Skip to content

chore(deps): update pnpm to v10.29.2 #276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update pnpm to v10.29.2 #276

renovate wants to merge 1 commit into from
+135 −101

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 18, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
pnpm (source) 10.24.010.29.2 age confidence

Release Notes

pnpm/pnpm (pnpm)

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

  • The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
  • Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
  • Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

  • Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

  • Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

  • Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

  • Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

  • update tar to version 7.5.7 to fix security issue

    Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

  • Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

  • Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

  • pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

  • Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

  • Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

  • Fix installation of Git dependencies using annotated tags #​10335.

    Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

  • Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

  • Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

  • Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
  • Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.0

Compare Source

v10.25.0

Compare Source

Configuration

📅 Schedule: Branch creation - On day 1 of the month, every 12 months ( * * 1 */12 * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@vercel
Copy link

vercel bot commented Dec 18, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
css-in-js-benchmarks Ready Ready Preview, Comment Feb 9, 2026 3:30am
css-in-js-next Ready Ready Preview, Comment Feb 9, 2026 3:30am
styled-components-examples-next-app-router Ready Ready Preview, Comment Feb 9, 2026 3:30am
styled-components-examples-next-pages-router Ready Ready Preview, Comment Feb 9, 2026 3:30am

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Dec 18, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 3986422

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security
Copy link

socket-security bot commented Dec 18, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​react@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-2dd9b7cf-20260208100 +110084 +198100
Updatednpm/​react-dom@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-2dd9b7cf-20260208100 +110092 +198 +1100
Updatednpm/​react-is@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-2dd9b7cf-2026020810010010098100

View full report

@renovate renovate bot force-pushed the renovate/corepack branch from 595f598 to 501cbfb Compare December 19, 2025 03:47
@renovate renovate bot changed the title chore(deps): update pnpm to v10.26.0 chore(deps): update pnpm to v10.26.1 Dec 19, 2025
@renovate renovate bot force-pushed the renovate/corepack branch from 501cbfb to cc16157 Compare December 23, 2025 14:38
@renovate renovate bot changed the title chore(deps): update pnpm to v10.26.1 chore(deps): update pnpm to v10.26.2 Dec 23, 2025
@renovate renovate bot force-pushed the renovate/corepack branch from cc16157 to 0165db6 Compare December 30, 2025 23:10
@renovate renovate bot changed the title chore(deps): update pnpm to v10.26.2 chore(deps): update pnpm to v10.27.0 Dec 30, 2025
@renovate renovate bot force-pushed the renovate/corepack branch from 0165db6 to 737be74 Compare January 8, 2026 21:01
@renovate renovate bot force-pushed the renovate/corepack branch from aebea28 to bc99c05 Compare January 23, 2026 22:40
@renovate renovate bot force-pushed the renovate/corepack branch from bc99c05 to f5437a3 Compare January 26, 2026 15:59
@renovate renovate bot changed the title chore(deps): update pnpm to v10.28.1 chore(deps): update pnpm to v10.28.2 Jan 26, 2026
@renovate renovate bot force-pushed the renovate/corepack branch from f5437a3 to 11b67bd Compare February 2, 2026 16:36
@renovate renovate bot force-pushed the renovate/corepack branch from 11b67bd to 5f44558 Compare February 7, 2026 18:31
@renovate renovate bot changed the title chore(deps): update pnpm to v10.28.2 chore(deps): update pnpm to v10.29.1 Feb 7, 2026
@renovate renovate bot force-pushed the renovate/corepack branch from 5f44558 to 3986422 Compare February 9, 2026 03:29
@renovate renovate bot changed the title chore(deps): update pnpm to v10.29.1 chore(deps): update pnpm to v10.29.2 Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants