fix(deps): update minor updates (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	10.28.2 → 10.30.0
undici@>=7.0.0 <7.18.2 (source)	[>=7.19.2 → >=7.22.0](https://renovatebot.com/diffs/npm/undici@&gt;&#x3D;7.0.0 <7.18.2/7.19.2/7.22.0)

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

pnpm/pnpm (pnpm)

v10.30.0

Compare Source

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

nodejs/undici (undici@>=7.0.0 <7.18.2)

v7.22.0

Compare Source

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @​styfle in #​4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @​jackhax in #​4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @​SuperOleg39 in #​4676
• fix: route WebSocket upgrades through onRequestUpgrade by @​mcollina in #​4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @​dependabot[bot] in #​4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @​mcollina in #​4818
• feat: Support async cache stores in revalidation by @​marcopiraccini in #​4826

New Contributors

• @​jackhax made their first contribution in #​4816
• @​marcopiraccini made their first contribution in #​4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

Compare Source

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in #​4796
• test: restore global dispatcher after fetch tests by @​mcollina in #​4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in #​4802
• fix: error stream instead of canceling by @​KhafraDev in #​4804
• Fix clientTtl cleanup race in Agent by @​mcollina in #​4807
• feat(#​4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in #​4296
• fix: handle undefined __filename in bundled environments by @​mcollina in #​4812
• fix: set finalizer only for fetch responses by @​tsctx in #​4803

New Contributors

• @​piotr-cz made their first contribution in #​4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

Compare Source

What's Changed

• fix: preserve fetch stack traces by @​mcollina in #​4778
• Fix error handling in MockPool example by @​dave-kennedy in #​4781
• feat: expose statusText in request() ResponseData by @​domenic in #​4784
• test: reduce retry-after invalid date flake by @​mcollina in #​4788
• extractBody fixes by @​KhafraDev in #​4791
• fix: MockAgent delayed response with AbortSignal (#​4693) by @​mcollina in #​4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in #​4758

New Contributors

• @​dave-kennedy made their first contribution in #​4781
• @​vbfox made their first contribution in #​4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

---

Configuration

📅 Schedule: Branch creation - "after 10:00 before 19:00 every weekday except after 13:00 before 14:00" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.