Rakefile b/Rakefile index 15f3b12..04d670d 100644 --- a/Rakefile +++ b/Rakefile @@ -19,6 +19,6 @@ RuboCop::RakeTask.new(:rubocop) do |task| end desc 'Run Prettier' -task(:prettier) { sh 'npm run lint' } +task(:prettier) { sh 'pnpm run lint' } task default: %i[spec rubocop prettier] 
diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 02a1670..0000000 --- a/package-lock.json +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - "name": "ears", - "lockfileVersion": 2, - "requires": true, - "packages": { - "": { - "name": "ears", - "devDependencies": { - "@invisionag/prettier-config": "^2.1.3", - "@prettier/plugin-ruby": "^4.0.4", - "prettier": "^3.8.3" - } - }, - "node_modules/@invisionag/prettier-config": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/@invisionag/prettier-config/-/prettier-config-2.1.3.tgz", - "integrity": "sha512-/BRe7iCWtsn43hhYrD2ANla2Qf332EusDjcuuB9xOK/z3lEghp59pkuxNFIvlQ/Y9AFMaT1zOFhvxzYax+fj3g==", - "dev": true, - "peerDependencies": { - "prettier": ">=2.0.0" - } - }, - "node_modules/@prettier/plugin-ruby": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/@prettier/plugin-ruby/-/plugin-ruby-4.0.4.tgz", - "integrity": "sha512-lCpvfS/dQU5WrwN3AQ5vR8qrvj2h5gE41X08NNzAAXvHdM4zwwGRcP2sHSxfu6n6No+ljWCVx95NvJPFTTjCTg==", - "dev": true, - "peerDependencies": { - "prettier": "^3.0.0" - } - }, - "node_modules/prettier": { - "version": "3.8.3", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.3.tgz", - "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==", - "dev": true, - "license": "MIT", - "bin": { - "prettier": "bin/prettier.cjs" - }, - "engines": { - "node": ">=14" - }, - "funding": { - "url": "https://github.com/prettier/prettier?sponsor=1" - } - } - }, - "dependencies": { - "@invisionag/prettier-config": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/@invisionag/prettier-config/-/prettier-config-2.1.3.tgz", - "integrity": "sha512-/BRe7iCWtsn43hhYrD2ANla2Qf332EusDjcuuB9xOK/z3lEghp59pkuxNFIvlQ/Y9AFMaT1zOFhvxzYax+fj3g==", - "dev": true, - "requires": {} - }, - "@prettier/plugin-ruby": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/@prettier/plugin-ruby/-/plugin-ruby-4.0.4.tgz", - "integrity": "sha512-lCpvfS/dQU5WrwN3AQ5vR8qrvj2h5gE41X08NNzAAXvHdM4zwwGRcP2sHSxfu6n6No+ljWCVx95NvJPFTTjCTg==", - "dev": true, - 
"requires": {} - }, - "prettier": { - "version": "3.8.3", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.3.tgz", - "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==", - "dev": true - } - } -} diff --git a/package.json b/package.json index 1c559fd..aedf9a8 100644 --- a/package.json +++ b/package.json @@ -1,10 +1,11 @@ { "name": "ears", "private": true, + "packageManager": "pnpm@11.5.1", "scripts": { - "prettify": "prettier \"**/*.{ru,rb,yml,yaml,md,gemspec,json}\" --ignore-path=\".gitignore\"", - "lint": "npm run prettify -- --check", - "format": "npm run prettify -- --write" + "prettify": "prettier \"**/*.{ru,rb,yml,yaml,md,gemspec,json}\"", + "lint": "pnpm run prettify --check", + "format": "pnpm run prettify --write" }, "devDependencies": { "@invisionag/prettier-config": "^2.1.3", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml new file mode 100644 index 0000000..159aaea --- /dev/null +++ b/pnpm-lock.yaml 
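Review bot: The new `"packageManager": "pnpm@11.5.1"` entry fixes the version but carries no integrity hash, so whatever resolves the field trusts the fetched copy of pnpm as-is. Corepack accepts a hash suffix on this field, e.g. `"packageManager": "pnpm@11.5.1+sha512.<hash-of-the-release>"` (placeholder; take the value from the published release), which lets the package manager be verified before it runs an install. Whether the CI setup step honours the suffix is not visible in this series and should be confirmed. The `devDependencies` object continues past the end of the hunk.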
@@ -0,0 +1,48 @@ +lockfileVersion: '9.0' + +settings: + autoInstallPeers: true + excludeLinksFromLockfile: false + +importers: + + .: + devDependencies: + '@invisionag/prettier-config': + specifier: ^2.1.3 + version: 2.1.3(prettier@3.8.3) + '@prettier/plugin-ruby': + specifier: ^4.0.4 + version: 4.0.4(prettier@3.8.3) + prettier: + specifier: ^3.8.3 + version: 3.8.3 + +packages: + + '@invisionag/prettier-config@2.1.3': + resolution: {integrity: sha512-/BRe7iCWtsn43hhYrD2ANla2Qf332EusDjcuuB9xOK/z3lEghp59pkuxNFIvlQ/Y9AFMaT1zOFhvxzYax+fj3g==} + peerDependencies: + prettier: '>=2.0.0' + + '@prettier/plugin-ruby@4.0.4': + resolution: {integrity: sha512-lCpvfS/dQU5WrwN3AQ5vR8qrvj2h5gE41X08NNzAAXvHdM4zwwGRcP2sHSxfu6n6No+ljWCVx95NvJPFTTjCTg==} + peerDependencies: + prettier: ^3.0.0 + + prettier@3.8.3: + resolution: {integrity: sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==} + engines: {node: '>=14'} + hasBin: true + +snapshots: + + '@invisionag/prettier-config@2.1.3(prettier@3.8.3)': + dependencies: + prettier: 3.8.3 + + '@prettier/plugin-ruby@4.0.4(prettier@3.8.3)': + dependencies: + prettier: 3.8.3 + + prettier@3.8.3: {} From 55a7f828035f72e48cda98597ba40b1a41cc6cc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= Date: Thu, 4 Jun 2026 21:41:43 +0200 Subject: [PATCH 3/4] ci(build.yml): migrate the lint step to pnpm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit e5b253b completed the npm → pnpm migration in the repo (deleted package-lock.json, added pnpm-lock.yaml, set packageManager=pnpm@11.5.1) but the lint job in build.yml still ran `npm ci && npm run lint`, which now fails with EUSAGE because the lockfile no longer exists. Add pnpm/action-setup, point setup-node's cache at pnpm, and swap the prettier step over. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7dd4991..c89545d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,11 +21,15 @@ jobs: with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true + - uses: pnpm/action-setup@v6 + with: + run_install: false - uses: actions/setup-node@v6 with: node-version: '24' + cache: pnpm - name: Run prettier - run: npm ci && npm run lint + run: pnpm install --frozen-lockfile && pnpm run lint - name: Run Rubocop run: bundle exec rubocop - name: Run tests From 643f927ccba97506c7be6e1c5b3158d503e3d6cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= Date: Fri, 5 Jun 2026 10:10:12 +0200 Subject: [PATCH 4/4] =?UTF-8?q?docs(CLAUDE):=20reflect=20npm=20=E2=86=92?= =?UTF-8?q?=20pnpm=20migration?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Stack now lists pnpm v11+ (pinned via package.json#packageManager) and calls out that Node tooling is dev-only (Prettier on Ruby files). Common commands swap `npm install` / `npm run lint` for `pnpm install --frozen-lockfile` / `pnpm run lint` / `pnpm run format`. Addresses review feedback from @johannesluedke. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index a4c6485..3e3d21d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
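Review bot: The added `- uses: pnpm/action-setup@v6` step references a third-party action by a mutable tag, so a retagged or compromised release would run inside this job with whatever token and secrets the workflow exposes. Pinning to the full commit SHA and keeping the tag as a comment, `- uses: pnpm/action-setup@<full-commit-sha> # v6`, closes that gap. As far as I know, Dependabot does not raise security alerts for SHA-pinned actions. The `github-actions` entry in `.github/dependabot.yml` also sets `open-pull-requests-limit: 0`, so a pinned action would need some other update path; confirm this before switching. The job definition starts above the hunk and continues after it.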
@@ -9,20 +9,22 @@ Ruby gem for building RabbitMQ consumers using Bunny. - **connection_pool** ~> 3.0 — thread-safe channel pools for publishers - **json** >= 2.9.0 — JSON serialization in middleware - Dev tools: RSpec, RuboCop (rubocop-rspec, rubocop-rake), SimpleCov, YARD, Prettier (via Node) +- **Node tooling**: pnpm v11+ (pinned in `package.json#packageManager`). The JS toolchain is dev-only (Prettier on Ruby files); nothing JS ships at runtime. ## Common Commands ```bash # Install deps bundle install -npm install +pnpm install --frozen-lockfile # Tests bundle exec rspec # Lint / format bundle exec rubocop -npm run lint # Prettier on Ruby files +pnpm run lint # Prettier on Ruby files +pnpm run format # Prettier --write # Autofix rubocop bundle exec rubocop -A