Update pnpm to v11.1.2#1332
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/pnpm-11.x
branch
from
da287d0 to
cd2d92f
Compare
renovate
Bot
force-pushed
the
renovate/pnpm-11.x
branch
from
cd2d92f to
fac0578
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
11.1.0→11.1.2Release Notes
pnpm/pnpm (pnpm)
v11.1.2Compare Source
Patch Changes
convertEnginesRuntimeToDependencies: switch the runtime-dependency write toObject.definePropertyso the CodeQLjs/prototype-polluting-assignmentrule treats the assignment as safe regardless of the property name (follow-up to #11609).Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (
__proto__,constructor,prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.Strip
sec-fetch-*headers from outgoing HTTP requests. These headers are automatically added by undici'sfetch()implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #11572.Fix
minimumReleaseAgehandling for cached abbreviated metadata.The version-spec cache fast path no longer rethrows
ERR_PNPM_MISSING_TIMEunderstrictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version
time), pnpm now re-fetches withfullMetadata: trueifminimumReleaseAgeis active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.Closes #11619.
Fix
pnpm upgrade --interactive --latest -rnot respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g."catalog:foo") would incorrectly rewritepackage.jsonto"catalog:"and place the updated version in the default catalog instead of the named one #10115.Fixed
optimisticRepeatInstallskippingpnpm-lock.yamlmerge conflict resolution when the existingnode_modulesstate appears up to date.Fix
minimumReleaseAge/resolutionMode: time-basedinstalls failing on lockfiles whosetime:block is missing entries. The npm-resolver's peek-from-store fast path now surfacespublishedAtfrom the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.v11.1.1Compare Source
Patch Changes
checkDepsStatus(run byverifyDepsBeforeRun). Previously the status check calledfindWorkspaceProjects, which validates each project'senginesandos/cpu/libcand warns about useless fields in non-root manifests — work that the install pipeline already performs. With nonodeVersionthreaded through, the engine check also fell back to the system Node fromPATHand emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now usefindWorkspaceProjectsNoCheck; install paths continue to validate.pnpm add <alias>:@​scope/pkgfor named registries. The local resolver was claiming any specifier containing/as a local directory, sopnpm add bit:@​teambit/bit(withbitconfigured undernamedRegistries) installed a bogus link tobit:@​teambit/bit/instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.@zkochan/cmd-shimto 9.0.3. The sh shim it writes for.cmd/.battargets now escapes the/Cswitch as//C, so it survives the path translation Git Bash applies when launchingcmd.exe. Without this, a bare/Cwas rewritten toC:\before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.