Update pnpm to v11.5.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	11.5.1 → 11.5.2

---

Release Notes

pnpm/pnpm (pnpm)

v11.5.2

Compare Source

Patch Changes

• Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.

• The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.

• Fix pnpm update --recursive --lockfile-only <pkg>@&#8203;<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #​11570.

• Avoided a Node.js crash when pnpm exits after network requests on Windows.

• Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #​12197.

• Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).

  In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp / prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).

  buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.

• Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.

• Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

[06:46:37.521] INFO (806): Installing tool node@24.16.0...
[06:46:37.767] ERROR (806): download failed
    run: 3
    err: {
      "type": "HTTPError",
      "message": "Request failed with status code 504 (Gateway Time-out): GET https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz",
      "stack":
          HTTPError: Request failed with status code 504 (Gateway Time-out): GET https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz
              at Request._onResponseBase (file:///snapshot/dist/app/main-BTOx0EXc.js:33507:22)
              at Request._onResponse (file:///snapshot/dist/app/main-BTOx0EXc.js:33568:15)
              at ClientRequest.<anonymous> (file:///snapshot/dist/app/main-BTOx0EXc.js:33594:9)
              at Object.onceWrapper (node:events:631:26)
              at ClientRequest.emit (node:events:521:24)
              at ClientRequest.emit (node:domain:489:12)
              at HTTPParser.parserOnIncomingClient (node:_http_client:798:27)
              at HTTPParser.parserOnHeadersComplete (node:_http_common:125:17)
              at TLSSocket.socketOnData (node:_http_client:633:22)
              at TLSSocket.emit (node:events:509:28)
      "name": "HTTPError",
      "code": "ERR_NON_2XX_3XX_RESPONSE",
      "timings": {
        "start": 1780901197762,
        "socket": 1780901197762,
        "lookup": 1780901197762,
        "connect": 1780901197762,
        "secureConnect": 1780901197762,
        "upload": 1780901197763,
        "response": 1780901197765,
        "end": 1780901197766,
        "phases": {
          "wait": 0,
          "dns": 2,
          "tcp": 4,
          "tls": 7,
          "request": 1,
          "firstByte": 2,
          "download": 1,
          "total": 4
        }
      },
      "options": {
        "agent": {},
        "decompress": true,
        "timeout": {},
        "prefixUrl": "",
        "ignoreInvalidCookies": false,
        "context": {},
        "hooks": {
          "init": [],
          "beforeRequest": [],
          "beforeError": [],
          "beforeRedirect": [],
          "beforeRetry": [],
          "beforeCache": [],
          "afterResponse": []
        },
        "followRedirect": true,
        "maxRedirects": 10,
        "throwHttpErrors": true,
        "username": "",
        "password": "",
        "http2": false,
        "allowGetBody": false,
        "copyPipedHeaders": false,
        "headers": {
          "user-agent": "containerbase/14.10.21 node/24.16.0 (https://github.com/containerbase)",
          "accept-encoding": "gzip, deflate, br, zstd"
        },
        "methodRewriting": false,
        "retry": {
          "limit": 2,
          "methods": [
            "GET",
            "PUT",
            "HEAD",
            "DELETE",
            "OPTIONS",
            "TRACE"
          ],
          "statusCodes": [
            408,
            413,
            429,
            500,
            502,
            503,
            504,
            521,
            522,
            524
          ],
          "errorCodes": [
            "ETIMEDOUT",
            "ECONNRESET",
            "EADDRINUSE",
            "ECONNREFUSED",
            "EPIPE",
            "ENOTFOUND",
            "ENETUNREACH",
            "EAI_AGAIN"
          ],
          "backoffLimit": null,
          "noise": 100,
          "enforceRetryRules": true
        },
        "method": "GET",
        "cacheOptions": {},
        "https": {},
        "resolveBodyOnly": false,
        "isStream": true,
        "responseType": "text",
        "url": "https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz",
        "pagination": {
          "countLimit": null,
          "backoff": 0,
          "requestLimit": 10000,
          "stackAllItems": false
        },
        "setHost": true,
        "enableUnixSockets": false,
        "strictContentLength": true
      }
    }
[06:46:37.831] ERROR (806): download failed
[06:46:37.832] FATAL (806): Install tool node failed in 328ms.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b9a80751-50ed-4ae8-a388-97943b4e3d9b

📥 Commits

Reviewing files that changed from the base of the PR and between b75420f and 9ddcfd7.

📒 Files selected for processing (1)

• package.json

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

{package.json,mise.toml}

📄 CodeRabbit inference engine (AGENTS.md)

Use packageManager field in package.json to pin the pnpm version, setting idiomatic_version_file_enable_tools = ["pnpm"] in mise.toml to read the version from the same field

Files:

• package.json

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
Repo: gtbuchanan/tooling PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-06-04T20:00:49.800Z
Learning: Applies to {package.json,mise.toml} : Use `packageManager` field in `package.json` to pin the pnpm version, setting `idiomatic_version_file_enable_tools = ["pnpm"]` in `mise.toml` to read the version from the same field

📚 Learning: 2026-06-04T20:00:49.800Z

Learnt from: CR
Repo: gtbuchanan/tooling PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-06-04T20:00:49.800Z
Learning: Applies to {package.json,mise.toml} : Use `packageManager` field in `package.json` to pin the pnpm version, setting `idiomatic_version_file_enable_tools = ["pnpm"]` in `mise.toml` to read the version from the same field

Applied to files:

• package.json

🔇 Additional comments (2)

package.json (2)

49-49: pnpm@11.5.2 pin looks valid

The npm registry has a published pnpm version 11.5.2 (and it appears among the latest 11.x versions).

---

49-49: Confirm mise.toml reads the pnpm version from package.json’s packageManager
package.json pins pnpm@11.5.2, and mise.toml includes idiomatic_version_file_enable_tools = ["pnpm"], so mise will source the pnpm version from that packageManager field. pnpm@11.5.2 is also a published pnpm v11 release.

---

📝 Walkthrough

Walkthrough

The PR updates the packageManager field in the root package.json from pnpm@11.5.1 to pnpm@11.5.2, pinning the project to the newer pnpm version. No other configuration, scripts, or dependencies are modified.

Changes

Package Manager Update

Layer / File(s)	Summary
Package Manager Version Update package.json	Root packageManager field bumped from pnpm@11.5.1 to pnpm@11.5.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• gtbuchanan/tooling#144: Prior pnpm version bump in the same packageManager field.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update pnpm to v11.5.2' is concise, descriptive, and clearly summarizes the main change in the changeset.
Description check	✅ Passed	The PR description is related to the changeset, containing detailed release notes and configuration information for the pnpm v11.5.2 update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}