
fix: migrate pnpm config to pnpm-workspace.yaml and resolve 85 CVEs across 7 packages #3765

Closed

Luciferxy wants to merge 1 commit into triggerdotdev:main from Luciferxy:fix/systeminformation-cve-bump

Conversation

@Luciferxy

Summary

This PR does two things:

  1. Migrates pnpm workspace configuration from package.json to pnpm-workspace.yaml (required for pnpm v10 compatibility)
  2. Resolves 85 security vulnerabilities across 7 transitive dependency packages via overrides

Problem

Running pnpm install emitted:

The "pnpm" field in package.json is no longer read by pnpm

This meant three critical config keys were being silently ignored under pnpm v10:

  • patchedDependencies — 10 package patches were not being applied
  • onlyBuiltDependencies — lifecycle script permissions for @prisma/engines, better-sqlite3, esbuild were not being enforced
  • overrides — all dependency overrides (including security patches) were inactive

Additionally, pnpm audit showed 386 vulnerabilities before this change.


Changes

1. Migrated pnpm-workspace.yaml

Moved the following keys from package.json to pnpm-workspace.yaml:

  • patchedDependencies (10 patches re-enabled)
  • onlyBuiltDependencies
  • overrides (existing + new security overrides)

2. Security overrides added

| Package | Override | CVEs fixed | Issues |
| --- | --- | --- | --- |
| hono | >=4.12.18 | 7 | Middleware bypass, HTML/CSS injection, cache leakage, JWT validation, bodyLimit bypass |
| @hono/node-server | >=1.19.13 | 1 | Middleware bypass via repeated slashes |
| protobufjs | >=7.5.8 | 4 | Prototype injection, DoS via field names, overlong UTF-8, recursive JSON expansion |
| mermaid | >=11.15.0 | 4 | CSS injection via classDefs/config, HTML injection, infinite loop DoS |
| axios | >=1.15.2 | 1 | Prototype pollution gadget in parseReviver |
| ws | >=8.20.1 | 1 | Uninitialized memory disclosure |

3. Direct dependency bump


Validation

Before: 386 vulnerabilities (8 critical, 139 high, 193 moderate, 46 low)
After:  301 vulnerabilities
Net:    85 vulnerabilities resolved ✅

pnpm install runs cleanly with no warnings. All patches and lifecycle scripts are correctly applied.


Remaining vulnerabilities

The following could not be resolved in this PR due to deeper transitive chains or required major framework upgrades:

  • next — used as a transitive dep inside react-email and reference apps; bumping requires testing Next.js 15 compatibility across the monorepo
  • qs / uuid / @kubernetes/client-node chain — requires upstream @kubernetes/client-node to update their locked deps
  • langsmith: references/nextjs-realtime specific, can be addressed separately

These are tracked and can be addressed in follow-up PRs.


Related

Closes #3365

Copilot AI review requested due to automatic review settings May 27, 2026 19:08
@changeset-bot

changeset-bot Bot commented May 27, 2026

⚠️ No Changeset found

Latest commit: f1d1f76

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@github-actions

Hi @Luciferxy, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

@github-actions github-actions Bot closed this May 27, 2026
@coderabbitai

coderabbitai Bot commented May 27, 2026


Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 5083d16 and f1d1f76.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • package.json
  • pnpm-workspace.yaml
  • turbo.json

Walkthrough

This PR updates build and dependency tooling configuration across the monorepo. The turbo devDependency is upgraded from ^1.10.3 to ^2.9.14, and the turbo.json configuration is migrated from the version 1.x "pipeline" key to version 2.x "tasks" key. Concurrently, pnpm configuration (patchedDependencies, overrides, and onlyBuiltDependencies) is relocated from package.json to pnpm-workspace.yaml, centralizing workspace-level dependency constraints and patch directives.



@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 1 potential issue.


Comment thread pnpm-workspace.yaml
Comment on lines +47 to +75
"axios": ">=1.15.2"
"js-yaml@>=3.0.0 <3.14.2": "3.14.2"
"js-yaml@>=4.0.0 <4.1.1": "4.1.1"
"jws@<3.2.3": "3.2.3"
"qs@>=6.0.0 <6.14.1": "6.14.1"
"systeminformation@>=5.0.0 <5.31.0": "^5.31.0"
"lodash@>=4.17 <4.18.0": "^4.18.0"
"lodash-es@>=4.17 <4.18.0": "^4.18.0"
"dompurify@>=3 <3.4.0": "^3.4.1"
"vite@>=5.0.0 <6.4.2": "^6.4.2"
"rollup@>=4 <4.59.0": "^4.59.0"
"flatted@>=3 <3.4.2": "^3.4.2"
"picomatch@>=2 <2.3.2": "^2.3.2"
"picomatch@>=4 <4.0.4": "^4.0.4"
"minimatch@>=3 <3.1.3": "^3.1.3"
"protobufjs": ">=7.5.8"
"fast-xml-parser@>=4 <4.5.5": "^4.5.5"
"fast-xml-parser@>=5 <5.7.0": "^5.7.0"
"path-to-regexp@>=0.1 <0.1.13": "^0.1.13"
"ajv@>=8 <8.18.0": "^8.18.0"
"socket.io-parser@>=4 <4.2.6": "^4.2.6"
"postcss@>=8 <8.5.10": "^8.5.10"
"yaml@>=2 <2.8.3": "^2.8.3"
"semver@>=5 <5.7.2": "^5.7.2"
"defu@>=6 <6.1.5": "^6.1.5"
"hono": ">=4.12.18"
"@hono/node-server": ">=1.19.13"
"mermaid": ">=11.15.0"
"ws": ">=8.20.1"
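Review bot: the dompurify entry `"dompurify@>=3 <3.4.0": "^3.4.1"` leaves a gap between selector and target: a resolved dompurify 3.4.0 matches neither the selector nor the version the override treats as fixed, so it stays in place; widen the selector to `<3.4.1`. The file also mixes two styles. The scoped entries (lodash, js-yaml, systeminformation, picomatch and the rest) limit which versions are rewritten and cap the replacement with `^` or an exact pin, whereas the six bare entries, `"axios": ">=1.15.2"`, plus protobufjs, hono, @hono/node-server, mermaid and ws, have no upper bound, so a fresh install after a new major of any of them resolves to that major; the scoped form, e.g. `"axios@>=1 <1.15.2": "^1.15.2"`, keeps the fix and the cap. Finally, `"vite@>=5.0.0 <6.4.2": "^6.4.2"` rewrites every vite 5 consumer onto vite 6, a major bump that vite plugins declaring a `vite@^5` peer dependency may not accept; if upstream ships a patched 5.x release, a separate `vite@>=5 <5.x` selector pointing at it avoids the forced major.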

🚩 Unbounded override specifiers could resolve to future major versions

Several overrides were changed from scoped+capped format (e.g., "axios@>=1.0.0 <1.15.0": "^1.15.0") to unscoped+unbounded format (e.g., "axios": ">=1.15.2"). The >= specifier without an upper bound means that when a new major version of these packages is released (axios 2.x, protobufjs 8.x, hono 5.x, ws 9.x, etc.), a fresh pnpm install could resolve to that breaking major version. The lockfile (pnpm-lock.yaml) currently pins safe versions (e.g., axios@1.16.1), so this is not an immediate issue, but it removes the safety net that ^ provided against major version bumps. This affects: axios, protobufjs, hono, @hono/node-server, mermaid, and ws at pnpm-workspace.yaml:47,62,72-75.

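The override problems discussed in this thread can be checked mechanically before a PR like this is opened. The script below is an added example and is not code from the trigger.dev repository or from either reviewer. It takes the `overrides` map in the shape pnpm-workspace.yaml uses (YAML parsing is assumed to happen elsewhere; a plain object is passed in, and the sample map is constructed from entries in the diff above) and reports three things: targets with no upper bound, selectors whose upper bound stops short of the target's floor, and selectors that force every matching version across a major.

```javascript
"use strict";

// Added example, not trigger.dev code: lint a pnpm `overrides` map for
// unbounded targets, selector/target gaps and forced cross-major rewrites.

// "3", "4.17" or "6.4.2" -> [major, minor, patch]; prerelease tags are ignored.
function parseVersion(s) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(s.trim());
  if (!m) throw new Error(`not a version: ${s}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "lodash@>=4.17 <4.18.0" -> { name, selector }; "axios" -> selector null.
// Scoped names start with "@", so the separator is the first "@" after index 0.
function parseKey(key) {
  const at = key.indexOf("@", 1);
  return at === -1
    ? { name: key, selector: null }
    : { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// Reduce a range to { low, high } (high exclusive; null means unbounded).
// Supports the forms present in the diff: ">=a <b", ">=a", "^a", "~a", "a".
function bounds(range) {
  const r = range.trim();
  let m;
  if ((m = /^\^([\d.]+)$/.exec(r))) {
    const low = parseVersion(m[1]);
    // caret: same major, or same minor when the major is 0
    return { low, high: low[0] === 0 ? [0, low[1] + 1, 0] : [low[0] + 1, 0, 0] };
  }
  if ((m = /^~([\d.]+)$/.exec(r))) {
    const low = parseVersion(m[1]);
    return { low, high: [low[0], low[1] + 1, 0] };
  }
  if (/^\d/.test(r)) {
    const v = parseVersion(r); // exact pin
    return { low: v, high: [v[0], v[1], v[2] + 1] };
  }
  let low = null, high = null;
  for (const part of r.split(/\s+/)) {
    if (part.startsWith(">=")) low = parseVersion(part.slice(2));
    else if (part.startsWith("<=")) { const v = parseVersion(part.slice(2)); high = [v[0], v[1], v[2] + 1]; }
    else if (part.startsWith("<")) high = parseVersion(part.slice(1));
    else throw new Error(`unsupported range: ${range}`);
  }
  return { low, high };
}

// Returns one finding per problem: { name, kind, detail }.
function lintOverrides(overrides) {
  const findings = [];
  for (const [key, target] of Object.entries(overrides)) {
    const { name, selector } = parseKey(key);
    const t = bounds(target);
    if (t.high === null) {
      findings.push({ name, kind: "unbounded-target",
        detail: `"${key}": "${target}" can resolve to any future major on a fresh install` });
    }
    if (selector === null) continue;
    const s = bounds(selector);
    // Versions in [s.high, t.low) match neither the selector nor the fixed range.
    if (s.high && t.low && cmp(s.high, t.low) < 0) {
      findings.push({ name, kind: "selector-gap",
        detail: `${name} >=${s.high.join(".")} <${t.low.join(".")} is neither rewritten nor fixed` });
    }
    // Selector starts in a lower major than the target: every match is force-upgraded.
    if (s.low && t.low && s.low[0] < t.low[0]) {
      findings.push({ name, kind: "cross-major",
        detail: `${name} ${selector} is rewritten to ${target}, a major bump` });
    }
  }
  return findings;
}

// Constructed sample, copied from entries in the diff above.
const SAMPLE_OVERRIDES = {
  "axios": ">=1.15.2",
  "dompurify@>=3 <3.4.0": "^3.4.1",
  "vite@>=5.0.0 <6.4.2": "^6.4.2",
  "lodash@>=4.17 <4.18.0": "^4.18.0",
  "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
  "hono": ">=4.12.18",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of lintOverrides(SAMPLE_OVERRIDES)) console.log(`${f.kind}: ${f.detail}`);
}
```

Run with `node` to list the findings for the sample; wire `lintOverrides` to the parsed `overrides` key of pnpm-workspace.yaml in a pre-commit hook or CI step and fail on any `unbounded-target` or `selector-gap`, with `cross-major` left as a warning to be confirmed by hand.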



Development

Successfully merging this pull request may close these issues.

High severity pnpm audit vulnerabilities in systeminformation
