Skip to content

chore(deps): update non-major dependencies#418

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-major-dependencies
Open

chore(deps): update non-major dependencies#418
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-major-dependencies

Conversation

@renovate

@renovate renovate Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change Pending Age Confidence
node (source) minor 24.16.024.18.0 age confidence
pnpm (source) packageManager minor 11.5.211.11.0 11.13.1 age confidence
pnpm/action-setup action patch v6.0.8v6.0.9 age confidence
prettier (source) pnpm.catalog.default minor 3.8.43.9.5 age confidence

Release Notes

nodejs/node (node)

v24.18.0: 2026-06-23, Version 24.18.0 'Krypton' (LTS), @​richardlau prepared by @​sxa

Compare Source

Notable Changes
  • [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
  • [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #​64004
  • [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
  • [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #​62527
  • [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #​62527
  • [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
  • [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
  • [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
  • [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #​63834
Commits

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes
  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
Commits
pnpm/pnpm (pnpm)

v11.11.0

Compare Source

Minor Changes
  • 508b8c2: Added the pnpm access command for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.
Patch Changes
  • c70e33e: Allow allowBuilds entries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.
  • 3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. with minimumReleaseAge or trustPolicy enabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.
  • 51300fd: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at formatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
  • f8058eb: Reject symlinked pnpm-lock.yaml files when reading or writing the env lockfile document.
  • 9318a11: Allow registries and namedRegistries to be configured in the global config.yaml file.
  • 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 14332f0: Fail instead of silently removing an optional dependency's locked entries from pnpm-lock.yaml when the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet), pnpm install and pnpm dedupe silently dropped the optional dependency's entries — emptying maps such as the platform binaries of @napi-rs/canvas — so the lockfile differed between machines and frozen installs on other hosts had nothing to link #​12853.
  • fecfe83: Fixed peer dependency resolution with autoInstallPeers when a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #​4993.
  • 5a4daec: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry, namedRegistries, and pnprServer.
  • d1da02e: pnpm publish no longer prints credentials when the target registry is configured with inline user:pass@ credentials (e.g. registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.
  • dcfc611: pnpm self-update now honors trustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.
  • a8ad82d: Register the pn alias in generated shell completion scripts.
  • 25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.
  • 23996e9: pnpm runtime set <name> <version> now validates its arguments: the name must be node, deno, or bun, and the version must not contain a comma. Previously these were interpolated straight into a pnpm add selector, where an unsupported name or a comma (e.g. node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.

v11.10.0

Compare Source

Minor Changes
  • e2e3c81: Added the issues command as an alias of bugs, so pnpm issues opens the package's bug tracker URL in the browser.

  • 8491f8e: Added the prefix command which prints the current package prefix directory (or global prefix directory if -g / --global is used).

  • 3425e80: Added an _auth setting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existing pnpm_config_//host/:_authToken=… form (env var names containing /, :, or . are silently dropped). Closes #​12314.

    The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use http or https and must not include credentials, query strings, or fragments:

    export pnpm_config__auth='{"https://registry.npmjs.org":{"@&#8203;":{"authToken":"npm-token"},"@&#8203;org":{"authToken":"org-token"}}}'

    The equivalent in the global config.yaml:

    _auth:
      https://registry.npmjs.org:
        "@&#8203;":
          authToken: npm-token
        "@&#8203;org":
          authToken: org-token

    Within each registry URL, @ means registry-wide/default credentials and package scopes like @org bind credentials to that scope on the same host. The only supported credential field is authToken (maps to _authToken / bearer auth); the deprecated basicAuth / username + password forms are intentionally not accepted here.

    Each entry also infers a trusted registry route: @ routes the default registry (and pnpm add <pkg> resolves there), and @org routes that scope. Because the credential and destination host arrive in one trusted value, repo-controlled pnpm-workspace.yaml or project .npmrc cannot redirect the token to a different host. _auth is honored only from the env var and the global config — it is ignored in a project pnpm-workspace.yaml / .npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry, --@&#8203;scope:registry) > pnpm_config__auth > global config.yaml _auth > pnpm-workspace.yaml.

    Both pnpm_config__auth (lowercase, documented form) and PNPM_CONFIG__AUTH (all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the global config.yaml _auth on a conflicting key. tokenHelper is not supported in _auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.

    Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI: authToken.

  • a33eeec: pnpm self-update and packageManager version-switching can now install and link pnpm v12 (the Rust port), published with equal content under both the pnpm and @pnpm/exe names on the next-12 dist-tag. Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like @pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscoped pnpm package (the Rust exe) — even when updating from the SEA @pnpm/exe build.

  • 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the Authorization header identifying the caller to pnpr is sent. The pnpr server now selects upstream credentials from its own route policy (operator-configured upstream credential aliases), so private dependencies resolve through a pnpr-managed alias the caller is authorized to use, rather than by sending the client's registry tokens to the server.

  • 1e81761: Expose web authentication authUrl and doneUrl in JSON error output when OTP is required in a non-interactive terminal #​12724.

Patch Changes
  • 2f389d6: Added the Node.js release team's new signing key (Stewart X Addison, 655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD) to the embedded Node.js release keys, so runtimes whose SHASUMS256.txt is signed by the new releaser verify successfully.

  • acbdb94: Fixed shell tab completion not suggesting workspaces after the -F alias for --filter option.

  • dcabb78: Fixed pnpm up -r <pkg> bumping unrelated packages that have open semver ranges. Previously, any update mutation nullified the lockfile-derived preferredVersions globally, so packages with ^x.y.z ranges could re-resolve to newer compatible versions even though the user only asked to update a specific package. The install layer now always seeds preferredVersions from the lockfile, and caller-supplied preferred versions (such as the vulnerability penalties of pnpm audit --fix) layer on top of the seed instead of replacing it. The targeted package still bumps: the per-resolve updateRequested flag makes the resolver ignore the target's own lockfile pins.

    Closes #​10662.

  • d539172: Fixed pnpm pack and pnpm publish failing when prepack generates files that are included in the package and postpack cleans them up.

  • be6505a: Hardened global package management:

    • On Windows, removing or updating a global package now also cleans up the node.exe flavor of a bin, so a stale node.exe no longer survives on PATH after uninstall, and a new global install no longer silently overwrites an existing node.exe.
    • pnpm add -g pnpm@<version> (and @pnpm/exe@<version>) is now rejected like the bare pnpm form, pointing to pnpm self-update.
    • Dependency aliases read from a global package's manifest are validated before being joined onto node_modules paths, preventing a tampered manifest from escaping the install directory.
    • Each global install group is created in its own freshly-made directory (no longer reusing a colliding or pre-existing path).
    • Removing or updating a global package no longer unlinks a bin that belongs to a different globally installed package.
  • [25c7388](https://redirect.github.com/pnpm/pnpm/commit/

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Jun 17, 2026
@renovate
renovate Bot requested a review from frantic1048 June 17, 2026 19:10
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 1bf26a0 to d095013 Compare June 17, 2026 19:11
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from d095013 to 3426ddc Compare June 19, 2026 00:48
@renovate renovate Bot changed the title chore(deps): update non-major dependencies to v11.5.3 chore(deps): update non-major dependencies to v11.6.0 Jun 19, 2026
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 3426ddc to 175cf8f Compare June 19, 2026 00:49
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 175cf8f to 2171f75 Compare June 22, 2026 07:49
@renovate renovate Bot changed the title chore(deps): update non-major dependencies to v11.6.0 chore(deps): update non-major dependencies to v11.7.0 Jun 22, 2026
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 2171f75 to 5def839 Compare June 22, 2026 07:50
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 5def839 to fc59bb8 Compare June 22, 2026 18:03
@renovate renovate Bot changed the title chore(deps): update non-major dependencies to v11.7.0 chore(deps): update non-major dependencies Jun 22, 2026
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from fc59bb8 to bd01f9b Compare June 22, 2026 18:04
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from bd01f9b to 4850d53 Compare June 24, 2026 01:37
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 4850d53 to 8b843b8 Compare June 24, 2026 01:38
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 8b843b8 to b08bf5a Compare June 25, 2026 10:54
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from b08bf5a to 7ca43fb Compare June 25, 2026 10:55
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 7ca43fb to 1d558ff Compare June 30, 2026 03:53
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 1d558ff to 7dc5b53 Compare June 30, 2026 03:54
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 7dc5b53 to babaf68 Compare June 30, 2026 16:05
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from babaf68 to 499cadf Compare June 30, 2026 16:06
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 499cadf to ee20265 Compare July 3, 2026 13:31
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from ee20265 to 5fa8205 Compare July 3, 2026 13:32
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 5fa8205 to 090240e Compare July 4, 2026 00:49
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 090240e to 0793a8f Compare July 4, 2026 00:49
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 0793a8f to 81bfeef Compare July 4, 2026 14:27
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 81bfeef to a561c0e Compare July 4, 2026 14:28
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from a561c0e to 47a8950 Compare July 5, 2026 00:33
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 47a8950 to 5598e9c Compare July 5, 2026 00:34
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 5598e9c to 6d8807e Compare July 6, 2026 15:59
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 6d8807e to e1c4736 Compare July 6, 2026 16:00
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from e1c4736 to f52b674 Compare July 7, 2026 02:10
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from f52b674 to 9f9d1b6 Compare July 7, 2026 02:10
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 9f9d1b6 to 8581104 Compare July 11, 2026 21:49
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 8581104 to 5d18228 Compare July 11, 2026 21:49
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 5d18228 to cc4ccaf Compare July 12, 2026 16:05
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from cc4ccaf to b43c483 Compare July 12, 2026 16:06
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from b43c483 to 1d07f1a Compare July 16, 2026 20:16
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from 1d07f1a to 4c4a8e7 Compare July 16, 2026 20:17
@renovate
renovate Bot force-pushed the renovate/non-major-dependencies branch from 4c4a8e7 to c2f8bf4 Compare July 17, 2026 00:41
@rc-actions-bot
rc-actions-bot Bot force-pushed the renovate/non-major-dependencies branch from c2f8bf4 to e0051ff Compare July 17, 2026 00:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Development

Successfully merging this pull request may close these issues.

1 participant