Add CI + bring vercel-node-mongo pnpm setup up to repo standard #45

Merged: Gabrielpanga merged 1 commit into master from feat/vercel-mongo-ci on May 17, 2026
Conversation

@Gabrielpanga
Member

Summary

#37 landed the initial pnpm migration for `examples/vercel-node-mongo` with a minimal config (no preinstall audit, no full safety stack). This PR brings it in line with the same hardening every other migrated project ships with, then adds the CI workflow.

Bundled because: adding CI on top of the weak pnpm setup would either skip the supply-chain guarantees or have CI fail on day one. Doing both together keeps the project in a consistent state.

pnpm setup brought up to standard

`package.json`

  • `engines.node` `>=22.11.0` → `>=24.0.0`
  • `engines.pnpm: >=11.0.0`
  • `devEngines.runtime` with `onFail: error`
  • `scripts.preinstall: pnpm audit && pnpm audit signatures`
  • `scripts.lint:lockfile: pnpm install --frozen-lockfile`

`pnpm-workspace.yaml` — full skill template:

  • `minimumReleaseAge` 10080 → 20160 (7d → 14d)
  • `minimumReleaseAgeIgnoreMissingTime: true`
  • `engineStrict: true`
  • `trustPolicy: no-downgrade` + `trustPolicyIgnoreAfter: 129600` (90d)
  • `blockExoticSubdeps: true`, `savePrefix: ""`, `resolutionMode: highest`
  • `minimumReleaseAgeExclude: ['@pluggyai/*']`

`.gitignore` — blocks `package-lock.json` and `yarn.lock`. `.npmrc` removed.

Required bump

  • `mongodb` 3.6.6 → 3.6.10 — same minor, patches `GHSA-vxvm-qww3-2fh7` (driver may publish events containing auth data). Required for the new `preinstall` audit hook to pass.

Source fixes from strict typecheck

  • `api/notifications.ts` now lazy-constructs `PluggyClient` inside the handler and guards both env vars. Previously it threw at module import time when env was missing, and passed `string | undefined` into `PluggyClient` whose typings require `string`.
  • `lib/db.ts` now guards `MONGO_URI` before passing it to `MongoClient`.

CI plumbing

  • new `tsconfig.json` (ES2022, NodeNext, strict, `isolatedModules`, `noEmit`; includes `api/` and `lib/`)
  • `typescript@5.9.3` devDep
  • `typecheck` / `lint` / `test` / `build` scripts (all → `tsc --noEmit`)

Workflow

`.github/workflows/vercel-mongo-ci.yml` — path-filtered, concurrency-cancelled. Node 24, pnpm 11.1.1, `pnpm install --frozen-lockfile`, then `lint` / `test` / `build`. Same shape as #41#44.

Verification

  • `pnpm install --frozen-lockfile` succeeds (preinstall audit + signatures clean)
  • `pnpm run lint` / `pnpm run test` / `pnpm run build` all pass

PR #37 landed the initial pnpm migration for this project with a
minimal config (no preinstall audit, no full safety stack). This
PR brings it in line with the same hardening every other migrated
project ships with, then adds CI.

pnpm setup brought up to standard:

  package.json
  - engines.node >=22.11.0 -> >=24.0.0
  - engines.pnpm >=11.0.0 added
  - devEngines.runtime with onFail: error
  - scripts.preinstall: pnpm audit && pnpm audit signatures
  - scripts.lint:lockfile: pnpm install --frozen-lockfile

  pnpm-workspace.yaml - full safety stack:
  - minimumReleaseAge 10080 -> 20160 (7d -> 14d)
  - minimumReleaseAgeIgnoreMissingTime: true
  - engineStrict: true
  - trustPolicy: no-downgrade + trustPolicyIgnoreAfter 90d
  - blockExoticSubdeps: true
  - savePrefix: ""
  - resolutionMode: highest
  - minimumReleaseAgeExclude: '@pluggyai/*'
  - allowBuilds: {}
  - overrides: {}

  .gitignore - block package-lock.json and yarn.lock
  .npmrc removed (workspace.yaml is the single source of truth)

Dependency bump required to make preinstall audit pass:
- mongodb 3.6.6 -> 3.6.10 (same minor, patches GHSA-vxvm-qww3-2fh7:
  driver may publish events containing auth data)

Source fixes surfaced by tsc --noEmit in strict mode:
- api/notifications.ts now lazy-constructs PluggyClient inside the
  handler and guards both env vars (was throwing at module import
  time when env was missing, and passing string | undefined into
  PluggyClient which strictly requires string).
- lib/db.ts now guards MONGO_URI before passing it to MongoClient.

Plumbing for CI:
- new tsconfig.json (ES2022, NodeNext, strict, isolatedModules,
  noEmit; includes api/** and lib/**)
- typescript 5.9.3 devDependency
- typecheck / lint / test / build scripts (all -> tsc --noEmit)

CI workflow (.github/workflows/vercel-mongo-ci.yml):
- path-filtered on examples/vercel-node-mongo/** + the workflow
- concurrency-cancels older runs on the same ref
- Node 24, pnpm 11.1.1, install --frozen-lockfile, then lint /
  test / build
@Gabrielpanga Gabrielpanga requested a review from a team as a code owner May 17, 2026 07:51
@Gabrielpanga Gabrielpanga merged commit 532c151 into master May 17, 2026
1 of 2 checks passed
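
The source fix described in this PR (construct the client inside the handler and guard the environment variables first) can be sketched as follows. This is an added example, not code from this repository: `StandInPluggyClient`, `requireEnv`, `handleNotification` and the `PLUGGY_CLIENT_ID` / `PLUGGY_CLIENT_SECRET` variable names are assumptions, and the environment is passed in as a parameter so the guard can be exercised without a deployment.

```typescript
// Added example. In a real handler `env` would be process.env.
type Env = Record<string, string | undefined>;

// Stand-in for the SDK client (hypothetical): like the typings the PR
// mentions, it accepts `string` only, never `string | undefined`.
class StandInPluggyClient {
  clientId: string;
  clientSecret: string;
  constructor(clientId: string, clientSecret: string) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
  }
}

// Narrows `string | undefined` to `string`. The error carries the variable
// NAME only, so a secret's value can never end up in a log line.
function requireEnv(env: Env, name: string): string {
  const value = env[name];
  if (value === undefined || value.trim() === "") {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

interface HandlerResult {
  status: number;
  body: string;
}

// Nothing is constructed at module import time. A missing variable fails
// this one request with a generic 500 instead of crashing the import, and
// the response body does not reveal which setting is absent.
function handleNotification(env: Env): HandlerResult {
  let client: StandInPluggyClient;
  try {
    client = new StandInPluggyClient(
      requireEnv(env, "PLUGGY_CLIENT_ID"),     // assumed variable name
      requireEnv(env, "PLUGGY_CLIENT_SECRET"), // assumed variable name
    );
  } catch {
    return { status: 500, body: "server misconfigured" };
  }
  // ... process the webhook with `client` here ...
  return { status: 200, body: client.clientId.length > 0 ? "ok" : "" };
}
```

The same `requireEnv` guard applies to `MONGO_URI` before it is handed to `MongoClient`.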