chore(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@eslint/compat (source)	2.0.5 → 2.1.0			devDependencies	minor
@playwright/test (source)	1.59.1 → 1.60.0			devDependencies	minor
@sveltejs/kit (source)	2.59.0 → 2.59.1			devDependencies	patch
@sveltejs/vite-plugin-svelte (source)	7.0.0 → 7.1.2			devDependencies	minor
@tailwindcss/postcss (source)	4.2.4 → 4.3.0			devDependencies	minor
@tailwindcss/vite (source)	4.2.4 → 4.3.0			devDependencies	minor
@types/node (source)	25.6.0 → 25.7.0			devDependencies	minor
actions/create-github-app-token	v3.1.1 → v3.2.0			action	minor
changesets/action	v1.7.0 → v1.8.0			action	minor
pnpm (source)	10.33.2 → 11.1.1			packageManager	major
pnpm/action-setup	v6.0.5 → v6.0.8			action	patch
postcss (source)	8.5.13 → 8.5.14			devDependencies	patch
prettier-plugin-svelte	3.5.1 → 3.5.2			devDependencies	patch
publint (source)	0.3.18 → 0.3.21			devDependencies	patch
svelte-check	4.4.7 → 4.4.8			devDependencies	patch
tailwind-merge	3.5.0 → 3.6.0			devDependencies	minor
tailwindcss (source)	4.2.4 → 4.3.0			devDependencies	minor
typescript-eslint (source)	8.59.1 → 8.59.3			devDependencies	patch
vite (source)	8.0.10 → 8.0.12			devDependencies	patch
vitest (source)	4.1.5 → 4.1.6			devDependencies	patch

---

Release Notes

eslint/rewrite (@​eslint/compat)

v2.1.0

Compare Source

Features

• Add new includeIgnoreFile() to config-helpers (#​430) (9b51352)

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

sveltejs/kit (@​sveltejs/kit)

v2.59.1

Compare Source

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#​15793)

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte)

v7.1.2

Compare Source

Patch Changes

• fix: correctly resolve compiled CSS on the server for dependencies with Svelte files (#​1342)

v7.1.1

Compare Source

Patch Changes

• fix: pass typescript.onlyRemoveTypeImports to transformWithOxc in vitePreprocess so that value imports are not dropped when they are only referenced in Svelte template markup (#​1326)

• fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#​1336)

v7.1.0

Compare Source

Minor Changes

• feat: enable optimizer for server environments during dev (#​1328)

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

changesets/action (changesets/action)

v1.8.0

Compare Source

Minor Changes

• #​258 f5dbf72 Thanks @​tom-sherman! - Support draft version PR modes with a new prDraft input. Use create to create new version PRs as drafts, or always to also convert existing version PRs back to draft when updating them.

Patch Changes

• #​502 6002dbd Thanks @​oshytiko! - Fixed initial .changeset state being picked up, when cwd parameter is provided

• #​536 81b3f61 Thanks @​radnan! - Fixed .changeset state being picked for the version command when cwd parameter is provided

pnpm/pnpm (pnpm)

v11.1.1

Compare Source

Patch Changes

• Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
• Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@​teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@​teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
• Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

v11.1.0

Compare Source

Minor Changes

• Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #​7909. Scoped registries are respected, and registries without signing keys are skipped.

• Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@​acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

  Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

  namedRegistries:
    gh: https://npm.pkg.github.example.com/
    work: https://npm.work.example.com/

  With this, work:@​corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #​8941.

• Allow setting sbom spec version using --sbom-spec-version #​11389.

• Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

• Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #​11279.

• Added pnpm owner command to manage package owners on the registry.

Patch Changes

• Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

  For example, pnpm view pnpm now shows:

  published 17 hours ago by GitHub Actions
  

• pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #​11561.

• pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:

  • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
  • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

  Related: #​11587.

• pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

• Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

  Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.

v11.0.9

Compare Source

Patch Changes

• Fixed installation of GitLab-hosted dependencies. pnpm now downloads the tarball from https://gitlab.com/<user>/<project>/-/archive/<sha>/<project>-<sha>.tar.gz instead of the GitLab API endpoint that contained an encoded slash (%2F) between user and project. The encoded slash both triggered 406 Not Acceptable responses from GitLab and produced virtual store directory names that Node refused to import (ERR_INVALID_MODULE_SPECIFIER) #​11533.
• Honor NPM_CONFIG_USERCONFIG (and its lowercase npm_config_userconfig form) as a low-priority fallback when locating the user-level .npmrc. This restores compatibility with environments that point npm at a custom auth file via that env var — most notably actions/setup-node, which writes registry credentials to ${runner.temp}/.npmrc and exports NPM_CONFIG_USERCONFIG to reference it. Without this, GitHub Actions workflows using actions/setup-node to authenticate to private registries broke after upgrading to pnpm v11. PNPM-prefixed env vars and npmrcAuthFile from the global config.yaml continue to take precedence #​11539.
• Fix pnpm pack not bundling dependencies listed in bundleDependencies (or bundledDependencies). The npm-packlist upgrade in pnpm 11 changed its API to require the caller to pre-populate the dependency tree, which the wrapper was not doing — bundleDependencies were silently dropped from the tarball #​11519.
• Fixed the pnpm CLI crashing with a confusing SyntaxError: Invalid regular expression flags instead of printing a clear "requires Node.js v22.13" error when launched on an unsupported Node.js version. The Node.js version check in bin/pnpm.mjs was effectively dead code because the static import of the bundled dist/pnpm.mjs was hoisted by the ES module loader and parsed before the check could run #​11546.
• Fixed pnpm --prefix=<dir> install overwriting the existing pnpm-workspace.yaml in <dir> with set this to true or false placeholders. The renamed --prefix option (which maps to dir) was not honored when locating the workspace root, so the workspace manifest's allowBuilds settings were not loaded into config and got clobbered when ignored builds were auto-populated #​11535.
• Fixed pnpm publish --provenance failing with a 422 from the registry when the package version contained semver build metadata (e.g. 1.0.0-canary.0+abc1234). The +<build> segment is now stripped before packing so that the version embedded in the tarball, the metadata sent to the registry, and the sigstore provenance subject all agree #​11518.

v11.0.8

Compare Source

Patch Changes

• Restored the heuristic that preserves tarball URLs in pnpm-lock.yaml when they cannot be derived from name+version+registry, even with the default lockfileIncludeTarballUrl: false. Without this, pnpm install --frozen-lockfile from an empty store fails with ERR_PNPM_FETCH_404 for packages on registries that serve tarballs from a non-standard path — most notably GitHub Packages (https://npm.pkg.github.com/download/<scope>/<name>/<version>/<hash>) and JSR. lockfileIncludeTarballUrl: true continues to force the URL into the lockfile for every package #​11276.
• Run preversion, version, and postversion lifecycle scripts for pnpm version.
• Fixed ERR_PNPM_BAD_TARBALL_SIZE when a registry serves tarballs with an end-to-end Content-Encoding (e.g. gzip). Tarballs are already compressed, so the fetcher now requests them with Accept-Encoding: identity (matching pnpm v10's effective behavior) and, as defense in depth against misbehaving servers, no longer enforces the strict Content-Length check when the response declares a Content-Encoding — Content-Length in that case refers to the encoded payload, not the decoded bytes the fetch implementation yields #​11506.

v11.0.7

Compare Source

Patch Changes

• Restore the execute bit on the node-gyp shims packed inside @pnpm/exe (dist/node-gyp-bin/node-gyp, dist/node-gyp-bin/node-gyp.cmd, and dist/node_modules/node-gyp/bin/node-gyp.js). Without this, pnpm/action-setup's standalone path (used on runners with Node.js < 22.13) failed any install whose lifecycle script invoked node-gyp rebuild with sh: 1: node-gyp: Permission denied #​11483.

• Fixed the pn, pnpx, and pnx aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via @pnpm/exe (or after pnpm self-update) #​11486. Running pnpx (or pnx) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running pnpm dlx. The bin field rewrite on Windows was pointing those aliases at .cmd files; cmd-shim's Bash shim for a .cmd target wraps it in exec cmd /C ..., and MSYS2 mangles /C into a Windows path before cmd.exe sees it. The aliases are now .exe hardlinks of the SEA binary, which detects which name it was launched as via process.execPath and prepends dlx for pnpx / pnx.

• Fix pnpm install recreating node_modules after pnpm fetch. pnpm fetch records empty hoistPattern and publicHoistPattern in .modules.yaml; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with virtualStoreOnly: true so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place #​11488.

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Allow user-level preferences in the global config.yaml. The following settings can now be set in ~/.config/pnpm/config.yaml (or via pnpm config set --location global) instead of being restricted to pnpm-workspace.yaml: agent, globalVirtualStoreDir, initPackageManager, initType, registrySupportsTimeField, scriptShell, shellEmulator, sideEffectsCache, sideEffectsCacheReadonly, stateDir, strictDepBuilds, trustPolicy, trustPolicyExclude, trustPolicyIgnoreAfter, updateNotifier, useStderr, verifyDepsBeforeRun, verifyStoreIntegrity, virtualStoreDir, virtualStoreDirMaxLength #​11474.

• Make trusted publishing (OIDC) take precedence over a configured static _authToken in pnpm publish, mirroring the npm CLI's behavior. When OIDC succeeds, the OIDC-derived token overrides any pre-configured _authToken; when OIDC is not applicable (no CI environment, exchange fails, registry has no trusted publisher configured), the static token is used as a fallback. This applies on every package during recursive publish, so each workspace package independently attempts trusted publishing.

  Additionally, the NPM_ID_TOKEN env var is now honored as a CI-agnostic injection point for an OIDC ID token. Previously OIDC was only attempted on GitHub Actions or GitLab; now any CI provider that exposes its own OIDC mechanism (e.g. CircleCI's CIRCLE_OIDC_TOKEN_V2, Buildkite, etc.) can forward its token via NPM_ID_TOKEN and trusted publishing will work without pnpm needing to recognize the provider explicitly.

• --pm-on-fail=ignore (and other universal options like --loglevel, --reporter) is now honored when combined with --help or --version. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so pnpm audit --pm-on-fail=ignore --help and pnpm --pm-on-fail=ignore --version reported the strict packageManager mismatch instead of running the requested action #​11487.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

• Restore npm-CLI-compatible --json stdout output for pnpm publish (#​11476). pnpm 11 reimplemented publish natively (#​10591) and inadvertently dropped the per-package JSON object that pnpm 10 emitted transitively via the npm CLI, silently breaking downstream tooling — most notably nx release publish, which parses stdout JSON to confirm success (nrwl/nx#35575). On success, the output is now:

  • pnpm publish --json → single object { id, name, version, size, unpackedSize, shasum, integrity, filename, files, entryCount, bundled }, mirroring npm publish --json.
  • pnpm publish -r --json → array of those objects, mirroring pnpm pack --json's shape choice.
  • pnpm publish -r --report-summary → existing pnpm-publish-summary.json envelope { publishedPackages: [...] } is preserved, but each entry is upgraded to the same per-package shape (additive — name and version are still present).

• pnpm config get @&#8203;<scope>:registry now reports the same URL that pnpm publish and the resolvers actually use. Previously, config get only consulted .npmrc, while publish/install used the merged map that includes pnpm-workspace.yaml's registries block — so the two could diverge silently and a publish could go to the wrong registry #​11492.

v11.0.6

Compare Source

Patch Changes

• Fix pnpm_config_npmrc_auth_file and pnpm_config_userconfig env vars not actually loading the custom .npmrc. The env vars were parsed and assigned to the resolved config, but only after loadNpmrcConfig had already read the default ~/.npmrc — so the custom file path was set but never read. The relevant env vars are now consulted before the user-level .npmrc is loaded #​11465.
• Preserve the original key order in pnpm-workspace.yaml when updating it. Existing keys keep their position, and new keys are inserted in alphabetical position when the existing keys are already sorted (with a leading packages key allowed) or appended at the end otherwise.
• Fixed pnpm self-update on installations originally set up by pnpm v10. v10 added PNPM_HOME directly to PATH and wrote a pnpm bootstrap shim there. v11 setup writes shims under PNPM_HOME/bin instead, so when a v10 user upgrades to v11 the legacy shim at PNPM_HOME keeps pointing into the old .tools/<version> install — pnpm --version continues to report the pre-update version even though the new version was installed under global/v11. Self-update now detects this layout, refreshes the legacy shims so the upgrade actually takes effect, and prints a hint suggesting pnpm setup to migrate PATH to the v11 layout. #​11464.
• Print a warning when settings that are not allowed in the global config file (e.g. nodeLinker, hoistPattern) are present in config.yaml and silently ignored. Previously these settings were dropped without any feedback, leaving users unsure why their global configuration had no effect. The warning suggests moving those settings to a project-level pnpm-workspace.yaml, or sharing them across projects via config dependencies.
• Throw a pnpm error when overrides has an invalid shape or contains a non-string value.
• Validate all readPackage dependency map fields, including devDependencies, and reject falsy non-object invalid values instead of silently accepting them.
• Prevent crashes during pnpm config, pnpm set, and pnpm get by tolerating configDependencies install failures. For these commands, a failure to install configDependencies (for example because the registry auth token has not been written yet) is now logged at debug level and the command proceeds. All other commands still surface the install error #​10684.
• Treat allowBuilds as an install-state input and clear previously ignored builds when they are explicitly disallowed.
• Fixes #​10594, catalogs not being read from the workspace when using the catalog: protocol with the pnpm dlx / pnpx command, resulting in a catalog entry not found error.
• Accept PNPM_CONFIG_* (uppercase) environment variables in addition to pnpm_config_*. Previously, only the lowercase form was honored, so env vars renamed per the v11 migration guide (e.g. PNPM_CONFIG_USERCONFIG) silently had no effect on case-sensitive systems like macOS and Linux #​11465.

v11.0.5

Compare Source

Patch Changes

• Drop the darwin-x64 artifact from @pnpm/exe and from the GitHub release page. The Node.js SEA mechanism pnpm pack-app uses produces a binary that segfaults at startup on Intel Macs because of an upstream Node.js bug (nodejs/node#62893, tracked alongside #​59553; the Node.js team has opted not to fix it on the grounds that x64 macOS is being phased out). Re-signing with codesign or ldid doesn't help — the corruption is in LIEF's Mach-O surgery, before signing.

  Intel Mac users should install pnpm via npm install -g pnpm (uses the system Node.js, no SEA), or stay on pnpm 10.x. @pnpm/exe's preinstall on Intel Mac now exits with a clear error pointing at these alternatives.

  Closes #​11423.

• pnpm dlx (and pnpx/pnx/pnpm create) now runs the same interactive approve-builds prompt as pnpm add -g when the package being launched depends on transitive packages with install scripts. Previously, the v11 strictDepBuilds default made dlx fail with ERR_PNPM_IGNORED_BUILDS and required users to re-run with --allow-build=<pkg> for every offending dependency. dlx also now removes the partially-populated cache directory when the install fails, so a subsequent run starts clean instead of reusing a broken install whose builds were silently skipped #​11444.

• 72629fc: Fix pnpm -g ls --json and pnpm -g ls --parseable so they emit valid JSON and parseable output respectively, matching pnpm 10 behavior. Since the isolated global packages refactor in pnpm 11, the global list command had a custom path that always printed plain text and ignored --json/--parseable, which broke tools like npm-check-updates that parse the JSON output #​11440.

  pnpm -g ls --depth=<n> (with n > 0) now errors when more than one isolated global install would be involved, since each install has its own lockfile and merging their transitive trees would be incoherent. When the request can be narrowed to a single install group, the regular list flow is used and the full dependency tree is shown.

• Fixed pnpm publish to honor publishConfig.registry from package.json when publishing a single package. The native publish flow introduced in v11 was reading the registry from .npmrc only, ignoring the per-package override #​11419.

• When strictPeerDependencies is true, the ERR_PNPM_PEER_DEP_ISSUES error once again renders the peer dependency issues inline using the same format as pnpm peers check, so users (and CI tools like Renovate) can see what failed without running pnpm peers check separately #​11439.

• The WARN and error code labels in pnpm's output now wrap in brackets ([WARN], [ERR_PNPM_FOO]). Previously the labels relied entirely on a colored background to stand out, which meant they blended into the surrounding text in terminals without color (e.g. when NO_COLOR is set or output is piped). The brackets are painted in the same color as the badge background, so they appear as ordinary padding in color-capable terminals — only the no-color rendering changes.

v11.0.4

Compare Source

Patch Changes

• Fixed pnpm ci not reinstalling workspace package node_modules directories after the clean step #​11427.
• Remove pnpm's workspace state file when cleaning node_modules so pnpm ci performs a fresh install after the clean step.
• Do not remove pnpm-lock.yaml during pnpm clean when lockfile: true is configured in pnpm-workspace.yaml. The lockfile is only removed when the --lockfile option is passed to pnpm clean.
• pnpm self-update (with no version argument) no longer downgrades pnpm when the registry's latest dist-tag points to an older release than the currently active version. Run pnpm self-update latest to force a downgrade #​11418.
• minimumReleaseAgeStrict now defaults to true whenever the user explicitly sets minimumReleaseAge (via pnpm-workspace.yaml, the global config.yaml, the CLI, or pnpm_config_* env vars).

v11.0.3

Compare Source

Patch Changes

• Fix too many open files error sometimes happening on Windows, when creating command shims in node_modules/.bin #​11412.
• Fix ERR_PNPM_FETCH_404 when installing a project whose lockfile depends on a file: tarball. The previous behavior dropped the tarball field from file: and git-hosted resolutions when lockfile-include-tarball-url=false (the default), even though those URLs cannot be reconstructed from the package name, version, and registry #​11407.

v11.0.2

Compare Source

Patch Changes

• Fix ENOENT symlink failure when pnpm add -g triggers the approve-builds prompt. The global add flow used to forward an absolute modulesDir (<installDir>/node_modules) into the install run by approve-builds. The install layer treated modulesDir as a path relative to lockfileDir and joined it again, producing a doubled path on Windows because path.join does not collapse an embedded absolute path. The hoist step then tried to mkdir and symlink under <installDir>\<installDir>\node_modules\.pnpm\node_modules\... and failed with ENOENT #​11403.
• Fixed packageManagerDependencies going stale when pnpm is invoked through corepack. The lockfile sync (and the devEngines.packageManager version check) previously ran only when pnpm was invoked directly; under corepack the entire block was skipped, so a stale entry would persist even after the running pnpm version changed. The lockfile sync now runs regardless of how pnpm was invoked, while the pnpm-managed version switch (onFail: 'download') remains skipped under corepack so it doesn't fight corepack's own version selection #​11397.
• Fix recursive publish summaries to report the manifest from publishConfig.directory when packages publish from a generated directory #​11239.
• Fix negated os / cpu entries (e.g. ["!win32"]) being incorrectly rejected when supportedArchitectures expands to multiple platforms #​11375.

v11.0.1

Compare Source

Patch Changes

• Report unknown top-level options before falling back to implicit pnpm run scripts.
• Reject null named catalogs in workspace manifests with InvalidWorkspaceManifestError instead of crashing with a raw TypeError.
• Populate download location for git-sourced dependencies in SBOM output. Previously pnpm sbom emitted NOASSERTION (SPDX) and omitted the distribution reference (CycloneDX) for git dependencies. Now emits the git URL with commit hash, e.g. git+https://github.com/user/repo.git#commit.
• pnpm self-update now keeps package.json's packageManager and devEngines.packageManager in sync. When the legacy packageManager field pins pnpm, both fields are rewritten to the new exact pnpm version on update — packageManager to pnpm@<version> (without an integrity hash), and devEngines.packageManager.version to the same exact <version> (dropping any range operator). When only devEngines.packageManager is declared, the existing range-preserving behavior is unchanged #​11388.
• Sort the keys of the overrides object returned by `pnpm audit --

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • "before 10am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6cd91f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR