chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9#2301
chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9#2301dependabot[bot] wants to merge 1 commit into
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
|
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/core
@modelcontextprotocol/server
@modelcontextprotocol/server-legacy
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
commit: |
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
528ddf2 to
dd5c6bd
Compare
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — mechanical Dependabot bump of pnpm/action-setup to v6.0.9, SHA-pinned consistently across all six workflows.
Extended reasoning...
Overview
This Dependabot PR bumps pnpm/action-setup from v5.0.0 to v6.0.9 in all six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically, SHA-pinned (0ebf471...) with a matching version comment, following the repo's existing pinning convention. No workflow inputs, permissions, or other steps change.
Security risks
Minimal. The action remains SHA-pinned (not a floating tag), and the pinned commit matches the v6.0.9 release per the Dependabot-generated commit list. No new permissions or secrets exposure are introduced; the change touches only the pnpm installation step.
Level of scrutiny
Low — this is CI tooling, not SDK code, and the change is purely mechanical. The main compatibility question for a v5→v6 major bump is which pnpm version gets installed: the workflows pass no version input, and the repo's package.json pins packageManager: pnpm@10.26.1, which the action resolves from (v6 explicitly added a fix to bootstrap to the packageManager-pinned version), so the bundled-pnpm bump to 11.x in v6 does not change the pnpm actually used. The existing OIDC/npm note in release.yml therefore also remains accurate.
Other factors
The bug-hunting system found no issues, and the pkg-pr-new bot comment shows the publish workflow already ran successfully on this PR's commit using the new action version (install + build:all + preview publish), which is direct evidence the bump works in this repo's CI. The missing changeset is expected for workflow-only changes.
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
dd5c6bd to
a6b482e
Compare
There was a problem hiding this comment.
LGTM — routine Dependabot bump of pnpm/action-setup to v6.0.9, SHA-pinned consistently across all workflows; the pnpm version itself stays controlled by the packageManager pin in package.json.
Extended reasoning...
Overview
This PR is a Dependabot bump of pnpm/action-setup from v5.0.0 to v6.0.9 across all seven workflow files (conformance.yml, deploy-docs.yml, examples.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically and pinned to commit SHA 0ebf471..., which matches the v6.0.9 release referenced in the Dependabot description, with the version comment updated accordingly.
Security risks
Workflow changes are nominally security-relevant (the bumped action runs in publish/release jobs with OIDC and write permissions), but the action remains SHA-pinned, the SHA corresponds to the official v6.0.9 release of the upstream pnpm/action-setup repository, and no inputs, permissions, or secrets handling are changed. No new injection or token-exposure surface is introduced.
Level of scrutiny
Low. This is a mechanical, Dependabot-generated version bump following the repo's existing SHA-pinning convention. The major version change (v5 → v6) does not affect the pnpm version actually used: the action resolves pnpm from the packageManager field (pnpm@10.26.1 in package.json), and all usages set run_install: false, so build/publish behavior (including the npm-CLI-delegated OIDC publish path noted in release.yml) is unchanged. The v6 changes are bootstrap/self-update fixes that are compatible with this setup.
Other factors
The bug-hunting system found no issues, CI on the PR exercises these same workflows directly, and no changeset is needed for CI-only changes. There are no outstanding human reviewer comments.
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
a6b482e to
8c4d009
Compare
There was a problem hiding this comment.
LGTM — mechanical Dependabot bump of pnpm/action-setup to v6.0.9, hash-pinned consistently across all workflows.
Extended reasoning...
Overview
This PR updates the pnpm/action-setup action from v5.0.0 to v6.0.9 across all seven workflow files (conformance, deploy-docs, examples, main, publish, release, update-spec-types). The change is purely mechanical: the same SHA-pinned uses: line is replaced everywhere, and the pinned commit 0ebf4713… matches the v6.0.9 commit listed in the upstream release notes, so the version comment is accurate. No inputs to the action change (run_install: false is preserved everywhere).
Security risks
Low. The action remains pinned to a full commit SHA from the official pnpm org, which is the repo's existing supply-chain hygiene pattern. The repo pins packageManager: pnpm@10.26.1 in package.json, so the actual pnpm version used by CI is determined by that field, not by the action's bundled default — the v6 line's bundled-pnpm bumps don't change the toolchain CI runs. The publish/release workflows are touched, but only the setup-action version changes; publish credentials, OIDC config, and the ci:publish flow are untouched.
Level of scrutiny
This is CI configuration, not SDK code, and the PR's correctness is directly exercised by the very workflows it modifies — any incompatibility with the v6 action would surface as a red check on this PR. Per the repo's CI guidance, I verified the claimed version against the upstream commit list rather than asserting behavior from memory.
Other factors
No bugs were found by the bug hunting system, there are no human review comments outstanding, and a changeset is correctly absent since no published package changes. This is the kind of routine, hash-pinned Dependabot bump that doesn't need human attention beyond green CI.
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.9. - [Release notes](https://github.com/pnpm/action-setup/releases) - [Commits](pnpm/action-setup@fc06bc1...0ebf471) --- updated-dependencies: - dependency-name: pnpm/action-setup dependency-version: 6.0.9 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/pnpm/action-setup-6.0.9
branch
from
8c4d009 to
99be887
Compare
There was a problem hiding this comment.
LGTM — mechanical, SHA-pinned dependabot bump of pnpm/action-setup applied uniformly across workflows.
Extended reasoning...
Overview
This PR is a Dependabot bump of pnpm/action-setup from v5.0.0 to v6.0.9, applied identically (same SHA pin, same # v6.0.9 comment) across all seven workflow files. No inputs were changed — every callsite keeps run_install: false, and the workflows continue to resolve the actual pnpm version from the repo's packageManager: pnpm@10.26.1 field in package.json, so the action's new bundled default (pnpm 11) does not change the toolchain used in CI, including the release/publish path whose inline comment depends on pnpm@10 delegating pnpm publish to the npm CLI.
Security risks
The change touches workflows with elevated permissions (release.yml with id-token: write, update-spec-types.yml with contents/pull-requests: write), so action bumps here are nominally supply-chain-sensitive. However, the new ref is pinned to a full commit SHA rather than a floating tag, the upstream is the official pnpm org action, and the bump was generated by Dependabot — this is the standard, lowest-risk way to take such an update.
Level of scrutiny
CI configuration only; no SDK/library code, no public API, no protocol behavior. The appropriate scrutiny is verifying the bump is uniform, SHA-pinned, and doesn't silently change the pnpm version or action inputs — all of which check out. Per the repo's CI review convention, I did not speculate about third-party action breakage; the v5→v6 changes (version resolution from packageManager/devEngines, bundled default updates) are compatible with how these workflows invoke the action.
Other factors
The bug-hunting system found no issues, and the changeset bot's 'no changeset' note is expected for a CI-only change. CI itself will exercise the new action version on this PR, providing direct verification.
Bumps pnpm/action-setup from 5.0.0 to 6.0.9.
Release notes
Sourced from pnpm/action-setup's releases.
... (truncated)
Commits
0ebf471fix: update pnpm to v11.7.0 (#267)0e279bbfix: update pnpm to 11.1.1 (#248)3e83581fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)551b42edocs(README): fixcache_dependency_pathtype (#257)739bfe4fix: self-update bootstrap to packageManager-pinned version (#233) (#256)f61705dchore: add CODEOWNERS7a5507bfix: restore inputs from state in post (#255)1155470fix: honor devEngines.packageManager.onFail=error (#252) (#254)91ab88efix: bin_dest output points to self-updated pnpm, not bootstrap (#249)e578e19fix: update pnpm to 11.0.4