chore(deps): update pnpm to v10

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	9.15.5 -> 10.4.1

---

Release Notes

pnpm/pnpm (pnpm)

v10.4.1

Compare Source

Patch Changes

• Throws an error when the value provided by the --allow-build option overlaps with the pnpm.ignoredBuildDependencies list #​9105.
• Print pnpm's version after the execution time at the end of the console output.
• Print warning about ignored builds of dependencies on repeat install #​9106.
• Setting init-package-manager should work.

v10.4.0

Compare Source

Minor Changes

• pnpm approve-builds --global works now for allowing dependencies of globally installed packages to run postinstall scripts.

• The pnpm add command now supports a new flag, --allow-build, which allows building the specified dependencies. For instance, if you want to install a package called bundle that has esbuild as a dependency and want to allow esbuild to run postinstall scripts, you can run:

  pnpm --allow-build=esbuild add bundle
  

  This will run esbuild's postinstall script and also add it to the pnpm.onlyBuiltDependencies field of package.json. So, esbuild will always be allowed to run its scripts in the future.

  Related PR: #​9086.

• The pnpm init command adds a packageManager field with the current version of pnpm CLI #​9069. To disable this behaviour, set the init-package-manager setting to false.

Patch Changes

• pnpm approve-builds should work after two consecutive pnpm install runs #​9083.
• Fix instruction for updating pnpm with corepack #​9101.
• The pnpm version specified by packageManager cannot start with v.

v10.3.0

Compare Source

Minor Changes

• Added a new setting called strict-dep-builds. When enabled, the installation will exit with a non-zero exit code if any dependencies have unreviewed build scripts (aka postinstall scripts) #​9071.

Patch Changes

• Fix a false negative of verify-deps-before-run after pnpm install --production|--no-optional #​9019.
• Print the warning about blocked installation scripts at the end of the installation output and make it more prominent.

v10.2.1

Compare Source

Patch Changes

• Don't read a package from side-effects cache if it isn't allowed to be built #​9042.
• pnpm approve-builds should work, when executed from a subdirectory of a workspace #​9042.
• pnpm deploy --legacy should work without injected dependencies.
• Add information about how to deploy without "injected dependencies" to the "pnpm deploy" error message.

v10.2.0

Compare Source

Minor Changes

• Packages executed via pnpm dlx and pnpm create are allowed to be built (run postinstall scripts) by default.

  If the packages executed by dlx or create have dependencies that have to be built, they should be listed via the --allow-build flag. For instance, if you want to run a package called bundle that has esbuild in dependencies and want to allow esbuild to run postinstall scripts, run:

  pnpm --allow-build=esbuild dlx bundle
  

  Related PR: #​9026.

Patch Changes

• Quote args for scripts with shell-quote to support new lines (on POSIX only) #​8980.
• Fix a bug in which pnpm deploy fails to read the correct projectId when the deploy source is the same as the workspace directory #​9001.
• Proxy settings should be respected, when resolving Git-hosted dependencies #​6530.
• Prevent overrides from adding invalid version ranges to peerDependencies by keeping the peerDependencies and overriding them with prod dependencies #​8978.
• Sort the package names in the "pnpm.onlyBuiltDependencies" list saved by pnpm approve-builds.

v10.1.0

Compare Source

Minor Changes

• Added a new command for printing the list of dependencies with ignored build scripts: pnpm ignored-builds #​8963.
• Added a new command for approving dependencies for running scripts during installation: pnpm approve-builds #​8963.
• Added a new setting called optimistic-repeat-install. When enabled, a fast check will be performed before proceeding to installation. This way a repeat install or an install on a project with everything up-to-date becomes a lot faster. But some edge cases might arise, so we keep it disabled by default for now #​8977.
• Added a new field "pnpm.ignoredBuiltDependencies" for explicitly listing packages that should not be built. When a package is in the list, pnpm will not print an info message about that package not being built #​8935.

Patch Changes

• Verify that the package name is valid when executing the publish command.
• When running pnpm install, the preprepare and postprepare scripts of the project should be executed #​8989.
• Allow workspace: and catalog: to be part of wider version range in peerDependencies.
• pnpm deploy should inherit the pnpm object from the root package.json #​8991.
• Make sure that the deletion of a node_modules in a sub-project of a monorepo is detected as out-of-date #​8959.
• Fix infinite loop caused by lifecycle scripts using pnpm to execute other scripts during pnpm install with verify-deps-before-run=install #​8954.
• Replace strip-ansi with the built-in util.stripVTControlCharacters #​9009.
• Do not print patched dependencies as ignored dependencies that require a build #​8952.

v10.0.0

Compare Source

Major Changes

• Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #​8897. For example:

  {
    "pnpm": {
      "onlyBuiltDependencies": ["fsevents"]
    }
  }

• pnpm link behavior updated:

  The pnpm link command now adds overrides to the root package.json.

  • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
  • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g.
    Related PR: #​8653

• Secure hashing with SHA256:

  Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

  • Long paths inside node_modules/.pnpm are now hashed with SHA256.
  • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
  • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
  • The side effects cache keys now use SHA256.
  • The pnpmfile checksum in the lockfile now uses SHA256 (#​8530).

• Configuration updates:

  • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

  • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #​8378

  • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

  • virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

  • Reduced environment variables for scripts:
    During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain.
    Related Issue: #​8552

  • All dependencies are now installed even if NODE_ENV=production. Related Issue: #​8827

• Changes to the global store:

  • Store version bumped to v10.

  • Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.

    This approach ensures that we can:

    1. Validate that the integrity in the lockfile corresponds to the correct package, which might not be the case after a poorly resolved Git conflict.
    2. Allow the same content to be referenced by different packages or different versions of the same package.
       Related PR: #​8510
       Related Issue: #​8204

  • More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files.
    Related PR: #​8636

  • A new index directory stores package content mappings. Previously, these files were in files.

• Other breaking changes:

  • The # character is now escaped in directory names within node_modules/.pnpm.
    Related PR: #​8557
  • Running pnpm add --global pnpm or pnpm add --global @​pnpm/exe now fails with an error message, directing you to use pnpm self-update instead.
    Related PR: #​8728
  • Dependencies added via a URL now record the final resolved URL in the lockfile, ensuring that any redirects are fully captured.
    Related Issue: #​8833
  • The pnpm deploy command now only works in workspaces that have inject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile.
  • Removed conversion from lockfile v6 to v9. If you need v6-to-v9 conversion, use pnpm CLI v9.
  • pnpm test now passes all parameters after the test keyword directly to the underlying script. This matches the behavior of pnpm run test. Previously you needed to use the -- prefix.
    Related PR: #​8619

• node-gyp updated to version 11.

• pnpm deploy now tries creating a dedicated lockfile from a shared lockfile for deployment. It will fallback to deployment without a lockfile if there is no shared lockfile or force-legacy-deploy is set to true.

Minor Changes

• Added support for a new type of dependencies called "configurational dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").

  Configurational dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using exact version and the integrity checksum. Example:

  {
    "pnpm": {
      "configDependencies": {
        "my-configs": "1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="
      }
    }
  }

  Related RFC: #​8.
  Related PR: #​8915.

• New settings:

  • New verify-deps-before-run setting. This setting controls how pnpm checks node_modules before running scripts:

    • install: Automatically run pnpm install if node_modules is outdated.
    • warn: Print a warning if node_modules is outdated.
    • prompt: Prompt the user to confirm running pnpm install if node_modules is outdated.
    • error: Throw an error if node_modules is outdated.
    • false: Disable dependency checks.
      Related Issue: #​8585

  • New inject-workspace-packages setting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved using dependenciesMeta[].injected, which remains supported.
    Related PR: #​8836

• Faster repeat installs:

  On repeated installs, pnpm performs a quick check to ensure node_modules is up to date.
  Related PR: #​8838

• pnpm add integrates with default workspace catalog:

  When adding a dependency, pnpm add checks the default workspace catalog. If the dependency and version requirement match the catalog, pnpm add uses the catalog: protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior.
  Related Issue: #​8640

• pnpm dlx now resolves packages to their exact versions and uses these exact versions for cache keys. This ensures pnpm dlx always installs the latest requested packages.
  Related PR: #​8811

• No node_modules validation on certain commands. Commands that should not modify node_modules (e.g., pnpm install --lockfile-only) no longer validate or purge node_modules.
  Related PR: #​8657

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
pixiv-now	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Feb 17, 2025 2:28am

[sourcery-ai]

我们已跳过审查此拉取请求。原因如下：

• 它似乎是由机器人创建的（嘿，renovate[bot]！）。我们假设它知道自己在做什么！
• 我们不审查包管理更改 - 如果您希望我们更改此策略，请联系我们。

Original comment in English

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[sourcery-ai]

审阅者指南 by Sourcery

此拉取请求将 pnpm 包管理器从版本 9.15.4 更新到 10.2.0。这是一个主要版本更新，包含破坏性变更、新功能和错误修复。主要变更是在 package.json 文件中，更新了 packageManager 字段以反映新版本。

pnpm v10 主要变更流程图

flowchart TD
    A[pnpm v10 主要变更] --> B[安全变更]
    A --> C[配置更新]
    A --> D[存储变更]

    B --> B1[默认禁用生命周期脚本]
    B --> B2[使用 SHA256 进行安全哈希]

    C --> C1[启用管理包管理器版本]
    C --> C2[无默认提升]
    C --> C3[减少 npm_package_* 环境变量]

    D --> D1[存储版本 v10]
    D --> D2[新的索引目录结构]
    D --> D3[更高效的副作用跟踪]

    B1 --> E[需要在 package.json 中明确批准]
    B2 --> F[提高安全性和一致性]

    style A fill:#f9f,stroke:#333,stroke-width:4px
    style B fill:#bbf,stroke:#333
    style C fill:#bbf,stroke:#333
    style D fill:#bbf,stroke:#333

Loading

文件级变更

变更	详情	文件
将 pnpm 依赖更新到 v10.2.0	在 packageManager 字段中将 pnpm 版本从 9.15.4 更新到 10.2.0。	package.json

---

提示和命令

与 Sourcery 交互

• 触发新审阅： 在拉取请求中评论 @sourcery-ai review。
• 继续讨论： 直接回复 Sourcery 的审阅评论。
• 从审阅评论生成 GitHub 问题： 通过回复审阅评论要求 Sourcery 创建问题。您也可以用 @sourcery-ai issue 回复审阅评论来创建问题。
• 生成拉取请求标题： 在拉取请求标题的任何位置写 @sourcery-ai 以随时生成标题。您也可以在拉取请求中评论 @sourcery-ai title 以随时（重新）生成标题。
• 生成拉取请求摘要： 在拉取请求正文的任何位置写 @sourcery-ai summary 以随时生成 PR 摘要。您也可以在拉取请求中评论 @sourcery-ai summary 以随时（重新）生成摘要。
• 生成审阅者指南： 在拉取请求中评论 @sourcery-ai guide 以随时（重新）生成审阅者指南。
• 解决所有 Sourcery 评论： 在拉取请求中评论 @sourcery-ai resolve 以解决所有 Sourcery 评论。如果您已经处理了所有评论，不想再看到它们，这很有用。
• 取消所有 Sourcery 审阅： 在拉取请求中评论 @sourcery-ai dismiss 以取消所有现有的 Sourcery 审阅。特别适用于想要重新开始审阅的情况 - 别忘了评论 @sourcery-ai review 以触发新审阅！
• 为问题生成行动计划： 在问题中评论 @sourcery-ai plan 以生成问题的行动计划。

自定义您的体验

访问您的仪表板以：

• 启用或禁用审阅功能，如 Sourcery 生成的拉取请求摘要、审阅者指南等。
• 更改审阅语言。
• 添加、删除或编辑自定义审阅说明。
• 调整其他审阅设置。

获取帮助

• 联系我们的支持团队以获取问题或反馈。
• 访问我们的文档以获取详细指南和信息。
• 通过关注我们的 X/Twitter、LinkedIn 或 GitHub 与 Sourcery 团队保持联系。

Original review guide in English

Reviewer's Guide by Sourcery

This pull request updates the pnpm package manager from version 9.15.4 to 10.2.0. This is a major version update that includes breaking changes, new features, and bug fixes. The primary change is in the package.json file, where the packageManager field is updated to reflect the new version.

Flow diagram of major changes in pnpm v10

flowchart TD
    A[pnpm v10 Major Changes] --> B[Security Changes]
    A --> C[Configuration Updates]
    A --> D[Store Changes]

    B --> B1[Lifecycle scripts disabled by default]
    B --> B2[SHA256 for secure hashing]

    C --> C1[manage-package-manager-versions enabled]
    C --> C2[No default hoisting]
    C --> C3[Fewer npm_package_* env vars]

    D --> D1[Store version v10]
    D --> D2[New index directory structure]
    D --> D3[More efficient side effects tracking]

    B1 --> E[Requires explicit approval in package.json]
    B2 --> F[Improved security and consistency]

    style A fill:#f9f,stroke:#333,stroke-width:4px
    style B fill:#bbf,stroke:#333
    style C fill:#bbf,stroke:#333
    style D fill:#bbf,stroke:#333

Loading

File-Level Changes

Change	Details	Files
Update pnpm dependency to v10.2.0	Updated the pnpm version in the packageManager field from 9.15.4 to 10.2.0.	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.