Dependabot + PNPM: Known Issues with 10.9.0-10.11.0

[robaiken]

An issue was identified with PNPM versions 10.9.0 to 10.11.0 that affects how Dependabot processes package updates. The issue has been resolved in PNPM 10.11.1.

Since PNPM v10.9.0, running pnpm update <pkg> --lockfile-only re-resolves the entire lockfile instead of only updating the specified package. This causes Dependabot to regenerate metadata for all packages, not just the one being updated.

Impact on Dependabot

• Users with PNPM versions 10.9.0 to 10.11.0 in their package.json packageManager field have been affected for ~3 weeks
• Dependabot uses corepack to download the PNPM version specified in your package.json
• If no version is specified, we default to the bundled version (now 10.11.1)
• Important: Users who have affected versions should still expect this behaviour until they update their version of PNPM

Solution

Update your version of PNPM

corepack use pnpm@latest

This will download the latest version and update your package.json automatically.

Related Dependabot issues

• Support PNPM v10 #11246

Questions?

If you're still experiencing issues after upgrading to PNPM 10.11.1, please raise a new issue with details about your setup.