chore(deps): update pnpm to v10.33.1

[bfra-me]

This PR contains the following updates:

Package	Change	Age	Confidence	OpenSSF	Code Search
pnpm (source)	10.32.0 → 10.33.1

---

Release Notes

pnpm/pnpm (pnpm)

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

v10.33.0: pnpm 10.33

Compare Source

Minor Changes

• Added a new dedupePeers setting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested suffixes like (foo@1.0.0(bar@2.0.0)). This dramatically reduces the number of package instances in projects with many recursive peer dependencies #​11070.

Patch Changes

• Fail on incompatible lockfiles in CI when frozen lockfile mode is enabled, while preserving non-frozen CI fallback behavior.

• When package metadata is malformed or can't be fetched, the error thrown will now show the originating error.

• Fixed intermittent failures when multiple pnpm dlx calls run concurrently for the same package. When the global virtual store is enabled, the importer now verifies file content before skipping a rename, avoiding destructive swap-renames that break concurrent processes. Also tolerates EPERM during bin creation on Windows and properly propagates enableGlobalVirtualStore through the install pipeline.

• Fixed handling of non-string version selectors in hoistPeers, preventing invalid peer dependency specifiers.

• Improve the non-interactive modules purge error hint to include the confirmModulesPurge=false workaround.

  When pnpm needs to recreate node_modules but no TTY is available, the error now suggests either setting CI=true or disabling the purge confirmation prompt via confirmModulesPurge=false.

  Adds a regression test for the non-TTY flow.

• Fixed false "Command not found" errors on Windows when a command exists in PATH but exits with a non-zero code. Also fixed path resolution for --filter contexts where the command runs in a different package directory.

• When a pnpm-lock.yaml contains two documents, ignore the first one. pnpm v11 will write two lockfile documents into pnpm-lock.yaml in order to store pnpm version integrities and config dependency resolutions.

• Fixed a bug preventing the clearCache function returned by createNpmResolver from properly clearing metadata cache.

Platinum Sponsors

Gold Sponsors

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[bfra-me]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Recreating /tmp/renovate/repos/github/bfra-me/github-action/node_modules
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 125, reused 0, downloaded 111, added 0
Progress: resolved 308, reused 0, downloaded 279, added 0
Progress: resolved 503, reused 0, downloaded 411, added 0
Progress: resolved 720, reused 0, downloaded 652, added 0
Already up to date
Progress: resolved 720, reused 0, downloaded 652, added 646, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

.
└─┬ @bfra.me/eslint-config 0.50.1
  ├─┬ eslint-plugin-import-x 4.16.1
  │ └── ✕ unmet peer eslint@"^8.57.0 || ^9.0.0": found 10.2.1
  └─┬ @eslint-community/eslint-plugin-eslint-comments 4.6.0
    └── ✕ unmet peer eslint@"^6.0.0 || ^7.0.0 || ^8.0.0 || ^9.0.0": found 10.2.1
hint: To disable failing on peer dependency issues, add the following to pnpm-workspace.yaml in your project root:

  strictPeerDependencies: false