Support pnpm up to the newest versions

[TheCoreMan]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

We use pnpm on version 10.22.0, and when dependabot reports a vuln in one of our dependencies, it shows that it can't support creating a PR on it - with "pnpm version not supported"

Right now (at time of writing):

1. Docs state that pnpm 10 is supported (here: https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories)

2. Newest pnpm version is 10.27.0 (released yesterday). https://github.com/pnpm/pnpm/releases/tag/v10.27.0

Our current workaround is creating manual PRs with pnpm audit --fix or other manual upgrades.

[Magnus-V]

This is more relevant with the recent vulnerability with older pnpm 10 versions. After updating to pnpm 10.26, no longer compatible with dependabot.

https://www.miggo.io/vulnerability-database/cve/CVE-2025-69264

[cristobal]

Same here says only v10.16.0 is supported, how come it can't just use pnpm actions and use the specified engines field.

Otherwise would be nice to have a way to specify a pnpm version, strange that dependabot is so behind on using latest pnpm version, there's a list of security updates in pnpm that have been addressed since 10.16.0

[TheCoreMan]

Update - there was a security issue dubbed PackageGate so we've upgraded even further:

❯ pnpm --version
10.28.2

So supporting this became even more important as @cristobal mentioned.