chore(deps): update pnpm to v11.1.0 (#3395)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`11.0.9+sha512.34ce82e6780233cf9cad8685029a8f81d2e06196c5a9bad98879f7424940c6817c4e4524fb7d38b8553ceed48b9758b8ebaf1abd3600c232c4c8cf7366086f38`
→ `11.1.0`](https://renovatebot.com/diffs/npm/pnpm/11.0.9/11.1.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/pnpm/11.1.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pnpm/11.0.9/11.1.0?slim=true)
|

---

### Release Notes

<details>
<summary>pnpm/pnpm (pnpm)</summary>

###
[`v11.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1110)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.9...v11.1.0)

##### Minor Changes

- Added `pnpm audit signatures` to verify ECDSA registry signatures for
installed packages against keys from `/-/npm/v1/keys`
[#&#8203;7909](https://redirect.github.com/pnpm/pnpm/issues/7909).
Scoped registries are respected, and registries without signing keys are
skipped.

- Added support for installing packages from the [GitHub Packages npm
registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)
via a built-in `gh:` prefix (e.g. `pnpm add gh:@&#8203;acme/private`),
and, more broadly, for arbitrary named registries in the style of [vlt's
named-registry aliases](https://docs.vlt.sh/cli/registries).
Authentication is picked up from the existing per-URL `.npmrc` entries
(e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth
mechanism is required.

Additional aliases — or an override for the built-in `gh` alias, for
GitHub Enterprise Server — can be configured under `namedRegistries` in
`pnpm-workspace.yaml`:

  ```yaml
  namedRegistries:
    gh: https://npm.pkg.github.example.com/
    work: https://npm.work.example.com/
  ```

With this, `work:@&#8203;corp/lib@^2.0.0` resolves against
`https://npm.work.example.com/`.
[#&#8203;8941](https://redirect.github.com/pnpm/pnpm/issues/8941).

- Allow setting sbom spec version using `--sbom-spec-version`
[#&#8203;11389](https://redirect.github.com/pnpm/pnpm/pull/11389).

- Add `--no-runtime` flag (config: `runtime=false`) to skip installing
runtime entries (e.g. Node.js downloaded via `devEngines.runtime`)
without modifying the lockfile. The lockfile keeps the runtime entry so
frozen-lockfile validation still passes; only the runtime fetch and
`.bin` linking are skipped. Useful in CI matrices where the runtime is
provisioned externally (e.g. via `pnpm runtime -g set node <version>`)
before `pnpm install` runs.

- Added the `pnpm bugs` command that opens a package's bug tracker URL
in the browser. With no arguments, it reads the current project's
`package.json`; with one or more package names, it fetches each
package's metadata from the registry and opens its bug tracker. Falls
back to `<repository>/issues` when the `bugs` field is missing
[#&#8203;11279](https://redirect.github.com/pnpm/pnpm/pull/11279).

- Added `pnpm owner` command to manage package owners on the registry.

##### Patch Changes

- Added "published X ago by Y" information to the `pnpm view` command
output, similar to `npm view`. This is useful when comparing against
`minimumReleaseAge`.

  For example, `pnpm view pnpm` now shows:

  ```
  published 17 hours ago by GitHub Actions
  ```

- `pnpm publish` now honors the configured HTTP/HTTPS proxy (including
`https_proxy`/`http_proxy`/`no_proxy` environment variables) when
polling the registry's `doneUrl` during the web-based authentication
flow. Previously the poll bypassed the proxy, causing the registry to
respond `403` from a different source IP and the login to never complete
[#&#8203;11561](https://redirect.github.com/pnpm/pnpm/issues/11561).

- `pnpm add -g` now installs each space-separated package into its own
isolated directory by default. To bundle multiple packages into the same
isolated install (so that they share dependencies and are removed
together), pass them as a comma-separated list. For example:

- `pnpm add -g foo bar` installs `foo` and `bar` as two independent
globals — removing one does not affect the other.
- `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single
isolated install while `qar` is installed on its own.

Related:
[#&#8203;11587](https://redirect.github.com/pnpm/pnpm/issues/11587).

- `pnpm runtime set <name> <version>` no longer fails in the root of a
multi-package workspace with the `ADDING_TO_ROOT` error. Installing the
workspace root is a valid target for a runtime, so the command now
bypasses that safety check.

- Fix `pnpm --version` hanging for the lifetime of the worker pool after
the version was printed. `main.ts`'s `--version` short-circuit returned
before reaching the command-handler `finally` that calls
`finishWorkers()`, so the worker pool that `switchCliVersion` had
spawned during integrity resolution stayed alive and held the Node event
loop open. The CLI entry now runs `finishWorkers()` from its own
`finally`, so every exit path tears the pool down.

Repro: `pnpm --version` in a workspace whose `devEngines.packageManager`
version already matches the running pnpm + `onFail: "download"`.
`switchCliVersion` resolves the integrity (spawning workers), finds
nothing to swap, returns. The version prints, then the process hangs.

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/RobinTail/express-zod-api).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzMuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE3My42IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Robin Tail <robin_tail@me.com>

Author: renovate[bot]

package.json

@@ -30,5 +30,5 @@
     "typescript-eslint": "catalog:dev",
     "vitest": "^4.1.5"
   },
-  "packageManager": "pnpm@11.0.9+sha512.34ce82e6780233cf9cad8685029a8f81d2e06196c5a9bad98879f7424940c6817c4e4524fb7d38b8553ceed48b9758b8ebaf1abd3600c232c4c8cf7366086f38"
+  "packageManager": "pnpm@11.1.0+sha512.0c44e842e5686b2c061a81adda8b2258bd8818e9704b2cf2c63d56b931a7b2e910092e085027003b96ca3911ab56a07f6df5abaed2be9925034cdd686a535b14"
 }

renovate.json

@@ -2,7 +2,6 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:recommended"],
   "dependencyDashboard": false,
-  "postUpdateOptions": ["pnpmDedupe"],
   "ignorePaths": ["**/compat-test/**"],
   "minimumReleaseAge": "1 day",
   "packageRules": [