fix(build): approve pnpm 11 build scripts for native deps #4643

Merged: estyxx merged 1 commit into main from fix/pnpm-build-scripts-approval on May 15, 2026

estyxx (Member) commented May 15, 2026

Summary

  • The backend Docker build has been failing with `[ERR_PNPM_IGNORED_BUILDS]` because `npm install -g pnpm` in the Dockerfile now installs pnpm v11, which blocks build scripts for native packages by default (a security change introduced in pnpm 10+)
  • The affected packages are `@parcel/watcher`, `esbuild`, and `sharp`
  • Fix: add `pnpm-workspace.yaml` with `allowBuilds` (generated via `pnpm approve-builds --all`) and update the Dockerfile `COPY` to include it

Changes

  • `backend/custom_admin/pnpm-workspace.yaml` — new file, pnpm 11's approval mechanism for native build scripts
  • `backend/Dockerfile` — copy `pnpm-workspace.yaml` into the Docker build context alongside `package.json` and `pnpm-lock.yaml`

Test plan

  • Verify the Build backend CI job passes on this PR

pnpm was upgraded to v11 (via `npm install -g pnpm` in the Dockerfile),
which now blocks build scripts for native packages by default.

- Add pnpm-workspace.yaml with allowBuilds for @parcel/watcher,
  esbuild, and sharp (generated via `pnpm approve-builds --all`)
- Update Dockerfile COPY to include pnpm-workspace.yaml so the
  approval file is available during the Docker build

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
pycon Ready Ready Preview May 15, 2026 3:49pm

claude Bot (Contributor) commented May 15, 2026

Fixes the pnpm 11 `[ERR_PNPM_IGNORED_BUILDS]` failure by adding a `pnpm-workspace.yaml` with an `allowBuilds` allowlist for native packages (`@parcel/watcher`, `esbuild`, `sharp`) and copying it into the Dockerfile's js-stage.

Unpinned pnpm version (root cause not addressed)

`backend/Dockerfile` uses `RUN npm install -g pnpm`, which installs whatever pnpm version npm resolves to at build time — the same pattern that caused this breakage when pnpm 10→11 shipped. The `frontend/Dockerfile` uses `corepack enable pnpm`, which respects a `packageManager` field in `package.json` and pins to a specific version. The backend should adopt the same approach to prevent this recurring with pnpm 12.

Silent maintenance burden from allowlist

The `allowBuilds` list is opt-in. Any new native package added to `package.json` that runs a build script will fail at Docker build time until someone manually updates `pnpm-workspace.yaml`. There is no CI check, lint rule, or pre-commit hook to detect this gap — failures only surface in Docker/CI, not local dev.
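
Added example (not code from this PR, this repository or pnpm): one way to implement the CI check the review comment above says is missing, comparing installed packages that carry install-time scripts against the `allowBuilds` decisions and also flagging approvals nothing needs any more. The function names, the `name: true|false` shape assumed for `allowBuilds`, the choice of hooks and the sample data are assumptions of this example.

```javascript
// Lifecycle hooks that run at install time; treating exactly these as
// "build scripts" is an assumption of this example.
const BUILD_HOOKS = ["preinstall", "install", "postinstall"];

// Read the allowBuilds map from pnpm-workspace.yaml text. Assumes a plain
// block mapping with one `name: true|false` entry per indented line.
function parseAllowBuilds(yamlText) {
  const decisions = new Map();
  let inBlock = false;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop YAML comments
    if (/^allowBuilds:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock || line.trim() === "") continue;
    if (!/^\s/.test(line)) { inBlock = false; continue; } // next top-level key
    const m = line.match(/^\s+(['"]?)([^'"\s:]+)\1:\s*(true|false)\s*$/);
    if (!m) throw new Error("unrecognised allowBuilds entry: " + raw.trim());
    decisions.set(m[2], m[3] === "true");
  }
  return decisions;
}

// manifests: parsed package.json objects of the installed dependencies.
function auditBuildApprovals(yamlText, manifests) {
  const decisions = parseAllowBuilds(yamlText);
  const needsBuild = manifests
    .filter((pkg) => BUILD_HOOKS.some((hook) => pkg.scripts && pkg.scripts[hook]))
    .map((pkg) => pkg.name);
  return {
    // Install-time script with no true/false decision: the ERR_PNPM_IGNORED_BUILDS case.
    undecided: needsBuild.filter((name) => !decisions.has(name)).sort(),
    // Approved, but no installed package needs it: an approval to remove.
    stale: [...decisions.keys()].filter((n) => decisions.get(n) && !needsBuild.includes(n)).sort(),
  };
}

// Constructed sample input: the three packages named in this PR plus a
// hypothetical new native dependency and a package without install scripts.
const SAMPLE_WORKSPACE = "allowBuilds:\n  '@parcel/watcher': true\n  esbuild: true\n  sharp: true\n";
const SAMPLE_MANIFESTS = [
  { name: "@parcel/watcher", scripts: { install: "node scripts/build-from-source.js" } },
  { name: "esbuild", scripts: { postinstall: "node install.js" } },
  { name: "sharp", scripts: { install: "node install/check" } },
  { name: "example-native-addon", scripts: { install: "node-gyp rebuild" } },
  { name: "left-pad", scripts: { test: "node test.js" } },
];

console.log(auditBuildApprovals(SAMPLE_WORKSPACE, SAMPLE_MANIFESTS));
```

In a pipeline the two arguments would come from the checked-in `pnpm-workspace.yaml` and the `package.json` files under `node_modules`, with a non-empty `undecided` list failing the job before the Docker build does.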

codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.52%. Comparing base (81ff672) to head (952d685).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4643   +/-   ##
=======================================
  Coverage   92.52%   92.52%           
=======================================
  Files         359      359           
  Lines       10791    10791           
  Branches      821      821           
=======================================
  Hits         9984     9984           
  Misses        696      696           
  Partials      111      111           

@estyxx estyxx merged commit 1f9d26a into main May 15, 2026
8 checks passed
@estyxx estyxx deleted the fix/pnpm-build-scripts-approval branch May 15, 2026 19:42