This repository was archived by the owner on Jun 16, 2026. It is now read-only.
chore(deps): update pnpm to v10.34.1#502
Merged
Merged
Conversation
✅ Deploy Preview for homarr-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
The latest updates on your projects. Learn more about Argos notifications ↗︎ Awaiting the start of a new Argos build… |
735f396 to
ced5492
Compare
ced5492 to
5192c13
Compare
3053e3b to
75fd886
Compare
1217bc6 to
ee42c7d
Compare
139fdfd to
1b08e32
Compare
ac4f9fd to
adfc796
Compare
36b9bdf to
4355ddb
Compare
Contributor
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
1f4ca10 to
7313118
Compare
7313118 to
e99acc6
Compare
2746271 to
e763f67
Compare
c5ca576 to
63bc8fa
Compare
fad8dca to
00e64bf
Compare
f9ab8d8 to
aa46531
Compare
a5e6c13 to
09d1eaa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

This PR contains the following updates:
10.30.3→10.34.1Release Notes
pnpm/pnpm (pnpm)
v10.34.1: pnpm 10.34.1Compare Source
Patch Changes
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.Patch Changes
_authToken,_auth,username/_password,tokenHelper, inlinecert/key) to the registry declared in the same config source at load time, so a later layer overridingregistry=(workspace.npmrc,pnpm-workspace.yaml, CLI--registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.minimumReleaseAgehandling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-versiontimefield) by default, which made the maturity check throwERR_PNPM_MISSING_TIMEwhenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch whenminimumReleaseAgeis active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and letsERR_PNPM_MISSING_TIMEfrom the cache fast-path fall through to the network fetch even under strict mode.commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.--prefix=<dir>not being honored when locating the workspace root. The--prefix → dirrename was applied after workspace detection, so workspace settings declared in<dir>/pnpm-workspace.yamlwere not loaded when pnpm was invoked from outside<dir>#11535.@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Platinum Sponsors
Gold Sponsors
v10.33.4: pnpm 10.33.4Compare Source
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new
gitHosted: truefield is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.Fix a regression where
pnpm --recursive --filter '!<pkg>' run/exec/test/addwould include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative--filterarguments are provided, matching the documented behavior. To include the root, pass--include-workspace-root#11341.Platinum Sponsors
Gold Sponsors
v10.33.3: pnpm 10.33.3Compare Source
Patch Changes
@pnpm/exeto v11+ on Intel macOS (darwin-x64),pnpm self-updatenow transparently switches to the JS-onlypnpmpackage on npm instead of installing@pnpm/exe@v11+(which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no workingpnpmbinary. The new install requires Node.js to be available onPATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.pnpm self-update(with no version argument) no longer downgrades pnpm when the registry'slatestdist-tag points to an older release than the currently active version. Runpnpm self-update latestto force a downgrade #11418.Platinum Sponsors
Gold Sponsors
v10.33.2: pnpm 10.33.2Compare Source
Patch Changes
Globally-installed bins no longer fail with
ERR_PNPM_NO_IMPORTER_MANIFEST_FOUNDwhen pnpm was installed via the standalone@pnpm/exebinary (e.g.curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, whenwhich('node')failed duringpnpm add --global, pnpm fell back toprocess.execPath, which in@pnpm/exeis the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g.
npm install -g pnpm@A) and run inside a project whosepackage.jsonselected a different pnpm version via thepackageManagerfield (e.g.pnpm@B), while apnpm-workspace.yamlalso existed at the project root.The child's environment is now forced to
manage-package-manager-versions=false(v10) andpm-on-fail=ignore(v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.Fixes #11337.
Platinum Sponsors
Gold Sponsors
v10.33.1: pnpm 10.33.1Compare Source
Patch Changes
packageManagerfield selects pnpm v11 or newer, commands that v10 would have passed through to npm (version,login,logout,publish,unpublish,deprecate,dist-tag,docs,ping,search,star,stars,unstar,whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example,pnpm version --helpprint npm's help on a project withpackageManager: pnpm@11.0.0-rc.3#11328.Platinum Sponsors
Gold Sponsors
v10.33.0: pnpm 10.33Compare Source
Minor Changes
dedupePeerssetting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested suffixes like(foo@1.0.0(bar@2.0.0)). This dramatically reduces the number of package instances in projects with many recursive peer dependencies #11070.Patch Changes
Fail on incompatible lockfiles in CI when frozen lockfile mode is enabled, while preserving non-frozen CI fallback behavior.
When package metadata is malformed or can't be fetched, the error thrown will now show the originating error.
Fixed intermittent failures when multiple
pnpm dlxcalls run concurrently for the same package. When the global virtual store is enabled, the importer now verifies file content before skipping a rename, avoiding destructive swap-renames that break concurrent processes. Also tolerates EPERM during bin creation on Windows and properly propagatesenableGlobalVirtualStorethrough the install pipeline.Fixed handling of non-string version selectors in
hoistPeers, preventing invalid peer dependency specifiers.Improve the non-interactive modules purge error hint to include the
confirmModulesPurge=falseworkaround.When pnpm needs to recreate
node_modulesbut no TTY is available, the error now suggests either settingCI=trueor disabling the purge confirmation prompt viaconfirmModulesPurge=false.Adds a regression test for the non-TTY flow.
Fixed false "Command not found" errors on Windows when a command exists in PATH but exits with a non-zero code. Also fixed path resolution for
--filtercontexts where the command runs in a different package directory.When a pnpm-lock.yaml contains two documents, ignore the first one. pnpm v11 will write two lockfile documents into pnpm-lock.yaml in order to store pnpm version integrities and config dependency resolutions.
Fixed a bug preventing the
clearCachefunction returned bycreateNpmResolverfrom properly clearing metadata cache.Platinum Sponsors
Gold Sponsors
v10.32.1: pnpm 10.32.1Compare Source
Patch Changes
pnpm-workspace.yamlwithout apackagesfield caused all directories to be treated as workspace projects. This broke projects that usepnpm-workspace.yamlonly for settings (e.g.minimumReleaseAge) without defining workspace packages #10909.Platinum Sponsors
Gold Sponsors
v10.32.0: pnpm 10.32Compare Source
Minor Changes
--allflag topnpm approve-buildsthat approves all pending builds without interactive prompts #10136.Patch Changes
lockfile-include-tarball-url. Fixes #10915.Platinum Sponsors
Gold Sponsors
v10.31.0: pnpm 10.31Compare Source
Minor Changes
pnpm-workspace.yaml, comments, string formatting, and whitespace will be preserved.Patch Changes
Added
-Fas a short alias for the--filteroption in the help output.Handle undefined pkgSnapshot in
pnpm why -r#10700.Fix headless install not being used when a project has an injected self-referencing
file:dependency that resolves tolink:in the lockfile.Fixed a race condition when multiple worker threads import the same package to the global virtual store concurrently. The rename operation now tolerates
ENOTEMPTY/EEXISTerrors if another thread already completed the import.When
lockfile-include-tarball-urlis set tofalse, tarball URLs are now always excluded from the lockfile. Previously, tarball URLs could still appear for packages hosted under non-standard URLs, making the behavior flaky and inconsistent #6667.Fixed
optimisticRepeatInstallskipping install whenoverrides,packageExtensions,ignoredOptionalDependencies,patchedDependencies, orpeersSuffixMaxLengthchanged.Fixed
pnpm patch-commitfailing with "unable to access '/.config/git/attributes': Permission denied" error in environments where HOME is unset or non-standard (Docker containers, CI systems).The issue occurred because pnpm was setting
HOMEand the Windows user profile env var to empty strings to suppress user git configuration when runninggit diff. This caused git to resolve the home directory (~) as root (/), leading to permission errors when attempting to access/.config/git/attributes.Now uses
GIT_CONFIG_GLOBAL: os.devNullinstead, which is git's proper mechanism for bypassing user-level configuration without corrupting the home directory path resolution.Fixes #6537
Fix
pnpm why -r --parseablemissing dependents when multiple workspace packages share the same dependency #8100.Fix
link-workspace-packages=trueincorrectly linking workspace packages when the requested version doesn't match the workspace package's version. Previously, on fresh installs the version constraint is overridden to*in the fallback resolution paths, causing any workspace package with a matching name to be linked regardless of version #10173.Fixed
pnpm update --interactivetable breaking with long version strings (e.g., prerelease versions like7.0.0-dev.20251209.1) by dynamically calculating column widths instead of using hardcoded values #10316.Explicitly tell
npmthe path to the globalrcconfig file.The parameter set by the
--allow-buildflag is written toallowBuilds.Fix a bug in which specifying
filteronpnpm-workspace.yamlwould cause pnpm to not detect any projects.Print help message on running pnpm dlx without arguments and exit.
Platinum Sponsors
Gold Sponsors