Skip to content

chore(deps): update pnpm to v10.34.4#338

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x
Open

chore(deps): update pnpm to v10.34.4#338
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pnpm-10.x

Conversation

@renovate

@renovate renovate Bot commented Mar 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pnpm (source) 10.30.010.34.4 age adoption passing confidence

Release Notes

pnpm/pnpm (pnpm)

v10.34.4

Compare Source

v10.34.3

Compare Source

v10.34.2

Compare Source

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes
  • When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.
Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

  • Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Mar 8, 2026

Copy link
Copy Markdown

Deploying charlotte with  Cloudflare Pages  Cloudflare Pages

Latest commit: 017de49
Status: ✅  Deploy successful!
Preview URL: https://f7e05abe.charlotte-e3z.pages.dev
Branch Preview URL: https://renovate-pnpm-10-x.charlotte-e3z.pages.dev

View logs

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@netlify

netlify Bot commented Mar 8, 2026

Copy link
Copy Markdown

Deploy Preview for chuwublog ready!

Name Link
🔨 Latest commit 017de49
🔍 Latest deploy log https://app.netlify.com/projects/chuwublog/deploys/6a349ff81ec372000829c39b
😎 Deploy Preview https://deploy-preview-338--chuwublog.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
1 paths audited
Performance: 78
Accessibility: 97
Best Practices: 100
SEO: 99
PWA: -
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from ef6f96e to c2d1ba4 Compare March 9, 2026 21:56
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.31.0 chore(deps): update pnpm to v10.32.0 Mar 9, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from c2d1ba4 to a5f7d8a Compare March 11, 2026 02:57
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.32.0 chore(deps): update pnpm to v10.32.1 Mar 11, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from a5f7d8a to e35b6f5 Compare March 24, 2026 17:42
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.32.1 chore(deps): update pnpm to v10.33.0 Mar 24, 2026
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.33.0 chore(deps): update pnpm to v10.33.1 Apr 22, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from e35b6f5 to 6d976fb Compare April 22, 2026 17:52
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.33.1 chore(deps): update pnpm to v10.33.2 Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 6d976fb to 6c4e6f9 Compare April 23, 2026 15:39
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.33.2 chore(deps): update pnpm to v10.33.3 May 4, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 6c4e6f9 to 73c7475 Compare May 4, 2026 21:57
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.33.3 chore(deps): update pnpm to v10.33.4 May 6, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 73c7475 to 9153694 Compare May 6, 2026 16:56
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.33.4 chore(deps): update pnpm to v10.34.0 May 27, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch 2 times, most recently from 2faace2 to 40c8b88 Compare May 28, 2026 00:56
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.34.0 chore(deps): update pnpm to v10.34.1 May 28, 2026
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.34.1 chore(deps): update pnpm to v10.34.2 Jun 10, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 40c8b88 to cc9600b Compare June 10, 2026 15:48
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.34.2 chore(deps): update pnpm to v10.34.3 Jun 12, 2026
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from cc9600b to 023e18f Compare June 12, 2026 00:42
@renovate renovate Bot force-pushed the renovate/pnpm-10.x branch from 023e18f to 017de49 Compare June 19, 2026 01:48
@renovate renovate Bot changed the title chore(deps): update pnpm to v10.34.3 chore(deps): update pnpm to v10.34.4 Jun 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants