chore(deps): update all dependencies by renovate[bot] · Pull Request #124 · vadimpiven/node_reqwest

renovate · 2026-03-21T01:57:25Z

This PR contains the following updates:

Package	Type	Update	Change	Pending
mitmproxy/mitmproxy		digest	`743b6cd` → `00b77b5`
pnpm (source)	packageManager	minor	`10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264` → `10.33.4`
python		patch	`3.14.2` → `3.14.4`	`3.14.5`
quay.io/pypa/manylinux_2_28	final	digest	`b0ca9da` → `41f9353`

Release Notes

pnpm/pnpm (pnpm)

`v10.33.4`: pnpm 10.33.4

Compare Source

Patch Changes

Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #11341.

Platinum Sponsors

Gold Sponsors

Patch Changes

When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #11328.

Platinum Sponsors

Gold Sponsors

`v10.33.0`

Compare Source

`v10.32.1`: pnpm 10.32.1

Compare Source

Patch Changes

Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #10909.

Platinum Sponsors

Gold Sponsors

`v10.32.0`: pnpm 10.32

Compare Source

Minor Changes

Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #10136.

Patch Changes

Reverted change related to setting explicitly the npm config file path, which caused regressions.
Reverted fix related to lockfile-include-tarball-url. Fixes #10915.

Platinum Sponsors

Gold Sponsors

`v10.31.0`

Compare Source

`v10.30.3`

Compare Source

`v10.30.2`

Compare Source

`v10.30.1`: pnpm 10.30.1

Compare Source

Patch Changes

Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #10649.

Platinum Sponsors

Gold Sponsors

`v10.30.0`: pnpm 10.30

Compare Source

Minor Changes

pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #7122.
Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #10596.

Platinum Sponsors

Gold Sponsors

`v10.29.3`

Compare Source

`v10.29.2`

Compare Source

`v10.29.1`: pnpm 10.29.1

Compare Source

Minor Changes

The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
Support configuring auditLevel in the pnpm-workspace.yaml file #10540.
Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #10436.

Patch Changes

Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.
Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.
Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.
Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.
Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #10281.
Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #10460.
Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.
update tar to version 7.5.7 to fix security issue

Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842
Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.
Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.
pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #10561.
Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #10457.

Platinum Sponsors

Gold Sponsors

Configuration

📅 Schedule: (in timezone UTC)

Branch creation
- "every weekend"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-21T01:57:28Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package.json

Command failed: corepack use pnpm@10.33.4

greptile-apps · 2026-03-21T01:59:49Z

Greptile Summary

This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.

Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
Several beta versions (vitest, vite) graduate to stable releases — a positive change.
The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.

Confidence Score: 4/5

This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
package.json — missing SHA512 hash in the packageManager field.

Important Files Changed

Filename	Overview
package.json	Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile	Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock	Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml	Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml	Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml	Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.

Comments Outside Diff (1)

package.json, line 202 (link)

Missing Corepack integrity hash for pnpm

The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

corepack use pnpm@10.32.1

This will update package.json with the correct hash for 10.32.1, e.g.:

Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:



Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:

```suggestion
  "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",
```

Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "Update all dependenc..."}

codecov · 2026-04-20T21:27:48Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

codspeed-hq · 2026-05-18T07:49:49Z

Merging this PR will improve performance by 22.61%

⚠️

Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 14 untouched benchmarks

Performance Changes

	Benchmark	`BASE`	`HEAD`	Efficiency
⚡	`node-reqwest.Agent`	76.5 ms	62.4 ms	+22.61%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.

_{Comparing renovate/all-dependencies (2db6f60) with main (5377e0a)}

renovate Bot force-pushed the renovate/all-dependencies branch 4 times, most recently from 1c2d5e5 to 40653e4 Compare March 22, 2026 02:03

github-advanced-security AI found potential problems Mar 22, 2026

View reviewed changes