chore: update pnpm-lock.yaml #12014
📝 Walkthrough
Bumps pnpm to 11.5.1 and Node runtime to 26.3.0 in package.json and updates CI/benchmark/release workflows. Adds meta-updater logic to read devEngines.runtime and rewrite any
Changes: Tooling and Runtime Version Updates
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant MetaUpdater
    participant RootManifest
    participant PackageScripts
    participant WorkflowYAML
    MetaUpdater->>RootManifest: read devEngines.runtime (name: "node", version)
    MetaUpdater->>PackageScripts: scan & replace node@runtime:<old> → node@runtime:<version>
    MetaUpdater->>WorkflowYAML: update workflow node major pin to match runtime version
```
Review Summary by Qodo
Update pnpm-lock.yaml with latest compatible dependency versions

Description
- Update amaro from 1.1.9 to 1.1.10
- Update @pnpm/symlink-dependency from 1000.0.17 to 1000.0.18
- Update @pnpm/worker from 1000.6.8 to 1000.6.9
- Update multiple transitive dependencies including electron-to-chromium, make-fetch-happen, pnpm, streamx, and which-typed-array

Diagram

```mermaid
flowchart LR
    A["pnpm-lock.yaml"] -->|"amaro 1.1.9 → 1.1.10"| B["Updated Dependencies"]
    A -->|"@pnpm/worker 1000.6.8 → 1000.6.9"| B
    A -->|"@pnpm/symlink-dependency 1000.0.17 → 1000.0.18"| B
    A -->|"electron-to-chromium, make-fetch-happen, pnpm, streamx, which-typed-array"| B
    B -->|"Transitive updates"| C["Lockfile Resolved"]
```

File Changes
1. pnpm-lock.yaml
Integrated-Benchmark Report (Linux)
Scenario: Isolated linker: fresh restore, cold cache + cold store (BENCHMARK_REPORT.json)
Scenario: Isolated linker: fresh restore, hot cache + hot store (BENCHMARK_REPORT.json)
Scenario: Isolated linker: fresh install, cold cache + cold store (BENCHMARK_REPORT.json)
Scenario: Isolated linker: fresh install, hot cache + hot store (BENCHMARK_REPORT.json)
| | |
|---|---|
| Branch | pr/12014 |
| Testbed | pacquet |

| Benchmark | Result (ms) | Δ vs baseline | Baseline (ms) | Upper boundary (ms) | Limit used |
|---|---|---|---|---|---|
| isolated-linker.fresh-install.cold-cache.cold-store | 2,352.83 | -0.40% | 2,362.31 | 2,834.77 | 83.00% |
| isolated-linker.fresh-install.hot-cache.hot-store | 1,498.28 | +0.78% | 1,486.66 | 1,783.99 | 83.98% |
| isolated-linker.fresh-restore.cold-cache.cold-store | 2,139.13 | +3.47% | 2,067.45 | 2,480.94 | 86.22% |
| isolated-linker.fresh-restore.hot-cache.hot-store | 693.76 | +2.04% | 679.89 | 815.87 | 85.03% |
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 67-69: The repo declares dev runtime "runtime": { "name": "node",
"version": "26.3.0" } but the compile-only script still invokes "pnx
node@runtime:26.0.0"; update the hardcoded runtime in that script to match the
declared dev runtime (26.3.0) so both the runtime object and the "pnx
node@runtime:..." invocation use the same version; locate the compile-only
script entry that contains "pnx node@runtime:26.0.0" and replace the version
token to "26.3.0" (or better, parameterize it to reference the single source of
truth if your package.json scripts support it).
⛔ Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Compile & Lint
- GitHub Check: zizmor latest via PyPI
- GitHub Check: Compile & Lint
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.
Applied to files:
package.json
Pull request overview
Automated lockfile and packageManager update to pick up newer compatible dependency versions.
Changes:
- Bump `packageManager` and `devEngines.packageManager` to pnpm 11.5.1 and `devEngines.runtime` Node to 26.3.0.
- Refresh `pnpm-lock.yaml` with updated transitive/catalog versions (e.g. `@inquirer/prompts` 8.5.2, eslint 10.4.1, lru-cache 11.5.1, tinyglobby 0.2.17, amaro 1.1.10, etc.).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Update packageManager pin and devEngines versions for pnpm and Node. |
| pnpm-lock.yaml | Regenerate lockfile with bumped dependency versions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
🧹 Nitpick comments (2)
.meta-updater/src/index.ts (2)
329-333: 💤 Low value. Consider sanitizing `major` before regex construction.
Static analysis flagged line 331 for potential ReDoS due to constructing a RegExp from variable input. While `major` comes from a controlled source (devEngines.runtime.version), defensive coding would validate that it contains only digits before use in the regex.
🛡️ Optional defensive check
function syncNodeVersionInWorkflow (content: string | null, version: string | undefined): string | null { if (content == null || !version) return content const major = version.split('.')[0] + // Ensure major is numeric to prevent regex injection + if (!/^\d+$/.test(major)) { + throw new Error(`Invalid major version: ${major}`) + } return content.replace(new RegExp(`\\b${major}\\.\\d+\\.\\d+\\b`, 'g'), version) }🤖 Prompt for AI Agents
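Review bot: The added guard throws when `major` is not all digits, which aborts the whole meta-updater run on a malformed manifest value, while the agent prompt for the same finding says to return `content` unchanged; the two suggestions should agree, and for a tooling script skipping the replacement (with a logged warning) is the gentler choice. Separately, the pattern `\\b${major}\\.\\d+\\.\\d+\\b` is not tied to a `node-version:` key, so any other `<major>.x.y` string in the workflow file would also be rewritten to the Node version; anchoring the match to the key, e.g. `^([ \\t]*node-version:[ \\t]*)${major}\\.\\d+\\.\\d+\\b` with the `gm` flags, limits the rewrite to the intended line.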
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.meta-updater/src/index.ts around lines 329 - 333, The regex in syncNodeVersionInWorkflow builds a pattern from the unvalidated variable major which can cause ReDoS or unintended regex injection; validate or sanitize major (from version) to ensure it consists only of digits (e.g., /^\d+$/) before constructing the RegExp, and if it fails validation return content unchanged or handle safely; update the function syncNodeVersionInWorkflow to parse and verify major is numeric and only then create the RegExp using the validated value (or escape it) and replace, otherwise skip the replacement.
309-313: 💤 Low value. Consider validating the version string format.
The function reads `devEngines.runtime.version` but doesn't validate that it's a well-formed semver string (e.g., `26.3.0`). While the regex usage downstream will gracefully fail to match malformed versions, explicit validation would make debugging easier and provide clearer error messages if the manifest contains an invalid version format.
🛡️ Optional validation to add
function readNodeRuntimeVersion (workspaceDir: string): string | undefined { const manifest = loadJsonFileSync<{ devEngines?: { runtime?: { name?: string, version?: string } } }>(path.join(workspaceDir, 'package.json')) const runtime = manifest?.devEngines?.runtime - return runtime?.name === 'node' ? runtime.version : undefined + const version = runtime?.name === 'node' ? runtime.version : undefined + // Validate basic semver format (major.minor.patch) + if (version && !/^\d+\.\d+\.\d+$/.test(version)) { + throw new Error(`devEngines.runtime.version must be in format X.Y.Z, got: ${version}`) + } + return version }🤖 Prompt for AI Agents
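Review bot: The strict `^\d+\.\d+\.\d+$` check rejects pre-release and build-suffixed versions such as `26.3.0-rc.1`, and because the diff throws rather than returning `undefined`, a pre-release Node pin in `devEngines.runtime.version` becomes a hard failure of the updater; the agent prompt below suggests `semver.valid` or returning `undefined` instead, so pick one behaviour and document it. Note also that the check only runs when `runtime.name === 'node'`, so a malformed version for any other runtime name passes silently, which is fine if intended but worth a comment.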
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.meta-updater/src/index.ts around lines 309 - 313, readNodeRuntimeVersion currently returns whatever is in manifest.devEngines.runtime.version without validating it's a proper semver; update readNodeRuntimeVersion to verify runtime.version is present and matches a semver (either use semver.valid from the 'semver' package or a strict regex like /^\d+\.\d+\.\d+(-[0-9A-Za-z-.]+)?(\+[0-9A-Za-z-.]+)?$/) and only return the value if valid, otherwise return undefined (or throw/log a clear error mentioning readNodeRuntimeVersion and the invalid version string) so downstream code gets a validated Node runtime version.
📒 Files selected for processing (4)
- .github/workflows/benchmark.yml
- .github/workflows/ci.yml
- .github/workflows/release.yml
- .meta-updater/src/index.ts
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/release.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
- GitHub Check: Upload results
- GitHub Check: Run benchmark on ubuntu-latest
- GitHub Check: Compile & Lint
- GitHub Check: Analyze (javascript)
- GitHub Check: Compile & Lint
🧰 Additional context used
🪛 ast-grep (0.43.0)
.meta-updater/src/index.ts
[warning] 331-331: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(\\b${major}\\.\\d+\\.\\d+\\b, 'g')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
(regexp-from-variable)
🔇 Additional comments (7)
.github/workflows/benchmark.yml (1)
66-66: LGTM!
.github/workflows/ci.yml (1)
55-55: LGTM! Also applies to: 64-64
.meta-updater/src/index.ts (5)
5-5: LGTM!
317-322: LGTM!
335-342: LGTM!
69-79: LGTM!
187-189: LGTM!
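As an added example (not code from the pnpm repository), the flagged regex construction beside a hardened variant, run over a constructed workflow snippet; `syncNodeVersionUnsafe`, `syncNodeVersionSafe`, `countMatches` and the YAML are assumed names and input. It also shows a consequence the review comment does not spell out: because the pattern is not anchored to a `node-version:` key, any other pin sharing Node's major version is rewritten too.

```typescript
// Added example (not pnpm's code). Constructed workflow snippet: the second
// `26.x.y` is an unrelated pin that happens to share Node's major version.
const SAMPLE_WORKFLOW = [
  'jobs:',
  '  build:',
  '    steps:',
  '      - uses: actions/setup-node@v4',
  '        with:',
  '          node-version: 26.0.0',
  '      - run: ./tool --pin 26.1.4   # constructed: unrelated pin, same major',
].join('\n')

// Mirrors the flagged shape: `major` goes straight into the pattern, unvalidated
// and unanchored, so a non-numeric major is a regex syntax error and every
// `<major>.x.y` anywhere in the file is rewritten.
function syncNodeVersionUnsafe(content: string | null, version: string | undefined): string | null {
  if (content == null || !version) return content
  const major = version.split('.')[0]
  return content.replace(new RegExp(`\\b${major}\\.\\d+\\.\\d+\\b`, 'g'), version)
}

// Hardened: validate the whole version first (so `major` is digits only), use a
// replacer function so `version` is never interpreted as a `$` pattern, and only
// touch the value of a `node-version:` key. A malformed version leaves the file untouched.
function syncNodeVersionSafe(content: string | null, version: string | undefined): string | null {
  if (content == null || !version) return content
  if (!/^\d+\.\d+\.\d+$/.test(version)) return content
  const major = version.split('.')[0]
  const re = new RegExp(`^([ \\t]*node-version:[ \\t]*)${major}\\.\\d+\\.\\d+\\b`, 'gm')
  return content.replace(re, (_match: string, key: string) => key + version)
}

// Helper for the checks: how many times `needle` occurs in `text`.
function countMatches(text: string, needle: string): number {
  return text.split(needle).length - 1
}
```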
This PR updates the lockfile to pick up the latest compatible versions of dependencies.
This is an automated PR created by the update-lockfile workflow.