chore: Update pnpm and dependencies #113

Merged: stefashkaa merged 8 commits into main from chore/update-pnpm-and-dependencies on Jun 14, 2026
stefashkaa (Member) commented Jun 14, 2026

Description

  • What does this PR do?

    • Upgrades pnpm to 11.6.0
    • Upgrades all GitHub Actions dependencies
    • Updates project dependencies across the root workspace, demo app, and framework packages
  • Why is this change needed?

    • Keeps build, lint, test, and framework dependencies current

Type of Change

  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change
  • Documentation update
  • Tests
  • Other (describe below): Dependency maintenance

Testing

  • pnpm test:unit

Screenshots (if applicable)

  • N/A

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex code
  • Documentation updated
  • No new warnings generated
  • Tests added/updated
  • All tests passing

Manual Coverage (Optional)

Run Coverage Workflow

Maintainers only (write/maintain/admin access): open the workflow, click Run workflow, and set pr_number to this PR number to post/update a coverage comment on this PR

Summary by CodeRabbit

  • Chores
    • Updated package manager (PNPM) to version 11.6.0
    • Updated development dependencies including TypeScript ESLint, Prettier, and formatting plugins
    • Upgraded Nuxt, Vue, and related framework packages across demo and package workspaces
    • Updated GitHub Actions workflows to use the latest PNPM setup action
    • Modified workspace configuration with new package build allowlist and dependency overrides

Copilot AI review requested due to automatic review settings June 14, 2026 16:24
vercel Bot commented Jun 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| phone-mask | Ready | Preview, Comment | Jun 14, 2026 4:56pm |

coderabbitai Bot commented Jun 14, 2026

Walkthrough

Upgrades the workspace package manager from pnpm v10 to v11.6.0, pins pnpm/action-setup to v6.0.8 in all four CI workflows, migrates glob/vite overrides from package.json to pnpm-workspace.yaml (also switching onlyBuiltDependencies to allowBuilds with vue-demi added), and bumps minor/patch versions for several dev dependencies across the monorepo.

Changes

Tooling and dependency upgrades

| Layer / File(s) | Summary |
| --- | --- |
| pnpm v11 upgrade and workspace config migration (package.json, pnpm-workspace.yaml) | packageManager field updated to pnpm@11.6.0; pnpm.overrides block for glob and vite removed from package.json and re-added as an overrides section in pnpm-workspace.yaml; onlyBuiltDependencies replaced with allowBuilds, adding vue-demi to the allowlist. |
| pnpm/action-setup pin updated to v6.0.8 in all workflows (.github/workflows/coverage.yml, .github/workflows/release.yml, .github/workflows/weekly-benchmarks.yml, .github/workflows/weekly-gen.yml) | All four CI workflow files update the pinned commit SHA for pnpm/action-setup from v5.0.0 to v6.0.8. No other workflow logic changes. |
| Dev dependency version bumps across workspace (package.json, demo/package.json, packages/phone-mask-nuxt/package.json, packages/phone-mask-svelte/package.json, packages/phone-mask-vue/package.json) | Root package.json bumps @types/node, @typescript-eslint/eslint-plugin, @typescript-eslint/parser, prettier, and prettier-plugin-svelte. Package manifests bump nuxt, vue, vue-tsc, @nuxt/kit, svelte, sass, and @nuxtjs/sitemap to latest patch/minor releases. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

Poem

🐇 Hop hop, the versions climb,
pnpm eleven, now in prime!
Overrides move, allowBuilds grow,
vue-demi joins the bunny show.
CI pins fresh, the workflows gleam —
a tidy monorepo, the rabbit's dream! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title accurately summarizes the main change: updating pnpm and dependencies across the project, which aligns with all substantive changes in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

socket-security Bot commented Jun 14, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/@internationalized/date@3.12.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @tanstack/table-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/@tanstack/table-core@8.21.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/table-core@8.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/@typescript-eslint/eslint-plugin@8.61.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm embla-carousel is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@nuxtjs/sitemap@8.2.1 → npm/embla-carousel@8.6.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/embla-carousel@8.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm svelte is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: packages/phone-mask-svelte/package.json → npm/svelte@5.56.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@5.56.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Copilot AI left a comment

Contributor

Pull request overview

This PR performs routine dependency maintenance for the monorepo by upgrading the workspace package manager to pnpm 11.6.0 and bumping framework/tooling dependencies across the root workspace and package subprojects.

Changes:

  • Upgraded the repo’s package manager to pnpm@11.6.0.
  • Moved dependency overrides and build-allowlist configuration into pnpm-workspace.yaml.
  • Updated Nuxt/Vue/Svelte and assorted tooling dependencies across packages and the demo app.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pnpm-workspace.yaml | Centralizes pnpm overrides and build allowlist at the workspace level. |
| package.json | Bumps pnpm version and updates root dev tooling dependencies. |
| demo/package.json | Updates Nuxt/Vue and related demo dependencies. |
| packages/phone-mask-vue/package.json | Updates Vue + vue-tsc dev dependency versions. |
| packages/phone-mask-svelte/package.json | Updates Svelte dev dependency version. |
| packages/phone-mask-nuxt/package.json | Updates Nuxt kit/Nuxt/Vue dependency versions for the Nuxt package. |

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bae7287e72

Comment thread package.json

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 28: The package.json declares pnpm version 11.6.0 as the workspace
packageManager, but the CI workflows are installing an older version 10.33.0,
causing potential lockfile inconsistencies. Update the version field in the pnpm
setup step across all four CI workflow files from version 10.33.0 to 11.6.0: in
.github/workflows/coverage.yml at line 62, in .github/workflows/release.yml at
line 31, in .github/workflows/weekly-benchmarks.yml at line 29, and in
.github/workflows/weekly-gen.yml at line 29. Each of these files contains a
Setup pnpm action with a version field that needs to be changed to match the
declared packageManager version.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f0032f3-0abc-422c-ab4f-0cae9c9256f1

📥 Commits

Reviewing files that changed from the base of the PR and between deca9be and 3a43022.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .github/workflows/coverage.yml
  • .github/workflows/release.yml
  • .github/workflows/weekly-benchmarks.yml
  • .github/workflows/weekly-gen.yml
  • demo/package.json
  • package.json
  • packages/phone-mask-nuxt/package.json
  • packages/phone-mask-svelte/package.json
  • packages/phone-mask-vue/package.json
  • pnpm-workspace.yaml

Comment thread package.json
@github-actions

Contributor

Manual Coverage Report

| Package | Lines | Branches | Baseline line | Delta vs baseline |
| --- | --- | --- | --- | --- |
| phone-mask | 587/587 (100.00%) | 223/230 (96.96%) | 100.00% | 0.00% |
| phone-mask-vue | 405/405 (100.00%) | 234/248 (94.35%) | 100.00% | 0.00% |
| phone-mask-react | 294/294 (100.00%) | 181/186 (97.31%) | 100.00% | 0.00% |
| phone-mask-svelte | 515/515 (100.00%) | 196/209 (93.78%) | 100.00% | 0.00% |
| phone-mask-nuxt | 23/23 (100.00%) | 14/14 (100.00%) | 100.00% | 0.00% |

✅ Unit coverage workflow completed successfully.

stefashkaa merged commit c6445f9 into main on Jun 14, 2026 (7 checks passed)
stefashkaa deleted the chore/update-pnpm-and-dependencies branch on June 14, 2026 17:12