Skip to content

Update pnpm to v10 - autoclosed#101

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x
Closed

Update pnpm to v10 - autoclosed#101
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x

Conversation

@renovate

@renovate renovate Bot commented Feb 3, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
pnpm (source) 9.6.010.33.4 age confidence
pnpm (source) ^9.6.0^10.0.0 age confidence

Release Notes

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes
  • When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.
Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

  • Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

  • pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

  • Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
  • Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

  • The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
  • Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
  • Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

  • Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

  • Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

  • Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

  • Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

  • update tar to version 7.5.7 to fix security issue

    Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

  • Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

  • Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

  • pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

  • Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

  • Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

  • Fix installation of Git dependencies using annotated tags #​10335.

    Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

  • Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

  • Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

  • Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
  • Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

  • Added --lockfile-only option to pnpm list #​10020.

Patch Changes

  • pnpm self-update should download pnpm from the configured npm registry #​10205.
  • pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
  • Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
  • The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
  • pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
  • Don't add an extra slash to the Node.js mirror URL #​10204.
  • pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

  • Added support for trustPolicyExclude #​10164.

    You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

    trustPolicy: no-downgrade
    trustPolicyExclude:
      - chokidar@4.0.3
      - webpack@4.47.0 || 5.102.1
  • Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

  • Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Bit

Gold Sponsors

Discord Mend Renovate. View the repository job log.

@changeset-bot

changeset-bot Bot commented Feb 3, 2025

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 646bcee

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from c64b413 to 2d99f27 Compare February 11, 2025 13:00
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from ff72715 to 642233f Compare February 16, 2025 22:02
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 3 times, most recently from ad45aaa to 28e0314 Compare February 27, 2025 01:57
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 4 times, most recently from 7f3e234 to 6b4be3f Compare March 13, 2025 14:50
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 27943a4 to 678908f Compare March 19, 2025 15:33
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 9568070 to 63e91a3 Compare April 1, 2025 17:19
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 3ead03b to 7ec2a5a Compare April 14, 2025 11:30
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from f6d5c77 to 7ac98a9 Compare April 28, 2025 03:09
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 7ac98a9 to ec27b87 Compare May 13, 2025 20:22
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 508d9cb to 4fe4856 Compare June 8, 2025 18:38
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 3 times, most recently from 92df605 to 2d65567 Compare June 26, 2025 19:08
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 2d65567 to 82b9ef7 Compare July 9, 2025 11:46
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 82b9ef7 to 2af32a8 Compare July 31, 2025 18:38
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 2af32a8 to 6a29628 Compare August 19, 2025 22:08
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 6a29628 to ef8166d Compare September 7, 2025 23:44
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 83818f1 to 911e450 Compare November 27, 2025 15:03
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from f0d7863 to ae9383b Compare December 15, 2025 13:37
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 0e7e3f3 to 5461438 Compare December 23, 2025 16:27
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 5461438 to 3fb3dda Compare December 30, 2025 22:01
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 3fb3dda to 1ef232c Compare January 10, 2026 01:35
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 1ef232c to edb8438 Compare January 19, 2026 12:49
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from edb8438 to 2a84aa4 Compare January 26, 2026 17:28
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 2a84aa4 to 9bf2996 Compare February 7, 2026 21:45
@renovate

renovate Bot commented Feb 7, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
{"level":50,"time":1770500708733,"pid":773,"hostname":"jr-microvm","err":{"type":"HTTPError","message":"Request failed with status code 502 (Bad Gateway or Proxy Error): GET https://github.com/containerbase/node-prebuild/releases/download/20.15.1/node-20.15.1-x86_64.tar.xz","stack":"HTTPError: Request failed with status code 502 (Bad Gateway or Proxy Error): GET https://github.com/containerbase/node-prebuild/releases/download/20.15.1/node-20.15.1-x86_64.tar.xz\n    at _Request._onResponseBase (/snapshot/dist/containerbase-cli.js:38594:25)\n    at _Request._onResponse (/snapshot/dist/containerbase-cli.js:38678:18)\n    at ClientRequest.<anonymous> (/snapshot/dist/containerbase-cli.js:38702:17)\n    at Object.onceWrapper (node:events:634:26)\n    at ClientRequest.emit (node:events:531:35)\n    at ClientRequest.emit (node:domain:489:12)\n    at HTTPParser.parserOnIncomingClient (node:_http_client:772:27)\n    at HTTPParser.parserOnHeadersComplete (node:_http_common:122:17)\n    at TLSSocket.socketOnData (node:_http_client:614:22)\n    at TLSSocket.emit (node:events:519:28)","name":"HTTPError","code":"ERR_NON_2XX_3XX_RESPONSE","timings":{"start":1770500708722,"socket":1770500708723,"lookup":1770500708723,"connect":1770500708723,"secureConnect":1770500708723,"upload":1770500708726,"response":1770500708727,"end":1770500708731,"phases":{"wait":1,"dns":1,"tcp":4,"tls":9,"request":3,"firstByte":1,"download":4,"total":9}},"options":{"agent":{},"decompress":true,"timeout":{},"prefixUrl":"","ignoreInvalidCookies":false,"context":{},"hooks":{"init":[],"beforeRequest":[],"beforeError":[],"beforeRedirect":[],"beforeRetry":[],"beforeCache":[],"afterResponse":[]},"followRedirect":true,"maxRedirects":10,"throwHttpErrors":true,"username":"","password":"","http2":false,"allowGetBody":false,"copyPipedHeaders":true,"headers":{"user-agent":"containerbase/13.26.7 node/22.22.0 (https://github.com/containerbase)","accept-encoding":"gzip, deflate, br, zstd"},"methodRewriting":false,"retry":{"limit":2,"methods":["GET","PUT","HEAD","DELETE","OPTIONS","TRACE"],"statusCodes":[408,413,429,500,502,503,504,521,522,524],"errorCodes":["ETIMEDOUT","ECONNRESET","EADDRINUSE","ECONNREFUSED","EPIPE","ENOTFOUND","ENETUNREACH","EAI_AGAIN"],"backoffLimit":null,"noise":100,"enforceRetryRules":false},"method":"GET","cacheOptions":{},"https":{},"resolveBodyOnly":false,"isStream":true,"responseType":"text","url":"https://github.com/containerbase/node-prebuild/releases/download/20.15.1/node-20.15.1-x86_64.tar.xz","pagination":{"countLimit":null,"backoff":0,"requestLimit":10000,"stackAllItems":false},"setHost":true,"enableUnixSockets":false,"strictContentLength":false}},"run":3,"msg":"download failed"}
{"level":50,"time":1770500708790,"pid":773,"hostname":"jr-microvm","msg":"download failed"}
{"level":60,"time":1770500708791,"pid":773,"hostname":"jr-microvm","msg":"Install tool node failed in 382ms."}

@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 0b13c67 to aa2baa4 Compare February 11, 2026 17:58
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 3 times, most recently from de52b99 to a8702c5 Compare February 24, 2026 02:09
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 0bf3bb8 to 3225b42 Compare March 8, 2026 01:15
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 7a803d4 to 14e3c19 Compare March 11, 2026 03:58
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 14e3c19 to 359c13d Compare April 15, 2026 13:15
@renovate renovate Bot changed the title chore(deps): update pnpm to v10 Update pnpm to v10 Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 16eb10e to ac9dd83 Compare May 4, 2026 22:37
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from ac9dd83 to 646bcee Compare May 6, 2026 18:40
@renovate renovate Bot changed the title Update pnpm to v10 Update pnpm to v10 - autoclosed May 7, 2026
@renovate renovate Bot closed this May 7, 2026
@renovate renovate Bot deleted the renovate/pnpm-10.x branch May 7, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants