
chore(deps): update pnpm to v11.1.1 #787

Merged: mergify[bot] merged 1 commit into main from renovate/pnpm-11.x on May 13, 2026

@renovate renovate Bot commented May 13, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
pnpm (source) | 11.0.9 → 11.1.1 | age | confidence

Release Notes

pnpm/pnpm (pnpm)

v11.1.1

Compare Source

Patch Changes
  • Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
  • Fixed pnpm add <alias>:@scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
  • Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

v11.1.0

Compare Source

Minor Changes
  • Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #7909. Scoped registries are respected, and registries without signing keys are skipped.

  • Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

    Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

    namedRegistries:
      gh: https://npm.pkg.github.example.com/
      work: https://npm.work.example.com/

    With this, work:@corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #8941.

  • Allow setting sbom spec version using --sbom-spec-version #11389.

  • Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

  • Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #11279.

  • Added pnpm owner command to manage package owners on the registry.

Patch Changes
  • Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

    For example, pnpm view pnpm now shows:

    published 17 hours ago by GitHub Actions
    
  • pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #11561.

  • pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:

    • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
    • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

    Related: #11587.

  • pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

  • Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

    Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
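
Added example, not part of the Renovate comment or of pnpm's code: an offline sketch of the check that the v11.1.0 note on pnpm audit signatures describes. It assumes npm's documented registry-signature scheme (a base64 DER ECDSA P-256/SHA-256 signature over name@version:integrity, listed in dist.signatures with a keyid); the key pair, keyid, package name and integrity value are constructed for the demo.

```javascript
const crypto = require('node:crypto');

// Constructed demo key pair standing in for a registry's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Constructed stand-in for a GET /-/npm/v1/keys response (key is base64 DER SPKI).
const registryKeys = {
  keys: [{
    keyid: 'SHA256:constructed-demo-keyid',
    keytype: 'ecdsa-sha2-nistp256',
    scheme: 'ecdsa-sha2-nistp256',
    key: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
  }],
};

// Assumed signed payload (npm scheme): binds name, version and tarball integrity.
const signedMessage = (name, version, integrity) => `${name}@${version}:${integrity}`;

// Demo only: build the dist object a signing registry would publish.
function makeDist(name, version, integrity) {
  const msg = Buffer.from(signedMessage(name, version, integrity));
  const sig = crypto.sign('sha256', msg, privateKey).toString('base64');
  return { integrity, signatures: [{ keyid: registryKeys.keys[0].keyid, sig }] };
}

// Returns 'skipped' | 'missing' | 'unknown-key' | 'invalid' | 'valid'.
function verifyDist(name, version, dist, keyDoc) {
  if (!keyDoc.keys || keyDoc.keys.length === 0) return 'skipped'; // registry does not sign
  if (!dist.signatures || dist.signatures.length === 0) return 'missing';
  const msg = Buffer.from(signedMessage(name, version, dist.integrity));
  let sawKnownKey = false;
  for (const { keyid, sig } of dist.signatures) {
    const entry = keyDoc.keys.find((k) => k.keyid === keyid);
    if (!entry) continue; // signed with a key this registry does not advertise
    sawKnownKey = true;
    const pub = crypto.createPublicKey({
      key: Buffer.from(entry.key, 'base64'), format: 'der', type: 'spki',
    });
    if (crypto.verify('sha256', msg, pub, Buffer.from(sig, 'base64'))) return 'valid';
  }
  return sawKnownKey ? 'invalid' : 'unknown-key';
}

const demoDist = makeDist('demo-pkg', '1.0.0', 'sha512-Y29uc3RydWN0ZWQ=');
console.log(verifyDist('demo-pkg', '1.0.0', demoDist, registryKeys));
console.log(verifyDist('demo-pkg', '1.0.1', demoDist, registryKeys));
```

Because the signature covers the integrity string, a swapped tarball hash or version fails verification even when the keyid is genuine.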

@renovate renovate Bot added the renovate and skip-nx-cloud (Disable NX Cloud to conserve credits (uses local cache)) labels May 13, 2026
mergify Bot commented May 13, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Verification des checks CI

Wonderful, this rule succeeded.

The main checks must pass

  • check-success=main

🟢 Verification des tests E2E

Wonderful, this rule succeeded.

The E2E tests must pass

  • check-success=E2E Tests

🟢 Verification Chromatic

Wonderful, this rule succeeded.

The Chromatic check must pass

  • check-success=Chromatic (Frontend)

🟢 Pas de changements demandes

Wonderful, this rule succeeded.

No review with changes requested

  • #changes-requested-reviews-by=0

@mergify mergify Bot added the automerge label May 13, 2026

@mergify mergify Bot left a comment

Auto-approved by Mergify
Minor dependency update - All tests pass

mergify Bot commented May 13, 2026

Merge Queue Status

  • Entered queue 2026-05-13 10:10 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged 2026-05-13 10:12 UTC · at a2ee59cab94ffb02c2f7c958d4deb4a16f85fd4d · squash

This pull request spent 1 minute 31 seconds in the queue, including 3 seconds running CI.

Required conditions to merge
  • #approved-reviews-by>=0
  • base=main
  • check-success=Chromatic (Frontend)
  • check-success=E2E Tests
  • check-success=main
  • all of [🛡 Merge Protections rule Pas de changements demandes]:
  • all of [🛡 Merge Protections rule Verification Chromatic]:
    • check-success=Chromatic (Frontend)
  • all of [🛡 Merge Protections rule Verification des checks CI]:
    • check-success=main
  • all of [🛡 Merge Protections rule Verification des tests E2E]:
    • check-success=E2E Tests
  • any of [🛡 GitHub branch protection]:
    • check-success = main
    • check-neutral = main
    • check-skipped = main
  • any of [🛡 GitHub branch protection]:
    • check-success = E2E Tests
    • check-neutral = E2E Tests
    • check-skipped = E2E Tests
  • any of [🛡 GitHub branch protection]:
    • check-success = Chromatic (Frontend)
    • check-neutral = Chromatic (Frontend)
    • check-skipped = Chromatic (Frontend)

@mergify mergify Bot merged commit 6e28d57 into main May 13, 2026
13 of 14 checks passed
@mergify mergify Bot deleted the renovate/pnpm-11.x branch May 13, 2026 10:12
@mergify mergify Bot removed the queued label May 13, 2026
@github-actions github-actions Bot added the version:2026.05.13.19 (Pull requests included in this deployed version) label May 13, 2026

Labels

automerge, ready-to-merge, renovate, skip-nx-cloud (Disable NX Cloud to conserve credits (uses local cache)), version:2026.05.13.19 (Pull requests included in this deployed version)
