chore(deps): update all non-major dependencies#390
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughBump tooling and dependency pins: GitHub Actions tool pins updated (pnpm/action-setup → v6.0.8; zizmor-action pinned to a newer commit), root ChangesDependency and Tool Version Updates
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Comment |
🚀 Changeset Version PreviewNo changeset entries found. Merging this PR will not cause a version bump for any packages. |
|
| Command | Status | Duration | Result |
|---|---|---|---|
nx affected --targets=test:sherif,test:docs,tes... |
❌ Failed | 24s | View ↗ |
nx run-many --target=build |
✅ Succeeded | 9s | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-05-26 21:30:09 UTC
commit: |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
9 times, most recently
from
1ef6627 to
e141ecb
Compare
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
9 times, most recently
from
80aaccc to
1bc8a9a
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
1bc8a9a to
59e76cc
Compare
This PR contains the following updates:
^0.18.2→^0.18.3^5.100.10→^5.100.14^19.2.14→^19.2.15^6.0.1→^6.0.2^6.0.6→^6.0.7^10.3.0→^10.4.122.7.1→22.7.511.1.1→11.5.0>=11.0.0→>=11.5.0v6.0.7→v6.0.8^0.3.20→^0.3.21^7.8.0→^7.8.1^0.2.16→^0.2.17^0.22.0→^0.22.1^8.59.3→^8.60.0^8.0.12→^8.0.14^4.1.6→^4.1.7^3.5.34→^3.5.35v0.5.3→v0.5.6Release Notes
arethetypeswrong/arethetypeswrong.github.io (@arethetypeswrong/core)
v0.18.3Patch Changes
14e61d5: Update @types/node, use @typescript/native-preview for local build/check25031aa: - Fix "Cannot read properties of undefined (reading 'filename')" caused by fflate 0.8.3 (#258)TanStack/query (@tanstack/query-core)
v5.100.14Compare Source
v5.100.13Compare Source
Patch Changes
NoInfer<T>re-export and rely on TypeScript's built-inNoInfer(TS ≥ 5.4) soNoInfer<X[K]>stays assignable toX[K]in generic contexts (fixes #9937) (#10593)v5.100.12Compare Source
v5.100.11vitejs/vite-plugin-react (@vitejs/plugin-react)
v6.0.2Compare Source
Allow all options in reactCompilerPreset (#1189)
This is a type only change. Only
compilationModeandtargetoptions were available forreactCompilerPreset.vitejs/vite-plugin-vue (@vitejs/plugin-vue)
v6.0.7Features
@rolldown/pluginutilsversion (#776) (941b651)Bug Fixes
eslint/eslint (eslint)
v10.4.1Compare Source
v10.4.0Compare Source
nrwl/nx (nx)
v22.7.5Compare Source
22.7.5 (2026-05-27)
🩹 Fixes
❤️ Thank You
v22.7.4Compare Source
22.7.4 (2026-05-25)
🩹 Fixes
❤️ Thank You
v22.7.3Compare Source
22.7.3 (2026-05-22)
🚀 Features
🩹 Fixes
projects: 'self'independsOnentries (#35686)$escaping in file paths on windows (#35692)❤️ Thank You
v22.7.2Compare Source
22.7.2 (2026-05-14)
🚀 Features
🩹 Fixes
nx mcpto run outside of an Nx workspace (#35655)❤️ Thank You
pnpm/pnpm (pnpm)
v11.5.0Compare Source
Minor Changes
Added a new
hoistingLimitssetting fornodeLinker: hoistedinstalls, mirroring yarn'snmHoistingLimits. It acceptsnone(the default — hoist as far as possible),workspaces(hoist only as far as each workspace package), ordependencies(hoist only up to each workspace package's direct dependencies). Originally proposed in #6468, closing #6457.Replaced
enquirerwith@inquirer/promptsfor all interactive prompts. Fixes theupdate -iscrolling overflow bug where long choice lists were clipped in the terminal #6643.User-facing changes:
pnpm update -i/pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination viausePaginationpnpm audit --fix -i: Same scrolling fix for vulnerability selectionpnpm approve-builds: Interactive build approval prompts updatedpnpm patch: Version selection and "apply to all" prompts updatedpnpm patch-remove: Patch removal selection updatedpnpm publish: Branch confirmation prompt updatedpnpm login: Credential prompts updatedpnpm run/pnpm exec(withverifyDepsBeforeRun=prompt): Confirmation prompt updatedVim-style
j/kkeys still work for up/down navigation in all interactive prompts.Internal: The
OtpEnquirerandLoginEnquirerDI interfaces changed from{ prompt }to{ input }/{ input, password }respectively. Plugins or custom builds that inject their own enquirer mock will need to update.Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an
approverfield, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #11887.Patch Changes
Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example,
pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit thefindHitcache instead of running their owncalculateDepPathare now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #11999.Fix
pnpm dist-tag addandpnpm dist-tag rmagainst npmjs.org failing without--otpwith[ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sendsnpm-auth-type: webon dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the samewithOtpHandlinghelper used bypnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry.--otp=<code>continues to work via the classic flow.Fix
minimumReleaseAgeExcludehandling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently duringpublishedBymetadata selection and cache-mtime shortcuts.Fix the
integrityfield being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent--frozen-lockfileinstalls fail withERR_PNPM_MISSING_TARBALL_INTEGRITY. #12001.Skip dependency re-resolution when
pnpm-lock.yamlis missing butnode_modules/.pnpm/lock.yamlexists and still satisfies the manifest.pnpm installnow reuses the materialized snapshot to regeneratepnpm-lock.yamlinstead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #11993.--frozen-lockfilestill refuses to proceed whenpnpm-lock.yamlis absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.v11.4.0Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.pnpm runtime set <name> <version>now saves the runtime todevEngines.runtimeby default instead ofengines.runtime. Pass--save-prod(or-P) to save it toengines.runtimeinstead #11948.Patch Changes
Fix a credential disclosure issue where an unscoped
_authToken(or_auth, orusername+_password, ortokenHelper) defined in one source —~/.npmrc,~/.config/pnpm/auth.ini, a workspace.npmrc, CLI flags, etc. — would be sent as anAuthorizationheader to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert,key) so they aren't presented to a registry their author didn't choose.pnpm now rewrites each unscoped per-registry setting (
_authToken,_auth,username,_password,tokenHelper,cert,key) to its URL-scoped form at load time, using theregistry=value declared in the same source (or the npmjs default registry if the source declares none). A later layer overridingregistry=therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended.ca/cafileare intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since
npm@9, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g.//registry.example.com/:_authToken=...or//registry.example.com/:cert=...).@pnpm/network.auth-header: removed thedefaultRegistryparameter fromcreateGetAuthHeaderByURIandgetAuthHeadersFromCreds. Now that credentials are URL-scoped at load time, the mergedconfigByUrinever contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.Fix
pnpm deploycrashing withENOENT: ... lstat '<deployDir>/node_modules'whenconfigDependenciesdeclares pacquet (pacquetor@pnpm/pacquet). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.Reject git resolutions whose
commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.Limit concurrent project manifest reads while listing large workspaces to avoid
EMFILEerrors.Reject patch files whose
diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.Improve the log message that pnpm prints after auto-adding entries to
minimumReleaseAgeExcludewhenminimumReleaseAgeis set withoutminimumReleaseAgeStrict. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to setminimumReleaseAgeStricttotrueif they want these updates gated behind a prompt instead #11747.Reject dependency aliases that contain path-traversal segments (such as
@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Reject
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Validate
devEngines.runtimeandengines.runtimeversion ranges fornode,deno, andbunwhenonFailis set toerrororwarn. Previously these settings only had an effect withonFail: 'download'— theerrorandwarnmodes silently did nothing #11818. Violations now throwERR_PNPM_BAD_RUNTIME_VERSION.Require provenance before treating trusted publisher metadata as the strongest trust evidence.
v11.3.0Compare Source
Minor Changes
Added
pnpm stagewithpublish,list,view,approve,reject, anddownloadsubcommands for npm staged publishing.Added a new setting
trustLockfile. Whentrue,pnpm installskips the supply-chain verification pass that re-appliesminimumReleaseAge/trustPolicy='no-downgrade'to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author. Defaults tofalse; verification stays on by default. Set inpnpm-workspace.yaml.Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (
~4klockfile entries withminimumReleaseAge+trustPolicy: no-downgradeenabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (time, per-version_npmUser.trustedPublisher,dist.attestations.provenance). The abbreviated-metadata cache is similarly projected to just the package-levelmodifiedfield and the set of currently-listed version names. Fixes #11860.Implemented
pnpm pkgcommand natively, followingnpm pkgstandards.Implemented
pnpm repocommand natively, followingnpm repostandards.Implemented
pnpm set-script(aliasss) natively. Adds or updates an entry in thescriptsfield of the project manifest, supportingpackage.json,package.json5, andpackage.yamlformats.Add a
skip-manifest-obfuscationoption forpnpm packandpnpm publish. When enabled, the originalpackageManagerfield and publish lifecycle scripts are kept in the packed/published manifest instead of being stripped. The pnpm-specificpnpmfield continues to be omitted.Patch Changes
pnpm dlxfailing withERR_PNPM_NO_IMPORTER_MANIFEST_FOUNDwhen the installed package's CAS slot is missing itspackage.json. Observed in the wild forpnpm dlx node@runtime:<version>when the GVS slot was populated without the synthesized manifest runtime archives need (they don't ship apackage.jsonof their own, so the synthesized one is the only way it gets there; an existing slot from an earlier code path that skipped the synthesis stays incomplete). The bin link itself is wired up from the resolution and remains valid, sodlxnow falls back to the scopeless package name when the slot's manifest is unreadable — for single-bin packages (the dlx common case, including everyruntime:spec) this matches whatmanifest.binwould have named. Multi-bin packages already require--package=<spec> <bin>to disambiguate and don't enter this code path.pnpm dedupeandpnpm installwhen a dependency graph contains packages with transitive peer dependencies on each other (e.g.@aws-sdk/client-stsand@aws-sdk/client-sso-oidc) andauto-install-peersis enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was thatresolveDependenciespushed onto itspkgAddresses/postponedResolutionsQueuearrays from insidePromise.all-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes #8155.pnpm add <github-shorthand>(and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs orpnpm/test-git-fetch#sha) was silently dropped from the manifest update and frompendingBuilds. The alias-keyed lookup added in that PR couldn't find awantedDependencywhosealiaswasundefinedat parse time but resolved to a package name only after fetching, so the entry never made it intospecsToUpsert. Restored the original index-based pairing betweendirectDependenciesandwantedDependencies; the catalog-protocol preservation that PR was originally fixing is unaffected because it's driven byrdd.catalogLookup.userSpecifiedBareSpecifier, not by the lookup. Fixes the threerebuilds dependencies/rebuilds specific dependencies/rebuild with pending optionfailures inbuilding/commands/test/build/index.ts.pnpm add --configleaving orphan entries inpnpm-lock.env.yaml(the optional subdependencies of the previously resolved version of the updated config dependency).v11.2.2Compare Source
Patch Changes
configDependencies, the user's CLI flags passed topnpm install(e.g.--no-runtime,--prod,--dev,--no-optional,--node-linker,--cpu/--os/--libc,--offline,--prefer-offline) are now forwarded to pacquet'sinstallsubcommand verbatim. Previously pacquet was invoked with a fixed argument list, so flags like--no-runtimewere silently dropped. Flag forwarding is gated on the command beinginstall/i;add,update, anddedupestill don't forward (their flag surface doesn't line up with pacquet'sinstall).pnpm up(andpnpm add/pnpm remove) failing withpacquet_package_manager::outdated_lockfilewhen pacquet is declared inconfigDependencies. pnpm now passes--ignore-manifest-checkto pacquet so its--frozen-lockfilecheck doesn't fire against the (pre-mutation)package.jsonpnpm hasn't written yet #11797. Requires a pacquet release that supports the flag — bumpPACQUET_VERSIONin the e2e tests once it ships.v11.2.1Compare Source
Patch Changes
optional: truein the env lockfile, matching how optional dependencies are recorded elsewhere inpnpm-lock.yaml. Previously, snapshots for the platform-specific subdeps pulled in via a config dep'soptionalDependencieswere written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required.pickRegistryForPackagereturning the wrong registry for an unscopednpm:alias under a scoped local name. A manifest entry like"@​private/foo": "npm:lodash@^1"was routing thelodashfetch throughregistries["@​private"], even thoughlodashis unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (ornullfor an unscoped target, falling through toregistries.default) instead of leaking into the local key's scope.v11.2.0Compare Source
Minor Changes
Experimental: Adding
@pnpm/pacquet(the Rust port of pnpm) toconfigDependenciesinpnpm-workspace.yamlnow delegates the materialization phase ofpnpm installto the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #11723.To configure pacquet in a project, run:
You'll see changes in
pnpm-workspace.yamlandpnpm-lock.yamlthat should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create.configDependenciesnow resolve and install one level ofoptionalDependenciesdeclared by the config dependency, withos/cpu/libcplatform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries viaoptionalDependencies— a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, sorequire('pkg-platform-arch')from inside the config dependency resolves correctly.The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's
optionalDependenciesmust declare an exact version — ranges and tags are rejected to keep installs reproducible.Implement the documented
pnpm login --scope <scope>flag. The scope is normalized (a leading@is added if missing; blank values are ignored) and an@<scope>:registry=<registry>mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of@<scope>/*packages then route to the chosen registry. Previouslypnpm login --scope fooerrored withUnknown option: 'scope'despite the flag being listed in the online documentation #11716.pnpm outdatedandpnpm update --interactivenow report Node.js, Deno, and Bun runtimes installed as project dependencies (runtime:specifiers). Previously these were silently skipped.Patch Changes
Fix
cafile=<relative-path>in.npmrcbeing read from the wrong directory when pnpm is invoked from a different cwd (e.g.pnpm --dir <project> installfrom a CI wrapper or monorepo script). The path is now resolved against the directory of the.npmrcthat declared it, notprocess.cwd(). Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path #11624.Fix
config.registrygetting a trailing slash appended whenregistryis set in.npmrcand noregistries.defaultis provided bypnpm-workspace.yaml. The sync fromregistries.defaulttoconfig.registryintroduced in #11744 now only fires when the workspace manifest actually contributes a different default.Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error.
Fix two crashes with
injectWorkspacePackages: truewhen the lockfile has been pruned (e.g. byturbo prune --docker):Cannot use 'in' operator to search for 'directory' in undefined: a peer-dependency-variant injected snapshot inherits itsresolutionfrom the basepackages:entry; when a pruner drops that base entry the readers crash.convertToLockfileObjectnow reconstructs the directory resolution from thefile:depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot.ERR_PNPM_ENOENTonnode_modules/.bin/<tool>: afterprepare/postinstall,runLifecycleHooksConcurrentlyre-imported each injected workspace package; thescanDir-into-filesMapworkaround fed target-internal paths to the importer, which themakeEmptyDirfast path (#11088) then wiped. Drop the workaround and passkeepModulesDir: trueso the importer preserves the target's existingnode_modules(bin links + transitive deps) and source files keep their hardlinks.Fixed
pnpm loginandpnpm logoutignoringregistries.defaultfrompnpm-workspace.yaml#10099.Fix the
minimumReleaseAge(publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whosemodifiedfield equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or aMISSING_TIMEerror when full metadata wasn't permitted). Sincemodifiedis an upper bound on every version's publish time,modified == publishedByalready implies every version passes the per-version<=filter infilterPkgMetadataByPublishDate, so the shortcut now accepts the boundary case directly. Strictly>(was>=) at the rejection branch.Honor
publishConfig.accesswhen publishing packages.v11.1.3Compare Source
Patch Changes
pnpm installnow re-validatespnpm-lock.yamlentries against the activeminimumReleaseAgeandtrustPolicy: 'no-downgrade'policies before any tarball is fetched. Lockfiles resolved elsewhere (committed to the repo, restored from a CI cache, produced by an older pnpm) under a weaker or absent policy can no longer install a freshly-published or trust-downgraded version silently. Violating entries abort the install withERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION,ERR_PNPM_TRUST_DOWNGRADE, or the genericERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATIONwhen both policies trip in the same batch;minimumReleaseAgeExcludeandtrustPolicyExcludeare honored. Verification results are cached so repeat installs against an unchanged lockfile take a fast path, and pnpm shows a transient progress line while the registry round-trip runs.When fresh resolution picks an immature version, the behavior depends on
minimumReleaseAgeStrict:minimumReleaseAgekeeps its built-in 24-hour value — auto-adds the immature picks tominimumReleaseAgeExcludeinpnpm-workspace.yamland lets the install proceed. A single info message lists what was persisted.minimumReleaseAgeExcludeand the install continues; declining aborts before the lockfile,package.json, ornode_modulesis touched.ERR_PNPM_NO_MATURE_MATCHING_VERSIONlisting every offending entry, instead of failing on the first one the resolver hit.minimumReleaseAgeStrictauto-enables whenever the user explicitly setsminimumReleaseAge(CLI flag, env var, globalconfig.yaml, orpnpm-workspace.yaml); setminimumReleaseAgeStrict: falseto keep loose-mode auto-collect even with an explicitminimumReleaseAgevalue. Closes #10438, #10488, #11687.Allow redundant trailing base64 padding in
.npmrcauth values and report invalid auth base64 with a pnpm error.Make
pnpm self-updaterespectminimumReleaseAge(andminimumReleaseAgeExclude) when resolving which pnpm version to install.When the
latestdist-tag points to a version newer than the configured age threshold,self-updatenow selects the newest mature version instead unless excluded byminimumReleaseAgeExclude.Also makes
dlxandoutdatedsurface invalidminimumReleaseAgeExcludepatterns under the sameERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDEerror code already used byinstall, instead of leaking the internalERR_PNPM_INVALID_VERSION_UNION/ERR_PNPM_NAME_PATTERN_IN_VERSION_UNIONcodes.Global installs respect global config build policy (e.g.,
dangerouslyAllowAllBuildsfrom config.yaml) when GVS is enabled #9249.The global virtual-store (GVS) default
allowBuilds = {}was applied before workspace manifest settings were read and before global config values (stripped byextractAndRemoveDependencyBuildOptions) were re-applied viaglobalDepsBuildConfig. This causedhasDependencyBuildOptionsto returntrue(because{}is not null), blocking restoration of global config values likedangerouslyAllowAllBuilds. As a result, global installs skipped all build scripts even when the config explicitly allowed them.This fix moves the GVS default to after workspace manifest reading and
globalDepsBuildConfigre-application, so that:allowBuildstakes precedence (if present)dangerouslyAllowAllBuildsis properly restored (if set and no workspace policy exists){}is only applied as a last resort when no policy is configured anywhereHonor
--silentwhenverifyDepsBeforeRun: installauto-installs dependencies beforepnpm runorpnpm exec, preventing install output from being written to stdout #11636.Fix lockfile parsing failures when
pnpm-lock.yamlcontains CRLF line endings and multiple YAML documents #11612.Anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node —
engines.runtimepin when present, shellnodeotherwise — instead of pnpm's own runtime.ENGINE_NAME(the<platform>;<arch>;node<major>prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed fromprocess.version— the Node that runs pnpm itself. That was wrong in two situations:@pnpm/exeSEA bundle. The bundle has its own embedded Node, not thenodeon the user'sPATHthat actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shellnode.engines.runtime/devEngines.runtimepin. When a project pins a Node version viadevEngines.runtime(pnpm v11+), pnpm downloads that Node intonode_modules/node/and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned NodeConfiguration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.