
chore: upgrade pnpm to 10.33.2 with security hardening#3489

Open
nicktrn wants to merge 5 commits into main from claude/slack-session-FgF8Q

Conversation

@nicktrn
Collaborator

@nicktrn nicktrn commented May 1, 2026

Summary

  • Upgrade pnpm from 10.23.0 → 10.33.2 (latest minor)
  • Enable blockExoticSubdeps: true for supply-chain defense
  • Update all version references across the repo

Security improvements in 10.28.2+

Files updated

  • package.json — packageManager field
  • docker/Dockerfile — 5 corepack prepare calls
  • apps/supervisor/Containerfile — 1 corepack prepare call
  • pnpm-workspace.yaml — added blockExoticSubdeps: true
  • CLAUDE.md, AGENTS.md, CONTRIBUTING.md, ai/references/repo.md — version references

Verification

  • pnpm install --frozen-lockfile succeeds (no lockfile regen needed)
  • pnpm install (plain) produces zero lockfile diff
  • All CI checks pass

Slack thread: https://triggerdotdev.slack.com/archives/C061L2MHW93/p1777625600974279?thread_ts=1777622248.762639&cid=C061L2MHW93

https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG

claude added 3 commits May 1, 2026 08:54
Updates pnpm from 10.23.0 to 10.33.2 in:
- package.json packageManager field
- CLAUDE.md version reference
- All GitHub Actions workflows (10 files)

Security fixes include path traversal protection and symlink-escape
protection for file:/git: dependencies.

Slack thread: https://triggerdotdev.slack.com/archives/C061L2MHW93/p1777625600974279?thread_ts=1777622248.762639&cid=C061L2MHW93

https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG
Missed 5 hardcoded corepack prepare pnpm@10.23.0 references in the
production Dockerfile.

https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG
@changeset-bot

changeset-bot Bot commented May 1, 2026

⚠️ No Changeset found

Latest commit: bc5fb03

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai Bot commented May 1, 2026

Walkthrough

This pull request updates the pnpm package manager version from 10.23.0 to 10.33.2 across the repository — including many GitHub Actions workflows, the root package.json packageManager field, Docker build files (Dockerfile and Containerfile), and documentation (CLAUDE.md, AGENTS.md, CONTRIBUTING.md, ai/references, etc.). It also enables blockExoticSubdeps: true in pnpm-workspace.yaml and changes one workflow step in .github/workflows/e2e.yml to run build:workers --if-present. No other configuration or logic was modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description is largely incomplete against the template. It lacks the Checklist section, Testing section (with verification steps), Screenshots section, and proper Changelog section. Only Summary is present. | Complete the PR description by adding the required Checklist with checkboxes, a Testing section documenting verification steps taken, and ensure the Changelog section is properly formatted per the template.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Title check | ✅ Passed | The title accurately describes the main change: upgrading pnpm to 10.33.2 with security hardening via blockExoticSubdeps, which is the primary objective reflected in the changeset.


devin-ai-integration[bot]

This comment was marked as resolved.

claude added 2 commits May 1, 2026 09:10
- AGENTS.md, CONTRIBUTING.md, ai/references/repo.md, apps/supervisor/
  Containerfile: bump remaining 10.23.0 refs to 10.33.2 (caught by
  Devin review)
- .github/workflows/e2e.yml: add --if-present to the build:workers
  step. The script doesn't exist in cli-v3; pnpm 10.23.0 silently
  passed when running a missing script, but pnpm 10.33.2 exits 1
  with ERR_PNPM_RECURSIVE_RUN_NO_SCRIPT. --if-present preserves the
  existing no-op behavior under the new pnpm.

https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG
Blocks transitive deps using file:/git: protocols at install time.
Audited the lockfile and all package.json files: zero non-link
exotic protocols in the graph, so this is a no-op for resolution
today and provides defense-in-depth against future supply-chain
attacks via compromised transitive deps.

https://pnpm.io/settings#blockexoticsubdeps

https://claude.ai/code/session_01G759MUqmjsPh9k1qDxbdjG
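The commit above enables blockExoticSubdeps and describes auditing the lockfile for exotic protocols in transitive dependencies. The script below is an added example, not code from PR #3489 or from pnpm itself: it runs the same check over a simplified dependency graph, reporting direct exotic specifiers (allowed, since they come from the workspace's own package.json files) separately from transitive ones (the case blockExoticSubdeps refuses at install time). The graph shape, the sample package names and the example.invalid git URL are constructed here, and the list of prefixes treated as exotic is an assumption based on the commit message (file:/git:) plus the usual git shorthands, not pnpm's exact rule; mapping a real pnpm-lock.yaml onto this shape would need a YAML parser and is left as an assumption.

```javascript
'use strict';
// Added example (not from PR #3489 or pnpm): audit a dependency graph for
// exotic-protocol specifiers in *transitive* dependencies, which is the
// condition blockExoticSubdeps rejects at install time.

// Prefixes treated as exotic here. Assumption: taken from the commit message
// (file:/git:) plus common git shorthands; pnpm's own rule may differ.
const EXOTIC_PREFIXES = ['file:', 'git:', 'git+', 'github:'];

// link: and workspace: point at local workspace paths; the commit message
// counts them separately ("zero non-link exotic protocols"), so we do too.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s.startsWith('link:') || s.startsWith('workspace:')) return 'link';
  if (EXOTIC_PREFIXES.some((p) => s.startsWith(p))) return 'exotic';
  return 'registry';
}

// graph.importers: workspace packages (the roots covered by
// pnpm-workspace.yaml). Exotic specifiers here are direct deps and allowed.
// graph.packages: resolved third-party packages keyed "name@version", each
// with a dependencies map of name -> specifier. Exotic specifiers here are
// subdeps: exactly what blockExoticSubdeps blocks.
function findExoticSubdeps(graph) {
  const findings = [];
  for (const [parent, pkg] of Object.entries(graph.packages)) {
    for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
      if (classifySpecifier(spec) === 'exotic') {
        findings.push({ parent, dependency: name, specifier: spec });
      }
    }
  }
  return findings;
}

// Report direct exotic deps as well, so the audit shows both what stays
// allowed and what the setting would refuse.
function auditGraph(graph) {
  let directExotic = 0;
  for (const importer of Object.values(graph.importers)) {
    for (const spec of Object.values(importer.dependencies || {})) {
      if (classifySpecifier(spec) === 'exotic') directExotic += 1;
    }
  }
  const findings = findExoticSubdeps(graph);
  return { directExotic, transitiveExotic: findings.length, findings };
}

// Constructed sample graph (not this repository's lockfile).
const SAMPLE_GRAPH = {
  importers: {
    '.': {
      dependencies: {
        'example-lib': '^1.0.0',
        'vendored-tool': 'file:./vendor/vendored-tool', // direct: allowed
        '@acme/shared': 'workspace:*', // workspace link: not exotic
      },
    },
  },
  packages: {
    'example-lib@1.0.0': {
      dependencies: {
        'helper-a': '^2.0.0',
        // Transitive git dependency (constructed URL and ref): this is the
        // edge blockExoticSubdeps would refuse to install.
        'helper-b': 'git+https://example.invalid/someone/helper-b.git#deadbeef',
      },
    },
    'helper-a@2.0.0': { dependencies: {} },
  },
};

// Stand-alone run: print the report and exit non-zero on any transitive hit,
// so the script can gate a CI job the way the install-time setting would.
if (typeof require !== 'undefined' && require.main === module) {
  const report = auditGraph(SAMPLE_GRAPH);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.transitiveExotic === 0 ? 0 : 1;
}
```

Run with `node audit-exotic-subdeps.js`; on the constructed graph it reports one direct exotic dependency (permitted) and one transitive git dependency under example-lib@1.0.0, which is the case the setting turns into an install failure rather than a silent fetch from an arbitrary git host.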
@nicktrn nicktrn added the ready label May 1, 2026
@nicktrn
Collaborator Author

nicktrn commented May 1, 2026

ready

@nicktrn nicktrn changed the title Upgrade pnpm to 10.33.2 chore: upgrade pnpm to 10.33.2 with security hardening May 1, 2026