npm-to-pnpm

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This is a legitimate migration guide for converting npm projects to pnpm. It contains standard and expected instructions (pnpm import, pnpm install, workspace changes, CI updates). The primary security concerns are procedural rather than malicious content: (1) the document instructs users to run remote install scripts via curl|sh and PowerShell iwr|iex — a high-risk distribution pattern even when pointing to an official domain; (2) it expands the execution/trust surface by enabling lifecycle scripts and recommending third-party GitHub Actions in CI. There is no direct evidence of obfuscated or malicious code, credential harvesting, or exfiltration instructions within the text. Recommended mitigations: prefer installing pnpm through a package manager or review the install script before executing it, pin action versions and review their code, avoid enabling pre/post scripts unless necessary, and scope CI secrets carefully. Overall the content appears benign but carries moderate supply-chain execution risk due to the download-and-execute instructions and CI action recommendations.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Mar 1, 2026, 06:31 PM
Package URL
pkg:socket/skills-sh/ghosttypes%2Fff-5mp-api-ts%2Fnpm-to-pnpm%2F@2f59c1243a8ced19f718569918cbdc8b3b86137a