
Conversation

@ctison
Owner

@ctison ctison commented Dec 16, 2025

This PR contains the following updates:

Package         Type            Update   Change
pnpm (source)   packageManager  minor    10.25.0 -> 10.26.0

Release Notes

pnpm/pnpm (pnpm)

v10.26.0: pnpm 10.26

Compare Source

Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

  • Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

  • Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #10265.

  • Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

    allowBuilds:
      esbuild: true
      core-js: false

    The example above achieves the same result as the previous configuration:

    onlyBuiltDependencies:
      - esbuild
    ignoredBuiltDependencies:
      - core-js

    Related PR: #10311

  • Added support for --dry-run to the pack command #10301.

Patch Changes

  • Show deprecation in table/list formats when latest version is deprecated #8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
  • Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
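Before taking this upgrade it is worth knowing which entries in the existing lockfile the three security changes above would touch: which exotic (git or direct-tarball) packages are transitive and would be refused under blockExoticSubdeps, which tarball entries carry no integrity hash yet and are currently pinned by URL alone, and which git-hosted packages will stop running their prepare script unless listed in onlyBuiltDependencies/allowBuilds. The script below is an added example, not code from pnpm or from this repository. It is a deliberately minimal line scanner, not a YAML parser: it assumes the lockfile v9 layout (top-level `importers:` and `packages:` maps, one-line `resolution: {...}` flow maps, `type: git` for git resolutions, `tarball:` for tarball resolutions) and runs against a constructed sample lockfile whose package names, URLs and hashes are fake.

```javascript
// Added example (not pnpm's own code): audit a pnpm-lock.yaml for the dependency
// classes pnpm 10.26 tightens. Assumes the lockfile v9 layout described in the
// lead-in; the parser is a minimal line scanner written for this example only.

// Constructed sample lockfile; names, URLs and hashes are fake.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21
      my-fork:
        specifier: github:example/my-fork
        version: https://codeload.github.com/example/my-fork/tar.gz/0123456789abcdef0123456789abcdef01234567

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==}

  my-fork@https://codeload.github.com/example/my-fork/tar.gz/0123456789abcdef0123456789abcdef01234567:
    resolution: {tarball: https://codeload.github.com/example/my-fork/tar.gz/0123456789abcdef0123456789abcdef01234567}

  left-pad-ish@https://mirror.example.test/left-pad-ish-1.0.0.tgz:
    resolution: {integrity: sha512-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==, tarball: https://mirror.example.test/left-pad-ish-1.0.0.tgz}

  hooked-lib@git+ssh://git@github.com/example/hooked-lib.git#0123456789abcdef0123456789abcdef01234567:
    resolution: {commit: 0123456789abcdef0123456789abcdef01234567, repo: git+ssh://git@github.com/example/hooked-lib.git, type: git}
`;

// pnpm quotes keys that start with '@' (scoped packages); strip the quotes.
function unquote(s) {
  return s.replace(/^'(.*)'$/, '$1');
}

// "name@version-or-url" -> "name"; the first character is skipped so scoped
// names (which themselves start with '@') split at the right place.
function nameOf(key) {
  const at = key.indexOf('@', 1);
  return at === -1 ? key : key.slice(0, at);
}

// Parse a one-line flow map such as "{integrity: sha512-..., tarball: https://...}".
// Values in pnpm lockfiles are unquoted scalars without commas, so a simple split works.
function parseFlowMap(text) {
  const out = {};
  const re = /(\w+): ([^,}]+)/g;
  let m;
  while ((m = re.exec(text)) !== null) out[m[1]] = m[2].trim();
  return out;
}

// Returns the set of "name@version" keys that the root importer (".") lists
// directly, plus every entry under packages: with its parsed resolution map.
function parseLockfile(text) {
  const direct = new Set();
  const packages = [];
  let section = null, importer = null, depName = null, current = null;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '') continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {                     // top-level key: importers:, packages:, ...
      section = line.endsWith(':') ? line.slice(0, -1) : null;
      current = null;
      continue;
    }
    if (section === 'importers') {
      if (indent === 2 && line.endsWith(':')) importer = unquote(line.slice(0, -1));
      else if (indent === 6 && line.endsWith(':')) depName = unquote(line.slice(0, -1));
      else if (indent === 8 && importer === '.' && depName && line.startsWith('version: ')) {
        // Drop a peer suffix like "(react@18.2.0)" so the key matches packages:.
        const version = line.slice('version: '.length).replace(/\(.*$/, '');
        direct.add(`${depName}@${version}`);
      }
    } else if (section === 'packages') {
      if (indent === 2 && line.endsWith(':')) {
        current = { key: unquote(line.slice(0, -1)), resolution: {} };
        packages.push(current);
      } else if (indent === 4 && current && line.startsWith('resolution: ')) {
        current.resolution = parseFlowMap(line.slice('resolution: '.length));
      }
    }
  }
  return { direct, packages };
}

// Exotic sources are exactly the two protocols the release note names:
// git repositories and direct tarball URLs. Everything else is treated as registry.
function classify(pkg) {
  if (pkg.resolution.type === 'git') return 'git';
  if (pkg.resolution.tarball !== undefined) return 'tarball';
  return 'registry';
}

// One finding per exotic package: is it a root direct dependency, and does the
// lockfile already record an integrity hash for it?
function auditLockfile(text) {
  const { direct, packages } = parseLockfile(text);
  return packages
    .map(pkg => ({ pkg, kind: classify(pkg) }))
    .filter(({ kind }) => kind !== 'registry')
    .map(({ pkg, kind }) => ({
      name: nameOf(pkg.key),
      key: pkg.key,
      kind,
      direct: direct.has(pkg.key),
      hasIntegrity: typeof pkg.resolution.integrity === 'string' && pkg.resolution.integrity.startsWith('sha'),
    }));
}

function summarize(findings) {
  return {
    // blockExoticSubdeps only refuses exotic sources that are transitive.
    blockedByExoticSubdeps: findings.filter(f => !f.direct).map(f => f.name),
    // Tarball entries without an integrity hash are pinned by URL only until
    // the next install under 10.26 records one.
    tarballsWithoutIntegrity: findings.filter(f => f.kind === 'tarball' && !f.hasIntegrity).map(f => f.name),
    // Git-hosted packages no longer run prepare unless allowed in allowBuilds.
    gitDepsNeedingBuildDecision: findings.filter(f => f.kind === 'git').map(f => f.name),
  };
}

console.log(JSON.stringify(summarize(auditLockfile(SAMPLE_LOCKFILE)), null, 2));
```

Run with `node audit.js` to see the summary for the embedded sample; to check a real project, replace SAMPLE_LOCKFILE with the contents of its pnpm-lock.yaml (for example via fs.readFileSync). In the sample, my-fork is a direct tarball dependency and so is not blocked by blockExoticSubdeps, but it has no integrity hash yet; left-pad-ish and hooked-lib are transitive exotic sources and would be refused; hooked-lib is additionally the one package whose prepare script now needs an explicit allowBuilds decision. Whether to allow it is a review decision, which is why the script lists it rather than generating an allow entry.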

Copilot AI review requested due to automatic review settings December 16, 2025 06:04
@ctison ctison self-assigned this Dec 16, 2025

Copilot AI left a comment


Pull request overview

This PR updates the pnpm package manager from version 10.25.0 to 10.26.0 as part of routine dependency maintenance. The update includes several semi-breaking security enhancements and new features focused on securing the dependency supply chain.

Key Changes:

  • Updates packageManager field to specify pnpm v10.26.0
  • Brings enhanced security features for git-hosted and HTTP tarball dependencies
  • Adds support for new allowBuilds configuration option (though not utilized in this project yet)


@ctison ctison merged commit 31b793d into main Dec 17, 2025
7 checks passed
@ctison ctison deleted the renovate/pnpm-10.x branch December 17, 2025 06:03

3 participants