chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9

[dependabot]

Bumps pnpm/action-setup from 5.0.0 to 6.0.9.

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.9

What's Changed

• fix: update pnpm to v11.7.0 by @​zkochan in pnpm/action-setup#267

Full Changelog: pnpm/action-setup@v6...v6.0.9

v6.0.8

What's Changed

• docs(README): fix cache_dependency_path type by @​haines in pnpm/action-setup#257
• fix: drop patchPnpmEnv so standalone+self-update works on Windows by @​zkochan in pnpm/action-setup#258
• fix: update pnpm to 11.1.1 by @​mungodewar in pnpm/action-setup#248

New Contributors

• @​mungodewar made their first contribution in pnpm/action-setup#248

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

What's Changed

• fix: honor devEngines.packageManager.onFail=error (#252) by @​zkochan in pnpm/action-setup#254
• fix: restore inputs from state in post by @​haines in pnpm/action-setup#255
• fix: self-update bootstrap to packageManager-pinned version (#233) by @​zkochan in pnpm/action-setup#256

New Contributors

• @​haines made their first contribution in pnpm/action-setup#255

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

What's Changed

• fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in pnpm/action-setup#249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

What's Changed

• fix: append (not prepend) action node dir to PATH for npm bootstrap by @​zkochan in pnpm/action-setup#241

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

What's Changed

• fix: use npm co-located with the action node binary by @​benquarmby in pnpm/action-setup#239

New Contributors

• @​benquarmby made their first contribution in pnpm/action-setup#239

... (truncated)

Commits

• 0ebf471 fix: update pnpm to v11.7.0 (#267)
• 0e279bb fix: update pnpm to 11.1.1 (#248)
• 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
• 551b42e docs(README): fix cache_dependency_path type (#257)
• 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
• f61705d chore: add CODEOWNERS
• 7a5507b fix: restore inputs from state in post (#255)
• 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
• 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
• e578e19 fix: update pnpm to 11.0.4
• Additional commits viewable in compare view

[changeset-bot]

⚠️ No Changeset found

Latest commit: dd5c6bd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@2301

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/codemod@2301

@modelcontextprotocol/core

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/core@2301

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@2301

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server-legacy@2301

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@2301

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@2301

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@2301

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@2301

commit: dd5c6bd

[claude]

LGTM — mechanical Dependabot bump of pnpm/action-setup to v6.0.9, SHA-pinned consistently across all six workflows.

Extended reasoning...

Overview

This Dependabot PR bumps pnpm/action-setup from v5.0.0 to v6.0.9 in all six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically, SHA-pinned (0ebf471...) with a matching version comment, following the repo's existing pinning convention. No workflow inputs, permissions, or other steps change.

Security risks

Minimal. The action remains SHA-pinned (not a floating tag), and the pinned commit matches the v6.0.9 release per the Dependabot-generated commit list. No new permissions or secrets exposure are introduced; the change touches only the pnpm installation step.

Level of scrutiny

Low — this is CI tooling, not SDK code, and the change is purely mechanical. The main compatibility question for a v5→v6 major bump is which pnpm version gets installed: the workflows pass no version input, and the repo's package.json pins packageManager: pnpm@10.26.1, which the action resolves from (v6 explicitly added a fix to bootstrap to the packageManager-pinned version), so the bundled-pnpm bump to 11.x in v6 does not change the pnpm actually used. The existing OIDC/npm note in release.yml therefore also remains accurate.

Other factors

The bug-hunting system found no issues, and the pkg-pr-new bot comment shows the publish workflow already ran successfully on this PR's commit using the new action version (install + build:all + preview publish), which is direct evidence the bump works in this repo's CI. The missing changeset is expected for workflow-only changes.