From 95322f7e9aaa2a026d469fce11fa3cf9ba4c61d4 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 1 May 2026 08:54:19 +0000 Subject: [PATCH 1/5] chore: upgrade pnpm to 10.28.2 for security fixes Addresses path traversal in directories.bin and symlink-escape protection for file:/git: dependencies (CVE protections for reading sensitive files). https://pnpm.io/settings#blockexoticsubdeps Slack thread: https://triggerdotdev.slack.com/archives/C061L2MHW93/p1777625600974279?thread_ts=1777622248.762639&cid=C061L2MHW93 https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG --- CLAUDE.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 79d931a4548..ad1d7bb14b9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,7 +4,7 @@ This file provides guidance to Claude Code when working with this repository. Su ## Build and Development Commands -This is a pnpm 10.23.0 monorepo using Turborepo. Run commands from root with `pnpm run`. +This is a pnpm 10.28.2 monorepo using Turborepo. Run commands from root with `pnpm run`. ```bash pnpm run docker # Start Docker services (PostgreSQL, Redis, Electric) diff --git a/package.json b/package.json index ac4290e9236..16d0d927a84 100644 --- a/package.json +++ b/package.json @@ -65,7 +65,7 @@ "vite-tsconfig-paths": "^4.0.5", "vitest": "3.1.4" }, - "packageManager": "pnpm@10.23.0", + "packageManager": "pnpm@10.28.2", "dependencies": { "@changesets/cli": "2.26.2", "@remix-run/changelog-github": "^0.0.5", From a62ac0c70a007bc0d1069e7929786608a55f3b13 Mon Sep 17 00:00:00 2001 
From: Claude Date: Fri, 1 May 2026 08:57:45 +0000 Subject: [PATCH 2/5] fix: upgrade pnpm to 10.33.2 (actual latest) in all locations Updates pnpm from 10.23.0 to 10.33.2 in: - package.json packageManager field - CLAUDE.md version reference - All GitHub Actions workflows (10 files) Security fixes include path traversal protection and symlink-escape protection for file:/git: dependencies. Slack thread: https://triggerdotdev.slack.com/archives/C061L2MHW93/p1777625600974279?thread_ts=1777622248.762639&cid=C061L2MHW93 https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG --- .github/workflows/changesets-pr.yml | 2 +- .github/workflows/claude.yml | 2 +- .github/workflows/e2e-webapp.yml | 2 +- .github/workflows/e2e.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/sdk-compat.yml | 8 ++++---- .github/workflows/typecheck.yml | 2 +- .github/workflows/unit-tests-internal.yml | 4 ++-- .github/workflows/unit-tests-packages.yml | 4 ++-- .github/workflows/unit-tests-webapp.yml | 4 ++-- CLAUDE.md | 2 +- package.json | 2 +- 12 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/changesets-pr.yml b/.github/workflows/changesets-pr.yml index 1e18cd65742..3ca5aaaeb06 100644 --- a/.github/workflows/changesets-pr.yml +++ b/.github/workflows/changesets-pr.yml @@ -88,7 +88,7 @@ jobs: - name: Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index cadbe31773f..9ce0cf5d283 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -33,7 +33,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/e2e-webapp.yml b/.github/workflows/e2e-webapp.yml index 9a58aa58c7b..893f43445a8 100644 --- a/.github/workflows/e2e-webapp.yml 
+++ b/.github/workflows/e2e-webapp.yml @@ -48,7 +48,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 9518ca6157c..e1885424d3d 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -31,7 +31,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfb57061ace..2ed73c14c3b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -81,7 +81,7 @@ jobs: - name: Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: Setup node uses: buildjet/setup-node@v4 @@ -250,7 +250,7 @@ jobs: - name: Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/sdk-compat.yml b/.github/workflows/sdk-compat.yml index eb347c0f771..bb012a50076 100644 --- a/.github/workflows/sdk-compat.yml +++ b/.github/workflows/sdk-compat.yml @@ -25,7 +25,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 @@ -63,7 +63,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 @@ -104,7 +104,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 @@ -149,7 +149,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index 665d54b2563..7be00a26acc 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -19,7 +19,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/unit-tests-internal.yml b/.github/workflows/unit-tests-internal.yml index 92b951e8aa0..5c026daf916 100644 --- a/.github/workflows/unit-tests-internal.yml +++ b/.github/workflows/unit-tests-internal.yml @@ -53,7 +53,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 @@ -122,7 +122,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/unit-tests-packages.yml b/.github/workflows/unit-tests-packages.yml index 78474e03f27..4fe566384e2 100644 --- a/.github/workflows/unit-tests-packages.yml +++ b/.github/workflows/unit-tests-packages.yml @@ -53,7 +53,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 @@ -122,7 +122,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/.github/workflows/unit-tests-webapp.yml b/.github/workflows/unit-tests-webapp.yml index 523a1887db8..1dc9f3c47c3 100644 --- a/.github/workflows/unit-tests-webapp.yml +++ b/.github/workflows/unit-tests-webapp.yml @@ -53,7 +53,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 
@@ -130,7 +130,7 @@ jobs: - name: ⎔ Setup pnpm uses: pnpm/action-setup@v4 with: - version: 10.23.0 + version: 10.33.2 - name: ⎔ Setup node uses: buildjet/setup-node@v4 diff --git a/CLAUDE.md b/CLAUDE.md index ad1d7bb14b9..53348d012a2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,7 +4,7 @@ This file provides guidance to Claude Code when working with this repository. Su ## Build and Development Commands -This is a pnpm 10.28.2 monorepo using Turborepo. Run commands from root with `pnpm run`. +This is a pnpm 10.33.2 monorepo using Turborepo. Run commands from root with `pnpm run`. ```bash pnpm run docker # Start Docker services (PostgreSQL, Redis, Electric) diff --git a/package.json b/package.json index 16d0d927a84..6003cf5fdc7 100644 --- a/package.json +++ b/package.json @@ -65,7 +65,7 @@ "vite-tsconfig-paths": "^4.0.5", "vitest": "3.1.4" }, - "packageManager": "pnpm@10.28.2", + "packageManager": "pnpm@10.33.2", "dependencies": { "@changesets/cli": "2.26.2", "@remix-run/changelog-github": "^0.0.5", From e584fa5a91b09212acf812bebadd6f862093ebea Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 1 May 2026 09:01:52 +0000 Subject: [PATCH 3/5] fix: update pnpm version in docker/Dockerfile to 10.33.2 Missed 5 hardcoded corepack prepare pnpm@10.23.0 references in the production Dockerfile. https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG --- docker/Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 49b14bcc54a..bd280879419 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -25,7 +25,7 @@ COPY --chown=node:node patches ./patches FROM base AS dev-deps WORKDIR /triggerdotdev # Corepack is used to install pnpm with the exact version from packageManager -RUN corepack enable && corepack prepare pnpm@10.23.0 --activate +RUN corepack enable && corepack prepare pnpm@10.33.2 --activate ENV NODE_ENV=development RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --no-frozen-lockfile # Generate Prisma client here where all deps are installed @@ -36,7 +36,7 @@ RUN pnpx prisma@6.14.0 generate --schema /triggerdotdev/internal-packages/databa FROM base AS production-deps WORKDIR /triggerdotdev # Corepack is used to install pnpm with the exact version from packageManager -RUN corepack enable && corepack prepare pnpm@10.23.0 --activate +RUN corepack enable && corepack prepare pnpm@10.33.2 --activate ENV NODE_ENV=production RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --prod --no-frozen-lockfile @@ -46,7 +46,7 @@ FROM base AS builder RUN apt-get update && apt-get install -y openssl dumb-init ca-certificates WORKDIR /triggerdotdev # Corepack is used to install pnpm with the exact version from packageManager -RUN corepack enable && corepack prepare pnpm@10.23.0 --activate +RUN corepack enable && corepack prepare pnpm@10.33.2 --activate ARG SENTRY_RELEASE ARG SENTRY_ORG @@ -106,11 +106,11 @@ ENV BUILD_APP_VERSION=${BUILD_APP_VERSION} \ EXPOSE 3000 # Add global pnpm shims and install pnpm during build (root user) -RUN corepack enable && corepack prepare pnpm@10.23.0 --activate +RUN corepack enable && corepack prepare pnpm@10.33.2 --activate USER node # Ensure pnpm is installed during build and not silently downloaded at runtime (node user) -RUN corepack prepare pnpm@10.23.0 --activate +RUN corepack prepare pnpm@10.33.2 --activate CMD ["./scripts/entrypoint.sh"] \ No newline at end of file From d90e9ded09fa679df730e0d25dcd7dcf02de55e4 Mon Sep 17 00:00:00 2001 
From: Claude Date: Fri, 1 May 2026 09:10:42 +0000 Subject: [PATCH 4/5] fix: address remaining 10.23.0 refs and e2e build:workers step - AGENTS.md, CONTRIBUTING.md, ai/references/repo.md, apps/supervisor/ Containerfile: bump remaining 10.23.0 refs to 10.33.2 (caught by Devin review) - .github/workflows/e2e.yml: add --if-present to the build:workers step. The script doesn't exist in cli-v3; pnpm 10.23.0 silently passed when running a missing script, but pnpm 10.33.2 exits 1 with ERR_PNPM_RECURSIVE_RUN_NO_SCRIPT. --if-present preserves the existing no-op behavior under the new pnpm. https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG --- .github/workflows/e2e.yml | 2 +- AGENTS.md | 2 +- CONTRIBUTING.md | 4 ++-- ai/references/repo.md | 2 +- apps/supervisor/Containerfile | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index e1885424d3d..6d50e4854bf 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -48,7 +48,7 @@ jobs: run: pnpm run build --filter trigger.dev^... - name: 🔧 Build worker template files - run: pnpm --filter trigger.dev run build:workers + run: pnpm --filter trigger.dev run --if-present build:workers - name: Enable corepack run: corepack enable diff --git a/AGENTS.md b/AGENTS.md index 99496f91bde..1332fef844a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -13,7 +13,7 @@ This repository is a pnpm monorepo managed with Turbo. It contains multiple apps See `ai/references/repo.md` for a more complete explanation of the workspaces. ## Development setup -1. Install dependencies with `pnpm i` (pnpm `10.23.0` and Node.js `20.20.0` are required). +1. Install dependencies with `pnpm i` (pnpm `10.33.2` and Node.js `20.20.0` are required). 2. Copy `.env.example` to `.env` and generate a random 16 byte hex string for `ENCRYPTION_KEY` (`openssl rand -hex 16`). Update other secrets if needed. 3. Start the local services with Docker: ```bash 
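Review bot: The `--if-present` added to the build:workers step in e2e.yml turns a missing script into a permanent silent no-op, and the commit description itself says the script does not exist in cli-v3, so the step is dead as written; deleting it is the cleaner fix. If it is kept for a script that is planned, the reason for the flag should live in the workflow rather than only in the commit message, e.g. a comment above the step: `# build:workers does not exist in cli-v3; --if-present keeps this a no-op instead of failing with ERR_PNPM_RECURSIVE_RUN_NO_SCRIPT under the newer pnpm`. With the flag in place a future typo in the script name would also pass silently, which is exactly the failure mode the newer pnpm started surfacing. The enclosing job definition starts and ends outside this hunk.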
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4d54b0df9d4..2d80f02db45 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -30,7 +30,7 @@ branch are tagged into a release periodically. ### Prerequisites - [Node.js](https://nodejs.org/en) version 20.20.0 -- [pnpm package manager](https://pnpm.io/installation) version 10.23.0 +- [pnpm package manager](https://pnpm.io/installation) version 10.33.2 - [Docker](https://www.docker.com/get-started/) - [protobuf](https://github.com/protocolbuffers/protobuf) @@ -51,7 +51,7 @@ branch are tagged into a release periodically. ``` 3. Ensure you are on the correct version of Node.js (20.20.0). If you are using `nvm`, there is an `.nvmrc` file that will automatically select the correct version of Node.js when you navigate to the repository. -4. Run `corepack enable` to use the correct version of pnpm (`10.23.0`) as specified in the root `package.json` file. +4. Run `corepack enable` to use the correct version of pnpm (`10.33.2`) as specified in the root `package.json` file. 5. Install the required packages using pnpm. ``` diff --git a/ai/references/repo.md b/ai/references/repo.md index 4f67bde2b4b..6e0ff056716 100644 --- a/ai/references/repo.md +++ b/ai/references/repo.md @@ -1,6 +1,6 @@ ## Repo Overview -This is a pnpm 10.23.0 monorepo that uses turborepo @turbo.json. The following workspaces are relevant +This is a pnpm 10.33.2 monorepo that uses turborepo @turbo.json. The following workspaces are relevant ## Apps diff --git a/apps/supervisor/Containerfile b/apps/supervisor/Containerfile index d5bb5862e96..5b3b148a7cb 100644 --- a/apps/supervisor/Containerfile +++ b/apps/supervisor/Containerfile 
@@ -16,7 +16,7 @@ COPY --from=pruner --chown=node:node /app/out/json/ . COPY --from=pruner --chown=node:node /app/out/pnpm-lock.yaml ./pnpm-lock.yaml COPY --from=pruner --chown=node:node /app/out/pnpm-workspace.yaml ./pnpm-workspace.yaml -RUN corepack enable && corepack prepare pnpm@10.23.0 --activate +RUN corepack enable && corepack prepare pnpm@10.33.2 --activate FROM base AS deps-fetcher RUN apk add --no-cache python3-dev py3-setuptools make g++ gcc linux-headers From bc5fb039dda014ccc064037064b5d4779d6fee0c Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 1 May 2026 09:19:18 +0000 Subject: [PATCH 5/5] chore: enable blockExoticSubdeps for security Blocks transitive deps using file:/git: protocols at install time. Audited the lockfile and all package.json files: zero non-link exotic protocols in the graph, so this is a no-op for resolution today and provides defense-in-depth against future supply-chain attacks via compromised transitive deps. https://pnpm.io/settings#blockexoticsubdeps https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG --- pnpm-workspace.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 25f679f6bf0..2bfb60d56d5 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -19,3 +19,4 @@ publicHoistPattern: - "*prisma*" preferWorkspacePackages: true sideEffectsCache: false +blockExoticSubdeps: true
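Review bot: The new `blockExoticSubdeps: true` line in pnpm-workspace.yaml carries no explanation in the file, so the first person to hit the install error will not see the rationale given in the commit message; pnpm-workspace.yaml accepts `#` comments, so I would add `# Reject transitive deps resolved via file:/git: protocols; no-op for today's graph, see https://pnpm.io/settings#blockexoticsubdeps` above it. As the setting's name and the description indicate, this only covers transitive dependencies, so the "zero exotic protocols" property the commit audited by hand is not enforced for direct dependencies declared in workspace package.json files; if that invariant matters, a lockfile check in CI would keep it from drifting. Since the Dockerfile installs with `--no-frozen-lockfile` (visible as context in the earlier patch), a blocked subdependency could presumably first surface as an image build failure rather than in a local install — worth confirming where the error is expected to appear.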