chore: update pnpm to v10.14.0 and configure build dependencies #42

Merged: sehyunchung merged 3 commits into main from update-pnpm-version on Aug 17, 2025
sehyunchung (Owner) commented Aug 17, 2025

Summary

  • Updated pnpm package manager from v9.15.5 to v10.14.0
  • Maintained consistent package manager version across the monorepo
  • Fixed code formatting in mobile auth configuration

Test plan

  • All existing tests pass
  • Build process works correctly with new pnpm version
  • No breaking changes in package management

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Upgraded workspace package manager for improved tooling reliability.
    • Updated workspace configuration to prebuild selected dependencies, improving build stability and performance.
    • Standardized project indentation settings for consistent formatting across files.
    • Minor formatting cleanup in the mobile authentication screen with no functional changes.

No user-facing features or bug fixes are included in this release.

sehyunchung and others added 2 commits August 16, 2025 20:21
- Update packageManager version from 9.15.5 to 10.14.0
- Add onlyBuiltDependencies configuration for secure build script management
- Approved build scripts for core-js, esbuild, msw, sharp, unrs-resolver

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Fix indentation for better readability in Google OAuth config check

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
coderabbitai Bot commented Aug 17, 2025

Walkthrough

Reformatted a Google OAuth config check in the mobile auth screen; bumped packageManager in package.json to pnpm@10.14.0; unquoted workspace globs and added onlyBuiltDependencies in pnpm-workspace.yaml; reduced indent_size/tab_width from 4 to 2 in multiple .editorconfig blocks.

Changes

Cohort / File(s) | Summary
Mobile Auth Formatting (apps/mobile/app/auth.tsx) | Reformatted the hasGoogleConfig boolean expression; no behavioral or logic change.
Package Manager Bump (package.json) | Updated packageManager from pnpm@9.15.5 to pnpm@10.14.0.
Workspace Config Updates (pnpm-workspace.yaml) | Unquoted workspace globs (apps/*, packages/*) and added onlyBuiltDependencies: core-js, esbuild, msw, sharp, unrs-resolver.
EditorConfig Indentation (.editorconfig) | Reduced indent_size and tab_width from 4 to 2 in multiple blocks ([*], *.json, *.{ts,tsx,js,jsx,mjs,cjs}, *.{css,scss,sass,less}, *.{html,htm,xml,svg}); other blocks unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I twitch my whiskers, nibble a line,
Tidy the boolean, make spacing fine.
PNPM grows new paws to roam,
Workspace paths find a tidy home.
I thump my foot — the repo hums — hop on! 🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Free

📥 Commits

Reviewing files that changed from the base of the PR and between 5969b6e and cd8930e.

📒 Files selected for processing (1)
  • .editorconfig (2 hunks)

vercel Bot commented Aug 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
rite | Ready | Preview | Comment | Aug 17, 2025 5:06am
rite-expo-web | Ready | Preview | Comment | Aug 17, 2025 5:06am

claude Bot commented Aug 17, 2025

Claude finished @sehyunchung's task —— View job


PR Review Complete ✅

I've reviewed this pull request and provide feedback on code quality, potential issues, performance, security, and test coverage.

Review Tasks:

  • Read repository guidelines (CLAUDE.md)
  • Examine package.json changes for pnpm version update
  • Review pnpm-workspace.yaml configuration changes
  • Analyze auth.tsx formatting fixes
  • Assess potential breaking changes and security implications
  • Provide comprehensive review feedback

📋 Review Summary

This is a clean maintenance PR that updates pnpm from v9.15.5 to v10.14.0 with appropriate security configurations. The changes are minimal and well-executed.

Positive Aspects

  1. Security Enhancement: The addition of onlyBuiltDependencies in pnpm-workspace.yaml is a security best practice that restricts which packages can run build scripts, preventing potential supply chain attacks.

  2. Appropriate Package Selection: The listed packages (core-js, esbuild, msw, sharp, unrs-resolver) are legitimate tools that require build scripts:

    • core-js: Polyfill library needing postinstall scripts
    • esbuild: Bundler requiring native binary setup
    • msw: Service worker generation
    • sharp: Image processing with native dependencies
    • unrs-resolver: Build tooling

  3. Code Formatting Improvement: The auth.tsx fix properly aligns the OR conditions, improving readability:

    // Before (inconsistent indentation)
    process.env.EXPO_PUBLIC_GOOGLE_OAUTH_CLIENT_ID_IOS ||
        process.env.EXPO_PUBLIC_GOOGLE_ANDROID_CLIENT_ID ||
        process.env.EXPO_PUBLIC_GOOGLE_WEB_CLIENT_ID
    
    // After (consistent alignment)
    process.env.EXPO_PUBLIC_GOOGLE_OAUTH_CLIENT_ID_IOS ||
    process.env.EXPO_PUBLIC_GOOGLE_ANDROID_CLIENT_ID ||
    process.env.EXPO_PUBLIC_GOOGLE_WEB_CLIENT_ID

  4. Clean YAML Format: Removing unnecessary quotes in workspace.yaml follows modern YAML best practices.

🔍 Minor Observations

  1. Migration Compatibility: pnpm v10 is a major version bump from v9, but the changes appear to handle this appropriately. The workspace configuration follows the new security model.

  2. Code Style Consistency: The auth.tsx change follows the project's code formatting guidelines mentioned in CLAUDE.md.

🧪 Test Coverage Assessment

  • Claimed Testing: PR description states "All existing tests pass" and "Build process works correctly"
  • Test Requirements: Repository has strict TDD requirements (80% overall, 90% new code)
  • Assessment: Since this is primarily a package manager update with minimal code changes, the existing test suite should adequately cover regression testing

🔒 Security Review

  • onlyBuiltDependencies: Excellent security addition that prevents unauthorized packages from running build scripts
  • Package Manager Update: Moving to pnpm v10 includes security improvements and bug fixes
  • No Credential Exposure: No environment variables or secrets exposed in the changes

🚀 Performance Considerations

  • pnpm v10 includes performance improvements over v9
  • Build dependency restrictions may slightly improve install times by reducing script execution
  • No negative performance impact expected

📝 Recommendations

  1. ✅ Approved for Merge: This PR implements security best practices and maintains code quality
  2. Consider Documentation: If this is the first use of onlyBuiltDependencies, consider documenting the security model in CLAUDE.md
  3. Monitor Build Process: After merge, verify that all build processes work correctly with the new pnpm version

🎯 Overall Assessment

LGTM - This is a well-executed maintenance PR that enhances security while updating to the latest pnpm version. The changes are minimal, focused, and follow best practices.

Risk Level: Low
Code Quality: High
Security Impact: Positive (improved)


- Change tab width from 4 to 2 spaces for better consistency
- Apply to all file types: JS/TS, JSON, CSS, HTML/XML/SVG
- Maintain existing tab style preference
- Keep YAML files at 2 spaces as per convention

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
claude Bot commented Aug 17, 2025

Claude finished @sehyunchung's task —— View job


PR Review Tasks

  • Read repository guidelines (CLAUDE.md)
  • Examine package.json changes for pnpm version update
  • Review pnpm-workspace.yaml configuration changes
  • Analyze .editorconfig modifications
  • Review auth.tsx formatting fixes
  • Assess potential breaking changes and security implications
  • Provide comprehensive review feedback

PR Review Complete ✅

I've reviewed this pull request and provide feedback on code quality, potential issues, performance, security, and test coverage.

📋 Review Summary

This is a clean maintenance PR that updates pnpm from v9.15.5 to v10.14.0 with appropriate security configurations. The changes are minimal and well-executed.

Positive Aspects

  1. Security Enhancement: The addition of onlyBuiltDependencies in pnpm-workspace.yaml is a security best practice that restricts which packages can run build scripts, preventing potential supply chain attacks.

  2. Appropriate Package Selection: The listed packages (core-js, esbuild, msw, sharp, unrs-resolver) are legitimate tools that require build scripts:

    • core-js: Polyfill library needing postinstall scripts
    • esbuild: Bundler requiring native binary setup
    • msw: Service worker generation
    • sharp: Image processing with native dependencies
    • unrs-resolver: Build tooling

  3. Code Formatting Improvement: The auth.tsx fix properly aligns the OR conditions, improving readability:

    // Before (inconsistent indentation)
    process.env.EXPO_PUBLIC_GOOGLE_OAUTH_CLIENT_ID_IOS ||
        process.env.EXPO_PUBLIC_GOOGLE_ANDROID_CLIENT_ID ||
        process.env.EXPO_PUBLIC_GOOGLE_WEB_CLIENT_ID
    
    // After (consistent alignment)
    process.env.EXPO_PUBLIC_GOOGLE_OAUTH_CLIENT_ID_IOS ||
    process.env.EXPO_PUBLIC_GOOGLE_ANDROID_CLIENT_ID ||
    process.env.EXPO_PUBLIC_GOOGLE_WEB_CLIENT_ID

  4. Clean YAML Format: Removing unnecessary quotes in workspace.yaml follows modern YAML best practices.

  5. EditorConfig Standardization: Updates to use 2-space tab width consistently improves development experience across the team.

🔍 Minor Observations

  1. Migration Compatibility: pnpm v10 is a major version bump from v9, but the changes appear to handle this appropriately. The workspace configuration follows the new security model.

  2. Code Style Consistency: The auth.tsx change follows the project's code formatting guidelines mentioned in CLAUDE.md.

🧪 Test Coverage Assessment

  • Claimed Testing: PR description states "All existing tests pass" and "Build process works correctly"
  • Test Requirements: Repository has strict TDD requirements (80% overall, 90% new code)
  • Assessment: Since this is primarily a package manager update with minimal code changes, the existing test suite should adequately cover regression testing

🔒 Security Review

  • onlyBuiltDependencies: Excellent security addition that prevents unauthorized packages from running build scripts
  • Package Manager Update: Moving to pnpm v10 includes security improvements and bug fixes
  • No Credential Exposure: No environment variables or secrets exposed in the changes

🚀 Performance Considerations

  • pnpm v10 includes performance improvements over v9
  • Build dependency restrictions may slightly improve install times by reducing script execution
  • No negative performance impact expected

📝 Recommendations

  1. ✅ Approved for Merge: This PR implements security best practices and maintains code quality
  2. Consider Documentation: If this is the first use of onlyBuiltDependencies, consider documenting the security model in CLAUDE.md
  3. Monitor Build Process: After merge, verify that all build processes work correctly with the new pnpm version

🎯 Overall Assessment

LGTM - This is a well-executed maintenance PR that enhances security while updating to the latest pnpm version. The changes are minimal, focused, and follow best practices.

Risk Level: Low
Code Quality: High
Security Impact: Positive (improved)
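
The onlyBuiltDependencies allowlist discussed in the reviews above, as an added example that is not part of the PR or the repository's code: under pnpm v10, dependency install scripts run only for packages named in the allowlist, so this check compares the allowlist with the packages that declare install-time scripts. The function names, the `example-*` packages and the manifest contents are constructed for illustration.

```javascript
const LIFECYCLE = ["preinstall", "install", "postinstall"];
const hasInstallScript = (m) => LIFECYCLE.some((k) => m.scripts && m.scripts[k]);

// Reads the `onlyBuiltDependencies:` block list from pnpm-workspace.yaml text.
// Assumption: plain "- name" list form; this is not a general YAML parser.
function readAllowlist(yamlText) {
  const names = [];
  let inBlock = false;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop comments
    if (/^onlyBuiltDependencies:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock || line.trim() === "") continue;
    const item = line.match(/^\s*-\s+["']?([^"'\s]+)["']?\s*$/);
    if (item) names.push(item[1]); else inBlock = false; // another key ends the list
  }
  return names;
}

// willRun: script-bearing packages on the allowlist; skipped: script-bearing
// packages pnpm v10 will not build; unused: allowlist entries with no match.
function auditBuildScripts(allowlist, manifests) {
  const allowed = new Set(allowlist);
  const wantsBuild = manifests.filter(hasInstallScript).map((m) => m.name);
  return {
    willRun: wantsBuild.filter((n) => allowed.has(n)),
    skipped: wantsBuild.filter((n) => !allowed.has(n)),
    unused: allowlist.filter((n) => !wantsBuild.includes(n)),
  };
}

// Constructed from the walkthrough's description of pnpm-workspace.yaml.
const WORKSPACE_YAML = `packages:
  - apps/*
onlyBuiltDependencies:
  - core-js
  - esbuild
  - msw
  - sharp
  - unrs-resolver
`;

// Constructed manifests; "example-*" names are hypothetical packages.
const SAMPLE_MANIFESTS = [
  { name: "esbuild", scripts: { postinstall: "node install.js" } },
  { name: "sharp", scripts: { install: "node install.js" } },
  { name: "example-native-addon", scripts: { install: "node-gyp rebuild" } },
  { name: "example-pure-js", scripts: { test: "node test.js" } },
];
console.log(auditBuildScripts(readAllowlist(WORKSPACE_YAML), SAMPLE_MANIFESTS));
```

Entries under `skipped` are the ones to review before allowlisting; entries under `unused` widen the allowlist without need and are candidates for removal.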


@sehyunchung sehyunchung self-assigned this Aug 17, 2025
@sehyunchung sehyunchung merged commit cd9893c into main Aug 17, 2025
5 checks passed
@sehyunchung sehyunchung deleted the update-pnpm-version branch August 17, 2025 05:33