Bump pnpm from 10.5.0 to 10.17.0

[dependabot]

Bumps pnpm from 10.5.0 to 10.17.0.

Release notes

Sourced from pnpm's releases.

pnpm 10.17

Minor Changes

• The minimumReleaseAgeExclude setting now supports patterns. For instance:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@eslint/*"

  Related PR: #9984.

Patch Changes

• Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #9978.
• When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #9979.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.17.0

Minor Changes

• The minimumReleaseAgeExclude setting now supports patterns. For instance:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@eslint/*"

  Related PR: #9984.

Patch Changes

• Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #9978.
• When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #9979.

10.16.1

Patch Changes

• The full metadata cache should be stored not at the same location as the abbreviated metadata. This fixes a bug where pnpm was loading the abbreviated metadata from cache and couldn't find the "time" field as a result #9963.
• Forcibly disable ANSI color codes when generating patch diff #9914.

10.16.0

Minor Changes

• There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.

  The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

  If you set minimumReleaseAge but need to disable this restriction for certain dependencies, you can list them under the minimumReleaseAgeExclude setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:

  minimumReleaseAgeExclude:
    - webpack

  Related issue: #9921.

• Added support for finders #9946.

  In the past, pnpm list and pnpm why could only search for dependencies by name (and optionally version). For example:

  pnpm why minimist
  

... (truncated)

Commits

• 1a1a272 chore(release): 10.17.0
• ea44ff9 chore(release): 10.16.1
• a3c1498 chore(release): 10.16.0
• e792927 feat: support finder functions for performing complex searches with list and ...
• 3d1711a chore(release): 10.15.1
• f1552d1 refactor: replace p-any with Promise.any (#9911)
• 979ce80 chore(release): 10.15.0
• facd765 refactor: always use extensions in relative imports (#9878)
• c89c93d test: use @​jest/globals (#9877)
• 14c78e8 test: use jest.mocked (#9874)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #29.