@renovate renovate bot commented Dec 8, 2025

This PR contains the following updates:

Package     Update   Change
pnpm/pnpm   minor    10.24.0 -> 10.26.0

Release Notes

pnpm/pnpm (pnpm/pnpm)

v10.26.0: pnpm 10.26


Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

  • Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

  • Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #10265.

  • Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

    allowBuilds:
      esbuild: true
      core-js: false

    The example above achieves the same result as the previous configuration:

    onlyBuiltDependencies:
      - esbuild
    ignoredBuiltDependencies:
      - core-js

    Related PR: #10311

  • Added support for --dry-run to the pack command #10301.

Patch Changes

  • Show deprecation in table/list formats when latest version is deprecated #8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
  • Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.


v10.25.0: pnpm 10.25


Minor Changes

  • Allow loading certificates from cert, ca, and key for specific registry URLs. E.g., //registry.example.com/:ca=-----BEGIN CERTIFICATE-----.... Previously this was only working via certfile, cafile, and keyfile.

    These properties are supported in .npmrc but were ignored by pnpm; this will make pnpm read and use them as well.

    Related PR: #10230.

  • Added a new flag called --bare to pnpm init for creating a package.json with the bare minimum of required fields #10226.

Patch Changes

  • Improved reporting of ignored dependency scripts #10276.
  • pnpm install should build any dependencies that were added to onlyBuiltDependencies and were not built yet #10256.
  • pnpm publish -r --force should allow running publish over already existing versions in the registry #10272.
  • Don't fail with an ERR_PNPM_MISSING_TIME error if a package that is excluded from trust policy checks is missing the time field in the metadata.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
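The blockExoticSubdeps policy from the 10.26 release notes, as an added example that is not pnpm's own code: it classifies dependency specifiers the way the notes describe (git and direct tarball URLs are exotic; registry, file, link and workspace sources are trusted) and walks a dependency graph, exempting only the root's direct dependencies. The graph shape is a constructed assumption rather than the pnpm-lock.yaml format, and the notes' allowlist of trusted GitHub repositories is not modeled.

```python
from urllib.parse import urlparse

# Constructed stand-in for a resolved dependency graph: package -> {dep: specifier}.
# It is not the pnpm-lock.yaml format; the shape is an assumption for illustration.
SAMPLE_GRAPH = {
    "app": {  # root package.json: exotic sources are still allowed here
        "left-pad": "^1.3.0",
        "internal-tool": "git+ssh://git@github.com/example-org/internal-tool.git",
        "shared": "workspace:*",
    },
    "left-pad": {},
    "internal-tool": {  # transitive dependency: must come from a trusted source
        "fast-json": "https://cdn.example.com/fast-json-1.0.0.tgz",
        "semver": "^7.0.0",
    },
    "shared": {"lodash-fork": "git+https://github.com/example-org/lodash-fork.git"},
    "semver": {"lru-cache": "file:../vendor/lru-cache"},
}

LOCAL_PREFIXES = ("file:", "link:", "workspace:")
GIT_SCHEMES = {"git", "git+ssh", "git+https", "git+http", "git+file", "github"}


def classify_spec(spec: str) -> str:
    """Classify a specifier as 'local', 'registry', 'git' or 'tarball' (last two are exotic)."""
    if spec.startswith(LOCAL_PREFIXES):
        return "local"
    if spec.startswith("npm:"):  # alias, still resolved from the registry
        return "registry"
    scheme = urlparse(spec).scheme
    if scheme in GIT_SCHEMES:
        return "git"
    if scheme in ("http", "https"):  # direct link to a tarball
        return "tarball"
    return "registry"  # semver range, dist-tag or "*"


def exotic_transitive_deps(graph: dict, root: str) -> list:
    """Return (parent, name, spec) for every transitive dependency on an exotic source."""
    queue = list(graph.get(root, {}))  # direct deps are exempt; their own deps are not
    seen = set(queue)
    blocked = []
    while queue:
        parent = queue.pop(0)
        for name, spec in graph.get(parent, {}).items():
            if classify_spec(spec) in ("git", "tarball"):
                blocked.append((parent, name, spec))
            if name not in seen:
                seen.add(name)
                queue.append(name)
    return blocked
```

Running `exotic_transitive_deps(SAMPLE_GRAPH, "app")` flags the tarball under internal-tool and the git fork under shared, while the direct git dependency of app passes, matching the release notes' description.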

@renovate renovate bot added the dependencies label Dec 8, 2025
@renovate renovate bot requested a review from a team as a code owner December 8, 2025 19:29
@renovate renovate bot changed the title Update dependency pnpm/pnpm to v10.25.0 Update dependency pnpm/pnpm to v10.26.0 Dec 15, 2025
@renovate renovate bot force-pushed the renovate/pnpm-pnpm-10.x branch from 5d51938 to b92cfa4 Compare December 15, 2025 13:34
@sonarqubecloud

Quality Gate failed

Failed conditions
Maintainability Rating on New Code: E (required ≥ A)

See analysis details on SonarQube Cloud
