Bump pnpm from 10.4.1 to 10.5.2

[dependabot]

Bumps pnpm from 10.4.1 to 10.5.2.

Release notes

Sourced from pnpm's releases.

pnpm 10.5.2

Patch Changes

• The pnpm config set command should change the global .npmrc file by default. This was a regression introduced by #9151 and shipped in pnpm v10.5.0.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.5.2

Patch Changes

• The pnpm config set command should change the global .npmrc file by default. This was a regression introduced by #9151 and shipped in pnpm v10.5.0.

10.5.1

Patch Changes

• Throw an error message if a pnpm-workspaces.yaml or pnpm-workspaces.yml file is found instead of a pnpm-workspace.yaml #9170.
• Fix the update of pnpm-workspace.yaml by the pnpm approve-builds command #9168.
• Normalize generated link paths in package.json #9163
• Specifying overrides in pnpm-workspace.yaml should work.
• pnpm dlx should ignore settings from the package.json file in the current working directory #9178.

10.5.0

Minor Changes

• Allow to set the "pnpm" settings from package.json via the pnpm-workspace.yaml file #9121.

• Added support for automatically syncing files of injected workspace packages after pnpm run #9081. Use the sync-injected-deps-after-scripts setting to specify which scripts build the workspace package. This tells pnpm when syncing is needed. The setting should be defined in a .npmrc file at the root of the workspace. Example:

  sync-injected-deps-after-scripts[]=compile

• The packages field in pnpm-workspace.yaml became optional.

Patch Changes

• pnpm link with no parameters should work as if --global is specified #9151.
• Allow scope registry CLI option without --config. prefix such as --@scope:registry=https://scope.example.com/npm #9089.
• pnpm link <path> should calculate relative path from the root of the workspace directory #9132.
• Fix a bug causing catalog snapshots to be removed from the pnpm-lock.yaml file when using --fix-lockfile and --filter. #8639
• Fix a bug causing catalog protocol dependencies to not re-resolve on a filtered install #8638.

Commits

• fcb01a1 chore(release): 10.5.2
• c334834 fix: config set should be global by default (#9185)
• 70d565c chore(release): 10.5.1
• 0e9fff7 chore(release): 10.5.0
• b352d2a fix: pnpm link: imply global mode when no arguments are specified (#9151)
• e32b1a2 feat: update injected packages after run (#9100)
• 8fcc221 feat: reading settings from pnpm-workspace.yaml (#9121)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/pnpm	10.6.1	🟢 6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 15/30 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 115 existing vulnerabilities detected
npm/pnpm	^10.6.1	🟢 6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 15/30 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 115 existing vulnerabilities detected
npm/nanoid	3.3.9	🟢 4.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 1 Found 5/29 approved changesets -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 27 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 9 1 existing vulnerabilities detected
npm/pnpm	10.6.1	🟢 6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 15/30 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 115 existing vulnerabilities detected

Scanned Files

• package-lock.json
• package.json
• pnpm-lock.yaml