chore(deps-dev): bump pnpm from 10.5.0 to 10.16.0 by dependabot[bot] · Pull Request #116 · step-security/action-setup

dependabot · 2025-09-12T22:12:28Z

Bumps pnpm from 10.5.0 to 10.16.0.

Release notes

pnpm 10.16

Minor Changes
There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.

The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

If you set minimumReleaseAge but need to disable this restriction for certain dependencies, you can list them under the minimumReleaseAgeExclude setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:
minimumReleaseAgeExclude:
  - webpack
Related issue: #9921.
Added support for finders #9946.

In the past, pnpm list and pnpm why could only search for dependencies by name (and optionally version). For example:
pnpm why minimist
prints the chain of dependencies to any installed instance of minimist:
verdaccio 5.20.1
├─┬ handlebars 4.7.7
│ └── minimist 1.2.8
└─┬ mv 2.1.1
  └─┬ mkdirp 0.5.6
    └── minimist 1.2.8
What if we want to search by other properties of a dependency, not just its name? For instance, find all packages that have react@17 in their peer dependencies?

This is now possible with "finder functions". Finder functions can be declared in .pnpmfile.cjs and invoked with the --find-by=<function name> flag when running pnpm list or pnpm why.

Let's say we want to find any dependencies that have React 17 in peer dependencies. We can add this finder to our .pnpmfile.cjs:
module.exports = {
  finders: {
    react17: (ctx) => {
      return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
  },
};
Now we can use this finder function by running:
pnpm why --find-by=react17

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.16.0

Minor Changes
There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.

The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

If you set minimumReleaseAge but need to disable this restriction for certain dependencies, you can list them under the minimumReleaseAgeExclude setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:
minimumReleaseAgeExclude:
  - webpack
Related issue: #9921.
Added support for finders #9946.

In the past, pnpm list and pnpm why could only search for dependencies by name (and optionally version). For example:
pnpm why minimist
prints the chain of dependencies to any installed instance of minimist:
verdaccio 5.20.1
├─┬ handlebars 4.7.7
│ └── minimist 1.2.8
└─┬ mv 2.1.1
  └─┬ mkdirp 0.5.6
    └── minimist 1.2.8
What if we want to search by other properties of a dependency, not just its name? For instance, find all packages that have react@17 in their peer dependencies?

This is now possible with "finder functions". Finder functions can be declared in .pnpmfile.cjs and invoked with the --find-by=<function name> flag when running pnpm list or pnpm why.

Let's say we want to find any dependencies that have React 17 in peer dependencies. We can add this finder to our .pnpmfile.cjs:
module.exports = {
  finders: {
    react17: (ctx) => {
      return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
  },
};

... (truncated)

Commits

a3c1498 chore(release): 10.16.0
e792927 feat: support finder functions for performing complex searches with list and ...
3d1711a chore(release): 10.15.1
f1552d1 refactor: replace p-any with Promise.any (#9911)
979ce80 chore(release): 10.15.0
facd765 refactor: always use extensions in relative imports (#9878)
c89c93d test: use @jest/globals (#9877)
14c78e8 test: use jest.mocked (#9874)
ba5f447 chore: update registry-mock to v5
dfea901 chore: use catalogs only in dependencies (#9868)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pnpm](https://github.com/pnpm/pnpm/tree/HEAD/pnpm) from 10.5.0 to 10.16.0. - [Release notes](https://github.com/pnpm/pnpm/releases) - [Changelog](https://github.com/pnpm/pnpm/blob/main/pnpm/CHANGELOG.md) - [Commits](https://github.com/pnpm/pnpm/commits/v10.16.0/pnpm) --- updated-dependencies: - dependency-name: pnpm dependency-version: 10.16.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2025-09-15T22:14:06Z

Superseded by #117.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Sep 12, 2025

dependabot bot mentioned this pull request Sep 12, 2025

chore(deps-dev): bump pnpm from 10.5.0 to 10.15.1 #110

Closed

dependabot bot closed this Sep 15, 2025

dependabot bot deleted the dependabot/npm_and_yarn/pnpm-10.16.0 branch September 15, 2025 22:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev): bump pnpm from 10.5.0 to 10.16.0#116

chore(deps-dev): bump pnpm from 10.5.0 to 10.16.0#116
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/pnpm-10.16.0

dependabot bot commented on behalf of github Sep 12, 2025

Uh oh!

dependabot bot commented on behalf of github Sep 15, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Sep 12, 2025

pnpm 10.16

Minor Changes

10.16.0

Minor Changes

Uh oh!

dependabot bot commented on behalf of github Sep 15, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants