Skip to content

chore(deps): update pnpm to v10.29.1#155

Merged
descope[bot] merged 1 commit intomainfrom
renovate/pnpm-10.x
Feb 28, 2026
Merged

chore(deps): update pnpm to v10.29.1#155
descope[bot] merged 1 commit intomainfrom
renovate/pnpm-10.x

Conversation

@descope
Copy link
Contributor

@descope descope bot commented Feb 28, 2026

This PR contains the following updates:

Package Type Update Change Pending OpenSSF
pnpm (source) packageManager minor 10.28.210.29.1 10.30.3 (+5) OpenSSF Scorecard

Release Notes

pnpm/pnpm (pnpm)

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

  • The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
  • Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
  • Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

  • Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

  • Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

  • Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

  • Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

  • update tar to version 7.5.7 to fix security issue

    Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

  • Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

  • Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

  • pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

  • Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@descope descope bot added the renovate label Feb 28, 2026
@descope descope bot enabled auto-merge (squash) February 28, 2026 20:56
@descope descope bot merged commit 4e13eac into main Feb 28, 2026
13 checks passed
@descope descope bot deleted the renovate/pnpm-10.x branch February 28, 2026 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@descope-approve descope-approve[bot] descope-approve[bot] approved these changes

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants