boxwise / boxtribute

The code base for Boxtribute 2.0, a humanitarian aid web application making it easy to source, store and distribute goods to people in need in a fair and dignified way
https://www.boxtribute.org/
Apache License 2.0

Downgrade `pnpm` so Dependabot can read the lockfile #1507

Closed fhenrich33 closed 1 week ago

fhenrich33 commented 2 weeks ago

Dependabot isn't issuing alerts with pnpm v9 lockfile format. See https://github.com/dependabot/dependabot-core/issues/10534

Downgrading to the latest pnpm release with the pre-v9 lockfile format until v9 is supported: https://github.com/pnpm/pnpm/releases/tag/v8.15.9

Next steps:

[image: screenshot attached in the original PR]

This also addresses the following Dependabot PRs:

- https://github.com/boxwise/boxtribute/pull/1506
- https://github.com/boxwise/boxtribute/pull/1502
- https://github.com/boxwise/boxtribute/pull/1488
- https://github.com/boxwise/boxtribute/pull/1485

codecov[bot] commented 2 weeks ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 85.60%. Comparing base (0493992) to head (d534537). Report is 35 commits behind head on master.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master    #1507      +/-   ##
==========================================
+ Coverage   85.59%   85.60%   +0.01%
==========================================
  Files         232      232
  Lines       21710    21708       -2
  Branches     1916     1942      +26
==========================================
+ Hits        18582    18583       +1
+ Misses       3088     3085       -3
  Partials       40       40
```

| [Flag](https://app.codecov.io/gh/boxwise/boxtribute/pull/1507/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=boxwise) | Coverage Δ | |
|---|---|---|
| [backend](https://app.codecov.io/gh/boxwise/boxtribute/pull/1507/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=boxwise) | `99.07% <ø> (ø)` | |
| [frontend](https://app.codecov.io/gh/boxwise/boxtribute/pull/1507/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=boxwise) | `82.36% <ø> (+0.01%)` | :arrow_up: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=boxwise#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

fhenrich33 commented 2 weeks ago

2.0 FE: downgrade pnpm due to Dependabot alert bug

HaGuesto commented 2 weeks ago

Should we include this in the production deploy on Monday or not, @fhenrich33?

fhenrich33 commented 2 weeks ago

> Should we include this in the production deploy on Monday or not, @fhenrich33?

Let's hold off and test it a bit more before we pull the trigger to be on the safe side.

jamescrowley commented 1 week ago

@fhenrich33 looks good (and running locally fine for me), thanks! Just a note that if folks don't downgrade pnpm (using `corepack use pnpm@8.15.9`), they will accidentally upgrade the lock file again, so we're going to have to keep an eye out for that.

I had hoped that

```ini
package-manager-strict-version=true
```

in `.npmrc` would at least limit fallout if pnpm 9 is installed (supported since v9.2 to enforce the `packageManager` version), but I couldn't get it working.
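As an added example (not code from the boxtribute repo or from this PR), here is a small POSIX shell guard for the drift just described: it fails when `pnpm-lock.yaml` has been rewritten in a newer lockfile format than the pnpm version pinned in `package.json`'s `packageManager` field, so a CI job or pre-commit hook can reject the accidental re-upgrade before it lands. It assumes (my mapping, not stated in the PR; verify against your own lockfile) that pnpm 8.x writes `lockfileVersion: '6.0'` and pnpm 9.x writes `lockfileVersion: '9.0'`, and that the project pins pnpm through `packageManager` as `corepack use` does.

```shell
#!/bin/sh
# Added example, not part of the boxtribute code base.
# Guard: fail when pnpm-lock.yaml is in a newer format than the pinned pnpm writes.
# Assumed mapping (verify for your repo): pnpm 8 -> lockfileVersion '6.0',
#                                         pnpm 9 -> lockfileVersion '9.0'.

# Print the lockfileVersion found in a pnpm-lock.yaml (empty if absent).
# Handles both quoted ('6.0') and unquoted (5.4) values.
lockfile_version() {
  sed -n "s/^lockfileVersion:[[:space:]]*['\"]\{0,1\}\([0-9.]*\)['\"]\{0,1\}.*$/\1/p" "$1" | head -n 1
}

# Print the major version from package.json's packageManager field,
# e.g. "packageManager": "pnpm@8.15.9" -> 8 (empty if not pinned to pnpm).
pinned_pnpm_major() {
  sed -n 's/.*"packageManager":[[:space:]]*"pnpm@\([0-9]*\)\..*/\1/p' "$1" | head -n 1
}

# Map a pnpm major version to the lockfile format it writes (assumed mapping).
expected_lockfile_version() {
  case "$1" in
    8) echo "6.0" ;;
    9) echo "9.0" ;;
    *) echo "" ;;
  esac
}

# check_lockfile <package.json> <pnpm-lock.yaml>
# Returns 0 when the lockfile format matches the pinned pnpm major, 1 otherwise.
check_lockfile() {
  pkg="$1"
  lock="$2"
  major=$(pinned_pnpm_major "$pkg")
  want=$(expected_lockfile_version "$major")
  have=$(lockfile_version "$lock")
  if [ -z "$want" ]; then
    echo "check_lockfile: no known lockfile format for pnpm major '$major' in $pkg" >&2
    return 1
  fi
  if [ "$have" != "$want" ]; then
    echo "check_lockfile: $lock is lockfileVersion '$have' but pnpm@$major writes '$want';" >&2
    echo "  switch to the pinned pnpm (corepack use pnpm@<pinned version>) and regenerate the lockfile" >&2
    return 1
  fi
  return 0
}

# When run from a repository root, check the real files; otherwise only the
# functions above are defined (e.g. when sourced from a hook).
if [ -f package.json ] && [ -f pnpm-lock.yaml ]; then
  check_lockfile package.json pnpm-lock.yaml && echo "lockfile format matches pinned pnpm"
fi
```

Wire it in as a CI step or a pre-commit hook; the non-zero exit is what blocks the commit or job, and the message tells the contributor which pnpm to switch to.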

fhenrich33 commented 1 week ago

> @fhenrich33 looks good (and running locally fine for me), thanks! Just a note that if folks don't downgrade pnpm (using `corepack use pnpm@8.15.9`), they will accidentally upgrade the lock file again, so we're going to have to keep an eye out for that.
>
> I had hoped that
>
> ```ini
> package-manager-strict-version=true
> ```
>
> in `.npmrc` would at least limit fallout if pnpm 9 is installed (supported since v9.2 to enforce the `packageManager` version), but I couldn't get it working.

Let's keep a close eye on the following PRs to the frontend, and revisit the pnpm issue in the Dependabot tracker. I think it's the best move for now, IMO. @jamescrowley @HaGuesto @pylipp