adamjkb / bark

Materialized path extension for Prisma
https://prisma-extension-bark.gitbook.io
MIT License

Update all non-major dependencies #65

Closed renovate[bot] closed 8 months ago

renovate[bot] commented 10 months ago


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| node | | minor | 20.5.1 -> 20.8.1 |
| pnpm (source) | packageManager | minor | 8.7.0 -> 8.9.2 |

Release Notes

nodejs/node (node)

### [`v20.8.1`](https://togithub.com/nodejs/node/releases/tag/v20.8.1): 2023-10-13, Version 20.8.1 (Current), @RafaelGSS

[Compare Source](https://togithub.com/nodejs/node/compare/v20.5.1...v20.8.1)

This is a security release.

##### Notable Changes

The following CVEs are fixed in this release:

- [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
- [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
- [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
- [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
- [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium)
- [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

##### Commits

- \[[`c86883e844`](https://togithub.com/nodejs/node/commit/c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#50121](https://togithub.com/nodejs/node/pull/50121)
- \[[`2860631359`](https://togithub.com/nodejs/node/commit/2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#50153](https://togithub.com/nodejs/node/pull/50153)
- \[[`cd37838bf8`](https://togithub.com/nodejs/node/commit/cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#50047](https://togithub.com/nodejs/node/pull/50047)
- \[[`f5c90b2951`](https://togithub.com/nodejs/node/commit/f5c90b2951)] - **module**: fix code injection through export names (Tobias Nießen) [nodejs-private/node-private#461](https://togithub.com/nodejs-private/node-private/pull/461)
- \[[`fa5dae1944`](https://togithub.com/nodejs/node/commit/fa5dae1944)] - **permission**: fix Uint8Array path traversal (Tobias Nießen) [nodejs-private/node-private#456](https://togithub.com/nodejs-private/node-private/pull/456)
- \[[`cd35275111`](https://togithub.com/nodejs/node/commit/cd35275111)] - **permission**: improve path traversal protection (Tobias Nießen) [nodejs-private/node-private#456](https://togithub.com/nodejs-private/node-private/pull/456)
- \[[`a4cb7fc7c0`](https://togithub.com/nodejs/node/commit/a4cb7fc7c0)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://togithub.com/nodejs-private/node-private/pull/462)

pnpm/pnpm (pnpm)

### [`v8.9.2`](https://togithub.com/pnpm/pnpm/releases/tag/v8.9.2)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.9.1...v8.9.2)

#### Patch Changes

- Don't use reflink on Windows [#7186](https://togithub.com/pnpm/pnpm/issues/7186).
- Do not run node-gyp rebuild if `preinstall` lifecycle script is present [#7206](https://togithub.com/pnpm/pnpm/pull/7206).

### [`v8.9.1`](https://togithub.com/pnpm/pnpm/releases/tag/v8.9.1)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.9.0...v8.9.1)

#### Patch Changes

- Optimize selection result output of `pnpm update --interactive` [7109](https://togithub.com/pnpm/pnpm/issues/7109)
- When `shared-workspace-lockfile` is set to `false`, read the pnpm settings from `package.json` files that are nested. This was broken in pnpm v8.9.0 [#7184](https://togithub.com/pnpm/pnpm/issues/7184).
- Fix file cloning to `node_modules` on Windows Dev Drives [#7186](https://togithub.com/pnpm/pnpm/issues/7186). This is a fix to a regression that was shipped with v8.9.0.
- `pnpm dlx` should ignore any settings that are in a `package.json` file found in the current working directory [#7198](https://togithub.com/pnpm/pnpm/issues/7198).

### [`v8.9.0`](https://togithub.com/pnpm/pnpm/releases/tag/v8.9.0)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.8.0...v8.9.0)

#### Minor Changes

- **🚀Performance improvement:** Use reflinks instead of hard links by default on macOS and Windows Dev Drives [#5001](https://togithub.com/pnpm/pnpm/issues/5001).
- The list of packages that are allowed to run installation scripts now may be provided in a separate configuration file. The path to the file should be specified via the `pnpm.onlyBuiltDependenciesFile` field in `package.json`. For instance:

  ```json
  {
    "dependencies": {
      "@my-org/policy": "1.0.0"
    },
    "pnpm": {
      "onlyBuiltDependenciesFile": "node_modules/@my-org/policy/allow-build.json"
    }
  }
  ```

  In the example above, the list is loaded from a dependency. The JSON file with the list should contain an array of package names. For instance:

  ```json
  ["esbuild", "@reflink/reflink"]
  ```

  With the above list, only `esbuild` and `@reflink/reflink` will be allowed to run scripts during installation.

  Related issue: [#7137](https://togithub.com/pnpm/pnpm/issues/7137).
- Add `disallow-workspace-cycles` option to error instead of warn about cyclic dependencies
- Allow `env rm` to remove multiple node versions at once, and introduce `env add` for installing node versions without setting as default [#7155](https://togithub.com/pnpm/pnpm/pull/7155).

#### Patch Changes

- Fix memory error in `pnpm why` when the dependencies tree is too big, the command will now prune the tree to just 10 end leafs and now supports `--depth` argument [#7122](https://togithub.com/pnpm/pnpm/pull/7122).
- Use `neverBuiltDependencies` and `onlyBuiltDependencies` from the root `package.json` of the workspace, when `shared-workspace-lockfile` is set to `false` [#7141](https://togithub.com/pnpm/pnpm/pull/7141).
- Optimize peers resolution to avoid out-of-memory exceptions in some rare cases, when there are too many circular dependencies and peer dependencies [#7149](https://togithub.com/pnpm/pnpm/pull/7149).
- Instead of `pnpm.overrides` replacing `resolutions`, the two are now merged. This is intended to make it easier to migrate from Yarn by allowing one to keep using `resolutions` for Yarn, but adding additional changes just for pnpm using `pnpm.overrides`.

### [`v8.8.0`](https://togithub.com/pnpm/pnpm/releases/tag/v8.8.0)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.6...v8.8.0)

#### Minor Changes

- Add `--reporter-hide-prefix` option for `run` command to hide project name as prefix for lifecycle log outputs of running scripts [#7061](https://togithub.com/pnpm/pnpm/issues/7061).

#### Patch Changes

- Pass through the `--ignore-scripts` command to install, when running `pnpm dedupe --ignore-scripts` [#7102](https://togithub.com/pnpm/pnpm/issues/7102).
- Throw meaningful error for config sub commands [#7106](https://togithub.com/pnpm/pnpm/issues/7106).
- When the `node-linker` is set to `hoisted`, the `package.json` files of the existing dependencies inside `node_modules` will be checked to verify their actual versions. The data in the `node_modules/.modules.yaml` and `node_modules/.pnpm/lock.yaml` may not be fully reliable, as an installation may fail after changes to dependencies were made but before those state files were updated [#7107](https://togithub.com/pnpm/pnpm/pull/7107).
- Don't update git-hosted dependencies when adding an unrelated dependency [#7008](https://togithub.com/pnpm/pnpm/issues/7008).

### [`v8.7.6`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.6)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.5...v8.7.6)

#### Patch Changes

- Don't run the `prepublishOnly` scripts of git-hosted dependencies [#7026](https://togithub.com/pnpm/pnpm/issues/7026).
- Fix a bug in which `use-node-version` or `node-version` isn't passed down to `checkEngine` when using pnpm workspace, resulting in an error [#6981](https://togithub.com/pnpm/pnpm/issues/6981).
- Don't print out each deprecated subdependency separately with its deprecation message. Just print out a summary of all the deprecated subdependencies [#6707](https://togithub.com/pnpm/pnpm/issues/6707).
- Fixed an ENOENT error that was sometimes happening during install with "hoisted" `node_modules` [#6756](https://togithub.com/pnpm/pnpm/issues/6756).

### [`v8.7.5`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.5)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.4...v8.7.5)

#### Patch Changes

- Improve performance of installation by using a worker for creating the symlinks inside `node_modules/.pnpm` [#7069](https://togithub.com/pnpm/pnpm/pull/7069).
- Tarballs that have hard links are now unpacked successfully. This fixes a regression introduced in v8.7.0, which was shipped with our new in-house tarball parser [#7062](https://togithub.com/pnpm/pnpm/pull/7062).

### [`v8.7.4`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.4)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.3...v8.7.4)

#### Patch Changes

- Fix a bug causing the pnpm server to hang if a tarball worker was requested while another worker was exiting [#7041](https://togithub.com/pnpm/pnpm/pull/7041).
- Fixes a regression published with pnpm v8.7.3. Don't hang while reading `package.json` from the content-addressable store [#7051](https://togithub.com/pnpm/pnpm/pull/7051).
- Allow create scoped package with preferred version. [#7053](https://togithub.com/pnpm/pnpm/issues/7053)
- Reverting a change shipped in v8.7 that caused issues with the `pnpm deploy` command and "injected dependencies" [#6943](https://togithub.com/pnpm/pnpm/pull/6943).

### [`v8.7.3`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.3)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.2...v8.7.3)

#### Patch Changes

- Fix a bug causing errors to be printed as "Cannot read properties of undefined (reading 'code')" instead of the underlying reason when using the pnpm store server [#7032](https://togithub.com/pnpm/pnpm/pull/7032)

### [`v8.7.2`](https://togithub.com/pnpm/pnpm/compare/v8.7.1...v8.7.2)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.1...v8.7.2)

### [`v8.7.1`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.1)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.7.0...v8.7.1)

#### Patch Changes

- Fixed an issue with extracting some old versions of tarballs [#6991](https://togithub.com/pnpm/pnpm/issues/6991).
- Side-effects cache will now be leveraged when running install in a workspace that uses dedicated lockfiles for each project [#6890](https://togithub.com/pnpm/pnpm/issues/6890).
- Reduce concurrency in the `pnpm -r publish` command [#6968](https://togithub.com/pnpm/pnpm/issues/6968).
- Improved the `pnpm update --interactive` output by grouping dependencies by type. Additionally, a new column has been added with links to the documentation for outdated packages [#6978](https://togithub.com/pnpm/pnpm/pull/6978).

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate. View repository job log here.

changeset-bot[bot] commented 10 months ago

⚠️ No Changeset found

Latest commit: 6f9de438facdc3eb2239ed9f5d4b3f889629919b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR