Skip to content

Update all non-major dependencies#240

Merged
feeeedox merged 1 commit into
mainfrom
renovate/all-minor-patch
May 22, 2026
Merged

Update all non-major dependencies#240
feeeedox merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 21, 2026

This PR contains the following updates:

Package Change Age Confidence
astro (source) 6.3.56.3.6 age confidence
pnpm (source) 11.1.311.2.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

withastro/astro (astro)

v6.3.6

Compare Source

Patch Changes

  • #​16774 8f77583 Thanks @​astrobot-houston! - Fixes markdown images with empty alt text (![](image.jpg)) in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).

  • #​16776 3d10b5e Thanks @​matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()

  • #​16784 7453860 Thanks @​ematipico! - Improved the printing of the build time if it goes over the 60 seconds.

  • #​16665 3dbbcee Thanks @​Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".

    The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.

  • #​16777 1754b91 Thanks @​matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files

  • #​16730 068d924 Thanks @​harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.

pnpm/pnpm (pnpm)

v11.2.1

Compare Source

Patch Changes
  • Mark optional subdependency snapshots of config dependencies with optional: true in the env lockfile, matching how optional dependencies are recorded elsewhere in pnpm-lock.yaml. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's optionalDependencies were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required.
  • Fix pickRegistryForPackage returning the wrong registry for an unscoped npm: alias under a scoped local name. A manifest entry like "@​private/foo": "npm:lodash@^1" was routing the lodash fetch through registries["@​private"], even though lodash is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or null for an unscoped target, falling through to registries.default) instead of leaking into the local key's scope.
  • Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed.

v11.2.0

Compare Source

Minor Changes

  • Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #​11723.

    To configure pacquet in a project, run:

    pnpm add @​pnpm/pacquet --config

    You'll see changes in pnpm-workspace.yaml and pnpm-lock.yaml that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create.

  • configDependencies now resolve and install one level of optionalDependencies declared by the config dependency, with os/cpu/libc platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via optionalDependencies — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so require('pkg-platform-arch') from inside the config dependency resolves correctly.

    The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's optionalDependencies must declare an exact version — ranges and tags are rejected to keep installs reproducible.

  • Implement the documented pnpm login --scope <scope> flag. The scope is normalized (a leading @ is added if missing; blank values are ignored) and an @<scope>:registry=<registry> mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of @<scope>/* packages then route to the chosen registry. Previously pnpm login --scope foo errored with Unknown option: 'scope' despite the flag being listed in the online documentation #​11716.

  • pnpm outdated and pnpm update --interactive now report Node.js, Deno, and Bun runtimes installed as project dependencies (runtime: specifiers). Previously these were silently skipped.

Patch Changes

  • Fix cafile=<relative-path> in .npmrc being read from the wrong directory when pnpm is invoked from a different cwd (e.g. pnpm --dir <project> install from a CI wrapper or monorepo script). The path is now resolved against the directory of the .npmrc that declared it, not process.cwd(). Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path #​11624.

  • Fix config.registry getting a trailing slash appended when registry is set in .npmrc and no registries.default is provided by pnpm-workspace.yaml. The sync from registries.default to config.registry introduced in #​11744 now only fires when the workspace manifest actually contributes a different default.

  • Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error.

  • Fix two crashes with injectWorkspacePackages: true when the lockfile has been pruned (e.g. by turbo prune --docker):

    • Cannot use 'in' operator to search for 'directory' in undefined: a peer-dependency-variant injected snapshot inherits its resolution from the base packages: entry; when a pruner drops that base entry the readers crash. convertToLockfileObject now reconstructs the directory resolution from the file: depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot.
    • ERR_PNPM_ENOENT on node_modules/.bin/<tool>: after prepare/postinstall, runLifecycleHooksConcurrently re-imported each injected workspace package; the scanDir-into-filesMap workaround fed target-internal paths to the importer, which the makeEmptyDir fast path (#​11088) then wiped. Drop the workaround and pass keepModulesDir: true so the importer preserves the target's existing node_modules (bin links + transitive deps) and source files keep their hardlinks.

  • Fixed pnpm login and pnpm logout ignoring registries.default from pnpm-workspace.yaml #​10099.

  • Fix the minimumReleaseAge (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose modified field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a MISSING_TIME error when full metadata wasn't permitted). Since modified is an upper bound on every version's publish time, modified == publishedBy already implies every version passes the per-version <= filter in filterPkgMetadataByPublishDate, so the shortcut now accepts the boundary case directly. Strictly > (was >=) at the rejection branch.

  • Honor publishConfig.access when publishing packages.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 21, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@feeeedox feeeedox merged commit 4ad5fa1 into main May 22, 2026
8 checks passed
@feeeedox feeeedox deleted the renovate/all-minor-patch branch May 22, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@feeeedox