chore: update dependencies (#12346)

* chore: update dependencies Update all catalog dependencies to their latest versions, except those held back by pnpm's supported Node.js floor (>=22.13) or known issues; each held-back entry now carries a comment in pnpm-workspace.yaml explaining why. Notable changes: - msgpackr 1.11.8 -> 2.0.4 (unpinned; types compile again and the store-index output is byte-compatible with 1.x in both directions) - typescript 5.9.3 -> 6.0.3, esbuild 0.28, commitlint 21, concurrently 10, eslint plugin majors (autofixed one import-sort error they introduced) - open 11, memoize 11, cli-truncate 6, pidtree 1, @yarnpkg/core 4.8, @rushstack/worker-pool 0.7.18 - removed unused nock devDependency and the deprecated @types/tar stub - bole stays on 5: bole 6 is ESM-only and under Jest the workspace logger's ESM copy and the published @pnpm/logger's CJS bole 5 no longer share the globalThis.$$bole output registry, breaking reporter assertions Held back due to Node >=22.13 support floor: ssri 14, write-file-atomic 8, validate-npm-package-name 8, normalize-package-data 9, npm-packlist 11, ini 7 (need ^22.22.2), undici 8 (needs >=22.19), cspell 10 (needs >=22.18; bumped to 9.8.0 instead). * chore: add changeset for updated dependency ranges Patch-bump every published package whose runtime dependency or peer dependency range changed in the dependency update, following the precedent of commit 09cf46f6 (update @pnpm/logger in peer dependencies).
2026-06-27 17:35:30 -04:00 · 2026-06-12 08:27:37 +02:00
parent 01b3d45ddb
commit a31faa7c19
8 changed files with 1260 additions and 1272 deletions
--- a/.changeset/update-dependency-ranges.md
+++ b/.changeset/update-dependency-ranges.md
@@ -0,0 +1,102 @@
+---
+"@pnpm/auth.commands": patch
+"@pnpm/bins.linker": patch
+"@pnpm/bins.remover": patch
+"@pnpm/building.after-install": patch
+"@pnpm/building.commands": patch
+"@pnpm/building.during-install": patch
+"@pnpm/cache.api": patch
+"@pnpm/cache.commands": patch
+"@pnpm/cli.commands": patch
+"@pnpm/cli.default-reporter": patch
+"@pnpm/cli.utils": patch
+"@pnpm/config.commands": patch
+"@pnpm/config.package-is-installable": patch
+"@pnpm/config.reader": patch
+"@pnpm/config.version-policy": patch
+"@pnpm/core-loggers": patch
+"@pnpm/deps.compliance.audit": patch
+"@pnpm/deps.compliance.commands": patch
+"@pnpm/deps.compliance.license-scanner": patch
+"@pnpm/deps.compliance.sbom": patch
+"@pnpm/deps.graph-builder": patch
+"@pnpm/deps.inspection.commands": patch
+"@pnpm/deps.inspection.list": patch
+"@pnpm/deps.inspection.outdated": patch
+"@pnpm/deps.inspection.peers-checker": patch
+"@pnpm/deps.inspection.tree-builder": patch
+"@pnpm/deps.path": patch
+"@pnpm/deps.peer-range": patch
+"@pnpm/deps.security.signatures": patch
+"@pnpm/deps.status": patch
+"@pnpm/engine.pm.commands": patch
+"@pnpm/engine.runtime.bun-resolver": patch
+"@pnpm/engine.runtime.commands": patch
+"@pnpm/engine.runtime.deno-resolver": patch
+"@pnpm/engine.runtime.node-resolver": patch
+"@pnpm/engine.runtime.system-version": patch
+"@pnpm/exec.commands": patch
+"@pnpm/exec.lifecycle": patch
+"@pnpm/fetching.directory-fetcher": patch
+"@pnpm/fetching.git-fetcher": patch
+"@pnpm/fetching.tarball-fetcher": patch
+"@pnpm/fs.hard-link-dir": patch
+"@pnpm/fs.indexed-pkg-importer": patch
+"@pnpm/fs.symlink-dependency": patch
+"@pnpm/global.commands": patch
+"@pnpm/global.packages": patch
+"@pnpm/hooks.pnpmfile": patch
+"@pnpm/hooks.read-package-hook": patch
+"@pnpm/installing.commands": patch
+"@pnpm/installing.context": patch
+"@pnpm/installing.deps-installer": patch
+"@pnpm/installing.deps-resolver": patch
+"@pnpm/installing.deps-restorer": patch
+"@pnpm/installing.env-installer": patch
+"@pnpm/installing.linking.direct-dep-linker": patch
+"@pnpm/installing.linking.hoist": patch
+"@pnpm/installing.linking.modules-cleaner": patch
+"@pnpm/installing.package-requester": patch
+"@pnpm/installing.read-projects-context": patch
+"@pnpm/lockfile.filtering": patch
+"@pnpm/lockfile.fs": patch
+"@pnpm/lockfile.merger": patch
+"@pnpm/lockfile.to-pnp": patch
+"@pnpm/lockfile.verification": patch
+"@pnpm/modules-mounter.daemon": patch
+"@pnpm/network.auth-header": patch
+"@pnpm/network.fetch": patch
+"@pnpm/network.web-auth": patch
+"@pnpm/object.key-sorting": patch
+"@pnpm/patching.apply-patch": patch
+"@pnpm/patching.commands": patch
+"@pnpm/patching.config": patch
+"@pnpm/pkg-manifest.utils": patch
+"@pnpm/registry-access.commands": patch
+"@pnpm/releasing.commands": patch
+"@pnpm/resolving.git-resolver": patch
+"@pnpm/resolving.local-resolver": patch
+"@pnpm/resolving.npm-resolver": patch
+"@pnpm/resolving.registry.pkg-metadata-filter": patch
+"@pnpm/store.cafs": patch
+"@pnpm/store.commands": patch
+"@pnpm/store.connection-manager": patch
+"@pnpm/store.controller": patch
+"@pnpm/store.create-cafs-store": patch
+"@pnpm/store.index": patch
+"@pnpm/worker": patch
+"@pnpm/workspace.injected-deps-syncer": patch
+"@pnpm/workspace.project-manifest-reader": patch
+"@pnpm/workspace.projects-reader": patch
+"@pnpm/workspace.range-resolver": patch
+"@pnpm/workspace.state": patch
+"@pnpm/workspace.workspace-manifest-writer": patch
+"pnpm": patch
+---
+
+Updated dependency ranges. Notably:
+
+- `@pnpm/logger` peer dependency range moved to `^1100.0.0`.
+- `msgpackr` 1.11.8 → 2.0.4 (store index files remain byte-compatible in both directions).
+- `open` ^7.4.2 → ^11.0.0, `memoize` ^10 → ^11, `cli-truncate` ^5 → ^6, `pidtree` ^0.6 → ^1.
+- `@yarnpkg/core` 4.5.0 → 4.8.0, `@rushstack/worker-pool` 0.7.7 → 0.7.18, `@cyclonedx/cyclonedx-library` 10.0.0 → 10.1.0, `@pnpm/config.nerf-dart` ^1 → ^2, `@pnpm/log.group` 3.0.2 → 4.0.1, `@pnpm/util.lex-comparator` ^3 → ^4.
--- a/utils/scripts/package.json
+++ b/utils/scripts/package.json
@@ -23,7 +23,6 @@
    "@pnpm/logger": "catalog:",
    "@pnpm/scripts": "workspace:*",
    "@types/normalize-path": "catalog:",
-    "@types/tar": "catalog:",
    "cross-env": "catalog:"
  },
  "jest": {
--- a/cli/commands/src/completion/completionServer.ts
+++ b/cli/commands/src/completion/completionServer.ts
@@ -1,7 +1,7 @@
 import type { CompletionFunc } from '@pnpm/cli.command'
 import type { ParsedCliArgs } from '@pnpm/cli.parse-cli-args'
-import { type CompletionItem, getShellFromEnv } from '@pnpm/tabtab'
 import tabtab from '@pnpm/tabtab'
+import { type CompletionItem, getShellFromEnv } from '@pnpm/tabtab'
 import { split as splitCmd } from 'split-cmd/index.modern.mjs'

 import { complete } from './complete.js'
--- a/deps/compliance/commands/package.json
+++ b/deps/compliance/commands/package.json
@@ -85,7 +85,6 @@
    "@types/semver": "catalog:",
    "@types/zkochan__table": "catalog:",
    "load-json-file": "catalog:",
-    "nock": "catalog:",
    "read-yaml-file": "catalog:",
    "tempy": "catalog:"
  },
--- a/installing/deps-installer/package.json
+++ b/installing/deps-installer/package.json
@@ -156,7 +156,6 @@
    "execa": "catalog:",
    "exists-link": "catalog:",
    "is-windows": "catalog:",
-    "nock": "catalog:",
    "path-name": "catalog:",
    "read-yaml-file": "catalog:",
    "resolve-link-target": "catalog:",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -74,21 +74,21 @@ catalog:
  '@babel/core': ^7.29.7
  '@babel/plugin-transform-explicit-resource-management': ^7.29.7
  '@changesets/cli': ^2.31.0
-  '@commitlint/cli': ^20.5.3
-  '@commitlint/config-conventional': ^20.5.3
-  '@commitlint/prompt-cli': ^20.5.3
-  '@cyclonedx/cyclonedx-library': 10.0.0
+  '@commitlint/cli': ^21.0.2
+  '@commitlint/config-conventional': ^21.0.2
+  '@commitlint/prompt-cli': ^21.0.2
+  '@cyclonedx/cyclonedx-library': 10.1.0
  '@eslint/js': ^10.0.1
  '@inquirer/prompts': ^8.4.3
-  '@jest/globals': 30.3.0
+  '@jest/globals': 30.4.1
  '@npm/types': ^2.1.0
  '@pnpm/byline': ^1.0.0
  '@pnpm/colorize-semver-diff': ^2.0.0
  '@pnpm/config.env-replace': ^4.1.0
-  '@pnpm/config.nerf-dart': ^1.0.1
+  '@pnpm/config.nerf-dart': ^2.0.1
  '@pnpm/exec': ^4.0.0
-  '@pnpm/log.group': 3.0.2
-  '@pnpm/logger': '^1001.0.1'
+  '@pnpm/log.group': 4.0.1
+  '@pnpm/logger': '^1100.0.0'
  '@pnpm/meta-updater': 2.0.6
  '@pnpm/nopt': ^0.3.1
  '@pnpm/npm-lifecycle': 1100.0.0-1
@@ -98,9 +98,9 @@ catalog:
  '@pnpm/semver-diff': ^2.0.0
  '@pnpm/tabtab': ^0.5.4
  '@pnpm/tgz-fixtures': 0.0.0
-  '@pnpm/util.lex-comparator': ^3.0.2
+  '@pnpm/util.lex-comparator': ^4.0.1
  '@reflink/reflink': 0.1.19
-  '@rushstack/worker-pool': 0.7.7
+  '@rushstack/worker-pool': 0.7.18
  '@stylistic/eslint-plugin': ^5.10.0
  '@types/adm-zip': ^0.5.8
  '@types/archy': 0.0.36
@@ -114,15 +114,17 @@ catalog:
  '@types/isexe': 2.0.4
  '@types/jest': ^30.0.0
  '@types/js-yaml': ^4.0.9
-  '@types/libnpmpublish': ^9.0.1
+  '@types/libnpmpublish': ^11.2.0
  '@types/lodash.kebabcase': 4.1.9
  '@types/lodash.throttle': 4.1.9
  '@types/micromatch': ^4.0.10
+  # Kept on 22.x to match pnpm's minimum supported Node.js version (>=22.13);
+  # newer majors would type APIs that don't exist on the supported floor.
  '@types/node': ^22.19.19
  '@types/normalize-package-data': ^2.4.4
  '@types/normalize-path': ^3.0.2
  '@types/object-hash': 3.0.6
-  '@types/parse-json': ^4.0.2
+  '@types/parse-json': ^7.0.0
  '@types/picomatch': ^4.0.3
  '@types/pnpm__byline': npm:@types/byline@^4.2.36
  '@types/proxyquire': ^1.3.31
@@ -131,17 +133,16 @@ catalog:
  '@types/retry': ^0.12.5
  '@types/semver': 7.7.1
  '@types/ssri': ^7.1.5
-  '@types/tar': ^7.0.87
  '@types/tar-stream': ^3.1.4
  '@types/touch': ^3.1.5
  '@types/validate-npm-package-name': ^4.0.2
  '@types/which': ^3.0.4
  '@types/write-file-atomic': ^4.0.3
  '@types/yarnpkg__lockfile': ^1.1.9
-  '@types/zkochan__table': npm:@types/table@6.0.0
-  '@typescript-eslint/utils': ^8.60.0
-  '@typescript/native-preview': 7.0.0-dev.20260421.2
-  '@yarnpkg/core': 4.5.0
+  '@types/zkochan__table': npm:@types/table@6.3.2
+  '@typescript-eslint/utils': ^8.61.0
+  '@typescript/native-preview': 7.0.0-dev.20260610.1
+  '@yarnpkg/core': 4.8.0
  '@yarnpkg/extensions': 2.0.6
  '@yarnpkg/lockfile': ^1.1.0
  '@yarnpkg/nm': 4.0.7
@@ -157,6 +158,11 @@ catalog:
  archy: ^1.0.0
  better-path-resolve: 2.0.0
  bin-links: ^6.0.2
+  # bole 6 is ESM-only. Under Jest, the workspace logger's ESM bole and the
+  # published @pnpm/logger's CJS bole 5 land in different realms, so the
+  # globalThis.$$bole output registry is no longer shared and log events
+  # emitted through one logger copy never reach the other's streamParser.
+  # Keep bole 5 until the published @pnpm/logger ships with bole 6.
  bole: ^5.0.29
  boxen: npm:@zkochan/boxen@5.1.2
  c8: ^11.0.0
@@ -166,13 +172,15 @@ catalog:
  can-write-to-dir: ^2.0.0
  chalk: ^5.6.2
  ci-info: ^4.4.0
-  cli-truncate: ^5.2.0
+  cli-truncate: ^6.0.0
  cmd-extension: ^2.0.0
  comver-to-semver: ^2.0.0
-  concurrently: 9.2.1
+  concurrently: 10.0.3
  cross-env: ^10.1.0
  cross-spawn: ^7.0.6
-  cspell: 9.7.0
+  # cspell 10.x requires Node.js >=22.18.0, above pnpm's supported floor of
+  # Node.js >=22.13.
+  cspell: 9.8.0
  deep-require-cwd: 1.0.0
  delay: ^7.0.0
  detect-indent: 7.0.2
@@ -181,15 +189,15 @@ catalog:
  dint: ^5.1.0
  dir-is-case-sensitive: ^3.0.0
  encode-registry: ^3.0.1
-  esbuild: ^0.27.7
+  esbuild: ^0.28.0
  escape-string-regexp: ^5.0.0
  eslint: ^10.4.0
  eslint-plugin-import-x: ^4.16.2
  eslint-plugin-jest: ^29.15.2
-  eslint-plugin-n: ^17.24.0
+  eslint-plugin-n: ^18.1.0
  eslint-plugin-promise: ^7.3.0
  eslint-plugin-regexp: ^3.1.0
-  eslint-plugin-simple-import-sort: ^12.1.1
+  eslint-plugin-simple-import-sort: ^13.0.0
  execa: npm:safe-execa@0.3.0
  exists-link: 2.0.0
  fast-deep-equal: ^3.1.3
@@ -207,6 +215,8 @@ catalog:
  https-proxy-server-express: 0.1.2
  husky: ^9.1.7
  hyperdrive-schemas: ^2.0.0
+  # ini 7.x requires Node.js ^22.22.2 || ^24.15.0 || >=26.0.0, above pnpm's
+  # supported floor of Node.js >=22.13.
  ini: 6.0.0
  is-gzip: 2.0.0
  is-inner-link: ^5.0.0
@@ -218,7 +228,7 @@ catalog:
  js-yaml: npm:@zkochan/js-yaml@0.0.11
  json5: ^2.2.3
  keyv: 5.6.0
-  lcov-result-merger: ^5.0.1
+  lcov-result-merger: ^6.0.0
  libnpmpublish: ^11.2.0
  load-json-file: ^7.0.1
  lodash.kebabcase: ^4.1.1
@@ -227,20 +237,21 @@ catalog:
  lru-cache: ^11.5.0
  make-empty-dir: ^4.0.0
  mdast-util-to-string: ^4.0.0
-  memoize: ^10.2.0
+  memoize: ^11.0.0
  micromatch: ^4.0.8
-  # msgpackr 1.11.9 has broken type definitions (uses Iterable/Iterator without
-  # required type arguments), incompatible with TypeScript 5.9.
-  msgpackr: 1.11.8
+  msgpackr: 2.0.4
  nm-prune: ^5.0.0
-  nock: 13.3.4
  normalize-newline: 5.0.0
+  # normalize-package-data 9.x requires Node.js ^22.22.2 || ^24.15.0 || >=26.0.0,
+  # above pnpm's supported floor of Node.js >=22.13.
  normalize-package-data: ^8.0.0
  normalize-path: ^3.0.0
  normalize-registry-url: 2.0.1
+  # npm-packlist 11.x requires Node.js ^22.22.2 || ^24.15.0 || >=26.0.0, above
+  # pnpm's supported floor of Node.js >=22.13.
  npm-packlist: 10.0.4
  object-hash: 3.0.0
-  open: ^7.4.2
+  open: ^11.0.0
  openpgp: ^6.3.1
  '@openpgp/web-stream-tools': 0.3.1
  p-defer: ^4.0.1
@@ -256,7 +267,7 @@ catalog:
  path-exists: ^5.0.0
  path-name: ^1.0.0
  path-temp: ^3.0.0
-  pidtree: ^0.6.0
+  pidtree: ^1.0.0
  preferred-pm: ^5.0.0
  pretty-bytes: ^7.1.0
  pretty-ms: ^9.3.0
@@ -281,7 +292,7 @@ catalog:
  safe-execa: ^0.3.0
  safe-promise-defer: ^2.0.0
  sanitize-filename: ^1.6.4
-  semver: ^7.8.1
+  semver: ^7.8.4
  semver-range-intersect: ^0.3.1
  semver-utils: ^1.1.4
  shlex: ^3.0.0
@@ -290,6 +301,8 @@ catalog:
  sort-keys: ^6.0.0
  split-cmd: ^1.1.0
  split2: ^4.2.0
+  # ssri 14.x requires Node.js ^22.22.2 || ^24.15.0 || >=26.0.0, above pnpm's
+  # supported floor of Node.js >=22.13.
  ssri: 13.0.1
  stacktracey: ^2.2.0
  string-length: ^7.0.1
@@ -307,14 +320,20 @@ catalog:
  touch: 3.1.1
  tree-kill: ^1.2.2
  ts-jest-resolver: 2.0.1
-  typescript: 5.9.3
-  typescript-eslint: ^8.60.0
-  undici: ^7.26.0
+  typescript: 6.0.3
+  typescript-eslint: ^8.61.0
+  # undici 8.x requires Node.js >=22.19.0, above pnpm's supported floor of
+  # Node.js >=22.13.
+  undici: ^7.27.2
  unified: ^11.0.5
+  # validate-npm-package-name 8.x requires Node.js ^22.22.2 || ^24.15.0 ||
+  # >=26.0.0, above pnpm's supported floor of Node.js >=22.13.
  validate-npm-package-name: 7.0.2
  version-selector-type: ^3.0.0
  vfile: ^6.0.3
  which: npm:@pnpm/which@^3.0.1
+  # write-file-atomic 8.x requires Node.js ^22.22.2 || ^24.15.0 || >=26.0.0,
+  # above pnpm's supported floor of Node.js >=22.13.
  write-file-atomic: ^7.0.1
  write-ini-file: 5.0.0
  write-json-file: ^7.0.0
@@ -346,7 +365,7 @@ minimumReleaseAge: 1440 # At least a day

 minimumReleaseAgeExclude:
  - '@pnpm/*'
-  - '@rushstack/worker-pool@0.7.7'
+  - '@rushstack/worker-pool@0.7.18'
  - '@zkochan/*'
  - '@zkochan/cmd-shim@9.0.3'
  - better-path-resolve
--- a/releasing/commands/package.json
+++ b/releasing/commands/package.json
@@ -107,7 +107,6 @@
    "@types/proxyquire": "catalog:",
    "@types/ramda": "catalog:",
    "@types/semver": "catalog:",
-    "@types/tar": "catalog:",
    "@types/tar-stream": "catalog:",
    "@types/validate-npm-package-name": "catalog:",
    "ci-info": "catalog:",