@renovate renovate bot commented Nov 1, 2025

This PR contains the following updates:

Package | Change | Age | Confidence
pnpm (source) | 10.18.3 -> 10.21.0 | age | confidence

Release Notes

pnpm/pnpm (pnpm)

v10.21.0

Compare Source

v10.20.0

Compare Source

Minor Changes
  • Support --all option in pnpm --help to list all commands #​8628.
Patch Changes
  • When the latest version doesn't satisfy the maturity requirement configured by minimumReleaseAge, pick the highest version that is mature enough, even if it has a different major version #​10100.
  • create command should not verify patch info.
  • Set managePackageManagerVersions to false, when switching to a different version of pnpm CLI, in order to avoid subsequent switches #​10063.

v10.19.0

Compare Source

Minor Changes
  • You can now allow specific versions of dependencies to run postinstall scripts. onlyBuiltDependencies now accepts package names with lists of trusted versions. For example:

    onlyBuiltDependencies:
      - [email protected] || 21.6.5
      - [email protected]

    Related PR: #​10104.

  • Added support for exact versions in minimumReleaseAgeExclude #​9985.

    You can now list one or more specific versions that pnpm should allow to install, even if those versions don’t satisfy the maturity requirement set by minimumReleaseAge. For example:

    minimumReleaseAge: 1440
    minimumReleaseAgeExclude:
      - [email protected]
      - [email protected] || 5.102.1

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by mheob. View repository job log here
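
Added example, not part of this PR thread and not pnpm's own code: a simplified JavaScript model of the selection rule the release notes above describe for minimumReleaseAge and minimumReleaseAgeExclude. It assumes minimumReleaseAge is given in minutes; the package name `example-pkg`, the version numbers, the publish times and the helper names are constructed for illustration.

```javascript
// Added illustration: a simplified model, not pnpm's implementation.
// Package name, versions and publish times are constructed sample data.
const MINUTE_MS = 60 * 1000; // minimumReleaseAge is assumed to be in minutes

// Compare plain x.y.z versions numerically (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// "name@1.0.0 || 1.0.1" -> { name, versions: [...] }; a bare name exempts all versions.
function parseExclude(entry) {
  const at = entry.lastIndexOf('@');
  if (at <= 0) return { name: entry, versions: null };
  const versions = entry.slice(at + 1).split('||').map((v) => v.trim());
  return { name: entry.slice(0, at), versions };
}

// Highest version that is old enough or explicitly exempt; null if none qualifies.
function pickVersion(name, publishTimes, config, now) {
  const cutoff = now - config.minimumReleaseAge * MINUTE_MS;
  const rules = (config.minimumReleaseAgeExclude || [])
    .map(parseExclude)
    .filter((r) => r.name === name);
  const exempt = (v) => rules.some((r) => r.versions === null || r.versions.includes(v));
  const allowed = Object.keys(publishTimes)
    .filter((v) => exempt(v) || Date.parse(publishTimes[v]) <= cutoff)
    .sort(compareVersions);
  return allowed.length ? allowed[allowed.length - 1] : null;
}

const NOW = Date.parse('2025-11-01T12:00:00Z');
const SAMPLE_TIMES = {
  '1.9.0': '2025-10-01T00:00:00Z', // a month old
  '2.0.0': '2025-11-01T09:00:00Z', // 3 hours old
  '2.0.1': '2025-11-01T11:30:00Z', // 30 minutes old
};

// No exclusions: both 2.x releases are too fresh, so the pick crosses a major.
console.log(pickVersion('example-pkg', SAMPLE_TIMES, { minimumReleaseAge: 1440 }, NOW));
// One reviewed version exempted: 2.0.0 is allowed, 2.0.1 still is not.
console.log(pickVersion('example-pkg', SAMPLE_TIMES,
  { minimumReleaseAge: 1440, minimumReleaseAgeExclude: ['example-pkg@2.0.0'] }, NOW));
```

Exempting an exact version rather than the bare package name keeps every later release of that package subject to the maturity delay.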

vercel bot commented Nov 1, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
eslint-config | Ready | Preview | Comment | Nov 10, 2025 1:47am

changeset-bot bot commented Nov 1, 2025

⚠️ No Changeset found

Latest commit: bb6575d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

coderabbitai bot commented Nov 1, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

claude bot commented Nov 1, 2025

PR Review - pnpm Update v10.18.3 → v10.20.0

Summary

This is a straightforward dependency update from Renovate Bot upgrading pnpm from 10.18.3 to 10.20.0. The changes are limited to the package manager version in package.json and the corresponding lockfile updates.

Code Quality ✅

  • Clean update: Only affects package.json (1 line) and pnpm-lock.yaml (dependency resolution updates)
  • Conventional commits: PR title follows the conventional commit format (chore(deps))

Changes Analysis

New Features (Minor)

  1. --all flag for help: New option to list all commands in pnpm --help
  2. Version-specific build allowlist: onlyBuiltDependencies now accepts version ranges (e.g., [email protected] || 21.6.5)
  3. minimumReleaseAgeExclude exact versions: Can now specify exact versions to bypass maturity requirements

Bug Fixes (Patch)

  • Better handling when latest version doesn't meet maturity requirements
  • create command no longer verifies patch info unnecessarily
  • Fixes managePackageManagerVersions behavior when switching pnpm versions

Compatibility Assessment ✅

Project Configuration Compatibility:

  • onlyBuiltDependencies (pnpm-workspace.yaml:3-5): Currently uses simple package names (esbuild, unrs-resolver). The new version-range feature is optional and backward compatible.
  • No minimumReleaseAge config: Project doesn't use this feature, so the new exclusion capability is not applicable but harmless.
  • Node version: Project requires >=22.20.0, well above pnpm's requirement of ^18.18.0 || ^20.9.0 || >=21.1.0

Lockfile Changes ✅

The pnpm-lock.yaml changes show:

  • 74 additions, 236 deletions - Net reduction in lockfile size is normal for dependency resolution optimization
  • Removed duplicate @typescript-eslint/* versions: Consolidated from v8.46.1 to v8.46.2 (good - removes duplicate resolution)
  • Removed duplicate semver versions: Consolidated from v7.7.2 to v7.7.3
  • Removed duplicate utility package versions: fdir, get-tsconfig, magic-string, tinyglobby - all deduplicated to latest patch versions
  • Source map codec consolidation: Removed @jridgewell/[email protected], kept only v1.5.5

These changes represent improved dependency resolution and deduplication, which is expected and beneficial.

Potential Issues 🟡

Minor consideration:

  • The lockfile shows consolidation to newer patch versions of TypeScript ESLint packages (8.46.1 → 8.46.2). While this is generally safe for patch updates, it's worth verifying that the build and lint processes complete successfully.

Security Concerns ✅

  • No security concerns identified
  • This is a minor version bump with backward-compatible changes
  • All changes are from the official pnpm team

Performance Considerations ✅

  • Lockfile deduplication should result in slightly smaller node_modules size
  • No negative performance impacts expected
  • The new features are opt-in and don't affect existing behavior

Recommendations

  1. Safe to merge - This is a low-risk update with backward-compatible changes
  2. CI validation - Ensure CI passes to confirm compatibility with consolidated dependencies
  3. 💡 Optional enhancement - Consider using the new version-specific onlyBuiltDependencies syntax if you need more granular control over which package versions can run postinstall scripts

Test Plan

The existing CI should cover:

  • ✅ Build process (pnpm build)
  • ✅ Linting (pnpm lint)
  • ✅ Type checking
  • ✅ All workspace packages

Verdict: LGTM - This is a clean, low-risk dependency update. The lockfile changes represent beneficial deduplication. No breaking changes detected.

renovate bot force-pushed the renovate/pnpm-10.x branch from 612d493 to bb6575d on November 10, 2025 01:46

renovate bot changed the title from "chore(deps): update pnpm to v10.20.0" to "chore(deps): update pnpm to v10.21.0" on Nov 10, 2025