chore(deps): update pnpm to v10.34.4 by bfra-me[bot] · Pull Request #2337 · bfra-me/.github · GitHub

chore(deps): update pnpm to v10.34.4#2337

Merged
bfra-me[bot] merged 2 commits into
mainfrom
renovate/pnpm-10.x
Jun 25, 2026

Conversation


@bfra-me bfra-me Bot commented Jun 25, 2026


This PR contains the following updates:

Package          Change              Age   Confidence   OpenSSF             Code Search
pnpm (source)    10.34.3 → 10.34.4   age   confidence   OpenSSF Scorecard   GitHub Code Search for "pnpm"

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

pnpm/pnpm (pnpm)

v10.34.4: pnpm 10.34.4


Patch Changes

  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.


Configuration

📅 Schedule: (in timezone America/Phoenix)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.

@bfra-me bfra-me Bot added automerge Automated merge approved dependencies Dependency updates or security alerts packageManager Package manager changes patch Patch version changes renovate Renovate bot updates javascript labels Jun 25, 2026
@bfra-me bfra-me Bot enabled auto-merge (squash) June 25, 2026 04:54
@bfra-me bfra-me Bot requested review from fro-bot and marcusrbrown June 25, 2026 04:54
Added 1 changeset file(s): .changeset/renovate-c92abbe.md
@bfra-me bfra-me Bot added the documentation Improvements or additions to documentation label Jun 25, 2026
@bfra-me bfra-me Bot merged commit 9fd5c4c into main Jun 25, 2026
12 checks passed
@bfra-me bfra-me Bot deleted the renovate/pnpm-10.x branch June 25, 2026 04:55
