build: update pnpm to v11.1.2 (main)

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	11.1.0 → 11.1.2

---

• If you want to rebase/retry this PR, check this box

---

Release Notes

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes

• Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
• Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@​teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@​teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
• Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

[gemini-code-assist]

Code Review

This pull request updates the pnpm package manager version from 10.33.4 to 11.1.0 in package.json. The reviewer identified that this upgrade introduces several breaking changes that require manual migration, such as moving build settings to pnpm-workspace.yaml and updating environment variable prefixes in E2E test setups to ensure compatibility with pnpm v11.

[gemini-code-assist]

The upgrade to pnpm v11 introduces several breaking changes that require manual migration in this repository:

1. Build Settings: The pnpm.onlyBuiltDependencies field in package.json (lines 150-152) is no longer supported and will be ignored. It must be moved to pnpm-workspace.yaml using the new allowBuilds field:

   allowBuilds:
     webdriver-manager: true

2. Environment Variables: pnpm v11 no longer reads npm_config_* environment variables. The E2E test setup in tests/e2e/setup/001-npm-sandbox.ts (lines 17-51) should be updated to use the pnpm_config_* prefix (e.g., pnpm_config_registry, pnpm_config_prefix) to ensure the test sandbox remains isolated when running pnpm commands.
3. Configuration Location: Most settings previously located in the pnpm field of package.json are now deprecated or ignored in favor of pnpm-workspace.yaml.

[dgp1130]

This PR was merged into the repository. The changes were merged into the following branches:

• main: 7182455