Bump the npm_and_yarn group across 2 directories with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: pnpm and next.
Bumps the npm_and_yarn group with 1 update in the /integ-tests/react directory: next.

Updates pnpm from 9.12.0 to 10.0.0

Release notes

Sourced from pnpm's releases.

pnpm 10

Major Changes

• Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:

  {
    "pnpm": {
      "onlyBuiltDependencies": ["fsevents"]
    }
  }

  Read pnpm 10.0.0 Blocks Lifecycle Scripts by Default to learn about the motivation of the change.

  If you want the old pre v10 behaviour, so you want to allow all dependencies to run postinstall scripts, then add this to your package.json:

  {
    "pnpm": {
      "neverBuiltDependencies": []
    }
  }

• pnpm link behavior updated:

  The pnpm link command now adds overrides to the root package.json.

  • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
  • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653

• Secure hashing with SHA256:

  Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

  • Long paths inside node_modules/.pnpm are now hashed with SHA256.
  • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
  • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
  • The side effects cache keys now use SHA256.
  • The pnpmfile checksum in the lockfile now uses SHA256 (#8530).

• Configuration updates:

  • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

  • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

  • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.0.0

Major Changes

• Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:

  {
    "pnpm": {
      "onlyBuiltDependencies": ["fsevents"]
    }
  }

• pnpm link behavior updated:

  The pnpm link command now adds overrides to the root package.json.

  • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
  • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653

• Secure hashing with SHA256:

  Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

  • Long paths inside node_modules/.pnpm are now hashed with SHA256.
  • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
  • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
  • The side effects cache keys now use SHA256.
  • The pnpmfile checksum in the lockfile now uses SHA256 (#8530).

• Configuration updates:

  • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

  • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

  • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

  • virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

  • Reduced environment variables for scripts: During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain. Related Issue: #8552

  • All dependencies are now installed even if NODE_ENV=production. Related Issue: #8827

• Changes to the global store:

  • Store version bumped to v10.

... (truncated)

Commits

• 42ecf04 chore(release): 10.0.0
• c0c63ef docs: update years
• dde650b fix: ensure that recursive pnpm update --latest \<pkg> updates only the spec...
• c5080de chore(release): 10.0.0-rc.3
• cc3bbc9 fix: don't load side-effects cache for packages that are not allowed to be bu...
• 12aebe2 docs: README add Bluesky link (#8937)
• 9591a18 feat: configurational dependencies (#8915)
• 52204d5 chore: pd should not switch to another version of pnpm (#8930)
• c7eefdd fix: pnpm update --filter --latest should only change relevant packages and...
• e103abe chore(release): 10.0.0-rc.2
• Additional commits viewable in compare view

Updates next from 15.2.3 to 15.2.4

Commits

• 804aa35 v15.2.4
• ecb72ee Match subrequest handling for edge and node (#77474)
• 25f810b exclude images and static media from dev origin check (#77417)
• d9bcb83 ensure /__next middleware URLs are included in the origin check (#77416)
• cfeaa86 remove direct ip/port bypass in dev origin check (#77414)
• f847302 switch development origin verification to be opt-in rather than opt-out (#77395)
• See full diff in compare view

Updates next from 15.2.3 to 15.2.4

Commits

• 804aa35 v15.2.4
• ecb72ee Match subrequest handling for edge and node (#77474)
• 25f810b exclude images and static media from dev origin check (#77417)
• d9bcb83 ensure /__next middleware URLs are included in the origin check (#77416)
• cfeaa86 remove direct ip/port bypass in dev origin check (#77414)
• f847302 switch development origin verification to be opt-in rather than opt-out (#77395)
• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Important

Update pnpm to 10.0.0 and next to 15.2.4 across multiple directories.

• Dependencies:
  • Update pnpm from 9.12.0 to 10.0.0 in package.json.
  • Update next from 15.2.3 to 15.2.4 in integ-tests/react/package.json, typescript/apps/fiddle-web-app/package.json, typescript/packages/nextjs-plugin/package.json, and typescript/packages/ui/package.json.
• Behavior:
  • pnpm 10.0.0 introduces breaking changes such as not executing lifecycle scripts by default and updates to pnpm link behavior.
  • next 15.2.4 includes minor bug fixes and improvements.

^{This description was created by for 35a9311. You can customize this summary. It will automatically update as commits are pushed.}

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
baml	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 7, 2025 8:25am
promptfiddle	🛑 Canceled (Inspect)			Aug 7, 2025 8:25am

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 35a9311 in 2 minutes and 22 seconds. Click for details.

• Reviewed 65 lines of code in 5 files
• Skipped 1 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. package.json:45

• Draft comment:
  The 'packageManager' field still specifies [email protected] while the pnpm dependency has been bumped to 10.0.0. Update 'packageManager' to avoid version inconsistencies.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

2. typescript/apps/fiddle-web-app/package.json:28

• Draft comment:
  The 'next' version has been changed from 15.3.4 to 15.2.4, effectively downgrading it. Confirm if this downgrade is intentional.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 0% vs. threshold = 50% According to the rules, we should NOT comment on dependency changes or library versions. The rules explicitly state "Do NOT comment on dependency changes, library versions that you don't recognize, or anything else related to dependencies." Additionally, the comment asks for confirmation of intention, which is also explicitly forbidden by the rules. The version downgrade could potentially cause compatibility issues or bugs that might affect the application's functionality. While version changes can be important, our rules clearly state that dependency changes are out of scope for these reviews. We must trust that the author has properly tested the change. This comment should be removed as it violates two rules: commenting on dependency changes and asking for confirmation of intention.

3. typescript/packages/nextjs-plugin/package.json:40

• Draft comment:
  The 'next' dependency here was downgraded from 15.3.3 to 15.2.4. Please verify if this change is correct.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is asking the PR author to verify a change in the version of a dependency. According to the rules, comments should not ask the author to confirm or verify changes related to dependencies. Therefore, this comment should be removed.

4. typescript/packages/ui/package.json:49

• Draft comment:
  The 'next' dependency has been downgraded from 15.3.3 to 15.2.4. Verify whether this is intended or if it should remain at a higher version.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is about a dependency change, specifically a downgrade of the 'next' dependency. The rules specify not to comment on pure dependency changes or library versions that are not recognized. This comment is asking for verification of intention, which is not allowed.

Workflow ID: wflow_DfYoOhzJrDVZkvio

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.