pnpm lockfile update issues

[wyardley]

We have a pretty vanilla repo with a single package.json, and a single pnpm-lock.yaml (no package-lock.json). Dependabot makes a branch like dependabot/npm_and_yarn/vite-6.3.4 with a lockfile-only update which it claims is bumping vite to the latest version:

One other clue might be the npm_and_yarn in the branch name? I'm not sure if it should use a different branch name when pnpm is the package manager, but from what I can read, it's supposed to be supported now.

The package is using pnpm 9.

Here's the full diff of the original PR dependabot created:

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3cb5713363f..b17cb96ae84 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2548,6 +2548,7 @@ packages:
 
   '@ls-lint/[email protected]':
     resolution: {integrity: sha512-lsT5/7SxtImOIjpefC9wcoXt2lkikKhCjd6U+Q9Z6X5h2HBU/71ggt+XStdodZ0HkJGO333zDUeec7JROMCPFw==}
+    cpu: [x64, arm64, s390x, ppc64le]
     os: [darwin, linux, win32]
     hasBin: true
 
@@ -3226,6 +3227,7 @@ packages:
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-N56fTrAPUDz/R423pag+n6TXWbvlBZDtTehaGFjK0InmN+V2OFWLE/WmORhmn6Ce7dlwH5+tQN1LJFw3ngTJVg==}
+    deprecated: Package is deprecated and will be deleted soon. Use @ver0/deep-equal instead.
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-DcIM6JiZklDyHF6CRD1FTXzuggAkQ+3Ncq2Wln7Kdih8GV6ZIeN9JfS6ZaQxpQUxan8/4n0J2V/R7nMeiSrb2Q==}
@@ -8494,6 +8496,7 @@ packages:
   [email protected]:
     resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
     engines: {node: '>=10.5.0'}
+    deprecated: Use your platform's native DOMException instead
 
   [email protected]:
     resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}

If I run pnpm update vite, the expected lockfile updates get made. If it matters, this is an indirect, vs. direct, dependency.

We are seeing similar issues with other packages.
The lockfile has the following:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

[robaiken]

Hi @wyardley, I believe we have fixed the underlining issue: #12369. Can you please confirm that this issue has been resolved for you on your end.

[wyardley]

Not sure - I see one that says it's trying to update tar-fs from 2.1.2 to 2.1.3, and I get this diff, which doesn't seem right?

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index de8445a6ac0..8e895e1d302 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2544,6 +2544,7 @@ packages:
 
   '@ls-lint/[email protected]':
     resolution: {integrity: sha512-lsT5/7SxtImOIjpefC9wcoXt2lkikKhCjd6U+Q9Z6X5h2HBU/71ggt+XStdodZ0HkJGO333zDUeec7JROMCPFw==}
+    cpu: [x64, arm64, s390x, ppc64le]
     os: [darwin, linux, win32]
     hasBin: true
 
@@ -3222,6 +3223,7 @@ packages:
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-N56fTrAPUDz/R423pag+n6TXWbvlBZDtTehaGFjK0InmN+V2OFWLE/WmORhmn6Ce7dlwH5+tQN1LJFw3ngTJVg==}
+    deprecated: Package is deprecated and will be deleted soon. Use @ver0/deep-equal instead.
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-DcIM6JiZklDyHF6CRD1FTXzuggAkQ+3Ncq2Wln7Kdih8GV6ZIeN9JfS6ZaQxpQUxan8/4n0J2V/R7nMeiSrb2Q==}
@@ -8466,6 +8468,7 @@ packages:
   [email protected]:
     resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
     engines: {node: '>=10.5.0'}
+    deprecated: Use your platform's native DOMException instead
 
   [email protected]:
     resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
@@ -10339,6 +10342,7 @@ packages:
 
   [email protected]:
     resolution: {integrity: sha512-0h7Cvo8trUcv6sZPyA+iNHsFEwIhN4FhXtYqgndHQNYub+dTDW8ZCQURBNDNa0PvJ8Xg2wqG1V/5WSwV0l6yOw==}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     hasBin: true
 
   [email protected]:

[wyardley]

side note: our pnpm version in the package.json is set to 9.15.4, so I don't think the linked issue would be related if it relates to specific 10.x versions?