chore(deps): update all non-major dependencies #221
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the
📝 Walkthrough
Pinned zizmor action (v0.5.3 → v0.5.6) and applied coordinated patch/minor dependency bumps across root, packages, and example manifests (Angular, React, Preact, Solid, Vanilla).
Changes: Monorepo dependency and workflow updates
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
examples/angular/injectAsyncThrottledCallback/package.json (1)
1-1: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Critical: Lockfile out of sync with package.json changes.
The pipeline failure indicates `pnpm-lock.yaml` is not up to date after the dependency updates across the monorepo. The lockfile needs to be regenerated to reflect the new versions of eslint (^10.4.0), knip (^6.14.1), and nx (^22.7.2) in the root package.json.
Run the following to regenerate the lockfile:
pnpm install
Then commit the updated `pnpm-lock.yaml`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/angular/injectAsyncThrottledCallback/package.json` at line 1, The repo's pnpm-lock.yaml is out of sync with package.json changes (root deps updated to eslint ^10.4.0, knip ^6.14.1, nx ^22.7.2); regenerate the lockfile by running pnpm install at repo root, verify pnpm-lock.yaml updates, then commit the updated pnpm-lock.yaml alongside the modified package.json so the lockfile matches the new dependency versions.
examples/solid/createDebouncer/package.json (1)
1-1: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Regenerate pnpm-lock.yaml to fix the pipeline failure.
The CI failure indicates `pnpm-lock.yaml` is out of sync with root `package.json` due to mismatched specifiers for eslint, knip, and nx. Run `pnpm install` at the repository root to update the lockfile.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/solid/createDebouncer/package.json` at line 1, Regenerate the repository lockfile so specifiers for eslint, knip, and nx match the root package.json: run pnpm install from the repository root to update pnpm-lock.yaml (ensuring the lockfile reflects the root package.json changes), then commit the updated pnpm-lock.yaml so CI no longer fails due to mismatched specifiers for eslint/knip/nx.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@examples/angular/asyncBatch/package.json`:
- Around line 23-38: The package.json was updated (packageManager/pnpm and
dependency version bumps) but the pnpm-lock.yaml was not regenerated and
committed, causing CI to fail with ERR_PNPM_OUTDATED_LOCKFILE; run pnpm install
to regenerate pnpm-lock.yaml (or pnpm install --lockfile-only) using the updated
package.json, add and commit the new pnpm-lock.yaml alongside the package.json
changes, and push so CI can run pnpm install --frozen-lockfile successfully.
In `@examples/angular/injectQueuedSignal/package.json`:
- Line 23: The repo’s pnpm lockfile is out of sync with updated dependency specs
(packageManager/pnpm version and several root/example deps), causing
ERR_PNPM_OUTDATED_LOCKFILE; regenerate pnpm-lock.yaml and commit it. Run pnpm
install using the declared pnpm version (pnpm@11.1.2) to produce an updated
pnpm-lock.yaml, verify root deps (eslint, knip, nx) and example Angular deps
match package.json entries, and commit the updated pnpm-lock.yaml so
frozen-lockfile CI will pass.
In `@examples/react/rateLimit/package.json`:
- Around line 19-20: The CI failure is caused by an out-of-sync pnpm lockfile
after dependency changes (e.g. "`@vitejs/plugin-react`" and "vite") in
package.json; run `pnpm install` in this workspace to regenerate pnpm-lock.yaml,
verify the lockfile changes, and commit the updated pnpm-lock.yaml alongside
your package.json change so the pipeline picks up the consistent dependencies.
In `@examples/react/useBatcher/package.json`:
- Around line 19-20: The package manifest was bumped (e.g., dependency entries
like "`@vitejs/plugin-react`" and "vite" in package.json) but pnpm-lock.yaml was
not regenerated, causing CI to fail with ERR_PNPM_OUTDATED_LOCKFILE; run pnpm
install (or pnpm install --lockfile-only) at the repo root to regenerate
pnpm-lock.yaml so it matches the updated manifests, verify the lockfile
addresses specifier drift for packages such as eslint/knip/nx, and commit the
updated pnpm-lock.yaml alongside the manifest changes.
In `@examples/react/useQueuerWithPersister/package.json`:
- Around line 20-21: The package.json bump for "`@vitejs/plugin-react`" and "vite"
requires updating the pnpm lockfile so CI won't fail; regenerate and commit an
updated pnpm-lock.yaml by running pnpm install (or pnpm install --lockfile-only
/ pnpm up) in the repo root to sync the lockfile with the new dependency
versions, verify the lockfile changes are staged/committed, and re-run CI to
confirm the ERR_PNPM_OUTDATED_LOCKFILE error is resolved.
In `@package.json`:
- Around line 61-66: The lockfile is out of sync with the bumped dependency
versions (eslint, knip, nx) causing --frozen-lockfile to fail; regenerate
pnpm-lock.yaml by running pnpm install (or pnpm install --lockfile-only) so the
lockfile matches the new specifiers, verify the updated pnpm-lock.yaml reflects
the updated packages (eslint, knip, nx), and commit the changed pnpm-lock.yaml
to the repo so CI can install deterministically.
---
Outside diff comments:
In `@examples/angular/injectAsyncThrottledCallback/package.json`:
- Line 1: The repo's pnpm-lock.yaml is out of sync with package.json changes
(root deps updated to eslint ^10.4.0, knip ^6.14.1, nx ^22.7.2); regenerate the
lockfile by running pnpm install at repo root, verify pnpm-lock.yaml updates,
then commit the updated pnpm-lock.yaml alongside the modified package.json so
the lockfile matches the new dependency versions.
In `@examples/solid/createDebouncer/package.json`:
- Line 1: Regenerate the repository lockfile so specifiers for eslint, knip, and
nx match the root package.json: run pnpm install from the repository root to
update pnpm-lock.yaml (ensuring the lockfile reflects the root package.json
changes), then commit the updated pnpm-lock.yaml so CI no longer fails due to
mismatched specifiers for eslint/knip/nx.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 2024b0f6-f342-4cd9-917f-27fc3cb3b02e
📒 Files selected for processing (167)
5124183 to 2d4efc4
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@examples/angular/asyncBatch/package.json`:
- Around line 25-30: Update the Angular build and CLI package versions to match
the runtime packages: change the `@angular/build` and `@angular/cli` entries to use
^21.2.13 so they align with `@angular/core`, `@angular/common`, `@angular/compiler`,
`@angular/forms`, `@angular/platform-browser`, and `@angular/router`; locate and edit
the `@angular/build` and `@angular/cli` entries in package.json to ensure all
Angular packages are on the same 21.2.13 patch level.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 8ac82c91-3225-4eb0-8072-b2a8db3ee3bb
⛔ Files ignored due to path filters (1)
`pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (167)
✅ Files skipped from review due to trivial changes (106)
- examples/react/useQueuerWithPersister/package.json
- examples/react/asyncDebounce/package.json
- packages/preact-pacer-devtools/package.json
- examples/react/throttle/package.json
- packages/solid-pacer/package.json
- examples/react/asyncBatch/package.json
- examples/solid/rateLimit/package.json
- examples/react/useAsyncBatchedCallback/package.json
- examples/solid/createThrottledValue/package.json
- examples/react/useThrottler/package.json
- examples/react/useDebouncedState/package.json
- packages/pacer-devtools/package.json
- examples/react/useQueuer/package.json
- examples/preact/useDebouncedValue/package.json
- examples/react/useAsyncDebouncer/package.json
- examples/react/useAsyncBatcher/package.json
- examples/react/batch/package.json
- examples/react/useAsyncDebouncedCallback/package.json
- examples/preact/useAsyncRateLimiter/package.json
- examples/react/useDebouncer/package.json
- examples/preact/asyncThrottle/package.json
- examples/preact/useQueuedState/package.json
- examples/react/useRateLimitedValue/package.json
- examples/solid/asyncBatch/package.json
- examples/vanilla/liteRateLimit/package.json
- examples/solid/createBatcher/package.json
- examples/react/queue/package.json
- examples/solid/createDebouncedValue/package.json
- examples/preact/useThrottledValue/package.json
- examples/react/useAsyncRateLimiter/package.json
- examples/preact/useAsyncThrottler/package.json
- examples/react/useThrottledValue/package.json
- examples/solid/createAsyncRateLimiter/package.json
- examples/preact/useAsyncDebouncer/package.json
- examples/react/useQueuedState/package.json
- examples/preact/useAsyncBatchedCallback/package.json
- examples/react/useThrottledState/package.json
- packages/angular-pacer/package.json
- examples/react/useDebouncedCallback/package.json
- examples/solid/createRateLimitedSignal/package.json
- examples/solid/createAsyncBatcher/package.json
- examples/preact/useRateLimitedValue/package.json
- examples/vanilla/LiteQueuer/package.json
- examples/preact/useAsyncRateLimiterWithPersister/package.json
- examples/preact/useQueuedValue/package.json
- examples/solid/batch/package.json
- examples/preact/useAsyncBatcher/package.json
- examples/vanilla/liteThrottle/package.json
- examples/react/useRateLimitedState/package.json
- examples/react/rateLimit/package.json
- examples/solid/createQueuedSignal/package.json
- examples/react/util-comparison/package.json
- examples/vanilla/LiteRateLimiter/package.json
- examples/react/useAsyncRateLimiterWithPersister/package.json
- examples/vanilla/liteBatch/package.json
- examples/angular/rateLimit/package.json
- examples/preact/useAsyncThrottledCallback/package.json
- examples/preact/useThrottledState/package.json
- examples/react/useQueuedValue/package.json
- examples/solid/asyncRateLimit/package.json
- package.json
- examples/solid/createRateLimiter/package.json
- examples/react/useAsyncThrottledCallback/package.json
- examples/solid/queue/package.json
- examples/vanilla/LiteDebouncer/package.json
- examples/react/useThrottledCallback/package.json
- examples/solid/createRateLimitedValue/package.json
- examples/preact/useBatchedCallback/package.json
- examples/angular/injectDebouncedCallback/package.json
- examples/react/useDebouncedValue/package.json
- examples/preact/useAsyncQueuer/package.json
- examples/react/useBatcher/package.json
- examples/preact/useDebouncedCallback/package.json
- examples/preact/useRateLimiterWithPersister/package.json
- examples/solid/createThrottler/package.json
- examples/angular/injectBatcher/package.json
- examples/angular/injectDebouncedValue/package.json
- examples/angular/injectAsyncBatchedCallback/package.json
- examples/preact/asyncRateLimit/package.json
- examples/solid/createAsyncThrottler/package.json
- packages/react-pacer/package.json
- examples/solid/createThrottledSignal/package.json
- examples/preact/debounce/package.json
- examples/vanilla/LiteThrottler/package.json
- examples/preact/useRateLimiter/package.json
- examples/solid/asyncThrottle/package.json
- examples/preact/useDebouncedState/package.json
- examples/react/useBatchedCallback/package.json
- examples/angular/injectRateLimitedSignal/package.json
- examples/angular/injectQueuerWithPersister/package.json
- examples/preact/useBatcher/package.json
- examples/solid/asyncDebounce/package.json
- examples/preact/rateLimit/package.json
- examples/angular/asyncDebounce/package.json
- examples/solid/createQueuer/package.json
- examples/react/useAsyncQueuer/package.json
- examples/react/useAsyncQueuedState/package.json
- examples/angular/injectAsyncQueuedSignal/package.json
- examples/vanilla/LiteBatcher/package.json
- examples/solid/createAsyncQueuer/package.json
- examples/angular/injectRateLimitedCallback/package.json
- packages/preact-pacer/package.json
- examples/angular/asyncRetry/package.json
- examples/preact/queue/package.json
- examples/angular/queue/package.json
- examples/solid/createAsyncDebouncer/package.json
🚧 Files skipped from review as they are similar to previous changes (51)
- examples/preact/useThrottledCallback/package.json
- examples/preact/useAsyncQueuedState/package.json
- examples/vanilla/liteQueue/package.json
- examples/react/debounce/package.json
- examples/preact/batch/package.json
- examples/solid/debounce/package.json
- .github/workflows/zizmor.yml
- examples/react/asyncRateLimit/package.json
- examples/angular/injectRateLimiter/package.json
- examples/preact/asyncBatch/package.json
- examples/angular/injectThrottledValue/package.json
- examples/angular/throttle/package.json
- examples/preact/util-comparison/package.json
- examples/angular/injectAsyncThrottler/package.json
- examples/vanilla/liteDebounce/package.json
- examples/preact/useRateLimitedCallback/package.json
- examples/angular/injectQueuedValue/package.json
- examples/preact/useQueuer/package.json
- examples/angular/debounce/package.json
- examples/angular/injectAsyncDebouncer/package.json
- examples/angular/injectAsyncBatcher/package.json
- examples/react/useRateLimiterWithPersister/package.json
- examples/solid/throttle/package.json
- examples/preact/useRateLimitedState/package.json
- examples/angular/injectRateLimitedValue/package.json
- examples/angular/injectBatchedCallback/package.json
- examples/angular/injectAsyncRateLimiterWithPersister/package.json
- examples/preact/useQueuerWithPersister/package.json
- examples/react/useRateLimiter/package.json
- examples/react/useRateLimitedCallback/package.json
- examples/angular/injectThrottler/package.json
- examples/react/react-query-queued-prefetch/package.json
- examples/react/useAsyncThrottler/package.json
- examples/angular/injectThrottledSignal/package.json
- packages/react-pacer-devtools/package.json
- examples/angular/injectQueuer/package.json
- examples/angular/injectQueuedSignal/package.json
- examples/angular/injectRateLimiterWithPersister/package.json
- examples/preact/useDebouncer/package.json
- examples/preact/asyncRetry/package.json
- examples/angular/injectAsyncThrottledCallback/package.json
- examples/solid/createDebouncedSignal/package.json
- examples/angular/injectAsyncQueuer/package.json
- examples/angular/injectDebouncer/package.json
- examples/angular/batch/package.json
- examples/preact/useAsyncDebouncedCallback/package.json
- examples/angular/asyncThrottle/package.json
- examples/angular/injectThrottledCallback/package.json
- examples/angular/injectDebouncedSignal/package.json
- examples/angular/injectAsyncRateLimiter/package.json
- examples/preact/asyncDebounce/package.json
32c7c10 to ed96a2e
268a849 to 9afed2b
9ec03bb to 62a7596
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
c2fc1ba to 378ea90
378ea90 to 4d72878
This PR contains the following updates:
- ^21.2.11 → ^21.2.14
- ^21.2.11 → ^21.2.14
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^21.2.12 → ^21.2.16
- ^5.7.7 → ^5.8.17
- ^5.100.10 → ^5.101.0
- ^5.100.10 → ^5.101.0
- ^19.2.14 → ^19.2.17
- ^6.0.1 → ^6.0.2
- v6.0.2 → v6.0.3
- v1.8.0 → v1.9.0
- ^1.11.20 → ^1.11.21
- ^10.3.0 → ^10.4.1
- ^20.9.0 → ^20.10.2
- ^6.13.1 → ^6.16.1
- ^22.7.1 → ^22.7.5
- 11.1.1 → 11.5.2
- >=11.0.0 → >=11.5.2
- ^10.29.1 → ^10.29.2
- ^10.29.1 → ^10.29.2
- ^3.8.3 → ^3.8.4
- ^19.2.6 → ^19.2.7
- ^19.2.6 → ^19.2.7
- ^19.2.6 → ^19.2.7
- ^1.9.12 → ^1.9.13
- ^1.9.12 → ^1.9.13
- ^0.2.16 → ^0.2.17
- ^0.22.0 → ^0.22.2
- ^8.0.12 → ^8.0.16
- ^4.1.6 → ^4.1.8
- v0.5.3 → v0.5.6
Release Notes
angular/angular-cli (@angular/build)
v21.2.14 (Compare Source)
@angular/cli
@angular/build
angular/angular (@angular/common)
v21.2.16 (Compare Source)
angular/angular (@angular/compiler)
v21.2.16 (Compare Source)
common
compiler
core
platform-server
Rel1cx/eslint-react (@eslint-react/eslint-plugin)
v5.8.17 (Compare Source)
📝 Documentation
🏗️ Internal
- typescript-eslint packages to v8.61.0 (#1863, #1864).
- rename-rule script and npm script (#1857).
- sponsors.svg (#1855).
- undici and cleaned up dprint config (#1854).
Full Changelog: Rel1cx/eslint-react@v5.8.16...v5.8.17
v5.8.16 (Compare Source)
🐞 Fixes
Full Changelog: Rel1cx/eslint-react@v5.8.15...v5.8.16
v5.8.15
📝 Documentation
- AGENTS.md and CONTRIBUTING.md documents and references (#1848).
🏗️ Internal
- @types/* dependencies (#1852).
Full Changelog: Rel1cx/eslint-react@v5.8.13...v5.8.15
v5.8.13 (Compare Source)
📝 Documentation
- GoogleCloudPlatform/gke-mcp and removed archived antfu/shiki-stream from community projects on the website.
- no-multiple-children-in-title recipe from the website.
🏗️ Internal
- RuleListener return type to all rule create functions (#1845).
- react-dom rules, JSX rules, and naming-convention rules (context-name, id-name, ref-name).
- react-x/no-leaked-conditional-rendering (#1844).
- pnpm and updated lockfile.
- tsdown to 0.22.2 and updated dependencies.
- merge() calls in rules (#1843).
- ubuntu-latest.
Full Changelog: Rel1cx/eslint-react@v5.8.12...v5.8.13
v5.8.12 (Compare Source)
🪄 Improvements
- jsx: Aligned getChildren with Babel's buildChildren and cleanJSXElementLiteralChild patterns, improving whitespace handling accuracy in react-jsx/no-useless-fragment and react-jsx/no-children-prop rules. Migrated child text cleanup to @eslint-react/jsx utilities and removed local lib.ts helpers. (#1836)
- jsx: Removed isPaddingWhitespace API and added whitespace boundary tests for react-jsx/no-useless-fragment and react-dom/no-dangerously-set-innerhtml-with-children rules. (#1837)
- jsx: Renamed cleanJSXTextValue to collapseMultilineText in the public API and updated react-jsx/no-useless-fragment to use the new name. (#1838)
📝 Documentation
🏗️ Internal
- scripts/generate-website-icons.py for automated icon generation and refined logo geometry across all website assets. (#1833)
- import-integrity-lint and enhanced-resolve.
- axios to ^1.17.0 and shiki to 4.2.0.
- dompurify and rolldown.
- no-useless-fragment, no-children-prop, and no-dangerously-set-innerhtml-with-children. (#1836, #1837, #1838)
Full Changelog: Rel1cx/eslint-react@v5.8.11...v5.8.12
v5.8.11 (Compare Source)
📝 Documentation
🏗️ Internal
- 19.2.7 (#1827).
- @fontsource/iosevka-aile and switched to system font fallbacks.
- 6.0.3 (#1828).
- @typescript-eslint/* to 8.60.1, react/react-dom to 19.2.7, next to 16.2.7, and @types/react to 19.2.16.
Full Changelog: Rel1cx/eslint-react@v5.8.10...v5.8.11
v5.8.10 (Compare Source)
🐞 Fixes
- react-dom/no-unused-class-component-members: Aligned preset details in rule documentation (#1825).
- react-dom/no-unsafe-iframe-sandbox, react-x/context-name, react-x/id-name, react-x/ref-name, react-x/no-unnecessary-use-prefix, react-x/no-string-style-prop: Fixed missing or incorrect presets in rule documentation (#1826).
📝 Documentation
- naming-convention: Expanded examples and annotated Ok cases for context-name, id-name, and ref-name rules (#1819).
- MyComponent examples to Button component in custom rules of props and function component definition recipes (#1823).
- azat-io eslint-config to the community presets list.
🏗️ Internal
- jsx: Consolidated whitespace child predicates and added isEmptyStringExpression to the public API (#1820).
- verify-docs.ts (#1822).
- AGENTS.md guide for AI coding agents (#1824).
- .pkgs/*.
- vite to ^8.0.15 and ansis to ^4.3.1 across workspace packages.
New Contributors
Full Changelog: Rel1cx/eslint-react@v5.8.9...v5.8.10
v5.8.9 (Compare Source)
🐞 Fixes
- react-x/no-direct-mutation-state: Detect nested state mutations and member expressions in assignment expressions (#1818).
📝 Documentation
🏗️ Internal
- .vscode directories from all examples, added missing engines.node to Preact examples, cleaned up redundant .config/*.ts from tsconfig.node.json, and updated .gitignore.
- eslint, tinyglobby, and tsdown across workspace packages; added @fontsource/iosevka-aile to the website; reordered CSS imports in layout.tsx.
- .sentrux baseline timestamp.
Full Changelog: Rel1cx/eslint-react@v5.8.8...v5.8.9
TanStack/query (@tanstack/react-query)
v5.101.0 (Compare Source)
Patch Changes
TanStack/query (@tanstack/react-query-devtools)
v5.101.0 (Compare Source)
Patch Changes
3042860, e631dc3]:
actions/checkout (actions/checkout)
v6.0.3 (Compare Source)
changesets/action (changesets/action)
v1.9.0 (Compare Source)
Minor Changes
- #636 b072bcc Thanks @bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs
- #625 8795eee Thanks @bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.
Patch Changes
- #535 34f64f6 Thanks @Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.
- #632 1d54b9e Thanks @bluwy! - Simplify internal implementation to get changelog entries for a package version
- #629 e0c90aa Thanks @bluwy! - Fix custom version and publish command argument parsing
- #645 f9585d9 Thanks @Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.
capricorn86/happy-dom (happy-dom)
v20.10.2 (Compare Source)
👷♂️ Patch fixes
v20.10.1 (Compare Source)
v20.10.0 (Compare Source)
webpro-nl/knip (knip)
v6.16.1: Release 6.16.1 (Compare Source)
370ef4c)
v6.16.0: Release 6.16.0 (Compare Source)
- workspaceRoot config option to enable use in a VSCode workspace that does not have package.json at the workspace root (#1667) (7c1ebef) - thanks @anmilleriii!
pnpm/pnpm (pnpm)
v11.5.2 (Compare Source)
Patch Changes
- Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.
- The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.
- Fix pnpm update --recursive --lockfile-only <pkg>@<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #11570.
- Avoided a Node.js crash when pnpm exits after network requests on Windows.
- Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #12197.
- Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).
  In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp/prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).
  buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.
- Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.
- Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.
v11.5.1 (Compare Source)
Patch Changes
- pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
- npm_config_user_agent for root lifecycle scripts during headless installs.
- integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #12067.
- repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #12099.
- @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #12079.
v11.5.0 (Compare Source)
Minor Changes
- Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits. It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #6468, closing #6457.
- Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists were clipped in the terminal #6643.
  User-facing changes:
  - pnpm update -i / pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via usePagination
  - pnpm audit --fix -i: Same scrolling fix for vulnerability selection
  - pnpm approve-builds: Interactive build approval prompts updated
  - pnpm patch: Version selection and "apply to all" prompts updated
  - pnpm patch-remove: Patch removal selection updated
  - pnpm publish: Branch confirmation prompt updated
  - pnpm login: Credential prompts updated
  - pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt): Confirmation prompt updated
  Vim-style j/k keys still work for up/down navigation in all interactive prompts.
  Internal: The OtpEnquirer and LoginEnquirer DI interfaces changed from { prompt } to { input } / { input, password } respectively. Plugins or custom builds that inject their own enquirer mock will need to update.
- Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #11887.
Patch Changes
- Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit the findHit cache instead of running their own calculateDepPath are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #11999.
- Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp with [ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sends npm-auth-type: web on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same withOtpHandling helper used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.
- Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during publishedBy metadata selection and cache-mtime shortcuts.
- Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY. #12001.
- Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #11993.
  --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.
v11.4.0 (Compare Source)
Minor Changes
- Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.
  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.
  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.
- pnpm runtime set <name> <version> now saves the runtime to devEngines.runtime by default instead of engines.runtime. Pass --save-prod (or -P) to save it to engines.runtime instead #11948.
Patch Changes
- Fix a credential disclosure issue where an unscoped _authToken (or _auth, or username+_password, or tokenHelper) defined in one source — ~/.npmrc, ~/.config/pnpm/auth.ini, a workspace .npmrc, CLI flags, etc. — would be sent as an Authorization header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert, key) so they aren't presented to a registry their author didn't choose.
  pnpm now rewrites each unscoped per-registry setting (_authToken, _auth, username, _password, tokenHelper, cert, key) to its URL-scoped form at load time, using the registry= value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding registry= therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. ca/cafile are intentiona
Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
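The tarball-URL binding check described in the pnpm v11.5.2 notes above, as an added JavaScript example that is not pnpm's code and not part of this PR. The lockfile and metadata shapes are a simplified model, `verifyTarballUrls` and `splitId` are hypothetical names, and every package, URL and integrity value is constructed.

```javascript
// Added example (simplified model, not pnpm's implementation).
const MISMATCH = 'ERR_PNPM_TARBALL_URL_MISMATCH';

// Split "name@spec"; scoped names start with "@", so search from index 1.
function splitId(id) {
  const at = id.indexOf('@', 1);
  return { name: id.slice(0, at), spec: id.slice(at + 1) };
}

// Compare each registry entry that pins an explicit tarball URL with the URL
// the registry metadata lists for that name@version. Returns rejected entries.
function verifyTarballUrls(lockPackages, registryMetadata) {
  const rejected = [];
  for (const [id, { resolution }] of Object.entries(lockPackages)) {
    const { name, spec } = splitId(id);
    // Non-registry resolutions (file:, git-hosted, ...) are not checked here.
    if (!/^\d+\.\d+\.\d+/.test(spec)) continue;
    // No explicit URL: it is rebuilt from name+version+registry, so it is bound.
    if (!resolution.tarball) continue;
    const listed = registryMetadata[name]?.versions?.[spec]?.dist?.tarball;
    if (listed === undefined) {
      rejected.push({ id, code: MISMATCH, reason: 'cannot confirm against registry' });
    } else if (listed !== resolution.tarball) {
      rejected.push({ id, code: MISMATCH, reason: `registry lists ${listed}` });
    }
  }
  return rejected;
}

// Constructed registry metadata, including one non-standard tarball URL.
const METADATA = {
  'demo-lib': { versions: { '1.0.0': { dist: {
    tarball: 'https://registry.example.test/demo-lib/-/demo-lib-1.0.0.tgz' } } } },
  '@acme/demo-ui': { versions: { '2.1.0': { dist: {
    tarball: 'https://npm.pkg.example.test/download/@acme/demo-ui/2.1.0/abc.tgz' } } } },
};

// Constructed lockfile entries covering each case the release note names.
const LOCK = {
  // Trusted name@version paired with a URL the registry does not list.
  'demo-lib@1.0.0': { resolution: { integrity: 'sha512-CONSTRUCTED-A',
    tarball: 'https://cdn.example.invalid/demo-lib-1.0.0.tgz' } },
  // Non-standard URL that matches the metadata, so it passes.
  '@acme/demo-ui@2.1.0': { resolution: { integrity: 'sha512-CONSTRUCTED-B',
    tarball: 'https://npm.pkg.example.test/download/@acme/demo-ui/2.1.0/abc.tgz' } },
  // Explicit URL for a version the registry has no metadata for.
  'demo-gone@3.0.0': { resolution: { integrity: 'sha512-CONSTRUCTED-C',
    tarball: 'https://registry.example.test/demo-gone/-/demo-gone-3.0.0.tgz' } },
  // Registry entry without an explicit tarball URL.
  'demo-plain@1.2.3': { resolution: { integrity: 'sha512-CONSTRUCTED-D' } },
  // Local tarball: a non-registry resolution.
  'demo-local@file:../demo-local.tgz': { resolution: { integrity: 'sha512-CONSTRUCTED-E',
    tarball: 'file:../demo-local.tgz' } },
};

for (const r of verifyTarballUrls(LOCK, METADATA)) {
  console.log(`${r.code} ${r.id}: ${r.reason}`);
}
```

Integrity alone does not catch the first entry, because a tampered lockfile can carry a hash that matches the substituted bytes; the URL comparison is what binds the entry back to the registry's record.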
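The credential-pinning rule from the pnpm v11.4.0 notes above, as an added JavaScript example that is not pnpm's code and not part of this PR. It contrasts a plain layered merge with per-source pinning; the function names are hypothetical, and the token and `registry.example.test` host are constructed.

```javascript
// Added example (simplified model, not pnpm's implementation).
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
const PER_REGISTRY_KEYS = new Set([
  '_authToken', '_auth', 'username', '_password', 'tokenHelper', 'cert', 'key',
]);

// Parse "key=value" lines of one config source, skipping blanks and comments.
function parseSource(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// "https://host/path" -> "//host/path/", the prefix of URL-scoped keys.
function scopePrefix(registryUrl) {
  const u = new URL(registryUrl);
  return `//${u.host}${u.pathname.endsWith('/') ? u.pathname : u.pathname + '/'}`;
}

// Rewrite one source so each unscoped credential is bound to the registry
// declared in that same source (or the npmjs default if it declares none).
function pinSource(text) {
  const entries = parseSource(text);
  const own = entries.find(([k]) => k === 'registry');
  const prefix = scopePrefix(own ? own[1] : DEFAULT_REGISTRY);
  return Object.fromEntries(
    entries.map(([k, v]) => [PER_REGISTRY_KEYS.has(k) ? `${prefix}:${k}` : k, v]),
  );
}

// Merge sources in order (later layers win), with or without pinning.
function loadConfig(sources, { pin }) {
  const layers = sources.map((s) => (pin ? pinSource(s) : Object.fromEntries(parseSource(s))));
  return Object.assign({}, ...layers);
}

// Token that would accompany a request to the effective registry.
function tokenSentTo(config) {
  const registry = config.registry || DEFAULT_REGISTRY;
  return config[`${scopePrefix(registry)}:_authToken`] ?? config._authToken ?? null;
}

// Constructed layers: a user-level file holding a token, then a workspace
// file that only switches the registry.
const USER_NPMRC = '_authToken=constructed-token-0000\n';
const WORKSPACE_NPMRC = 'registry=https://registry.example.test/\n';

const legacy = loadConfig([USER_NPMRC, WORKSPACE_NPMRC], { pin: false });
const pinned = loadConfig([USER_NPMRC, WORKSPACE_NPMRC], { pin: true });
console.log('unpinned merge sends:', tokenSentTo(legacy));
console.log('pinned merge sends:', tokenSentTo(pinned));
```

When auditing existing `.npmrc` files, any key from `PER_REGISTRY_KEYS` that appears without a `//host/` prefix is the pattern this fix targets.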