Bump @pnpm/dependency-path from 5.1.3 to 1001.1.10 in /npm_and_yarn/helpers in the pnpm-dependencies group

[dependabot]

Bumps the pnpm-dependencies group in /npm_and_yarn/helpers with 1 update: @pnpm/dependency-path.

Updates @pnpm/dependency-path from 5.1.3 to 1001.1.10

Release notes

Sourced from @​pnpm/dependency-path's releases.

pnpm 11 Alpha 12

Major Changes

Store

• Runtime dependencies are always linked from the global virtual store #10233.

• Optimized index file format to store the hash algorithm once per file instead of repeating it for every file entry. Each file entry now stores only the hex digest instead of the full integrity string (<algo>-<digest>). Using hex format improves performance since file paths in the content-addressable store use hex representation, eliminating base64-to-hex conversion during path lookups.

• Store version bumped to v11.

• Switched internal store and cache files from JSON to MessagePack format for improved performance.

  This change migrates all internal index files and metadata cache files to use MessagePack serialization instead of JSON. MessagePack provides faster serialization/deserialization and more compact file sizes, resulting in improved installation performance.

  Related PR: #10500

• Store the bundled manifest (name, version, bin, engines, scripts, etc.) directly in the package index file, eliminating the need to read package.json from the content-addressable store during resolution and installation. This reduces I/O and speeds up repeat installs #10473.

Global Packages

• Global installs (pnpm add -g pkg) and pnpm dlx now use the global virtual store by default. Packages are stored at {storeDir}/links instead of per-project .pnpm directories. This can be disabled by setting enableGlobalVirtualStore: false #10694.

• Isolated global packages. Each globally installed package (or group of packages installed together) now gets its own isolated installation directory with its own package.json, node_modules/, and lockfile. This prevents global packages from interfering with each other through peer dependency conflicts, hoisting changes, or version resolution shifts.

  Key changes:

  • pnpm add -g <pkg> creates an isolated installation in {pnpmHomeDir}/global/v11/{hash}/
  • pnpm remove -g <pkg> removes the entire installation group containing the package
  • pnpm update -g [pkg] re-installs packages in new isolated directories
  • pnpm list -g scans isolated directories to show all installed global packages
  • pnpm install -g (no args) is no longer supported; use pnpm add -g <pkg> instead

Configuration

• pnpm config get (without --json) no longer print INI formatted text. Instead, it would print JSON for both objects and arrays and raw string for strings, numbers, booleans, and nulls. pnpm config get --json would still print all types of values as JSON like before.

• pnpm config get <array> now prints a JSON array.

• pnpm config list now prints a JSON object instead of INI formatted text.

• pnpm config list and pnpm config get (without argument) now hide auth-related settings.

• pnpm config list and pnpm config get (without argument) now show top-level keys as camelCase. Exception: Keys that start with @ or // would be preserved (their cases don't change).

• pnpm config get and pnpm config list no longer load non camelCase options from the workspace manifest (pnpm-workspace.yaml).

• pnpm no longer loads non-auth and non-registry settings from rc files. Other settings must be defined in pnpm-workspace.yaml.

• Replace workspace project specific .npmrc with packageConfigs in pnpm-workspace.yaml.

  A workspace manifest with packageConfigs would look something like this:

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[JamieMagee]

@dependabot rebase

[JamieMagee]

Reviewed this. The version jump from 5.1.3 to 1001.1.10 looks alarming but it's just pnpm's new calendar versioning for their v10/v11 internal packages — not 996 breaking releases.

The only place we use @pnpm/dependency-path is in lockfile-parser.js, which calls dependencyPath.parse(depPath) and reads .name and .version off the result. I checked the current source and the parse() function signature and return shape haven't changed.

One thing to be aware of: @pnpm/lockfile-file@9.1.3 and @pnpm/lockfile-utils still pin @pnpm/dependency-path@5.1.3 internally, so the lockfile ends up with nested copies at 5.1.3 alongside the top-level 1001.1.10. This is fine — lockfile-file uses its own copy for its own work, and lockfile-parser.js uses the top-level one directly. They don't interact.

I did look into upgrading @pnpm/lockfile-file to its successor (@pnpm/lockfile.fs in the 1001.x line) to get the whole tree on one version, but that package silently returns empty data for lockfile v5.4 and v6.0 formats. Since Dependabot still needs to parse those, that migration isn't viable yet.

New transitive deps pulled in: @pnpm/crypto.hash, @pnpm/crypto.polyfill, @pnpm/graceful-fs, nested ssri@10.0.5. These replace @pnpm/crypto.base32-hash and are used by depPathToFilename, not by parse(). Also rfc4648 bumped 1.5.3 to 1.5.4.

Looks good to merge.