npm_and_yarn: add --no-save to pnpm deep-update fallback

pnpm update <dep> --depth Infinity --lockfile-only rewrites caret ranges
in package.json and the matching specifier: lines in pnpm-lock.yaml to
^<currently-resolved-version> for every direct dep whose resolved version
is newer than its declared range floor. Dependabot returns only the
lockfile from this flow, so the package.json mutations are discarded
while the lockfile keeps specifier: entries that no longer match the
manifest, and a downstream frozen-lockfile install rejects the PR.

Adding --no-save tells pnpm to leave package.json ranges alone while
still resolving and writing the lockfile graph for the target transitive
dependency. Verified locally to: still bump the target transitive in
the lockfile, produce zero specifier: rewrites, produce zero
package.json mutations.

Fixes #15104

Author: ivnnv

npm_and_yarn/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -72,14 +72,21 @@ def self.run_pnpm_audit_fix_command
       sig { params(dependency_name: String, recursive: T::Boolean).returns(String) }
       def self.run_pnpm_deep_update_command(dependency_name, recursive: false)
         # `pnpm update --depth Infinity <dep>` traverses the full dependency
-        # graph, allowing transitive dependencies to be updated in the lockfile
-        # without modifying any package.json (unlike `pnpm audit --fix`).
-        # `-r --include-workspace-root` is required for workspace repos so the
-        # update is applied across all packages.
+        # graph so transitive dependencies can be updated in the lockfile.
+        # `--no-save` is required: without it, pnpm rewrites caret ranges in
+        # `package.json` and the matching `specifier:` lines in
+        # `pnpm-lock.yaml` to `^<currently-resolved-version>` for every
+        # direct dependency whose resolved version is newer than its
+        # declared range floor. Dependabot only returns the lockfile from
+        # this flow, so those package.json mutations are discarded while
+        # the lockfile keeps `specifier:` entries that no longer match the
+        # manifest, which a downstream frozen-lockfile install rejects.
+        # `-r --include-workspace-root` is required for workspace repos so
+        # the update is applied across all packages.
         flags = recursive ? "-r --include-workspace-root " : ""
         Helpers.run_pnpm_command(
-          "#{flags}update #{dependency_name} --depth Infinity --lockfile-only",
-          fingerprint: "#{flags}update <dependency_name> --depth Infinity --lockfile-only"
+          "#{flags}update #{dependency_name} --depth Infinity --lockfile-only --no-save",
+          fingerprint: "#{flags}update <dependency_name> --depth Infinity --lockfile-only --no-save"
         )
       end
 

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater_spec.rb

@@ -772,8 +772,8 @@
             .ordered
           expect(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command)
             .with(
-              "-r --include-workspace-root update prettier --depth Infinity --lockfile-only",
-              { fingerprint: "-r --include-workspace-root update <dependency_name> --depth Infinity --lockfile-only" }
+              "-r --include-workspace-root update prettier --depth Infinity --lockfile-only --no-save",
+              { fingerprint: "-r --include-workspace-root update <dependency_name> --depth Infinity --lockfile-only --no-save" }
             )
             .ordered
             .and_return("")