Skip to content

chore: update lockfile and pnpm#12211

Merged
zkochan merged 2 commits into
mainfrom
chore/update-lockfile
Jun 5, 2026
Merged

chore: update lockfile and pnpm#12211
zkochan merged 2 commits into
mainfrom
chore/update-lockfile

Conversation

@zkochan

@zkochan zkochan commented Jun 5, 2026

Copy link
Copy Markdown
Member

This automated PR refreshes the project's pinned versions:

  • Updates the lockfile to the latest compatible versions of dependencies.
  • Bumps Node.js to the latest 26.x release, propagated into the CI, release, and benchmark workflows via the meta-updater.
  • Bumps pnpm to the latest release (packageManager and devEngines.packageManager).
  • Bumps the @pnpm/pacquet config dependency to its latest release.

Created by the update-lockfile workflow.

Summary by CodeRabbit

  • Chores
    • Updated package manager to version 11.5.2.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR bumps the pnpm package manager version from 11.5.1 to 11.5.2 in the root package.json. The version change is applied to both the packageManager field and the devEngines.packageManager.version configuration, ensuring consistency across workspace toolchain specifications.

Changes

pnpm version bump

Layer / File(s) Summary
pnpm version bump
package.json
Package.json packageManager and devEngines.packageManager.version fields are updated from pnpm@11.5.1 to pnpm@11.5.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • pnpm/pnpm#11719: Bumps packageManager and devEngines.packageManager.version pnpm versions in root package.json.
  • pnpm/pnpm#11765: Updates root package.json's pnpm version in both packageManager and devEngines fields.
  • pnpm/pnpm#12014: Modifies root package.json's pnpm tooling metadata in packageManager and devEngines.packageManager.version fields.

Poem

🐰 A tiny bump in our toolkit today,
Eleven-five-two shows the way,
pnpm updated, swift and lean,
The finest version we've yet seen! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title mentions updating 'lockfile and pnpm', but the actual changeset only shows pnpm version bump (11.5.1 → 11.5.2) in package.json, with no lockfile changes visible in the summary. Update the title to accurately reflect the changeset, e.g., 'chore: bump pnpm to 11.5.2' or verify that lockfile changes should be included.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-lockfile

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Review Summary by Qodo

Update pnpm to 11.5.2 and add Node.js catalog entry

✨ Enhancement

Grey Divider

Walkthroughs

Description
• Bumps pnpm from 11.5.1 to 11.5.2 across all configurations
• Adds node catalog entry with runtime version ^26.3.0
• Updates pnpm-lock.yaml with new dependency versions
• Synchronizes package manager versions in devEngines
Diagram
flowchart LR
  A["pnpm 11.5.1"] -->|"Update to"| B["pnpm 11.5.2"]
  C["package.json"] -->|"Update packageManager"| B
  D["pnpm-lock.yaml"] -->|"Refresh lockfile"| E["Updated dependencies"]
  F["pnpm-workspace.yaml"] -->|"Add node catalog"| G["node: runtime:^26.3.0"]

Loading

Grey Divider

File Changes

1. package.json Dependencies +3/-2

Update pnpm version and add node catalog

• Updates packageManager from pnpm@11.5.1 to pnpm@11.5.2
• Updates devEngines.packageManager.version to 11.5.2
• Adds node as a catalog dependency

package.json


2. pnpm-lock.yaml Dependencies +43/-40

Refresh lockfile with pnpm 11.5.2 and node

• Updates all pnpm-related packages from 11.5.1 to 11.5.2
• Updates @pnpm/exe, @pnpm/linux-*, @pnpm/macos-*, @pnpm/win-* versions
• Refreshes integrity hashes for all updated packages
• Adds node catalog entry with version 26.3.0

pnpm-lock.yaml


3. pnpm-workspace.yaml ⚙️ Configuration changes +1/-0

Add Node.js runtime to catalog

• Adds node: runtime:^26.3.0 to the catalog section

pnpm-workspace.yaml


Grey Divider

Qodo Logo

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 56: The devDependency entry "node": "catalog:" is redundant and ambiguous
given devEngines.runtime already pins Node via devEngines.runtime = "26.3.0";
either remove the "node": "catalog:" line from package.json devDependencies or
change it to explicitly match the exact version used by devEngines.runtime
(replace the catalog range with the exact "26.3.0") and add a brief comment
clarifying its purpose; update package.json so devDependencies and
devEngines.runtime are consistent (prefer removing the devDependency if runtime
is authoritative).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f4b5ad77-a0fc-410b-8cdf-d25d01621aa2

📥 Commits

Reviewing files that changed from the base of the PR and between 70554b8 and 55a670f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Compile & Lint
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Run benchmark on ubuntu-latest
  • GitHub Check: Compile & Lint
🧰 Additional context used
🧠 Learnings (14)
📓 Common learnings
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: User-visible changes (CLI flags, defaults, environment variables, lockfile/manifest/state-file formats, error codes/messages, log emissions, store layout, hook semantics) in pnpm must be mirrored to pacquet in the same PR
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: Always explicitly include 'pnpm' in changeset files with appropriate version bump (patch, minor, or major)
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Reference the upstream pnpm commit/PR when porting code from pnpm in commit messages
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Do not change lockfile format, store layout, `.npmrc` semantics, or CLI surface unless pnpm changed them first
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: Version pnpm CLI patch for bug fixes, internal refactors, and changes that don't require documentation; minor for new features/settings that should be documented; major for breaking changes
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Match how the same feature is implemented in the TypeScript pnpm CLI — any change in pacquet must match pnpm's behavior, logic, edge cases, config resolution, error messages, file/lockfile formats, and existing tests
📚 Learning: 2026-05-25T12:36:42.202Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: User-visible changes (CLI flags, defaults, environment variables, lockfile/manifest/state-file formats, error codes/messages, log emissions, store layout, hook semantics) in pnpm must be mirrored to pacquet in the same PR

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-25T12:36:42.202Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: Always explicitly include 'pnpm' in changeset files with appropriate version bump (patch, minor, or major)

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-29T18:03:15.372Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Do not change lockfile format, store layout, `.npmrc` semantics, or CLI surface unless pnpm changed them first

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-20T22:49:17.652Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11787
File: pacquet/crates/catalogs-resolver/src/lib.rs:156-167
Timestamp: 2026-05-20T22:49:17.652Z
Learning: In pacquet's `catalogs-resolver` crate (`pacquet/crates/catalogs-resolver/src/lib.rs`), the protocol detection pattern `catalog_lookup.split(':').next().unwrap_or("")` is an intentional byte-for-byte port of pnpm's upstream JavaScript `getProtocol`/split logic in `catalogs/resolver/src/resolveFromCatalog.ts#L95`. A bare value like `"workspace"` (without a colon) is deliberately classified as the `"workspace"` protocol, matching upstream behavior. pacquet's cardinal rule is to match upstream pnpm behavior including quirks; any behavioral change must land in pnpm first and then be ported here.

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-29T18:03:24.797Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pnpr/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:24.797Z
Learning: Applies to pnpr/**/pnpr/**/Cargo.toml : Declare new shared dependencies in the root [workspace.dependencies] and use { workspace = true } in pnpr crate's Cargo.toml

Applied to files:

  • pnpm-workspace.yaml
📚 Learning: 2026-05-29T18:03:15.372Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Do not add features, flags, or behaviors that pnpm does not have

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-19T19:23:00.981Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11752
File: pacquet/crates/config/src/lib.rs:1062-1073
Timestamp: 2026-05-19T19:23:00.981Z
Learning: In `pacquet/crates/config/src/lib.rs`, `modules_dir` does not need a `!virtual_store_dir_explicit` guard on its workspace re-anchor because `modules_dir` is in pnpm's `excludedPnpmKeys` (filtered out by `WorkspaceSettings::clear_workspace_only_fields`) and therefore can only be set by workspace yaml (applied immediately after) or env vars (applied later in the cascade) — not by global `config.yaml`. `virtual_store_dir`, by contrast, IS settable from global config and requires the `if !virtual_store_dir_explicit` guard to survive the workspace-root re-anchor.

Applied to files:

  • pnpm-workspace.yaml
📚 Learning: 2026-05-25T12:36:42.202Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: Version pnpm CLI patch for bug fixes, internal refactors, and changes that don't require documentation; minor for new features/settings that should be documented; major for breaking changes

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-29T18:03:15.372Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.372Z
Learning: Match how the same feature is implemented in the TypeScript pnpm CLI — any change in pacquet must match pnpm's behavior, logic, edge cases, config resolution, error messages, file/lockfile formats, and existing tests

Applied to files:

  • pnpm-workspace.yaml
  • package.json
📚 Learning: 2026-05-20T19:41:03.063Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11774
File: pacquet/crates/resolving-deps-resolver/src/resolve_peers.rs:0-0
Timestamp: 2026-05-20T19:41:03.063Z
Learning: In the pacquet project (Rust), the semver crate used is `node-semver` (version ~2.2.0), NOT `nodejs-semver`. These are two distinct crates. `node-semver` only exposes `Range::satisfies` as its public satisfaction API — there is no separate `satisfies_with_prerelease` method. Prerelease-tolerant matching is handled inline by retrying against the stripped `MAJOR.MINOR.PATCH` base when `Range::satisfies` rejects a prerelease version.

Applied to files:

  • pnpm-workspace.yaml
📚 Learning: 2026-05-26T18:31:14.579Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11967
File: .changeset/git-fetcher-reject-non-sha-commits.md:2-2
Timestamp: 2026-05-26T18:31:14.579Z
Learning: In the pnpm monorepo, the `fetching/` directory contains multiple separate npm packages each with their own scoped name using a dot-separator convention, e.g., `pnpm/fetching.git-fetcher` (declared in `fetching/git-fetcher/package.json`) and `pnpm/fetching.tarball-fetcher`. There is no top-level `pnpm/fetching` package. Changesets targeting the git-fetcher should use `"pnpm/fetching.git-fetcher"`.

Applied to files:

  • package.json
📚 Learning: 2026-05-23T17:30:06.849Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11878
File: resolving/npm-resolver/src/createNpmResolutionVerifier.ts:381-418
Timestamp: 2026-05-23T17:30:06.849Z
Learning: In `resolving/npm-resolver/src/pickPackage.ts` (pnpm/pnpm), the resolver's `PackageMetaCache` keys by `name` (abbreviated) and `name:full` (full metadata) only — no registry component is included. This is a pre-existing limitation meaning that if two different registries serve packages of the same name in one install, the cache will only hold the first fetched entry. The `createNpmResolutionVerifier.ts` shares this same cache and inherits the limitation; a `validateSharedMeta` name-check guards against cross-package contamination but cannot distinguish same-named packages from different registries. Tightening to a registry-qualified key would require a coordinated change to the resolver's cache key shape. The Pacquet/Rust side is already registry-qualified (`{registry}\x00{name}:full`).

Applied to files:

  • package.json
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.

Applied to files:

  • package.json
🔇 Additional comments (2)
package.json (1)

61-61: LGTM!

Also applies to: 65-65

pnpm-workspace.yaml (1)

237-237: ⚖️ Poor tradeoff

Validate runtime: usage inside catalog entries (node: runtime:^26.3.0)

pnpm-workspace.yaml (catalog section) adds node: runtime:^26.3.0. Pacquet’s catalog-mode rules intentionally skip runtime: specifiers from catalog promotion because they’re meant to round-trip to devEngines.runtime (so cataloging/routing via "node": "catalog:<name>" could strand the runtime: value in devDependencies instead of going through devEngines.runtime). Also, the catalog range ^26.3.0 may not match devEngines.runtime if that is an exact 26.3.0. Please confirm pnpm’s supported behavior for runtime: inside catalogs and adjust the catalog entry if this is not intended.

Comment thread package.json Outdated
@zkochan zkochan changed the title chore: update lockfile, Node.js, pnpm, and pacquet versions chore: update lockfile and pnpm Jun 5, 2026
@zkochan zkochan merged commit 9f002da into main Jun 5, 2026
8 checks passed
@zkochan zkochan deleted the chore/update-lockfile branch June 5, 2026 08:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant