Skip to content

build: update pnpm to v10.34.5 (22.0.x)#33558

Open
angular-robot wants to merge 1 commit into
angular:22.0.xfrom
angular-robot:ng-renovate/22.0.x-pnpm-10-x
Open

build: update pnpm to v10.34.5 (22.0.x)#33558
angular-robot wants to merge 1 commit into
angular:22.0.xfrom
angular-robot:ng-renovate/22.0.x-pnpm-10-x

Conversation

@angular-robot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pnpm (source) 10.34.410.34.5 age adoption passing confidence

  • If you want to rebase/retry this PR, check this box

Release Notes

pnpm/pnpm (pnpm)

v10.34.5: pnpm 10.34.5

Compare Source

Patch Changes
  • 78e29fe: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at iterateHashedGraphNodes, the single point every global-virtual-store slot path funnels through.
  • 78e29fe: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 47ef6f0: Fixed switching to and self-updating to pnpm v12. pnpm v12 (the Rust port) ships as the pnpm and @pnpm/exe npm packages whose bins are placeholders replaced at install time by the host's native binary from a @pnpm/exe.<platform>-<arch>[-musl] optional dependency. Because pnpm installs its own engine with --ignore-scripts, that relinking never ran, leaving a non-executable placeholder. pnpm now relinks the native binary itself for v12 (recognizing the new platform-package naming scheme and the native pnpm package), and verifies the native binary's npm registry signature before running it.
  • 36928be: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry.
Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

See associated pull request for more information.
@angular-robot angular-robot added action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only] labels Jul 13, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the pnpm package manager version from 10.34.4 to 10.34.5 in both MODULE.bazel and package.json, along with updating the corresponding integrity hash. There are no review comments, and I have no feedback to provide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant