Update pnpm to v9.15.0 [SECURITY] (#40560)

* Update pnpm to v9.15.0 [SECURITY] * Bring back pnpmfile hack for pnpm/pnpm#3935, which regressed in 9.12.0 --------- Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: Brandon Kraft <[email protected]> Co-authored-by: Brad Jorsch <[email protected]>
Automattic · Dec 20, 2024 · b414852 · b414852
1 parent c6b2c65
commit b414852
Show file tree

Hide file tree

Showing 4 changed files with 124 additions and 114 deletions.
diff --git a/.github/versions.sh b/.github/versions.sh
@@ -2,7 +2,7 @@
 PHP_VERSION=8.2
 COMPOSER_VERSION=2.8.3
 NODE_VERSION=22.9.0
-PNPM_VERSION=9.3.0
+PNPM_VERSION=9.15.0
 
 # Other useful version numbers.
 MIN_PHP_VERSION=7.2

diff --git a/.pnpmfile.cjs b/.pnpmfile.cjs
@@ -223,6 +223,16 @@ function afterAllResolved( lockfile ) {
 		return lockfile;
 	}
 
+	for ( const [ k, v ] of Object.entries( lockfile.packages ) ) {
+		// Forbid installing webpack without webpack-cli. It results in lots of spurious lockfile changes.
+		// https://github.com/pnpm/pnpm/issues/3935
+		if ( k.startsWith( 'webpack@' ) && ! v.optionalDependencies?.[ 'webpack-cli' ] ) {
+			throw new Error(
+				"Something you've done is trying to add a dependency on webpack without webpack-cli.\nThis is not allowed, as it tends to result in pnpm lockfile flip-flopping.\nSee https://github.com/pnpm/pnpm/issues/3935 for the upstream bug report.\n"
+			);
+		}
+	}
+
 	return lockfile;
 }
 

diff --git a/package.json b/package.json
@@ -35,9 +35,9 @@
 	},
 	"engines": {
 		"node": "^22.9.0",
-		"pnpm": "^9.3.0 <9.12.0"
+		"pnpm": "^9.15.0"
 	},
-	"packageManager": "pnpm@9.3.0",
+	"packageManager": "pnpm@9.15.0",
 	"pnpm": {
 		"patchedDependencies": {
 			"@wordpress/[email protected]": ".pnpm-patches/@[email protected]"