
Update pnpm to v10 #41821

Merged: 6 commits from renovate/pnpm-10.x into trunk on Feb 17, 2025

Conversation


@matticbot matticbot commented Feb 14, 2025

I modified two things after Renovate:

  • Both package.json and .github/versions.sh were updated to use 10.4.0. Is this okay, or should I stick to 10.0.0? 939d785
  • pnpm link is automatically global now: ac3c8ef
  • Updated .npmrc:
    • strict-dep-builds = true
    • verify-deps-before-run = warn
  • Updated package.json to ignore a few packages that can't build but don't need to with .pnpm.ignoredBuiltDependencies.

This PR contains the following updates:

Package        Type            Update  Change
pnpm (source)  packageManager  major   9.15.0 -> 10.4.0
pnpm (source)  engines         major   ^9.15.0 -> ^10.0.0

Release Notes

pnpm/pnpm (pnpm)

v10.4.0


Minor Changes
  • pnpm approve-builds --global works now for allowing dependencies of globally installed packages to run postinstall scripts.

  • The pnpm add command now supports a new flag, --allow-build, which allows building the specified dependencies. For instance, if you want to install a package called bundle that has esbuild as a dependency and want to allow esbuild to run postinstall scripts, you can run:

    pnpm --allow-build=esbuild add bundle
    

    This will run esbuild's postinstall script and also add it to the pnpm.onlyBuiltDependencies field of package.json. So, esbuild will always be allowed to run its scripts in the future.

    Related PR: #​9086.

  • The pnpm init command adds a packageManager field with the current version of pnpm CLI #​9069. To disable this behaviour, set the init-package-manager setting to false.

Patch Changes
  • pnpm approve-builds should work after two consecutive pnpm install runs #​9083.
  • Fix instruction for updating pnpm with corepack #​9101.
  • The pnpm version specified by packageManager cannot start with v.

v10.3.0


Minor Changes
  • Added a new setting called strict-dep-builds. When enabled, the installation will exit with a non-zero exit code if any dependencies have unreviewed build scripts (aka postinstall scripts) #​9071.
Patch Changes
  • Fix a false negative of verify-deps-before-run after pnpm install --production|--no-optional #​9019.
  • Print the warning about blocked installation scripts at the end of the installation output and make it more prominent.

v10.2.1


Patch Changes
  • Don't read a package from side-effects cache if it isn't allowed to be built #​9042.
  • pnpm approve-builds should work, when executed from a subdirectory of a workspace #​9042.
  • pnpm deploy --legacy should work without injected dependencies.
  • Add information about how to deploy without "injected dependencies" to the "pnpm deploy" error message.

v10.2.0


Minor Changes
  • Packages executed via pnpm dlx and pnpm create are allowed to be built (run postinstall scripts) by default.

    If the packages executed by dlx or create have dependencies that have to be built, they should be listed via the --allow-build flag. For instance, if you want to run a package called bundle that has esbuild in dependencies and want to allow esbuild to run postinstall scripts, run:

    pnpm --allow-build=esbuild dlx bundle
    

    Related PR: #​9026.

Patch Changes
  • Quote args for scripts with shell-quote to support new lines (on POSIX only) #​8980.
  • Fix a bug in which pnpm deploy fails to read the correct projectId when the deploy source is the same as the workspace directory #​9001.
  • Proxy settings should be respected, when resolving Git-hosted dependencies #​6530.
  • Prevent overrides from adding invalid version ranges to peerDependencies by keeping the peerDependencies and overriding them with prod dependencies #​8978.
  • Sort the package names in the "pnpm.onlyBuiltDependencies" list saved by pnpm approve-builds.

v10.1.0


Minor Changes
  • Added a new command for printing the list of dependencies with ignored build scripts: pnpm ignored-builds #​8963.
  • Added a new command for approving dependencies for running scripts during installation: pnpm approve-builds #​8963.
  • Added a new setting called optimistic-repeat-install. When enabled, a fast check will be performed before proceeding to installation. This way a repeat install or an install on a project with everything up-to-date becomes a lot faster. But some edge cases might arise, so we keep it disabled by default for now #​8977.
  • Added a new field "pnpm.ignoredBuiltDependencies" for explicitly listing packages that should not be built. When a package is in the list, pnpm will not print an info message about that package not being built #​8935.
Patch Changes
  • Verify that the package name is valid when executing the publish command.
  • When running pnpm install, the preprepare and postprepare scripts of the project should be executed #​8989.
  • Allow workspace: and catalog: to be part of wider version range in peerDependencies.
  • pnpm deploy should inherit the pnpm object from the root package.json #​8991.
  • Make sure that the deletion of a node_modules in a sub-project of a monorepo is detected as out-of-date #​8959.
  • Fix infinite loop caused by lifecycle scripts using pnpm to execute other scripts during pnpm install with verify-deps-before-run=install #​8954.
  • Replace strip-ansi with the built-in util.stripVTControlCharacters #​9009.
  • Do not print patched dependencies as ignored dependencies that require a build #​8952.

v10.0.0


Major Changes
  • Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #​8897. For example:

    {
      "pnpm": {
        "onlyBuiltDependencies": ["fsevents"]
      }
    }
  • pnpm link behavior updated:

    The pnpm link command now adds overrides to the root package.json.

    • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
    • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g.
      Related PR: #​8653
  • Secure hashing with SHA256:

    Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

    • Long paths inside node_modules/.pnpm are now hashed with SHA256.
    • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
    • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
    • The side effects cache keys now use SHA256.
    • The pnpmfile checksum in the lockfile now uses SHA256 (#​8530).
  • Configuration updates:

    • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

    • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #​8378

    • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

    • virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

    • Reduced environment variables for scripts:
      During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain.
      Related Issue: #​8552

    • All dependencies are now installed even if NODE_ENV=production. Related Issue: #​8827

  • Changes to the global store:

    • Store version bumped to v10.

    • Some registries allow identical content to be published under different package names or versions. To accommodate this, index files in the store are now stored using both the content hash and package identifier.

      This approach ensures that we can:

      1. Validate that the integrity in the lockfile corresponds to the correct package, which might not be the case after a poorly resolved Git conflict.
      2. Allow the same content to be referenced by different packages or different versions of the same package.
        Related PR: #​8510
        Related Issue: #​8204
    • More efficient side effects indexing. The structure of index files in the store has changed. Side effects are now tracked more efficiently by listing only file differences rather than all files.
      Related PR: #​8636

    • A new index directory stores package content mappings. Previously, these files were in files.

  • Other breaking changes:

    • The # character is now escaped in directory names within node_modules/.pnpm.
      Related PR: #​8557
    • Running pnpm add --global pnpm or pnpm add --global @​pnpm/exe now fails with an error message, directing you to use pnpm self-update instead.
      Related PR: #​8728
    • Dependencies added via a URL now record the final resolved URL in the lockfile, ensuring that any redirects are fully captured.
      Related Issue: #​8833
    • The pnpm deploy command now only works in workspaces that have inject-workspace-packages=true. This limitation is introduced to allow us to create a proper lockfile for the deployed project using the workspace lockfile.
    • Removed conversion from lockfile v6 to v9. If you need v6-to-v9 conversion, use pnpm CLI v9.
    • pnpm test now passes all parameters after the test keyword directly to the underlying script. This matches the behavior of pnpm run test. Previously you needed to use the -- prefix.
      Related PR: #​8619
  • node-gyp updated to version 11.

  • pnpm deploy now tries creating a dedicated lockfile from a shared lockfile for deployment. It will fallback to deployment without a lockfile if there is no shared lockfile or force-legacy-deploy is set to true.

Minor Changes
  • Added support for a new type of dependencies called "configurational dependencies". These dependencies are installed before all the other types of dependencies (before "dependencies", "devDependencies", "optionalDependencies").

    Configurational dependencies cannot have dependencies of their own or lifecycle scripts. They should be added using exact version and the integrity checksum. Example:

    {
      "pnpm": {
        "configDependencies": {
          "my-configs": "1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="
        }
      }
    }

    Related RFC: #​8.
    Related PR: #​8915.

  • New settings:

    • New verify-deps-before-run setting. This setting controls how pnpm checks node_modules before running scripts:

      • install: Automatically run pnpm install if node_modules is outdated.
      • warn: Print a warning if node_modules is outdated.
      • prompt: Prompt the user to confirm running pnpm install if node_modules is outdated.
      • error: Throw an error if node_modules is outdated.
      • false: Disable dependency checks.
        Related Issue: #​8585
    • New inject-workspace-packages setting enables hard-linking all local workspace dependencies instead of symlinking them. Previously, this could be achieved using dependenciesMeta[].injected, which remains supported.
      Related PR: #​8836

  • Faster repeat installs:

    On repeated installs, pnpm performs a quick check to ensure node_modules is up to date.
    Related PR: #​8838

  • pnpm add integrates with default workspace catalog:

    When adding a dependency, pnpm add checks the default workspace catalog. If the dependency and version requirement match the catalog, pnpm add uses the catalog: protocol. Without a specified version, it matches the catalog’s version. If it doesn’t match, it falls back to standard behavior.
    Related Issue: #​8640

  • pnpm dlx now resolves packages to their exact versions and uses these exact versions for cache keys. This ensures pnpm dlx always installs the latest requested packages.
    Related PR: #​8811

  • No node_modules validation on certain commands. Commands that should not modify node_modules (e.g., pnpm install --lockfile-only) no longer validate or purge node_modules.
    Related PR: #​8657

v9.15.5: pnpm 9.15.5


Patch Changes

  • Verify that the package name is valid when executing the publish command.
  • When running pnpm install, the preprepare and postprepare scripts of the project should be executed #​8989.
  • Quote args for scripts with shell-quote to support new lines (on POSIX only) #​8980.
  • Proxy settings should be respected, when resolving Git-hosted dependencies #​6530.
  • Replace strip-ansi with the built-in util.stripVTControlCharacters #​9009.


v9.15.4: pnpm 9.15.4


Patch Changes

  • Ensure that recursive pnpm update --latest <pkg> updates only the specified package, with dedupe-peer-dependents=true.


v9.15.3: pnpm 9.15.3


Patch Changes

  • Fixed the Regex used to find the package manifest during packing #​8938.
  • pnpm update --filter <pattern> --latest <pkg> should only change the specified package for the specified workspace, when dedupe-peer-dependents is set to true #​8877.
  • Exclude .DS_Store file at patch-commit #​8922.
  • Fix a bug in which pnpm patch is unable to bring back old patch without specifying @version suffix #​8919.


v9.15.2: pnpm 9.15.2


Patch Changes

  • Fixed publish/pack error with workspace dependencies with relative paths #​8904. It was broken in v9.4.0 (398472c).
  • Use double quotes in the command suggestion by pnpm patch on Windows #​7546.
  • Do not fall back to SSH, when resolving a git-hosted package if git ls-remote works via HTTPS #​8906.
  • Improve how packages with blocked lifecycle scripts are reported during installation. Always print the list of ignored scripts at the end of the output. Include a hint about how to allow the execution of those packages.


v9.15.1: pnpm 9.15.1


Patch Changes

  • pnpm remove should not link dependencies from the workspace, when link-workspace-packages is set to false #​7674.
  • Installation with hoisted node_modules should not fail, when a dependency has itself in its own peer dependencies #​8854.


Configuration

📅 Schedule: Branch creation - "* 0-2 1 * *" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR has been generated by Renovate Bot.

@matticbot matticbot added [Status] Needs Review This PR is ready for review. [Type] Janitorial labels Feb 14, 2025
@matticbot
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Command failed: /tmp/monorepo/.github/files/renovate-post-upgrade-run.sh renovate/pnpm-10.x
warning: unable to access '/home/ubuntu/.config/git/attributes': Permission denied
 WARN  Issue while reading "/home/ubuntu/.npmrc". EACCES: permission denied, open '/home/ubuntu/.npmrc'
 WARN  Issue while reading "/home/ubuntu/.config/pnpm/rc". EACCES: permission denied, open '/home/ubuntu/.config/pnpm/rc'
warning: unable to access '/home/ubuntu/.config/git/ignore': Permission denied

Contributor

github-actions bot commented Feb 14, 2025

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the renovate/pnpm-10.x branch.

    • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.
  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack renovate/pnpm-10.x
    
    bin/jetpack-downloader test jetpack-mu-wpcom-plugin renovate/pnpm-10.x
    

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2


jp-launch-control bot commented Feb 14, 2025

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report

@tbradsha tbradsha mentioned this pull request Feb 14, 2025
1 task
@github-actions github-actions bot added the [Tools] Development CLI The tools/cli to assist during JP development. label Feb 14, 2025
@tbradsha tbradsha requested a review from a team February 14, 2025 21:41
@tbradsha tbradsha self-assigned this Feb 14, 2025
@matticbot
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Member

@zinigor zinigor left a comment


jetpack build --all worked fine for me with no problems; however, the link command failed:

$ jetpack cli link
  ❯ Linking the CLI
    ✖ Enabling global access to the CLI
      →  ERR_PNPM_LINK_BAD_PARAMS  You must provide a parameter
Error: Command failed with exit code 1: pnpm link
 ERR_PNPM_LINK_BAD_PARAMS  You must provide a parameter
    at makeError (file:///home/zinigor/workspace/jetpack/node_modules/.pnpm/[email protected]/node_modules/execa/lib/error.js:59:11)
    at handlePromise (file:///home/zinigor/workspace/jetpack/node_modules/.pnpm/[email protected]/node_modules/execa/index.js:119:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
  shortMessage: 'Command failed with exit code 1: pnpm link',
  command: 'pnpm link',
  escapedCommand: 'pnpm link',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: ' ERR_PNPM_LINK_BAD_PARAMS  You must provide a parameter',
  stderr: '',
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false,
  context: [Object: null prototype] {}
}

zinigor
zinigor previously approved these changes Feb 17, 2025
Copy link
Member

@zinigor zinigor left a comment


No, my bad, I didn't have pnpm set up properly to be able to link.

Copy link
Contributor

@anomiex anomiex left a comment


Both package.json and .github/versions.sh were updated to use 10.4.0. Is this okay, or should I stick to 10.0.0?

Either way is fine with me, as long as there aren't any important bugfixes (or lock file changes) between 10.0.0 and 10.4.0.

Looks like we may want to do at least 10.3.0 and set strict-dep-builds=true in .npmrc to avoid potential confusion if some dep has build scripts that get not-run and then that breaks something.

Looks like there are currently five packages with build scripts being ignored:

  • core-js: Looks like it just tries to display a "support me" message. But it seems pnpm hides it anyway. 🤷
  • swiper: Same, but this one was removed upstream in nolimits4web/swiper@12255cf anyway.
  • svelte-preprocess: Tries to echo a message about installing other stuff that might be needed. Again, it seems pnpm hides it.
  • @swc/core: Tries to npm install if certain deps haven't already been installed, ugh.
  • esbuild: Slightly better than swc, this one tries to manually download a package.

None seem to be required; it looks like whatever deps @swc/core or esbuild are checking for, we already get installed.

Other new configs we may want to look at:

  • verify-deps-before-run might be set to warn, prompt, or error.
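As an added illustration of the allow/ignore model discussed in this thread and in the v10.0.0 notes above (example code, not pnpm's own and not the Jetpack repo's): a small Node script that classifies dependencies declaring lifecycle scripts against pnpm.onlyBuiltDependencies and pnpm.ignoredBuiltDependencies, and mirrors what strict-dep-builds does with the unreviewed remainder. The helper names, the list of script names treated as build scripts, the sample manifests and their script bodies are all assumptions constructed for the example.

```javascript
// Added example (not pnpm's or the Jetpack repo's code): models pnpm v10's build-script gate.

// Script names treated here as build scripts needing approval (assumption: "prepare"
// included; pnpm's own list may differ).
const BUILD_SCRIPT_NAMES = ["preinstall", "install", "postinstall", "prepare"];

// Names of the build scripts a dependency manifest actually declares.
function buildScriptsOf(manifest) {
  const scripts = manifest.scripts || {};
  return BUILD_SCRIPT_NAMES.filter((n) => typeof scripts[n] === "string" && scripts[n].trim() !== "");
}

// Classify each dependency with build scripts as "allowed" (pnpm.onlyBuiltDependencies),
// "ignored" (pnpm.ignoredBuiltDependencies) or "unreviewed" (in neither list).
// Dependencies without build scripts are not reported; they never needed approval.
function classifyBuilds(rootManifest, depManifests) {
  const cfg = rootManifest.pnpm || {};
  const only = new Set(cfg.onlyBuiltDependencies || []);
  const ignored = new Set(cfg.ignoredBuiltDependencies || []);
  const report = { allowed: [], ignored: [], unreviewed: [] };
  for (const dep of depManifests) {
    const scripts = buildScriptsOf(dep);
    if (scripts.length === 0) continue;
    const entry = { name: dep.name, scripts };
    if (only.has(dep.name)) report.allowed.push(entry);
    else if (ignored.has(dep.name)) report.ignored.push(entry);
    else report.unreviewed.push(entry);
  }
  // Sort each list by package name, as pnpm approve-builds does for onlyBuiltDependencies.
  const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
  for (const list of Object.values(report)) list.sort(byName);
  return report;
}

// Exit status an install ends with: under strict-dep-builds any unreviewed build script
// fails the install (non-zero); otherwise pnpm only warns and exits 0.
function installExitCode(report, strictDepBuilds) {
  return report.unreviewed.length > 0 && strictDepBuilds ? 1 : 0;
}

// Minimal .npmrc reader for "key = value" lines (hypothetical helper; comments skipped).
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings;
}

// Constructed sample input: the five packages the review thread names, plus one without
// build scripts. The script bodies are placeholders, not the packages' real scripts.
const SAMPLE_ROOT = {
  name: "monorepo-sample",
  pnpm: { ignoredBuiltDependencies: ["core-js", "svelte-preprocess", "swiper"] },
};
const SAMPLE_DEPS = [
  { name: "core-js", scripts: { postinstall: "node placeholder-postinstall.js" } },
  { name: "swiper", scripts: { postinstall: "node placeholder-postinstall.js" } },
  { name: "svelte-preprocess", scripts: { postinstall: "node placeholder-postinstall.js" } },
  { name: "@swc/core", scripts: { postinstall: "node placeholder-postinstall.js" } },
  { name: "esbuild", scripts: { postinstall: "node placeholder-install.js" } },
  { name: "lodash", scripts: { test: "node placeholder-test.js" } },
];
const SAMPLE_NPMRC = "strict-dep-builds = true\nverify-deps-before-run = warn\n";

// With the PR's .npmrc, @swc/core and esbuild stay unreviewed, so the install fails
// until each is added to onlyBuiltDependencies or ignoredBuiltDependencies.
const SAMPLE_REPORT = classifyBuilds(SAMPLE_ROOT, SAMPLE_DEPS);
const SAMPLE_EXIT = installExitCode(SAMPLE_REPORT, parseNpmrc(SAMPLE_NPMRC)["strict-dep-builds"] === "true");
console.log(SAMPLE_REPORT.unreviewed.map((e) => e.name), "exit code", SAMPLE_EXIT);
```

Moving a package from ignoredBuiltDependencies to onlyBuiltDependencies changes only its classification; the exit code flips to 0 once the unreviewed list is empty.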

anomiex
anomiex previously approved these changes Feb 17, 2025
Copy link
Contributor

@anomiex anomiex left a comment


Seems ok. One suggestion to consider.

Also you'll probably want to have a P2 post ready to go announcing the update. See pdWQjU-15r-p2 for the last one.

package.json Outdated
"pnpm": {
"patchedDependencies": {
"@wordpress/dataviews": ".pnpm-patches/@[email protected]"
}
},
"onlyBuiltDependencies": [
Contributor

@anomiex anomiex Feb 17, 2025


Since we don't seem to actually need any of these, I might do

Suggested change
"onlyBuiltDependencies": [
"ignoredBuiltDependencies": [

instead. At the least we might drop core-js, svelte-preprocess, and swiper in there since their builds do nothing useful.

Contributor

@tbradsha tbradsha Feb 17, 2025


Yeah, I was hoping to do this, but when I ran it locally (with either ignoredBuiltDependencies or neverBuiltDependencies) I was still getting the ERR_PNPM_IGNORED_BUILDS error, and I didn't see any support for overrides in a brief skim of the source (pnpm/pnpm#9071). Does it work for you? 🤔

Contributor


Yeah, seems to work for me with ignoredBuiltDependencies and 10.4.0 or 10.4.1.

I had a typo earlier, copied from a typo in https://github.com/pnpm/pnpm/releases/tag/v10.4.1 😀

Contributor


Looks like it was my end (surprise!); clearing node_modules fixed it.

@tbradsha tbradsha merged commit af303b8 into trunk Feb 17, 2025
83 checks passed
@tbradsha tbradsha deleted the renovate/pnpm-10.x branch February 17, 2025 20:47
@github-actions github-actions bot removed the [Status] Needs Review This PR is ready for review. label Feb 17, 2025