chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.8 #2123
dependabot[bot] wants to merge 1 commit into
Conversation
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/server
@modelcontextprotocol/server-legacy
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
commit:
LGTM — mechanical SHA-pinned Dependabot bump of pnpm/action-setup v5.0.0 → v6.0.8 across all workflows; the repo's packageManager pin (pnpm@10.26.1) means the action's default-version change in v6 has no effect here.
Extended reasoning...
Overview
Dependabot PR replacing the pinned commit for pnpm/action-setup (v5.0.0 → v6.0.8) in all six .github/workflows/*.yml files. The change is a straight find-and-replace of the action SHA + version comment; no other workflow logic, inputs, or steps are altered. All sites keep run_install: false and rely on actions/setup-node for caching.
Security risks
The bump touches publish.yml and release.yml, which run with id-token: write for npm OIDC trusted publishing — so a malicious or compromised action update would be supply-chain relevant. Mitigations: the action remains SHA-pinned (0e279bb…), pnpm/action-setup is the official pnpm-org action, and the diff makes no permission or token changes. No new secrets or scopes are introduced.
Level of scrutiny
This is a CI dependency bump, not SDK code. The main behavioral concern with v5 → v6 is that v6 changed the default pnpm version (now pnpm 11) and introduced a self-update bootstrap. Neither matters here: package.json pins "packageManager": "pnpm@10.26.1", which the action honors (and v6.0.7+ specifically fixed self-update to the packageManager-pinned version). The release.yml comment about pnpm@10 delegating pnpm publish to the npm CLI remains accurate since the pinned pnpm version is unchanged.
Other factors
No bugs found by the bug-hunting system. CI itself (main.yml, conformance.yml) will exercise the new action version on this very PR, so any installation regression surfaces before merge. No changeset is needed for workflow-only changes (changeset-bot warning is expected). This fits squarely in the approvable mechanical-version-bump category.
8c9ff6e to fd4a71a
LGTM — routine Dependabot bump of pnpm/action-setup with intact SHA pins; pnpm version is still governed by the packageManager field in package.json.
Extended reasoning...
Overview
This PR is an automated Dependabot bump of pnpm/action-setup from v5.0.0 to v6.0.8 across six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every change is the identical mechanical replacement: updating the SHA pin from fc06bc1... to 0e279bb... and the version comment from # v5.0.0 to # v6.0.8.
Security risks
None introduced. The action remains SHA-pinned (not floated to a tag), and the new SHA corresponds to the v6.0.8 release per Dependabot's compare link. The repo's package.json pins packageManager: pnpm@10.26.1, so the actual pnpm version installed in CI is governed by that field rather than the action's bundled default — the v6 line specifically improved packageManager-pin honoring (pnpm/action-setup#233, #256), so the bootstrap change should be transparent here. The OIDC-publish guard in release.yml (forcing npm@11.5.1) is unchanged and unrelated to this action's behavior.
Level of scrutiny
Low. This is a CI-only change with no production code touched. The PR-triggered workflows (main.yml, conformance.yml, publish.yml pkg-pr-new) exercise the new action revision directly on this PR; the only paths not exercised pre-merge are release.yml/deploy-docs.yml, but those use the same install step pattern as the validated jobs.
Other factors
No bugs were found by the bug-hunting system. The PR has the dependencies and github_actions labels and a standard Dependabot description with full changelog. There are no outstanding reviewer comments.
fd4a71a to c0d3a8f
LGTM — routine Dependabot bump of pnpm/action-setup to v6.0.8, SHA-pinned and applied consistently across all workflows.
Extended reasoning...
Overview
This PR is a Dependabot update bumping pnpm/action-setup from v5.0.0 to v6.0.8 in six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every usage is updated identically, the action remains pinned to a full commit SHA (0e279bb…, the v6.0.8 head commit per the upstream release), and the version comment matches the SHA. No workflow inputs change — all sites keep run_install: false and the existing actions/setup-node + pnpm cache setup.
Security risks
Minimal. The action stays SHA-pinned (no floating tag), preserving the repo's supply-chain hygiene. No new permissions, secrets, or tokens are introduced, and no workflow trigger or permission blocks change. The pnpm version actually installed is still governed by the packageManager: pnpm@10.26.1 field in package.json, which action-setup honors, so the v6 default-pnpm change does not alter the toolchain used in CI or the OIDC publish path in release.yml.
Level of scrutiny
Low — this is a mechanical CI dependency bump with no source-code changes, no public API impact, and no changeset needed (workflows aren't published packages). Per the repo's recurring-catches guidance, claims about third-party action behavior were checked against the upstream release notes in the PR description rather than asserted; nothing in the v5→v6 changelog affects how these workflows invoke the action (run_install: false, no version input).
Other factors
The build/test/conformance/publish-preview workflows run on this PR itself, so any incompatibility with the new action version would surface in CI before merge. The bug hunting system found no issues, and the only timeline activity is standard bot comments (changeset-bot, pkg-pr-new).
985ce45 to 9c1131b
LGTM — straightforward Dependabot bump of pnpm/action-setup to v6.0.8, SHA-pinned consistently across all six workflows.
Extended reasoning...
Overview
This PR is an automated Dependabot bump of pnpm/action-setup from v5.0.0 to v6.0.8 across all six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). Every occurrence is updated identically, the action remains pinned to a full commit SHA (0e279bb…), and the inline version comment matches the pinned commit (head of the v6.0.8 release). No workflow logic, permissions, or inputs are changed.
Security risks
The change touches CI/publish workflows, but only swaps the pinned SHA of the official pnpm/action-setup action — SHA pinning is preserved, and no token scopes, permissions blocks, or publish steps are modified. The pnpm version actually used is still controlled by the repo's packageManager: pnpm@10.26.1 field in package.json, which the action honors when no version input is given, so the publish path's pnpm@10 → npm CLI OIDC behavior (documented in release.yml) is unaffected. v6's release notes are bug fixes around bootstrap/self-update and Windows standalone, none of which apply to these Linux runners with a pinned packageManager.
Level of scrutiny
This is a mechanical, workflow-only dependency bump with no source code changes and no behavior change for the SDK itself. Per the repo's CI review conventions, claims about action behavior were checked against the action's release notes rather than assumed. The main thing worth verifying — whether the major-version bump changes which pnpm gets installed — is settled by the packageManager pin.
Other factors
No changeset is needed (workflow-only change), and CI on this PR exercises the bumped action directly across build, test, conformance, and pkg-pr-new publish jobs, so any incompatibility would surface immediately in the PR's own checks.
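The reviews above check three things by hand: that every `uses:` reference is a full commit SHA rather than a floating tag, that the SHA carries a version comment Dependabot can track, and that pnpm's version is governed by the `packageManager` field in package.json. The following is an added example (not code from this repository, from Dependabot, or from pnpm/action-setup) that automates those checks over constructed workflow and package.json text; the 40-hex SHA in the sample is a placeholder, not the real v6.0.8 commit.

```python
import json
import re

# Constructed sample workflow (not one of the repo's real .github/workflows files).
# The SHA is a placeholder value, not an actual pnpm/action-setup commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v6.0.8
        with:
          run_install: false
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

# Constructed package.json with the same packageManager pin the reviews rely on.
SAMPLE_PACKAGE_JSON = '{"name": "demo", "packageManager": "pnpm@10.26.1"}'

# Matches `uses: owner/repo@ref` and an optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)(?:\s*#\s*(v?\d[\w.\-]*))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return one (action, ref, status) tuple per `uses:` line in the workflow."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if not SHA_RE.match(ref):
            status = "floating-ref"            # a tag or branch can be moved later
        elif comment is None:
            status = "sha-no-version-comment"  # pinned, but Dependabot cannot track it
        else:
            status = "ok"                      # SHA-pinned with a version comment
        findings.append((action, ref, status))
    return findings


def pinned_pnpm(package_json_text):
    """Return the pnpm version fixed by packageManager, or None if not pinned."""
    pm = json.loads(package_json_text).get("packageManager", "")
    name, _, version = pm.partition("@")
    return version if name == "pnpm" and version else None


if __name__ == "__main__":
    for finding in audit_uses(SAMPLE_WORKFLOW):
        print(finding)
    print("packageManager pins pnpm:", pinned_pnpm(SAMPLE_PACKAGE_JSON))
```

Run against real files by reading each `.github/workflows/*.yml` and package.json instead of the constructed samples; any `floating-ref` finding is the case the reviews call out as losing supply-chain hygiene.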
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.8.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@fc06bc1...0e279bb)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
9c1131b to f11972e
Bumps pnpm/action-setup from 5.0.0 to 6.0.8.
Release notes
Sourced from pnpm/action-setup's releases.
... (truncated)
Commits
- 0e279bb fix: update pnpm to 11.1.1 (#248)
- 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
- 551b42e docs(README): fix cache_dependency_path type (#257)
- 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
- f61705d chore: add CODEOWNERS
- 7a5507b fix: restore inputs from state in post (#255)
- 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
- 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
- e578e19 fix: update pnpm to 11.0.4
- 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)