Support Node 25 with corepack-managed pnpm

[JohnMcLear]

Summary

• route root scripts and startup plugin pnpm calls through Corepack so fresh Node 25 installs use the pinned pnpm version
• bump the Corepack pin to pnpm 11.1.2 and keep the explicit pnpm engine requirement
• move fixed-version CI jobs and PR-default workflow runs to Node 25 while keeping the wider 22/24/25 matrix on push

Testing

• corepack pnpm test-utils
• clean-copy install with corepack pnpm install --frozen-lockfile
• clean-copy startup on Node 25 and HTTP probe on a free port

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Support Node 25 with Corepack-managed pnpm and fix Windows test flakes

✨ Enhancement 🐞 Bug fix

Walkthroughs

Description

• Route pnpm calls through Corepack for Node 25 compatibility
• Update pnpm to 11.1.2 and add explicit engine requirement
• Fix Windows test flakes in updater-integration tests
• Upgrade CI workflows and fixed-version jobs to Node 25

Diagram

flowchart LR
  A["pnpm calls"] -->|"route through Corepack"| B["corepack pnpm"]
  C["package.json scripts"] -->|"prepend corepack"| B
  D["plugin installer"] -->|"use Corepack"| B
  E["Windows test cleanup"] -->|"add retry logic"| F["fs.rm maxRetries"]
  G["rollback polling"] -->|"replace sleep"| H["poll terminal state"]
  I["CI workflows"] -->|"update to"| J["Node 25"]
  K["pnpm version"] -->|"bump to"| L["11.1.2"]

Loading

File Changes

1. src/static/js/pluginfw/installer.ts ✨ Enhancement +2/-1

Route pnpm commands through Corepack

src/static/js/pluginfw/installer.ts

---

2. src/static/js/pluginfw/plugins.ts ✨ Enhancement +4/-3

Use Corepack for pnpm version check

src/static/js/pluginfw/plugins.ts

---

3. src/tests/backend/specs/updater-integration.ts 🐞 Bug fix +22/-7

Fix Windows file cleanup and rollback polling flakes

src/tests/backend/specs/updater-integration.ts

---

View more (16)

4. .github/workflows/backend-tests.yml ⚙️ Configuration changes +2/-2

Update PR matrix to Node 25

.github/workflows/backend-tests.yml

---

5. .github/workflows/build-and-deploy-docs.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/build-and-deploy-docs.yml

---

6. .github/workflows/docker.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/docker.yml

---

7. .github/workflows/frontend-admin-tests.yml ⚙️ Configuration changes +1/-1

Update PR matrix to Node 25

.github/workflows/frontend-admin-tests.yml

---

8. .github/workflows/frontend-tests.yml ⚙️ Configuration changes +4/-4

Upgrade Node version to 25 across jobs

.github/workflows/frontend-tests.yml

---

9. .github/workflows/handleRelease.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/handleRelease.yml

---

10. .github/workflows/installer-test.yml ⚙️ Configuration changes +2/-2

Upgrade Node version to 25

.github/workflows/installer-test.yml

---

11. .github/workflows/load-test.yml ⚙️ Configuration changes +3/-3

Upgrade Node version to 25 across jobs

.github/workflows/load-test.yml

---

12. .github/workflows/perform-type-check.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/perform-type-check.yml

---

13. .github/workflows/rate-limit.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/rate-limit.yml

---

14. .github/workflows/release.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/release.yml

---

15. .github/workflows/releaseEtherpad.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/releaseEtherpad.yml

---

16. .github/workflows/update-plugins.yml ⚙️ Configuration changes +1/-1

Upgrade Node version to 25

.github/workflows/update-plugins.yml

---

17. .github/workflows/upgrade-from-latest-release.yml ⚙️ Configuration changes +1/-1

Update PR matrix to Node 25

.github/workflows/upgrade-from-latest-release.yml

---

18. CHANGELOG.md 📝 Documentation +1/-1

Update pnpm version to 11.1.2

CHANGELOG.md

---

19. package.json ✨ Enhancement +22/-21

Route scripts through Corepack and update pnpm

package.json

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

1. bin scripts bypass Corepack 🐞 Bug ⚙ Maintainability

Description

Although the PR shifts repo entrypoints toward a Corepack-managed, pinned pnpm, the
README-recommended ./bin/run.sh flow and the Tier-2 updater (preflight/executor/rollback) still
invoke pnpm directly and even install it via npm install -g pnpm, which can break in
environments without npm and/or without a global pnpm on PATH. This undermines the pinned
packageManager intent and can block startup, upgrades, and update apply/rollback in
Corepack-provisioned deployments (including the documented Docker image).

Code

package.json[R32-34]

+    "build:etherpad": "corepack pnpm --filter admin run build-copy && corepack pnpm --filter ui run build-copy",
+    "build:ui": "corepack pnpm --filter ui run build-copy && corepack pnpm --filter admin run build-copy",
+    "makeDocs": "corepack pnpm --filter bin run makeDocs"

Evidence

The cited changes indicate the repository is moving to Corepack-managed pnpm at the top-level (via
package.json packageManager and updated root scripts), but the operational paths still assume
standalone tooling: the README points to ./bin/run.sh, which calls bin/installDeps.sh that runs
pnpm directly and falls back to npm install -g pnpm, and the updater code path explicitly
preflights with pnpm --version and spawns pnpm during executor/rollback. Because some supported
environments (as documented in repo docs/CHANGELOG and the official Docker image guidance)
intentionally omit npm/npx and rely on Corepack for pnpm provisioning, these direct pnpm/npm
assumptions create a mismatch that will surface as missing-command failures during upgrades or
updates.

package.json[15-35]
bin/installDeps.sh[4-43]
bin/run.sh[29-48]
README.md[235-256]
CHANGELOG.md[17-19]
src/node/hooks/express/updateActions.ts[65-88]
src/node/updater/UpdateExecutor.ts[159-173]
src/node/updater/RollbackHandler.ts[111-134]
CHANGELOG.md[15-19]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
After shifting repo scripts to `corepack pnpm` (pinned via `packageManager`), several operational entrypoints still hard-require a standalone `pnpm` (and even `npm`) binary: the README upgrade/run path (`./bin/run.sh` -> `bin/installDeps.sh`) runs `pnpm` directly and installs pnpm via `npm install -g pnpm`, and the updater subsystem (preflight/executor/rollback) also checks/spawns `pnpm` directly. This bypasses the pinned pnpm version and breaks in environments that rely on Corepack provisioning and/or intentionally omit npm, causing failures in startup/upgrade and in update apply/rollback.

## Issue Context
- `README.md` instructs operators to use `./bin/run.sh` for upgrades.
- `bin/run.sh` calls `bin/installDeps.sh`, which assumes `npm` is available to install pnpm and then executes `pnpm` directly.
- The updater path currently preflights with `pnpm --version` and spawns `pnpm` in executor/rollback, so updates fail if `pnpm` is not on PATH even when Corepack is the intended provisioning method.
- Repo docs/CHANGELOG mention supported environments (notably the official Docker image) that provision pnpm via Corepack and may not ship npm/npx.

## Fix Focus Areas
- bin/installDeps.sh[11-43]
- bin/run.sh[29-48]
- README.md[235-256]
- src/node/hooks/express/updateActions.ts[65-88]
- src/node/updater/UpdateExecutor.ts[159-173]
- src/node/updater/RollbackHandler.ts[111-133]
- src/node/updater/preflight.ts[20-53]

## Suggested approach
- Replace direct `pnpm ...` calls in `bin/run.sh` / `bin/installDeps.sh` with `corepack pnpm ...` so the pinned version declared in `package.json` is respected.
- Remove or redesign the `npm install -g pnpm` fallback to be Corepack-based (e.g., ensure Corepack is enabled and rely on `packageManager`), or at minimum ensure the installed pnpm matches the pinned version.
- Introduce a small helper in the updater code that determines how to invoke pnpm:
 - Prefer `pnpm` if available on PATH.
 - Otherwise fall back to `corepack pnpm`.
- Update updater preflight to accept either `pnpm --version` or `corepack pnpm --version`.
- Update UpdateExecutor/RollbackHandler/install/build steps to use the helper (e.g., invoke `corepack` with `['pnpm', ...]` when needed).
- Keep logging/operator output coherent (e.g., log `pnpm install ...` even if invoked via corepack) so operational logs do not regress.
- Update README upgrade instructions if the intended entrypoint/requirements change, explicitly documenting Corepack-based pnpm usage where appropriate.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[JohnMcLear]

❯ why in this PR is tehre so much pnpm shimming/dancing?

● Because Node 25 wasn’t really the hard part; pnpm resolution was. Etherpad already mostly runs on Node 25. The failures came from different places picking
up different pnpm binaries:

• local/global pnpm could be older than the repo expects
• CI actions were installing one pnpm version while the repo pinned another
• runtime paths like plugin migration, updater, and shell scripts were bypassing the pinned packageManager version entirely

So the “shimmy” is mostly making all those entrypoints converge on the repo-pinned pnpm via Corepack instead of “whatever pnpm happens to be on PATH”.

Without that, a fresh clone on Node 25 could:

• install with one pnpm,
• run scripts with another,
• and hit runtime/update/plugin code with a third.

That’s why the PR touches more than package.json: the point was to make install, CI, startup, plugins, updater, and Docker all use the same pnpm contract.

Short version: the PR is not working around Node 25 so much as removing hidden assumptions that “bare pnpm on PATH is fine.”

[JohnMcLear]

Corepack is dropped in 25. Need to check that.

[JohnMcLear]

Closing — superseded by #7747 (clean Node 25 scope, no corepack shimming), which has merged as 99f8258.