Use pnpm catalogs for shared versions

[venables]

This allows us to update package versions in lockstep without updating
many package.json files at once

Summary by CodeRabbit

• Chores
  • Centralized dependency management across monorepo packages using catalog references for consistent version control.
  • Updated development tools including ESLint, TypeScript, and build utilities to newer versions.
  • Upgraded documentation generation tool and package manager for improved stability and features.
  • Replaced validation library integration with a newer standard approach.

[coderabbitai]

Walkthrough

This pull request introduces a mono-repository dependency management migration using pnpm catalog references. Most package.json files transition from fixed version pins to catalog placeholders. Additionally, validator implementations migrate from valibot to standard-validator across several files, dependency versions are upgraded in root and docs configurations, and configuration files are updated.

Changes

Cohort / File(s)	Summary
Demo package dependency migration demos/e2e/package.json, demos/identity-a2a/package.json, demos/identity/package.json, demos/payments/package.json, demos/skyfire-kya/package.json	Replaced fixed version pins with catalog: placeholders for dependencies (valibot, viem, jose, uuid, safe-stable-stringify, @a2a-js/sdk, zod).
Example package dependency migration examples/issuer/package.json, examples/local-did-host/package.json, examples/verifier/package.json	Replaced fixed version pins with catalog: placeholders for dependencies (@hono/node-server, hono, valibot, bit-buffers). Renamed @hono/valibot-validator to @hono/standard-validator (catalog:).
Library package dependency migration packages/ack-id/package.json, packages/ack-pay/package.json, packages/agentcommercekit/package.json, packages/caip/package.json, packages/did/package.json, packages/jwt/package.json, packages/vc/package.json	Replaced fixed version pins with catalog: placeholders for dependencies and devDependencies (valibot, zod, @a2a-js/sdk, standard-parse, bit-buffers).
Validator migration to standard-validator demos/identity/src/serve-agent.ts, examples/local-did-host/src/index.ts, examples/verifier/src/routes/verify.ts	Replaced @hono/valibot-validator imports and vValidator usage with @hono/standard-validator imports and sValidator. Removed explicit ValiError handling in verify.ts.
Tool package configuration updates tools/api-utils/package.json, tools/cli-tools/package.json, tools/eslint-config/package.json	Updated dependency versions and removed/consolidated devDependencies. tools/api-utils migrated hono and valibot to catalog:. tools/cli-tools removed eslint, typescript, vitest, @types/node. tools/eslint-config updated to newer ESLint ecosystem versions.
Root and documentation configuration package.json, docs/package.json	Upgraded devDependencies across multiple tools (@changesets/cli, @types/node, dotenv-cli, eslint, prettier-plugin-jsdoc, tsdown, tsx, turbo, typescript, vitest). Updated pnpm packageManager version.
Workspace configuration and logging pnpm-workspace.yaml, demos/identity-a2a/src/utils/server-utils.ts	Added catalog section to workspace configuration with versioned package entries. Updated onlyBuiltDependencies to include sharp and unrs-resolver. Changed logged URL from req.url.toString() to req.url in server-utils.ts.
Build and ESLint configuration examples/local-did-host/tsconfig.json, tools/eslint-config/base.js	Expanded tsconfig.json include pattern from narrowly scoped list to "\\/\*" with explicit node_modules and dist exclusions. Replaced tseslint.config with defineConfig in ESLint configuration and added tsconfigRootDir configuration.
Async-to-sync server handler migration examples/local-did-host/bin/serve.ts	Replaced Promise.all-based asynchronous initialization with synchronous direct assignment of identity DIDs. Removed await operations and changed control flow from promise chain to immediate logging.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Areas requiring extra attention:

• examples/local-did-host/bin/serve.ts — Significant control flow change from asynchronous (Promise.all with awaits) to synchronous assignment; verify that DIDs are properly resolved before use and that the removal of awaits does not introduce timing issues.
• examples/verifier/src/routes/verify.ts — Removal of explicit ValiError handling after validator migration; ensure error handling is correctly delegated to sValidator and no error cases are unhandled.
• tools/eslint-config/base.js — Introduction of defineConfig and tsconfigRootDir configuration changes; validate that ESLint parsing behavior is correct with new TypeScript configuration path.
• Validator migration cohort — Multiple files switching from valibot-validator to standard-validator; confirm that both validators produce equivalent validation results and error behavior across demos/identity, examples/local-did-host, and examples/verifier.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Use pnpm catalogs for shared versions" directly and accurately describes the main change in the changeset. The raw summary confirms that the primary modifications involve introducing pnpm catalogs by adding a catalog section to pnpm-workspace.yaml and systematically replacing specific version pins with "catalog:" placeholders across multiple package.json files in demos/, examples/, packages/, and tools/ directories. This aligns perfectly with the PR objective of enabling package version updates in lockstep without modifying individual package.json files. The title is concise, clear, and specific without vague terminology or noise.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch venables/catalogs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

examples/issuer/package.json (1)

30-37: Inconsistency: Some dependencies use catalog while others use fixed versions.

Four runtime dependencies reference the catalog (@hono/node-server, bit-buffers, hono, valibot), but better-sqlite3 (11.10.0) and drizzle-orm (0.43.1) use fixed pinned versions. For consistency and easier version management across the monorepo, these should either be moved to the catalog or explicitly documented as exceptions.

Consider adding better-sqlite3 and drizzle-orm to pnpm-workspace.yaml catalog, or document why they are intentionally excluded.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a01a914 and 1b30d5b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (28)

• demos/e2e/package.json (1 hunks)
• demos/identity-a2a/package.json (1 hunks)
• demos/identity-a2a/src/utils/server-utils.ts (1 hunks)
• demos/identity/package.json (1 hunks)
• demos/identity/src/serve-agent.ts (3 hunks)
• demos/payments/package.json (1 hunks)
• demos/skyfire-kya/package.json (1 hunks)
• docs/package.json (1 hunks)
• examples/issuer/package.json (1 hunks)
• examples/local-did-host/bin/serve.ts (1 hunks)
• examples/local-did-host/package.json (1 hunks)
• examples/local-did-host/src/index.ts (3 hunks)
• examples/local-did-host/tsconfig.json (1 hunks)
• examples/verifier/package.json (1 hunks)
• examples/verifier/src/routes/verify.ts (2 hunks)
• package.json (1 hunks)
• packages/ack-id/package.json (1 hunks)
• packages/ack-pay/package.json (1 hunks)
• packages/agentcommercekit/package.json (1 hunks)
• packages/caip/package.json (1 hunks)
• packages/did/package.json (1 hunks)
• packages/jwt/package.json (1 hunks)
• packages/vc/package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)
• tools/api-utils/package.json (1 hunks)
• tools/cli-tools/package.json (1 hunks)
• tools/eslint-config/base.js (3 hunks)
• tools/eslint-config/package.json (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

examples/local-did-host/bin/serve.ts (1)

examples/local-did-host/src/lib/identity.ts (1)

• getIdentityDid (23-25)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: check

🔇 Additional comments (31)

demos/identity-a2a/src/utils/server-utils.ts (1)

49-49: LGTM! Redundant .toString() removed.

In Express, req.url is already a string property, so calling .toString() is unnecessary. This change makes the code cleaner and more idiomatic.

tools/cli-tools/package.json (1)

39-43: LGTM!

The cleanup of unused devDependencies is good, and keeping @types/figlet at a fixed version is reasonable since it's not a shared dependency. The package migration to catalogs for dependencies is appropriate—tools/cli-tools doesn't use catalog references, which is correct for non-shared utilities.

demos/e2e/package.json (1)

30-31: Catalog references verified.

Both valibot and viem correctly reference the default catalog with matching entries in pnpm-workspace.yaml (valibot: 1.1.0, viem: 2.29.4). Catalogs are a workspace feature for defining dependency version ranges as reusable constants that can later be referenced in package.json files.

pnpm-workspace.yaml (1)

8-20: Catalog entries comprehensive; verify onlyBuiltDependencies scope.

The catalog definition is well-structured with 12 entries covering shared runtime and build dependencies. However, two additions to onlyBuiltDependencies (sharp and unrs-resolver) aren't in the catalog—verify this is intentional, as native build dependencies typically don't need catalog entries.

examples/local-did-host/tsconfig.json (1)

9-10: Verify that include: ["**/*"] doesn't unintentionally broaden type-checking scope.

Changing from a specific include list (["bin", "src", "vitest.config.ts"]) to ["**/*"] significantly expands what TypeScript processes. While the exclude list (["node_modules", "dist"]) mitigates most issues, this pattern could include configuration files, dotfiles, and other non-source artifacts, potentially increasing build times or causing false type errors.

Consider reverting to a more specific include if type-checking scope was intentionally constrained before. If the broader scope is desired for local development, document this intent.

packages/agentcommercekit/package.json (1)

87-91: Catalog references with compatible peer dependencies.

All three devDependencies correctly map to catalog entries. Version alignment with peer dependencies is sound: @a2a-js/sdk (0.2.2) satisfies ^0.2.2, valibot (1.1.0) satisfies ^1.0.0, and zod (3.25.4) satisfies ^3.25.0.

docs/package.json (1)

22-24: Version updates present but unrelated to catalog PR objectives.

This file's changes—mintlify bump (4.0.538 → 4.2.183) and pnpm upgrade (10.11.0 → 10.20.0)—fall outside the stated PR objectives of implementing pnpm catalogs. While minor, these changes should be separately justified or moved to a distinct PR to keep concerns separated.

Verify that these version updates are intentional and tested, particularly the mintlify non-trivial bump (4.0 → 4.2).

packages/did/package.json (1)

63-71: Catalog references properly configured.

All three dependencies correctly reference the catalog: valibot (1.1.0), standard-parse (0.4.0), and zod (3.25.4). Peer dependency for zod (^3.25.0) is satisfied by the cataloged version.

packages/jwt/package.json (1)

64-65: LGTM! Catalog migration for dev dependencies.

The migration of valibot and zod to catalog references in devDependencies aligns with the PR objectives. Note that peerDependencies correctly remain unchanged, as they specify compatibility ranges for package consumers.

demos/payments/package.json (1)

29-35: LGTM! Catalog migration for demo dependencies.

The migration of runtime dependencies (@hono/node-server, hono, valibot, viem) to catalog references is appropriate for demo packages, enabling centralized version management across the monorepo.

tools/eslint-config/base.js (4)

11-11: LGTM! Improved type safety with defineConfig.

The addition of defineConfig from eslint/config provides better type checking for the ESLint configuration.

---

14-16: LGTM! Added documentation for config parameter.

The JSDoc comment improves code documentation and IDE support.

---

29-29: Appropriate use of ts-expect-error.

The suppression correctly addresses a type incompatibility with cspell.recommended in the extends array.

---

120-120: LGTM! Explicit tsconfigRootDir improves TypeScript resolution.

Setting tsconfigRootDir explicitly ensures TypeScript correctly resolves the project root for parsing, which is particularly important in monorepo contexts.

packages/ack-pay/package.json (1)

62-62: LGTM! Catalog migration for validator dependencies.

The migration of valibot (dependency) and zod (devDependency) to catalog references is consistent with the monorepo-wide version management strategy. The zod peerDependency correctly remains unchanged.

Also applies to: 67-67

packages/caip/package.json (1)

57-59: LGTM! Catalog migration for dev dependencies.

The migration of standard-parse, valibot, and zod to catalog references in devDependencies is appropriate. The peerDependencies correctly remain unchanged to ensure compatibility with package consumers.

packages/ack-id/package.json (1)

82-84: LGTM! Catalog migration for multiple dependencies.

The migration of safe-stable-stringify, uuid, valibot (dependencies) and @a2a-js/sdk, zod (devDependencies) to catalog references enables centralized version management. The peerDependencies correctly remain unchanged for consumer compatibility.

Also applies to: 87-87, 90-90

tools/eslint-config/package.json (1)

24-32: LGTM! ESLint tooling modernization.

The update to newer ESLint ecosystem packages (@eslint/js, @eslint/json, @eslint/markdown, @cspell/eslint-plugin, typescript-eslint 8.46.2, etc.) complements the defineConfig refactoring in base.js. Using fixed versions for tooling dependencies is appropriate for reproducible builds.

packages/vc/package.json (1)

61-61: LGTM! Catalog migration for validator and utility dependencies.

The migration of bit-buffers, valibot (dependencies) and zod (devDependency) to catalog references is consistent with the monorepo-wide version management strategy. The zod peerDependency correctly remains unchanged.

Also applies to: 63-63, 68-68

tools/api-utils/package.json (2)

54-57: LGTM: DevDependencies cleanup.

The removal of eslint, typescript, and vitest from devDependencies is appropriate for a monorepo setup where these tools are managed at the root level. The scripts still reference these tools, which will be resolved through workspace hoisting.

---

51-52: Catalog definitions verified successfully.

Both hono (4.7.10) and valibot (1.1.0) are properly defined in the workspace catalog. The package.json migration to catalog references is correctly configured.

examples/verifier/package.json (1)

29-30: LGTM: Consistent catalog migration.

The migration pattern matches other files in the PR, maintaining consistency across the workspace. The validator package replacement from @hono/valibot-validator to @hono/standard-validator aligns with the broader migration strategy.

Also applies to: 33-34

package.json (2)

44-44: LGTM: Minor and patch version upgrades.

The minor and patch version upgrades for @changesets/cli, eslint, prettier-plugin-jsdoc, tsdown, tsx, turbo, typescript, and pnpm are reasonable and unlikely to introduce breaking changes.

Also applies to: 50-50, 52-52, 54-57, 60-60

---

48-48: Verify breaking changes and test compatibility for vitest 4.0 and Node.js 24 runtime.

After verification:

1. dotenv-cli 11.0.0 — Safe. Only documented breaking change is Node v10 support dropped; no CLI behavior changes found.

2. vitest 4.0.5 — Requires testing. Mock API breaking changes detected:

   • vi.fn().getMockName() now returns "vi.fn()" (was "spy") — snapshots may break
   • vi.restoreAllMocks() no longer restores automocks — cleanup behavior changed
   • mockReset() semantics changed (original implementation restored, not empty)
   • Extensive mock usage found in packages/jwt, packages/vc, packages/did test files
   • Config migration not needed (no deprecated options used)

3. @types/node 24.9.2 — Verify Node.js 24 runtime compatibility. Codebase uses fetch() in multiple places (VC verification, DID resolution, demos) which may be affected by Undici 7.x changes in Node.js 24; no type-level breaking changes, but runtime behavior should be tested.

Run the full test suite after upgrade to confirm mock API and fetch compatibility.

examples/local-did-host/package.json (1)

32-33: LGTM: Consistent catalog migration.

The catalog migration for Hono and validator packages is consistent with other files in the PR and aligns with the source code changes in examples/local-did-host/src/index.ts.

Also applies to: 35-36

demos/skyfire-kya/package.json (1)

29-30: Catalog definitions verified for jose and zod.

Both packages have valid catalog entries in pnpm-workspace.yaml (jose: 6.0.11, zod: 3.25.4). The migration to catalog references is correctly configured.

demos/identity/package.json (1)

32-33: All catalog entries are defined and available. The four packages migrated to catalog references (@hono/node-server, @hono/standard-validator, hono, and valibot) have corresponding definitions in pnpm-workspace.yaml.

examples/local-did-host/src/index.ts (1)

2-2: No issues found — @hono/standard-validator fully supports valibot schemas.

@hono/standard-validator supports valibot through the Standard Schema specification, confirming that the migration from vValidator to sValidator is compatible with your existing valibot schema definitions. The code is correct as written.

demos/identity/src/serve-agent.ts (1)

2-34: Standard validator swap looks good

Both handlers now rely on sValidator with the existing Valibot schemas, so validation stays intact while matching the catalog-wide migration.

examples/local-did-host/bin/serve.ts (1)

12-29: Synchronous onListen handler reads clearly

Deriving both DID URIs inline keeps the startup log identical and removes the unnecessary Promise plumbing.

examples/verifier/src/routes/verify.ts (1)

1-52: Validator migration keeps verifier flow intact

Switching to sValidator preserves the typed body access while aligning with the repo-wide catalog dependency.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify catalog definitions for all migrated packages.

Five packages have been migrated to catalog references: @a2a-js/sdk, jose, safe-stable-stringify, uuid, and valibot. Ensure all catalog entries are defined in pnpm-workspace.yaml.

Also applies to: 31-34

---

🏁 Script executed:

#!/bin/bash
# Description: Verify catalog definitions for identity-a2a packages

if [ -f "pnpm-workspace.yaml" ]; then
  echo "=== Checking for catalog definitions ==="
  cat pnpm-workspace.yaml | grep -E "@a2a-js/sdk:|jose:|safe-stable-stringify:|uuid:|valibot:"
else
  echo "ERROR: pnpm-workspace.yaml not found"
fi

Length of output: 118

---

Add missing catalog definition for @a2a-js/sdk to pnpm-workspace.yaml.

The package @a2a-js/sdk in demos/identity-a2a/package.json (line 27) references catalog: but has no corresponding entry in pnpm-workspace.yaml. The other four migrated packages (jose, safe-stable-stringify, uuid, valibot) are properly defined in the catalog, but @a2a-js/sdk is missing its definition.

🤖 Prompt for AI Agents

In demos/identity-a2a/package.json around line 27, the dependency "@a2a-js/sdk":
"catalog:" references a catalog entry that is missing from pnpm-workspace.yaml;
add a corresponding catalog item in pnpm-workspace.yaml mapping "@a2a-js/sdk" to
its local package path (same style as the existing entries for jose,
safe-stable-stringify, uuid, valibot), commit the change, and run pnpm install
to verify the workspace resolves the package correctly.

[venables]

It is referenced in pnpm-workspace.yaml. Check again.

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the full catalog section in pnpm-workspace.yaml
echo "=== Full pnpm-workspace.yaml content ==="
cat pnpm-workspace.yaml

Length of output: 503

---

@venables, you're absolutely right—I apologize for the error! Looking at the full pnpm-workspace.yaml, I can confirm that @a2a-js/sdk is indeed properly defined in the catalog section at version 0.2.2, along with all the other packages (jose, safe-stable-stringify, uuid, and valibot). The migration to catalog references is correctly configured. Thank you for the correction!

    (\\_/)
    (o.o)
    />📋< oops, my mistake!