Update pnpm to v11.5.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	11.5.1 → 11.5.2

---

Release Notes

pnpm/pnpm (pnpm)

v11.5.2

Compare Source

Patch Changes

• Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.

• The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.

• Fix pnpm update --recursive --lockfile-only <pkg>@&#8203;<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #​11570.

• Avoided a Node.js crash when pnpm exits after network requests on Windows.

• Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #​12197.

• Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).

  In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp / prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).

  buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.

• Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.

• Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

[07:27:46.073] INFO (903): Installing tool node@24.16.0...
[07:27:49.341] ERROR (903): failed to check url
    url: "https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz.sha512"
    err: {
      "type": "HTTPError",
      "message": "Request failed with status code 504 (Gateway Time-out): HEAD https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz.sha512",
      "stack":
          HTTPError: Request failed with status code 504 (Gateway Time-out): HEAD https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz.sha512
              at file:///snapshot/dist/app/main-BTOx0EXc.js:34252:28
              at Request.<anonymous> (file:///snapshot/dist/app/main-BTOx0EXc.js:34258:7)
              at Object.onceWrapper (node:events:631:26)
              at Request.emit (node:events:521:24)
              at Request.emit (node:domain:489:12)
              at Request._onResponseBase (file:///snapshot/dist/app/main-BTOx0EXc.js:33531:22)
              at process.processTicksAndRejections (node:internal/process/task_queues:104:5)
              at async Request._onResponse (file:///snapshot/dist/app/main-BTOx0EXc.js:33568:4)
      "name": "HTTPError",
      "code": "ERR_NON_2XX_3XX_RESPONSE",
      "timings": {
        "start": 1780903669334,
        "socket": 1780903669335,
        "lookup": 1780903669335,
        "connect": 1780903669335,
        "secureConnect": 1780903669335,
        "upload": 1780903669335,
        "response": 1780903669340,
        "end": 1780903669340,
        "phases": {
          "wait": 1,
          "dns": 1,
          "tcp": 3,
          "tls": 5,
          "request": 0,
          "firstByte": 5,
          "download": 0,
          "total": 6
        }
      },
      "options": {
        "agent": {},
        "decompress": true,
        "timeout": {},
        "prefixUrl": "",
        "ignoreInvalidCookies": false,
        "context": {},
        "hooks": {
          "init": [],
          "beforeRequest": [],
          "beforeError": [],
          "beforeRedirect": [],
          "beforeRetry": [],
          "beforeCache": [],
          "afterResponse": []
        },
        "followRedirect": true,
        "maxRedirects": 10,
        "throwHttpErrors": true,
        "username": "",
        "password": "",
        "http2": false,
        "allowGetBody": false,
        "copyPipedHeaders": false,
        "headers": {
          "user-agent": "containerbase/14.10.21 node/24.16.0 (https://github.com/containerbase)",
          "accept-encoding": "gzip, deflate, br, zstd"
        },
        "methodRewriting": false,
        "retry": {
          "limit": 2,
          "methods": [
            "GET",
            "PUT",
            "HEAD",
            "DELETE",
            "OPTIONS",
            "TRACE"
          ],
          "statusCodes": [
            408,
            413,
            429,
            500,
            502,
            503,
            504,
            521,
            522,
            524
          ],
          "errorCodes": [
            "ETIMEDOUT",
            "ECONNRESET",
            "EADDRINUSE",
            "ECONNREFUSED",
            "EPIPE",
            "ENOTFOUND",
            "ENETUNREACH",
            "EAI_AGAIN"
          ],
          "backoffLimit": null,
          "noise": 100,
          "enforceRetryRules": true
        },
        "method": "HEAD",
        "cacheOptions": {},
        "https": {},
        "resolveBodyOnly": false,
        "isStream": false,
        "responseType": "text",
        "url": "https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz.sha512",
        "pagination": {
          "countLimit": null,
          "backoff": 0,
          "requestLimit": 10000,
          "stackAllItems": false
        },
        "setHost": true,
        "enableUnixSockets": false,
        "strictContentLength": true
      }
    }
[07:27:49.372] ERROR (903): Request failed with status code 504 (Gateway Time-out): HEAD https://github.com/containerbase/node-prebuild/releases/download/24.16.0/node-24.16.0-x86_64.tar.xz.sha512
[07:27:49.372] FATAL (903): Install tool node failed in 3.3s.