Commit 2de8164
authored
chore(deps): update pnpm to v10.34.4 (#1996)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Adoption](https://docs.renovatebot.com/merge-confidence/) |
[Passing](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`10.33.2` →
`10.34.4`](https://renovatebot.com/diffs/npm/pnpm/10.33.2/10.34.4) |

|

|

|

|
---
### Release Notes
<details>
<summary>pnpm/pnpm (pnpm)</summary>
###
[`v10.34.4`](https://redirect.github.com/pnpm/pnpm/compare/v10.34.3...v10.34.4)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.34.3...v10.34.4)
###
[`v10.34.3`](https://redirect.github.com/pnpm/pnpm/compare/v10.34.2...v10.34.3)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.34.2...v10.34.3)
###
[`v10.34.2`](https://redirect.github.com/pnpm/pnpm/compare/v10.34.1...v10.34.2)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.34.1...v10.34.2)
###
[`v10.34.1`](https://redirect.github.com/pnpm/pnpm/releases/tag/v10.34.1):
pnpm 10.34.1
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.34.0...v10.34.1)
#### Patch Changes
- Reject `pnpm-lock.yaml` entries whose remote tarball `resolution:`
block is missing the `integrity` field. Previously the worker that
extracts a downloaded tarball skipped hash verification when no
integrity was supplied and minted a fresh one from the unverified bytes,
so an attacker who could both alter the lockfile (e.g. via a pull
request that strips `integrity:`) and serve modified content at the
referenced tarball URL could install a tampered package without any
error — including under `--frozen-lockfile`. pnpm now fails closed at
lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted
tarballs (`gitHosted: true` or a URL on codeload.github.com /
bitbucket.org / gitlab.com) and `file:` tarballs are exempt — the commit
SHA in a git-host URL and the user-controlled local path already anchor
the bytes.
<!-- sponsors -->
#### Platinum Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80"
alt="Bit"></a>
</td>
</tr>
</tbody>
</table>
#### Gold Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/sanity.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/sanity_light.svg" />
<img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity"
/>
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/discord.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/discord_light.svg" />
<img src="https://pnpm.io/img/users/discord.svg" width="220"
alt="Discord" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg"
width="42" alt="Vite"></a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/serpapi_dark.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/serpapi_light.svg" />
<img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160"
alt="SerpApi" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/coderabbit.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/coderabbit_light.svg" />
<img src="https://pnpm.io/img/users/coderabbit.svg" width="220"
alt="CodeRabbit" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/stackblitz.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/stackblitz_light.svg" />
<img src="https://pnpm.io/img/users/stackblitz.svg" width="190"
alt="Stackblitz" />
</picture>
</a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/workleap.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/workleap_light.svg" />
<img src="https://pnpm.io/img/users/workleap.svg" width="190"
alt="Workleap" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/nx.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/nx_light.svg" />
<img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" />
</picture>
</a>
</td>
</tr>
</tbody>
</table>
<!-- sponsors end -->
###
[`v10.34.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v10.34.0):
pnpm 10.34
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.33.4...v10.34.0)
#### Minor Changes
- Treat tarball-integrity mismatches against the lockfile as a hard
failure by default. Previously, `pnpm install` (non-frozen) would log
`ERR_PNPM_TARBALL_INTEGRITY`, silently re-resolve from the registry, and
overwrite the locked integrity — which meant a compromised registry,
proxy, or republished version could substitute attacker-controlled
content on a clean machine even though the project shipped a committed
lockfile.
`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint
pointing at the new opt-in flag.
The only opt-in is **`pnpm install --update-checksums`** — narrowly
scoped to refreshing the locked integrity values from what the registry
currently serves. Mirrors yarn's flag of the same name. A warning still
prints when the bypass takes effect so the operation is auditable.
`--force` and `pnpm update` deliberately do **not** bypass the integrity
check. They are routine refresh operations; silently overwriting a
locked integrity in those flows would erase the protection a committed
lockfile is supposed to provide. `--frozen-lockfile` behavior is
unchanged. `--fix-lockfile` keeps its documented purpose (filling in
missing lockfile entries) and is also not a bypass.
#### Patch Changes
- Pin unscoped per-registry settings (`_authToken`, `_auth`,
`username`/`_password`, `tokenHelper`, inline `cert`/`key`) to the
registry declared in the same config source at load time, so a later
layer overriding `registry=` (workspace `.npmrc`, `pnpm-workspace.yaml`,
CLI `--registry`) cannot redirect a credential or client certificate
authored for a different host. A deprecation warning is emitted whenever
an unscoped per-registry setting is encountered, naming the source and
the URL it was pinned to. Reported by JUNYI LIU.
- Fixed `minimumReleaseAge` handling when cached metadata is
abbreviated. The npm registry returns abbreviated package metadata
(without the per-version `time` field) by default, which made the
maturity check throw `ERR_PNPM_MISSING_TIME` whenever cached abbreviated
metadata was reused. pnpm now upgrades cached abbreviated metadata to
the full document via a follow-up fetch when `minimumReleaseAge` is
active, persists the upgrade to the on-disk cache so subsequent installs
skip the extra fetch, and lets `ERR_PNPM_MISSING_TIME` from the cache
fast-path fall through to the network fetch even under strict mode.
- Reject git resolutions whose `commit` field is not a 40-character
hexadecimal SHA before invoking `git`. A malicious lockfile could
otherwise smuggle a value such as `--upload-pack=<command>` through `git
fetch` / `git checkout`, which on SSH or local-file transports executes
the supplied command.
- Reject patch files whose `diff --git` headers reference paths outside
the patched package directory. Previously a malicious `.patch` file
added via a pull request could write, delete, or rename arbitrary files
reachable by the user running `pnpm install`.
- Fixed `--prefix=<dir>` not being honored when locating the workspace
root. The `--prefix → dir` rename was applied after workspace detection,
so workspace settings declared in `<dir>/pnpm-workspace.yaml` were not
loaded when pnpm was invoked from outside `<dir>`
[#​11535](https://redirect.github.com/pnpm/pnpm/issues/11535).
- Reject dependency aliases that contain path-traversal segments (such
as `@x/../../../../../.git/hooks`) when reading them from a package
manifest or symlinking them into `node_modules`. A malicious registry
package could otherwise use a transitive dependency key to make `pnpm
install` create symlinks at attacker-chosen paths outside the intended
`node_modules` directory.
<!-- sponsors -->
#### Platinum Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80"
alt="Bit"></a>
</td>
</tr>
</tbody>
</table>
#### Gold Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/sanity.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/sanity_light.svg" />
<img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity"
/>
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/discord.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/discord_light.svg" />
<img src="https://pnpm.io/img/users/discord.svg" width="220"
alt="Discord" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg"
width="42" alt="Vite"></a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/serpapi_dark.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/serpapi_light.svg" />
<img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160"
alt="SerpApi" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/coderabbit.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/coderabbit_light.svg" />
<img src="https://pnpm.io/img/users/coderabbit.svg" width="220"
alt="CodeRabbit" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/stackblitz.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/stackblitz_light.svg" />
<img src="https://pnpm.io/img/users/stackblitz.svg" width="190"
alt="Stackblitz" />
</picture>
</a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/workleap.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/workleap_light.svg" />
<img src="https://pnpm.io/img/users/workleap.svg" width="190"
alt="Workleap" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/nx.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/nx_light.svg" />
<img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" />
</picture>
</a>
</td>
</tr>
</tbody>
</table>
<!-- sponsors end -->
###
[`v10.33.4`](https://redirect.github.com/pnpm/pnpm/releases/tag/v10.33.4):
pnpm 10.33.4
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.33.3...v10.33.4)
#### Patch Changes
- Pin the integrity of git-hosted tarballs (codeload.github.com,
gitlab.com, bitbucket.org) in the lockfile so that subsequent installs
detect a tampered or substituted tarball and refuse to install it.
Previously the lockfile only stored the tarball URL for git
dependencies, so a compromised git host or a man-in-the-middle could
serve arbitrary code on later installs without lockfile changes.
A new `gitHosted: true` field is recorded on git-hosted tarball
resolutions in the lockfile, letting every reader/writer route them by a
single typed check instead of pattern-matching the tarball URL in each
call site. Lockfiles written by older pnpm versions are enriched on load
(URL fallback) so the field can be relied on uniformly across the
codebase.
- Fix a regression where `pnpm --recursive --filter '!<pkg>'
run/exec/test/add` would include the workspace root in the matched
projects. The workspace root is now correctly excluded by default when
only negative `--filter` arguments are provided, matching the
[documented behavior](https://pnpm.io/cli/recursive). To include the
root, pass `--include-workspace-root`
[#​11341](https://redirect.github.com/pnpm/pnpm/issues/11341).
<!-- sponsors -->
#### Platinum Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80"
alt="Bit"></a>
</td>
</tr>
</tbody>
</table>
#### Gold Sponsors
<table>
<tbody>
<tr>
<td align="center" valign="middle">
<a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/sanity.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/sanity_light.svg" />
<img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity"
/>
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/discord.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/discord_light.svg" />
<img src="https://pnpm.io/img/users/discord.svg" width="220"
alt="Discord" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg"
width="42" alt="Vite"></a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/serpapi_dark.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/serpapi_light.svg" />
<img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160"
alt="SerpApi" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/coderabbit.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/coderabbit_light.svg" />
<img src="https://pnpm.io/img/users/coderabbit.svg" width="220"
alt="CodeRabbit" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a
href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/stackblitz.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/stackblitz_light.svg" />
<img src="https://pnpm.io/img/users/stackblitz.svg" width="190"
alt="Stackblitz" />
</picture>
</a>
</td>
</tr>
<tr>
<td align="center" valign="middle">
<a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/workleap.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/workleap_light.svg" />
<img src="https://pnpm.io/img/users/workleap.svg" width="190"
alt="Workleap" />
</picture>
</a>
</td>
<td align="center" valign="middle">
<a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes"
target="_blank">
<picture>
<source media="(prefers-color-scheme: light)"
srcset="https://pnpm.io/img/users/nx.svg" />
<source media="(prefers-color-scheme: dark)"
srcset="https://pnpm.io/img/users/nx_light.svg" />
<img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" />
</picture>
</a>
</td>
</tr>
</tbody>
</table>
<!-- sponsors end -->
###
[`v10.33.3`](https://redirect.github.com/pnpm/pnpm/compare/v10.33.2...v10.33.3)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.33.2...v10.33.3)
</details>
---
### Configuration
📅 **Schedule**: (in timezone Asia/Shanghai)
- Branch creation
- "before 10am on the first day of the month"
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/voidzero-dev/vite-plus).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 3d49d4d commit 2de8164
2 files changed
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
| 28 | + | |
29 | 29 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
45 | | - | |
| 45 | + | |
46 | 46 | | |
0 commit comments