fix: pnpm lock #145

Open
sergiofilhowz wants to merge 2 commits into main from feat/pnpm-lock

@sergiofilhowz sergiofilhowz commented May 15, 2026

Summary by CodeRabbit

  • Chores
    • Updated development configuration files to ensure consistent package manager usage and Git tracking settings.

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
workers Ready Ready Preview, Comment May 15, 2026 10:30pm

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@sergiofilhowz has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 49 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 016f25fd-c0a5-4757-b11e-d5aea22d15aa

📥 Commits

Reviewing files that changed from the base of the PR and between 7179095 and 61da8ed.

📒 Files selected for processing (17)
  • .gitignore
  • console/web/src/pages/Playground/EventLog.tsx
  • console/web/src/pages/Playground/ScenarioPicker.tsx
  • console/web/src/pages/Playground/index.tsx
  • console/web/src/pages/Playground/scenarios/abort-mid-thought.ts
  • console/web/src/pages/Playground/scenarios/error-on-fcall.ts
  • console/web/src/pages/Playground/scenarios/fast-tokens.ts
  • console/web/src/pages/Playground/scenarios/happy-agent.ts
  • console/web/src/pages/Playground/scenarios/happy-ask.ts
  • console/web/src/pages/Playground/scenarios/happy-plan.ts
  • console/web/src/pages/Playground/scenarios/helpers.ts
  • console/web/src/pages/Playground/scenarios/index.ts
  • console/web/src/pages/Playground/scenarios/long-markdown.ts
  • console/web/src/pages/Playground/scenarios/markdown-stress.ts
  • console/web/src/pages/Playground/scenarios/multi-tool-agent.ts
  • console/web/src/pages/Playground/scenarios/pending-approval.ts
  • console/web/src/pages/Playground/scenarios/slow-tokens.ts
📝 Walkthrough

This PR pins the pnpm package manager version to 10.18.2 in console/web/package.json and updates .gitignore to exclude the corresponding lock file from version control.

Changes

Package Manager Configuration

Layer / File(s) | Summary
pnpm version pinning and lock file management (console/web/package.json, .gitignore) | packageManager field pins pnpm@10.18.2; lock file exclusion rule added to .gitignore.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A rabbit hops through config with care,
Pinning pnpm, lock files fair,
Version ten-point-eighteen-two,
Tools aligned, all shiny new! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title 'fix: pnpm lock' is vague and generic, using non-descriptive language that doesn't clearly convey what specific issue is being fixed or what the changes accomplish. | Use a more descriptive title that explains the actual fix, such as 'fix: pin pnpm version in package.json and update gitignore' or 'fix: enforce pnpm version consistency across console/web'.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

github-actions Bot commented May 15, 2026

skill-check — worker

0 verified, 25 skipped (no docs/).

Layer Result
structure
vale
ai

Three for three. Nicely done.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@console/web/package.json`:
- Line 6: The package.json's packageManager field currently pins pnpm@10.18.2
which has known security vulnerabilities; update the "packageManager" value (the
packageManager key in package.json) to "pnpm@11.1.2" (or at minimum
"pnpm@10.28.2") to pull a fixed pnpm version, then regenerate any lockfiles /
run the install (pnpm install) to ensure the updated manager/version is used
across the project.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d681142e-4bc1-45f3-be64-86325c0bdd1b

📥 Commits

Reviewing files that changed from the base of the PR and between 0530b1a and 7179095.

⛔ Files ignored due to path filters (1)
  • console/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .gitignore
  • console/web/package.json

Comment thread console/web/package.json
"private": true,
"version": "0.0.0",
"type": "module",
"packageManager": "pnpm@10.18.2",
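
Review bot: the `packageManager` value on the last line of this hunk pins `pnpm@10.18.2` by version only, with no integrity suffix. Corepack accepts a hash suffix on this field, in the form `pnpm@<version>+sha512.<digest>`, and checks the downloaded pnpm release against it; consider adding the digest for whichever version ends up pinned so the toolchain pin is verified rather than only named.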

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify pnpm version exists and check for latest stable version

# Check if version 10.18.2 exists on npm
echo "=== Checking if pnpm@10.18.2 exists ==="
npm view pnpm@10.18.2 version 2>/dev/null || echo "Version not found"

# Get latest pnpm version
echo -e "\n=== Latest pnpm version ==="
npm view pnpm version

# Check for security advisories
echo -e "\n=== Security advisories for pnpm ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "pnpm") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: iii-hq/workers

Length of output: 1427


Upgrade pnpm to version 11.1.2 (or minimum 10.28.2) to address multiple security vulnerabilities.

pnpm@10.18.2 contains five known MODERATE severity path traversal vulnerabilities that allow arbitrary file writes/creation via ZIP extraction, permission modification, and symlink traversal. Fixed in 10.28.1 (for some) and 10.28.2 (for others). Latest stable is 11.1.2, which should be used instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@console/web/package.json` at line 6, The package.json's packageManager field
currently pins pnpm@10.18.2 which has known security vulnerabilities; update the
"packageManager" value (the packageManager key in package.json) to "pnpm@11.1.2"
(or at minimum "pnpm@10.28.2") to pull a fixed pnpm version, then regenerate any
lockfiles / run the install (pnpm install) to ensure the updated manager/version
is used across the project.
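
A CI-style guard for the finding above, as an added example that is not part of this PR or of CodeRabbit's comment: it parses the `packageManager` field and reports a pnpm pin below the minimum fixed version named in the review (10.28.2) or a pin without a Corepack-style integrity suffix. The function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: gate on the pnpm version pinned in package.json's "packageManager".
// MIN_FIXED is the minimum fixed version stated in the review comment above.
const MIN_FIXED = "10.28.2";

// Parse "name@major.minor.patch[+algo.digest]" (the Corepack packageManager format).
function parsePackageManager(spec) {
  const m = /^([a-z][a-z0-9-]*)@(\d+)\.(\d+)\.(\d+)(?:\+([a-z0-9]+)\.([0-9a-f]+))?$/i.exec(spec || "");
  if (!m) return null; // ranges, tags and pre-releases are not exact pins
  return {
    name: m[1],
    version: [Number(m[2]), Number(m[3]), Number(m[4])],
    hashAlgo: m[5] || null,
    hash: m[6] || null,
  };
}

// Numeric comparison of [major, minor, patch]; a plain string compare
// would wrongly rank "10.9.0" above "10.28.2".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns a list of findings; an empty list means the pin passes.
function checkPnpmPin(packageJsonText, minFixed = MIN_FIXED) {
  const pin = parsePackageManager(JSON.parse(packageJsonText).packageManager);
  if (!pin) return ["packageManager missing or not an exact name@x.y.z pin"];
  if (pin.name !== "pnpm") return [`packageManager is ${pin.name}, not pnpm`];
  const findings = [];
  const min = minFixed.split(".").map(Number);
  if (compareVersions(pin.version, min) < 0) {
    findings.push(`pnpm ${pin.version.join(".")} is below ${minFixed}`);
  }
  if (!pin.hash) findings.push("pin has no +<algo>.<digest> integrity suffix");
  return findings;
}

// Constructed samples: the pin from this PR and the minimum suggested in review.
const fromPr = JSON.stringify({ private: true, packageManager: "pnpm@10.18.2" });
const bumped = JSON.stringify({ private: true, packageManager: "pnpm@10.28.2" });
console.log(checkPnpmPin(fromPr));
console.log(checkPnpmPin(bumped));
```

In CI, the same function can be fed the contents of `console/web/package.json` and the job failed when the returned list is non-empty.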
