Update npm dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/react (source)	19.2.14 → 19.2.15			devDependencies	patch
eslint-plugin-oxlint	1.65.0 → 1.66.0			devDependencies	minor
eslint-plugin-react-dom (source)	5.8.1 → 5.8.5			devDependencies	patch
eslint-plugin-react-jsx (source)	5.8.1 → 5.8.5			devDependencies	patch
eslint-plugin-react-naming-convention (source)	5.8.1 → 5.8.5			devDependencies	patch
eslint-plugin-react-x (source)	5.8.1 → 5.8.5			devDependencies	patch
node (source)	26.1.0 → 26.2.0				minor
oxfmt (source)	^0.50.0 → ^0.51.0			devDependencies	minor
oxlint (source)	1.65.0 → 1.66.0			devDependencies	minor
oxlint-tsgolint	^0.22.1 → ^0.23.0			devDependencies	minor
pnpm (source)	11.1.2 → 11.3.0				minor
typescript-eslint (source)	8.59.3 → 8.60.0			devDependencies	minor

---

Release Notes

oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)

v1.66.0

Compare Source

No significant changes

    View changes on GitHub

Rel1cx/eslint-react (eslint-plugin-react-dom)

v5.8.5

Compare Source

📝 Documentation

• Added rule implementation patterns guide (docs/rule-implementation-patterns.md) and term-based rule patterns guide (docs/term-based-rule-patterns.md).
• Lowered minimum TypeScript version requirement from 5.1.0 to 5.0.0 across README and documentation.
• Fixed textlint war-metaphor warnings and refined .textlintrc.json patterns.

🏗️ Internal

• Adjusted formatting across configuration and script files (#​1795).
• Fixed a typo in the CI test workflow step.
• Added regression tests for oxc issues compatibility verification (#​1796).
• Bumped dependencies across workspace packages:
  • @effect/language-service to ^0.86.2
  • @takumi-rs/image-response to ^1.3.0
  • @tsconfig/vite-react to ^8.0.6
  • @types/node to ^25.9.1
  • @types/react to ^19.2.15
  • eslint-plugin-package-json to ^1.1.0
  • fumadocs-core to ^16.9.0
  • fumadocs-mdx to ^15.0.7
  • fumadocs-ui to ^16.9.0
  • lru-cache to 11.5.0
  • nx to ^22.7.3
  • postcss to ^8.5.15
  • vite to ^8.0.14
  • vitest to ^4.1.7
  • pnpm to 11.2.1

v5.8.4

Compare Source

📝 Documentation

• Website: Restructured the FAQ page from an accordion layout to standard headings for better SEO, accessibility, and direct anchor linking.
• Website: Replaced the homepage Hint popover with a direct link to the FAQ anchor explaining the project's human/LLM collaboration policy.
• Added a new "What does 90% human-written mean?" section to the FAQ.
• Updated documentation for isClassComponent and JsxConfig.
• Removed outdated documentation files.

🏗️ Internal

• core: Simplified isClassComponent by removing the context parameter and replacing isClassComponentLoose with the simplified function.
• eslint-plugin-react-x: Removed unnecessary optional chaining across multiple rules (immutability, no-unused-state, purity, refs, set-state-in-effect, static-components, use-memo, etc.) and expanded test coverage for edge cases (#​1792).
• Added automated GitHub Release workflow and fixed actions/setup-node cache parameter error.
• Added null-safety boundary tests for rules affected by PR #​1792 (#​1794).
• Bumped dependencies across workspace packages: @takumi-rs/image-response to 1.2.1, fumadocs-mdx to 15.0.6, import-integrity-lint to 1.1.1, preact to 10.29.2, tsx to 4.22.1, @typescript-eslint to ^8.59.4, @types/node to ^25.9.0, dompurify to ^3.4.5, pnpm to 11.1.3, textlint to 15.7.1, and dprint TypeScript plugin to 0.96.1.
• Cleaned up stray empty string in tsl.config.ts.
• Cleaned up type and lint errors across the workspace (#​1793).
• Downgraded TypeScript override in pnpm-workspace.yaml from ^6.0.3 to 5.9.3.
• Fixed zizmor security audit findings in release workflow and moved ignore comments inline, removing .github/zizmor.yml.
• Removed scripts/verify-lockfile.ts, scripts/verify-devtools.ts, and all references to them.
• Reordered handler functions in react-jsx/no-children-prop (no logic change).
• Updated baseline metrics and compacted tsconfig.

Full Changelog: Rel1cx/eslint-react@v5.8.3...v5.8.4

v5.8.3

Compare Source

🐞 Fixes

• react-dom/no-unknown-property: Added React 19 precedence and blocking attributes to the known property allowlist with version-gated tag checks, preventing false positives on <style>, <link>, and <script> elements (#​1789, #​1790).

Full Changelog: Rel1cx/eslint-react@v5.8.2...v5.8.3

v5.8.2

Compare Source

📝 Documentation

• Added React 19 use hook guidance to error-boundaries, rules-of-hooks, and no-use-context docs.
• Added migration examples and corrected rule descriptions for class-component-related rules.
• Improved eslint-plugin-react-x rule documentation with scenario-based examples, Troubleshooting sections, and Further Reading links across 48 rule docs (#​1786).
• Removed inline ESLint error annotations (^^^) from documentation examples for better readability (#​1785).
• Updated migration guide for eslint-plugin-react with additional details.

🏗️ Internal

• Set up textlint and fixed inappropriate wording in documentation (#​1787).
• Bumped dependencies across workspace packages (#​1788).
• Updated pnpm-lock.yaml: bumped nx to 22.7.2 and brace-expansion to 5.0.5.

Full Changelog: Rel1cx/eslint-react@v5.8.1...v5.8.2

nodejs/node (node)

v26.2.0: 2026-05-20, Version 26.2.0 (Current), @​aduh95

Compare Source

Notable Changes

• [189d43a193] - doc: mark stream.compose stable (Matteo Collina) #​62562
• [f858c6140e] - (SEMVER-MINOR) fs: add Temporal.Instant support to Stats and BigIntStats (Livia Medeiros) #​60789
• [0cbb3895df] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155

Commits

• [9a394bab84] - benchmark: respect stream/iter broadcast backpressure (Trivikram Kamat) #​63314
• [ad98b4620b] - crypto: align verifyOneShot accepted types (Anshika Jain) #​63280
• [ba0736a847] - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL (Filip Skokan) #​63255
• [5573a6a4a8] - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL (Filip Skokan) #​63255
• [7dc563b8d6] - crypto: wire AES-KW in Web Cryptography when using BoringSSL (Filip Skokan) #​63255
• [b55e2b1f4d] - crypto: improve system certificate enumeration logic on macOS (Robo) #​62576
• [fd509a755a] - crypto: harden CryptoKey algorithm slots (Filip Skokan) #​63111
• [8657df39e7] - crypto: harden KeyObject internal slots (Filip Skokan) #​63111
• [729274e046] - crypto: reject invalid raw key imports (Filip Skokan) #​63134
• [8fc9cb9c01] - crypto: improve accuracy of SubtleCrypto.supports (Filip Skokan) #​63104
• [288065cb3f] - crypto: optimize normalizeAlgorithm dispatch hot path (Filip Skokan) #​62756
• [ecf3797d09] - debugger: disambiguate probe location binding (Joyee Cheung) #​63286
• [bdc57135fd] - debugger: add --help to node inspect and improve docs (Joyee Cheung) #​63201
• [2a6e6058e9] - deps: update undici to 8.3.0 (Node.js GitHub Bot) #​63377
• [327b927271] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [5828fadf52] - deps: update sqlite to 3.53.1 (Node.js GitHub Bot) #​63217
• [fe127a999b] - deps: update simdjson to 4.6.4 (Node.js GitHub Bot) #​62811
• [a34c4ea159] - deps: V8: cherry-pick 435a2cd (Matthias Liedtke) #​63136
• [ad91efcc43] - deps: cherry-pick libuv/libuv@a43e543 (Ali Hassan) #​63222
• [5ea6c3ee7e] - deps: add missing static linking targets for libffi (Paolo Insogna) #​63168
• [c1f6ba22b4] - deps: update ngtcp2 to 1.22.1 (Node.js GitHub Bot) #​62812
• [7b8767ef76] - doc: remove unsupported template type from v8.md (René) #​63410
• [b2ec1880b1] - doc: fix promise nomenclature in stream_iter.md (Antoine du Hamel) #​63406
• [cf6cbbd39d] - doc: fix article usage before vowel-sound acronyms (joao-oliveira-softtor) #​62696
• [da05065d98] - doc: remove the bi-monthly contributor spotlight section (Claudio Wunder) #​62734
• [c31f320fba] - doc: update http2's push and trailers events with rawHeaders param (YuSheng Chen) #​63259
• [f0d008439b] - doc: add Rust toolchain manual installation instructions Windows (Mike McCready) #​63367
• [68b1220fbd] - doc: remove inactive members from Triagers list (Antoine du Hamel) #​63329
• [189d43a193] - doc: mark stream.compose stable (Matteo Collina) #​62562
• [c4fb894039] - doc: fix CHANGELOG (Richard Lau) #​63292
• [9f319a77e4] - doc: reference correct function in Module docs (Robin Malfait) #​63247
• [2c13acc88e] - doc: replace Visual Studio 2022 Evergreen version reference with 17.14 (Mike McCready) #​63211
• [7e42c336c9] - doc: recommend explicitly Tier 1 or 2 for production applications (Mike McCready) #​63187
• [d99e0bb6d5] - doc: document Temporal configure flags in BUILDING.md (ChrisJr404) #​63248
• [c0ea77b305] - doc: run license-builder (github-actions[bot]) #​63232
• [8265aba0f4] - doc: add large pull requests contributing guide (Matteo Collina) #​62829
• [be241bacc8] - doc: remove unnecessary <!-- eslint- magic comments (Antoine du Hamel) #​63200
• [e0b1f092c3] - doc: fix inconsistencies in CJS code snippets (Antoine du Hamel) #​63199
• [a3feb15871] - doc: clarify SEA platform support excludes darwin-x64 (MJSHANG) #​63181
• [cafd7667fc] - doc: improve quic documentation (James M Snell) #​63157
• [3c784edb6f] - doc: update release steps when post-release fails (Rafael Gonzaga) #​63131
• [9de954e9be] - doc: fix deprecation list in 26.0.0 changelog (Antoine du Hamel) #​63147
• [20c553e456] - doc: add Hmac.digest() documentation-only deprecation (DEP0206) (Anshika Jain) #​63121
• [3494eae2c8] - doc: document the latest-vX.x schema (Marco Ippolito) #​63033
• [c02413d29d] - doc: remove list of versions in BUILDING.md (Antoine du Hamel) #​63113
• [53f9a902a1] - doc,sqlite: document entryPoint argument for loadExtension (Edy Silva) #​63152
• [f858c6140e] - (SEMVER-MINOR) fs: add Temporal.Instant support to Stats and BigIntStats (Livia Medeiros) #​60789
• [b2ba62ca0e] - fs: make Date properties on Stats enumerable (LiviaMedeiros) #​63328
• [0cbb3895df] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
• [f712e6856e] - http2: validate non-link headers in writeEarlyHints (Matteo Collina) #​62017
• [3acadae676] - lib: fix typo idenity => identity (Daijiro Wachi) #​63112
• [460329e886] - lib: fixes validator message (Daijiro Wachi) #​62823
• [9438c832b2] - lib: narrow ReadableStreamBYOBRequest.view return type to Uint8Array (RoomWithOutRoof) #​63017
• [c7d27c82c4] - lib: handle --permission-audit when propagating flags (Rafael Gonzaga) #​63047
• [9f19915276] - lib: optimize webidl conversion options (Filip Skokan) #​62756
• [771afd626a] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​63402
• [67d094a554] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​63235
• [9091398f3d] - meta: ignore AI assistants files (Matteo Collina) #​62612
• [96f19a16d0] - module: fix sync hook short-circuit in require() in imported CJS (Joyee Cheung) #​62920
• [45f3e3ef11] - node-api: support SharedArrayBuffer in napi_create_typedarray (Yilong Li) #​62710
• [d7afa617bb] - quic: send correct OpenSSL alert for ALPN mismatches (Tim Perry) #​63193
• [526313beb8] - quic: fixup quic stream variable chunk len (James M Snell) #​63230
• [1613c7fe70] - quic: support --allow-net permissions (James M Snell) #​63184
• [72ab7444a8] - quic: remove unused env_ variable in session_manager.h/cc (James M Snell) #​63177
• [2b55656778] - quic: remove unused binding variable in session.cc (James M Snell) #​63177
• [83f0d37400] - quic: ignore coverage for quic files (James M Snell) #​63149
• [7e6b77b14d] - quic: complete the internal implementation of QUIC (James M Snell) #​62876
• [71372418f1] - repl: fix dedup comparing normalized line against raw history (Daijiro Wachi) #​62886
• [20f40c2c25] - sqlite: keep source database alive during backup (Matteo Collina) #​62673
• [592f741bd0] - src: simplify OpenSSL feature gates (Filip Skokan) #​63255
• [520ab7ad40] - src: add BoringSSL EVP enumeration fallback (Filip Skokan) #​63206
• [12be49acbc] - src: support multiple versions in node.config.json (Marco Ippolito) #​63033
• [296f907585] - src: remove unused using declarations in node_task_queue (Mert Can Altin) #​63144
• [7703f11b3c] - src: skip JS callback for settled Promise.race losers (Felipe Coelho) #​62336
• [74ab710c3a] - src,sqlite: remove dead code (Edy Silva) #​63204
• [e49154f4c8] - stream: add sync iterable fast path to pipeTo (Trivikram Kamat) #​63318
• [537455e98d] - stream: fix merge handling for object-like sources (Trivikram Kamat) #​63356
• [e21b8a47f0] - stream: limit iter from sync iterable batches (Trivikram Kamat) #​63324
• [3bdb64dc67] - stream: cache minimum cursor count in broadcast (Trivikram Kamat) #​63322
• [81819add6b] - stream: remove unnecessary check (Antoine du Hamel) #​63030
• [22e3579d74] - stream: avoid retrying accepted pipeTo writes (Trivikram Kamat) #​63297
• [691915ea94] - stream: validate broadcast writer writev chunks (Trivikram Kamat) #​63300
• [253f5f4ca2] - stream: uncork fromWritable writev on chunk error (Trivikram Kamat) #​63295
• [aa6913cc4a] - stream: validate fromWritable() options before cache (Trivikram Kamat) #​63278
• [6c53ddb988] - stream: optimize single-slot push queue drain (Trivikram Kamat) #​63274
• [b568649f6f] - stream: preserve toReadableSync batch after backpressure (Trivikram Kamat) #​63276
• [cdcefd7e2f] - stream: cache minimum cursor count in share (Trivikram Kamat) #​63262
• [ba7000e4f7] - stream: minor stream/iter implementation edits (René) #​63132
• [c694999ab8] - test: disable Maglev in near-heap-limit worker test (Trivikram Kamat) #​63398
• [a6d6d51c1b] - test: deflake connection refused proxy tests (Trivikram Kamat) #​63395
• [31d89c4f59] - test: avoid repeated writes in watch helper (Trivikram Kamat) #​63386
• [6f3587c773] - test: deflake watch mode worker test (Trivikram Kamat) #​63384
• [a57aebaa73] - test: update tls/crypto behaviour expectations when using BoringSSL (Filip Skokan) #​63161
• [b871cff2db] - test: relax test-memory-usage arrayBuffers check (inoway46) #​63244
• [25189bcb95] - test: reduce flakiness of different-registry-per-thread (Antoine du Hamel) #​63244
• [5bdb1f8426] - test: fix flaky test-watch-mode-inspect timeout (Matteo Collina) #​63361
• [d57bd2bf59] - test: relax min assertion in test-performance-eventloopdelay (Marco) #​63100
• [014e1f00c1] - test: avoid flaky restart sync in debugger exceptions test (Yuya Inoue) #​62055
• [dd28ff8a80] - test: avoid initial-break wait in restart-message (inoway46) #​62060
• [e89a49a13a] - test: move FFI tests to NATIVE_SUITES (Antoine du Hamel) #​63165
• [51ef0258ba] - test: update WPT for wasm/jsapi to 288c467 (Node.js GitHub Bot) #​63136
• [c0175a9ba1] - test: use ERM to destroy sqlite database handles after tests (René) #​63076
• [83054e8aba] - test_runner: avoid hanging on incomplete v8 frames (Ali Hassan) #​62704
• [4f1426d361] - test_runner: fix hooks test context (Moshe Atlow) #​63285
• [6a4c4b7193] - test_runner: fix diagnostics channel context tracking (Moshe Atlow) #​63283
• [eba9c3481b] - test_runner: add tags option and tag-name filter (Chemi Atlow) #​63221
• [2ba124f23b] - tls: add unsupported renegotiation error (Filip Skokan) #​63161
• [7c5048495a] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #​63075
• [6c574110a7] - tools: update gyp-next to 0.22.2 (Node.js GitHub Bot) #​63374
• [f14ed762b3] - tools: add boringssl to tools/nix/openssl-matrix.nix (Filip Skokan) #​63206
• [14d3924c48] - tools: fix test426 updater (Antoine du Hamel) #​63271
• [0d017ece8d] - tools: filter V8 scripts for build toolchain (Richard Lau) #​63069
• [3859a8700e] - tools: use different branch for tool updates on staging branches (Antoine du Hamel) #​63110
• [4a32ed82bd] - tools: prevent lib code from reading KeyObject and CryptoKey accessors (Filip Skokan) #​63111

oxc-project/oxc (oxfmt)

v0.51.0

Compare Source

oxc-project/oxc (oxlint)

v1.66.0

Compare Source

🚀 Features

• 0440b0f linter/eslint: Implement id-match rule (#​22379) (Vladislav Sayapin)
• 65bf119 linter: Implement react no-object-type-as-default-prop (#​22481) (uhyo)
• 2a6ddce linter/eslint: Implement no-implied-eval rule (#​22391) (Vladislav Sayapin)
• 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#​21788) (kapobajza)
• 37680b0 linter: Implement react no-unstable-nested-components (#​22248) (Jovi De Croock)
• d8d9c74 linter: Implement import/newline-after-import rule (#​19142) (Ryuya Yanagi)

oxc-project/tsgolint (oxlint-tsgolint)

v0.23.0

Compare Source

What's Changed

• chore(deps): update crate-ci/typos action to v1.45.2 by @​renovate[bot] in #​915
• feat: add skill for upgrading typescript-go by @​camc314 in #​918
• chore(deps): update pnpm to v10.33.2 by @​renovate[bot] in #​921
• chore: update typescript-go submodule by @​camc314 in #​922
• fix: attach tsconfig path to diagnostics by @​camc314 in #​923
• fix(prefer-nullish-coalescing): parenthesize mixed logical fixes by @​camc314 in #​924
• tests(return-await): cover non-async arrow functions by @​camc314 in #​926
• chore(deps): update github.com/go-json-experiment/json digest to b6187a3 by @​renovate[bot] in #​927
• chore(deps): update github actions by @​renovate[bot] in #​928
• chore(deps): update crate-ci/typos action to v1.46.0 by @​renovate[bot] in #​929
• chore(deps): update module github.com/dlclark/regexp2 to v2 by @​renovate[bot] in #​930
• chore: update typescript-go submodule by @​camc314 in #​931
• chore(deps): update typescript-go digest to 48e2953 by @​renovate[bot] in #​933
• chore(deps): update typescript-go digest to 5eb880f by @​renovate[bot] in #​936
• fix(no-misused-promises): handle empty JSX attributes by @​camc314 in #​938
• fix(no-unsafe-enum-comparison): flag string literal unions by @​camc314 in #​937
• chore(deps): update typescript-go digest to e1f8f97 by @​renovate[bot] in #​939
• chore(deps): update typescript-go digest to 092b34f by @​renovate[bot] in #​940
• chore: configure typescript-go renovate schedule by @​camc314 in #​941
• chore(deps): update github actions by @​renovate[bot] in #​945
• chore(deps): update dependency dprint-typescript to v0.96.0 by @​renovate[bot] in #​947
• chore(deps): update gomod by @​renovate[bot] in #​946
• chore(deps): update crate-ci/typos action to v1.46.1 by @​renovate[bot] in #​948
• fix(prefer-nullish-coalescing): emit suggestion over fix by @​camc314 in #​951
• chore: update packageManager to pnpm 11.0.4 by @​Boshen in #​953
• chore: update typescript-go submodule by @​camc314 in #​955
• fix(no-nullable-type-assertion-style): use suggestion instead of fix by @​camc314 in #​956
• docs: Update Go version requirement to 1.26 in CONTRIBUTING.md. by @​connorshea in #​957
• fix: allow safe promise intersection members by @​camc314 in #​959
• ci: switch security workflow to ubuntu-latest by @​Boshen in #​962
• chore(deps): update dependency vitest to v4.1.6 by @​renovate[bot] in #​963
• chore(deps): update module github.com/dlclark/regexp2/v2 to v2.0.3 by @​renovate[bot] in #​964
• chore(deps): update dependency dprint-markdown to v0.22.0 by @​renovate[bot] in #​965
• chore(deps): update github actions by @​renovate[bot] in #​966
• perf(no-unnecessary-type-parameters): stop counting settled candidates by @​camc314 in #​967
• chore: add dprint to pnpm allowBuilds by @​camc314 in #​968

Full Changelog: oxc-project/tsgolint@v0.22.1...v0.23.0

pnpm/pnpm (pnpm)

v11.3.0

Compare Source

Minor Changes

• Added pnpm stage with publish, list, view, approve, reject, and download subcommands for npm staged publishing.

• Added a new setting trustLockfile. When true, pnpm install skips the supply-chain verification pass that re-applies minimumReleaseAge / trustPolicy='no-downgrade' to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author. Defaults to false; verification stays on by default. Set in pnpm-workspace.yaml.

  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (~4k lockfile entries with minimumReleaseAge + trustPolicy: no-downgrade enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (time, per-version _npmUser.trustedPublisher, dist.attestations.provenance). The abbreviated-metadata cache is similarly projected to just the package-level modified field and the set of currently-listed version names. Fixes #​11860.

• Implemented pnpm pkg command natively, following npm pkg standards.

• Implemented pnpm repo command natively, following npm repo standards.

• Implemented pnpm set-script (alias ss) natively. Adds or updates an entry in the scripts field of the project manifest, supporting package.json, package.json5, and package.yaml formats.

• Add a skip-manifest-obfuscation option for pnpm pack and pnpm publish. When enabled, the original packageManager field and publish lifecycle scripts are kept in the packed/published manifest instead of being stripped. The pnpm-specific pnpm field continues to be omitted.

Patch Changes

• Fixed pnpm dlx failing with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when the installed package's CAS slot is missing its package.json. Observed in the wild for pnpm dlx node@runtime:<version> when the GVS slot was populated without the synthesized manifest runtime archives need (they don't ship a package.json of their own, so the synthesized one is the only way it gets there; an existing slot from an earlier code path that skipped the synthesis stays incomplete). The bin link itself is wired up from the resolution and remains valid, so dlx now falls back to the scopeless package name when the slot's manifest is unreadable — for single-bin packages (the dlx common case, including every runtime: spec) this matches what manifest.bin would have named. Multi-bin packages already require --package=<spec> <bin> to disambiguate and don't enter this code path.
• Fixed non-determinism in pnpm dedupe and pnpm install when a dependency graph contains packages with transitive peer dependencies on each other (e.g. @aws-sdk/client-sts and @aws-sdk/client-sso-oidc) and auto-install-peers is enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was that resolveDependencies pushed onto its pkgAddresses / postponedResolutionsQueue arrays from inside Promise.all-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes #​8155.
• Fixed a regression introduced by #​11711 where pnpm add <github-shorthand> (and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs or pnpm/test-git-fetch#sha) was silently dropped from the manifest update and from pendingBuilds. The alias-keyed lookup added in that PR couldn't find a wantedDependency whose alias was undefined at parse time but resolved to a package name only after fetching, so the entry never made it into specsToUpsert. Restored the original index-based pairing between directDependencies and wantedDependencies; the catalog-protocol preservation that PR was originally fixing is unaffected because it's driven by rdd.catalogLookup.userSpecifiedBareSpecifier, not by the lookup. Fixes the three rebuilds dependencies / rebuilds specific dependencies / rebuild with pending option failures in building/commands/test/build/index.ts.
• Fixed pnpm add --config leaving orphan entries in pnpm-lock.env.yaml (the optional subdependencies of the previously resolved version of the updated config dependency).

v11.2.2

Compare Source

Patch Changes

• When the install engine is delegated to pacquet via configDependencies, the user's CLI flags passed to pnpm install (e.g. --no-runtime, --prod, --dev, --no-optional, --node-linker, --cpu/--os/--libc, --offline, --prefer-offline) are now forwarded to pacquet's install subcommand verbatim. Previously pacquet was invoked with a fixed argument list, so flags like --no-runtime were silently dropped. Flag forwarding is gated on the command being install/i; add, update, and dedupe still don't forward (their flag surface doesn't line up with pacquet's install).
• Fixed pnpm up (and pnpm add / pnpm remove) failing with pacquet_package_manager::outdated_lockfile when pacquet is declared in configDependencies. pnpm now passes --ignore-manifest-check to pacquet so its --frozen-lockfile check doesn't fire against the (pre-mutation) package.json pnpm hasn't written yet #​11797. Requires a pacquet release that supports the flag — bump PACQUET_VERSION in the e2e tests once it ships.

v11.2.1

Compare Source

Patch Changes

• Mark optional subdependency snapshots of config dependencies with optional: true in the env lockfile, matching how optional dependencies are recorded elsewhere in pnpm-lock.yaml. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's optionalDependencies were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required.
• Fix pickRegistryForPackage returning the wrong registry for an unscoped npm: alias under a scoped local name. A manifest entry like "@​private/foo": "npm:lodash@^1" was routing the lodash fetch through registries["@​private"], even though lodash is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or null for an unscoped target, falling through to registries.default) instead of leaking into the local key's scope.
• Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed.

v11.2.0

Compare Source

Minor Changes

• Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #​11723.

  To configure pacquet in a project, run:

  pnpm add @​pnpm/pacquet --config
  

  You'll see changes in pnpm-workspace.yaml and pnpm-lock.yaml that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create.

• configDependencies now resolve and install one level of optionalDependencies declared by the config dependency, with os/cpu/libc platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via optionalDependencies — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so require('pkg-platform-arch') from inside the config dependency resolves correctly.

  The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDe

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.