chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9#2301
chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9#2301dependabot[bot] wants to merge 1 commit into
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
|
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/core
@modelcontextprotocol/server
@modelcontextprotocol/server-legacy
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
commit: |
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
528ddf2 to
dd5c6bd
Compare
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — mechanical Dependabot bump of pnpm/action-setup to v6.0.9, SHA-pinned consistently across all six workflows.
Extended reasoning...
Overview
This Dependabot PR bumps pnpm/action-setup from v5.0.0 to v6.0.9 in all six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically, SHA-pinned (0ebf471...) with a matching version comment, following the repo's existing pinning convention. No workflow inputs, permissions, or other steps change.
Security risks
Minimal. The action remains SHA-pinned (not a floating tag), and the pinned commit matches the v6.0.9 release per the Dependabot-generated commit list. No new permissions or secrets exposure are introduced; the change touches only the pnpm installation step.
Level of scrutiny
Low — this is CI tooling, not SDK code, and the change is purely mechanical. The main compatibility question for a v5→v6 major bump is which pnpm version gets installed: the workflows pass no version input, and the repo's package.json pins packageManager: pnpm@10.26.1, which the action resolves from (v6 explicitly added a fix to bootstrap to the packageManager-pinned version), so the bundled-pnpm bump to 11.x in v6 does not change the pnpm actually used. The existing OIDC/npm note in release.yml therefore also remains accurate.
Other factors
The bug-hunting system found no issues, and the pkg-pr-new bot comment shows the publish workflow already ran successfully on this PR's commit using the new action version (install + build:all + preview publish), which is direct evidence the bump works in this repo's CI. The missing changeset is expected for workflow-only changes.
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.9. - [Release notes](https://github.com/pnpm/action-setup/releases) - [Commits](pnpm/action-setup@fc06bc1...0ebf471) --- updated-dependencies: - dependency-name: pnpm/action-setup dependency-version: 6.0.9 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
dd5c6bd to
a6b482e
Compare
There was a problem hiding this comment.
LGTM — routine Dependabot bump of pnpm/action-setup to v6.0.9, SHA-pinned consistently across all workflows; the pnpm version itself stays controlled by the packageManager pin in package.json.
Extended reasoning...
Overview
This PR is a Dependabot bump of pnpm/action-setup from v5.0.0 to v6.0.9 across all seven workflow files (conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically and pinned to commit SHA 0ebf471..., which matches the v6.0.9 release referenced in the Dependabot description, with the version comment updated accordingly.
Security risks
Workflow changes are nominally security-relevant (the bumped action runs in publish/release jobs with OIDC and write permissions), but the action remains SHA-pinned, the SHA corresponds to the official v6.0.9 release of the upstream pnpm/action-setup repository, and no inputs, permissions, or secrets handling are changed. No new injection or token-exposure surface is introduced.
Level of scrutiny
Low. This is a mechanical, Dependabot-generated version bump following the repo's existing SHA-pinning convention. The major version change (v5 → v6) does not affect the pnpm version actually used: the action resolves pnpm from the packageManager field (pnpm@10.26.1 in package.json), and all usages set run_install: false, so build/publish behavior (including the npm-CLI-delegated OIDC publish path noted in release.yml) is unchanged. The v6 changes are bootstrap/self-update fixes that are compatible with this setup.
Other factors
The bug-hunting system found no issues, CI on the PR exercises these same workflows directly, and no changeset is needed for CI-only changes. There are no outstanding human reviewer comments.
Bumps pnpm/action-setup from 5.0.0 to 6.0.9.
Release notes
Sourced from pnpm/action-setup's releases.
... (truncated)
Commits
0ebf471fix: update pnpm to v11.7.0 (#267)0e279bbfix: update pnpm to 11.1.1 (#248)3e83581fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)551b42edocs(README): fixcache_dependency_pathtype (#257)739bfe4fix: self-update bootstrap to packageManager-pinned version (#233) (#256)f61705dchore: add CODEOWNERS7a5507bfix: restore inputs from state in post (#255)1155470fix: honor devEngines.packageManager.onFail=error (#252) (#254)91ab88efix: bin_dest output points to self-updated pnpm, not bootstrap (#249)e578e19fix: update pnpm to 11.0.4