chore: upgrade pnpm to 11.8.0 and resolve audit vulnerabilities

[sriramveeraghanta]

Summary

• Upgrade pnpm 10.33.0 → 11.8.0 (packageManager field, with corepack integrity hash). pnpm self-switches to this version.
• Move overrides to pnpm-workspace.yaml — relocated overrides and peerDependencyRules out of package.json's pnpm field into the new workspace file (pnpm's recommended location), alongside a new auditConfig.
• Resolve all actionable pnpm audit advisories — was 17 total (1 high, 13 moderate, 3 low).

Vulnerability resolution

Package	Before	After	Fixes
vite	6.4.2	6.4.3	GHSA-fx2h-pf6j-xcff (high) + GHSA-v6wh-96g9-6wx3
dompurify	3.4.0	3.4.11	8 DOMPurify advisories (via mermaid)
postcss	8.5.6	8.5.15	GHSA-qx2v-qp2m-jg93 (new override)
uuid	11.1.0	11.1.1	GHSA-w5hq-g745-h8pq (new override, stays in mermaid's ^11 range)
mermaid	^11.12.2	^11.15.0	4 advisories (direct devDependency)
js-yaml	3.14.2	ignored	see below

js-yaml (GHSA-h67p-54hq-rp68, moderate) — intentionally ignored

gray-matter@4.0.3 hard-pins js-yaml 3.x (uses safeLoad/safeDump, removed in js-yaml 4.x) and has no newer release; the fix only landed in js-yaml >=4.2.0, so 3.x cannot be patched. js-yaml here only parses this repo's own build-time frontmatter (trusted input), so the merge-key DoS is not reachable. Ignored via auditConfig.ignoreGhsas with a documenting comment.

pnpm 11 also surfaced its new allowBuilds approval for esbuild/vue-demi; set to false to match prior pnpm 10 behavior (those build scripts were never approved and the site builds without them).

Verification

• pnpm audit --audit-level low → exit 0 (only the documented js-yaml entry remains, ignored)
• pnpm build ✓ (incl. llms.txt generation — confirms gray-matter/js-yaml 3.x still works)
• pnpm check:format ✓
• pnpm check:types ✓

Summary by CodeRabbit

• Chores
  • Updated development dependencies to latest stable versions
  • Added workspace configuration for improved dependency management

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
developer-docs	Ready	Preview, Comment	Jun 18, 2026 9:43pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb7aad17-1d45-4566-a43f-c2b1a9553e7e

📥 Commits

Reviewing files that changed from the base of the PR and between f6749a7 and 481e47e.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json
• pnpm-workspace.yaml

---

📝 Walkthrough

Walkthrough

Upgrades pnpm from v10.33.0 to v11.8.0 in package.json and bumps the mermaid devDependency from ^11.12.2 to ^11.15.0. Adds a new pnpm-workspace.yaml migrating workspace-level pnpm configuration, including dependency overrides, security patches for transitive deps, peer dependency rules, audit advisory ignores, and build controls.

Changes

pnpm v11 upgrade and workspace configuration

Layer / File(s)	Summary
pnpm and mermaid version bumps package.json	Updates packageManager to pnpm@11.8.0 and bumps the mermaid devDependency to ^11.15.0.
New pnpm workspace config pnpm-workspace.yaml	Introduces pnpm-workspace.yaml with overrides pinning rollup, lodash-es, esbuild, and security-patched versions of dompurify, vite, postcss, and uuid; adds peerDependencyRules limiting vitepress to v2; configures auditConfig.ignoreGhsas to suppress a js-yaml advisory; sets allowBuilds to disable esbuild and vue-demi builds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hippity hop, pnpm's grown!
From ten to eleven, the workspace has flown.
New overrides pinned, security patched tight,
Mermaid diagrams sparkle with fresh delight.
The rabbit approves — the lockfile looks right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: upgrading pnpm to 11.8.0 and resolving audit vulnerabilities, which are the core objectives of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update/pnpm-11.8-and-audit-fixes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}