Skip to content

chore(deps): update dependency pnpm to v10.34.3#49

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x
Open

chore(deps): update dependency pnpm to v10.34.3#49
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x

Conversation

@renovate

@renovate renovate Bot commented Dec 15, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
pnpm (source) 10.23.010.34.3 age confidence

Release Notes

pnpm/pnpm (pnpm)

v10.34.3

Compare Source

v10.34.2

Compare Source

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes
  • When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.
Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

  • Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

  • pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

  • Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
  • Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

  • The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
  • Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
  • Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

  • Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

  • Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

  • Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

  • Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

  • update tar to version 7.5.7 to fix security issue

    Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

  • Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

  • Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

  • pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

  • Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

  • Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") [#​10307](https://redirect.gi

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • "every 2 weeks on Monday before 7am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@netlify

netlify Bot commented Dec 15, 2025

Copy link
Copy Markdown

👷 Deploy Preview for p5-easing processing.

Name Link
🔨 Latest commit ee4c31a
🔍 Latest deploy log https://app.netlify.com/projects/p5-easing/deploys/6a3d790214da2800082e75b6

@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from e1c0df6 to 0cb421f Compare December 22, 2025 18:31
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.24.0 chore(deps): update dependency pnpm to v10.25.0 Dec 22, 2025
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 0cb421f to 096a886 Compare December 29, 2025 14:14
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.25.0 chore(deps): update dependency pnpm to v10.26.0 Dec 29, 2025
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 096a886 to b20ff2a Compare January 2, 2026 04:48
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.26.0 chore(deps): update dependency pnpm to v10.26.1 Jan 2, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from b20ff2a to cd33f05 Compare January 6, 2026 18:14
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.26.1 chore(deps): update dependency pnpm to v10.26.2 Jan 6, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from cd33f05 to af04b46 Compare January 13, 2026 22:05
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.26.2 chore(deps): update dependency pnpm to v10.27.0 Jan 13, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from f5a8496 to 50262aa Compare January 24, 2026 00:41
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.27.0 chore(deps): update dependency pnpm to v10.28.0 Jan 24, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 50262aa to 82812cf Compare February 2, 2026 14:02
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.28.0 chore(deps): update dependency pnpm to v10.28.1 Feb 2, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 82812cf to 79d395e Compare February 9, 2026 18:31
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.28.1 chore(deps): update dependency pnpm to v10.28.2 Feb 9, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 79d395e to 1ee6987 Compare February 12, 2026 15:04
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 1ee6987 to d3b661c Compare February 21, 2026 20:27
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.28.2 chore(deps): update dependency pnpm to v10.29.1 Feb 21, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from d3b661c to 6c02816 Compare February 23, 2026 02:08
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.29.1 chore(deps): update dependency pnpm to v10.29.2 Feb 23, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 6c02816 to 2eba28f Compare February 25, 2026 15:45
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.29.2 chore(deps): update dependency pnpm to v10.29.3 Feb 25, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 2eba28f to c9674f5 Compare March 3, 2026 17:00
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.29.3 chore(deps): update dependency pnpm to v10.30.0 Mar 3, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from c9674f5 to 5a14875 Compare March 6, 2026 01:29
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.30.0 chore(deps): update dependency pnpm to v10.30.1 Mar 6, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 5a14875 to a4ee30e Compare March 10, 2026 02:42
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from a4ee30e to 80777fa Compare March 12, 2026 14:35
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.30.2 chore(deps): update dependency pnpm to v10.30.3 Mar 12, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 80777fa to 5dcb089 Compare March 22, 2026 00:35
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.30.3 chore(deps): update dependency pnpm to v10.31.0 Mar 22, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 5dcb089 to 9d2bb28 Compare March 24, 2026 01:55
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.31.0 chore(deps): update dependency pnpm to v10.32.0 Mar 24, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 9d2bb28 to 429f5f2 Compare March 25, 2026 04:41
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.32.0 chore(deps): update dependency pnpm to v10.32.1 Mar 25, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 429f5f2 to 72f5c28 Compare March 26, 2026 17:08
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 72f5c28 to 47b7fe8 Compare April 7, 2026 17:58
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.32.1 chore(deps): update dependency pnpm to v10.33.0 Apr 7, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 47b7fe8 to 6ff83fb Compare April 15, 2026 09:14
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 6ff83fb to 9ab0bb4 Compare April 29, 2026 11:37
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 9ab0bb4 to 20319e6 Compare May 6, 2026 12:40
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.33.0 chore(deps): update dependency pnpm to v10.33.1 May 6, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 20319e6 to 410ba82 Compare May 7, 2026 14:46
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.33.1 chore(deps): update dependency pnpm to v10.33.2 May 7, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 410ba82 to 9fcc602 Compare May 18, 2026 21:47
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.33.2 chore(deps): update dependency pnpm to v10.33.3 May 18, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 9fcc602 to 269d09d Compare May 20, 2026 18:08
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.33.3 chore(deps): update dependency pnpm to v10.33.4 May 20, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 269d09d to c983d50 Compare June 10, 2026 15:46
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.33.4 chore(deps): update dependency pnpm to v10.34.0 Jun 10, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from c983d50 to 10e5c82 Compare June 11, 2026 01:54
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.34.0 chore(deps): update dependency pnpm to v10.34.1 Jun 11, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 10e5c82 to 50be061 Compare June 24, 2026 18:06
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.34.1 chore(deps): update dependency pnpm to v10.34.2 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 50be061 to ee4c31a Compare June 25, 2026 18:52
@renovate renovate Bot changed the title chore(deps): update dependency pnpm to v10.34.2 chore(deps): update dependency pnpm to v10.34.3 Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants