Bump pnpm from 10.28.2 to 10.29.3

[dependabot]

Bumps pnpm from 10.28.2 to 10.29.3.

Release notes

Sourced from pnpm's releases.

pnpm 10.29.3

Patch Changes

• Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output, shown as "deduped (N deps hidden)" #10586.
• Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.
• When the enableGlobalVirtualStore option is set, the pnpm deploy command would incorrectly create symlinks to the global virtual store. To keep the deploy directory self-contained, pnpm deploy now ignores this setting and always creates a localized virtual store within the deploy directory.
• Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.29.3

Patch Changes

• Fixed an out-of-memory error in pnpm list (and pnpm why) on large dependency graphs by replacing the recursive tree builder with a two-phase approach: a BFS dependency graph followed by cached tree materialization. Duplicate subtrees are now deduplicated in the output, shown as "deduped (N deps hidden)" #10586.
• Fixed allowBuilds not working when set via .pnpmfile.cjs #10516.
• When the enableGlobalVirtualStore option is set, the pnpm deploy command would incorrectly create symlinks to the global virtual store. To keep the deploy directory self-contained, pnpm deploy now ignores this setting and always creates a localized virtual store within the deploy directory.
• Fixed minimumReleaseAgeExclude not being respected by pnpm dlx #10338.

10.29.2

Patch Changes

• Reverted a fix shipped in v10.29.1, which caused another issue #10571. Reverted fix: Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.

10.29.1

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #10457.

Commits

• f001ab7 chore(release): 10.29.3
• 0d3798c fix(dlx): respect minimumReleaseAgeExclude (#10572)
• 87d50fb docs: update sponsors
• ea870c7 chore(release): 10.29.2
• 595cd41 revert: "fix: allow pnpm run -r to work with empty pnpm-workspace.yaml (#10578)
• 046c693 chore(release): 10.29.1
• 607c2a6 fix: force isexe version that supports Node.js 18
• 11202fc chore(release): 10.29.0
• 08f28da fix: pnpm help should correctly show if pnpm is bundled with Node.js (#10563)
• e18eaf0 fix: exit with signal code when inner pnpm fails (#10549)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)