chore(deps): update dependency pnpm to v10 (#320)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
`9.15.5` -> `10.2.1` |
[![age](https://developer.mend.io/api/mc/badges/age/npm/pnpm/10.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pnpm/10.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pnpm/9.15.5/10.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pnpm/9.15.5/10.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>pnpm/pnpm (pnpm)</summary>

###
[`v10.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1021)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.2.0...v10.2.1)

##### Patch Changes

- Don't read a package from side-effects cache if it isn't allowed to be
built [#&#8203;9042](https://redirect.github.com/pnpm/pnpm/issues/9042).
- `pnpm approve-builds` should work, when executed from a subdirectory
of a workspace
[#&#8203;9042](https://redirect.github.com/pnpm/pnpm/issues/9042).
-   `pnpm deploy --legacy` should work without injected dependencies.
- Add information about how to deploy without "injected dependencies" to
the "pnpm deploy" error message.

###
[`v10.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1020)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.1.0...v10.2.0)

##### Minor Changes

- Packages executed via `pnpm dlx` and `pnpm create` are allowed to be
built (run postinstall scripts) by default.

If the packages executed by `dlx` or `create` have dependencies that
have to be built, they should be listed via the `--allow-build` flag.
For instance, if you want to run a package called `bundle` that has
`esbuild` in dependencies and want to allow `esbuild` to run postinstall
scripts, run:

        pnpm --allow-build=esbuild dlx bundle

Related PR:
[#&#8203;9026](https://redirect.github.com/pnpm/pnpm/pull/9026).

##### Patch Changes

- Quote args for scripts with shell-quote to support new lines (on POSIX
only) [#&#8203;8980](https://redirect.github.com/pnpm/pnpm/issues/8980).
- Fix a bug in which `pnpm deploy` fails to read the correct `projectId`
when the deploy source is the same as the workspace directory
[#&#8203;9001](https://redirect.github.com/pnpm/pnpm/issues/9001).
- Proxy settings should be respected, when resolving Git-hosted
dependencies
[#&#8203;6530](https://redirect.github.com/pnpm/pnpm/issues/6530).
- Prevent `overrides` from adding invalid version ranges to
`peerDependencies` by keeping the `peerDependencies` and overriding them
with prod `dependencies`
[#&#8203;8978](https://redirect.github.com/pnpm/pnpm/issues/8978).
- Sort the package names in the "pnpm.onlyBuiltDependencies" list saved
by `pnpm approve-builds`.

###
[`v10.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1010)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.0.0...v10.1.0)

##### Minor Changes

- Added a new command for printing the list of dependencies with ignored
build scripts: `pnpm ignored-builds`
[#&#8203;8963](https://redirect.github.com/pnpm/pnpm/pull/8963).
- Added a new command for approving dependencies for running scripts
during installation: `pnpm approve-builds`
[#&#8203;8963](https://redirect.github.com/pnpm/pnpm/pull/8963).
- Added a new setting called `optimistic-repeat-install`. When enabled,
a fast check will be performed before proceeding to installation. This
way a repeat install or an install on a project with everything
up-to-date becomes a lot faster. But some edge cases might arise, so we
keep it disabled by default for now
[#&#8203;8977](https://redirect.github.com/pnpm/pnpm/pull/8977).
- Added a new field "pnpm.ignoredBuiltDependencies" for explicitly
listing packages that should not be built. When a package is in the
list, pnpm will not print an info message about that package not being
built [#&#8203;8935](https://redirect.github.com/pnpm/pnpm/issues/8935).

##### Patch Changes

- Verify that the package name is valid when executing the publish
command.
- When running `pnpm install`, the `preprepare` and `postprepare`
scripts of the project should be executed
[#&#8203;8989](https://redirect.github.com/pnpm/pnpm/pull/8989).
- Allow `workspace:` and `catalog:` to be part of wider version range in
`peerDependencies`.
- `pnpm deploy` should inherit the `pnpm` object from the root
`package.json`
[#&#8203;8991](https://redirect.github.com/pnpm/pnpm/pull/8991).
- Make sure that the deletion of a `node_modules` in a sub-project of a
monorepo is detected as out-of-date
[#&#8203;8959](https://redirect.github.com/pnpm/pnpm/issues/8959).
- Fix infinite loop caused by lifecycle scripts using `pnpm` to execute
other scripts during `pnpm install` with
`verify-deps-before-run=install`
[#&#8203;8954](https://redirect.github.com/pnpm/pnpm/issues/8954).
- Replace `strip-ansi` with the built-in `util.stripVTControlCharacters`
[#&#8203;9009](https://redirect.github.com/pnpm/pnpm/pull/9009).
- Do not print patched dependencies as ignored dependencies that require
a build
[#&#8203;8952](https://redirect.github.com/pnpm/pnpm/issues/8952).

###
[`v10.0.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1000)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v9.15.5...v10.0.0)

##### Major Changes

- Lifecycle scripts of dependencies are not executed during installation
by default! This is a breaking change aimed at increasing security. In
order to allow lifecycle scripts of specific dependencies, they should
be listed in the `pnpm.onlyBuiltDependencies` field of `package.json`
[#&#8203;8897](https://redirect.github.com/pnpm/pnpm/pull/8897). For
example:

    ```json
    {
      "pnpm": {
        "onlyBuiltDependencies": ["fsevents"]
      }
    }
    ```

-   `pnpm link` behavior updated:

The `pnpm link` command now adds overrides to the root `package.json`.

- In a workspace: The override is added to the root of the workspace,
linking the dependency to all projects in the workspace.
- Global linking: To link a package globally, run `pnpm link` from the
package’s directory. Previously, you needed to use `pnpm link -g`.
Related PR:
[#&#8203;8653](https://redirect.github.com/pnpm/pnpm/pull/8653)

-   Secure hashing with SHA256:

Various hashing algorithms have been updated to SHA256 for enhanced
security and consistency:

- Long paths inside `node_modules/.pnpm` are now hashed with SHA256.
- Long peer dependency hashes in the lockfile now use SHA256 instead of
MD5. (This affects very few users since these are only used for long
keys.)
- The hash stored in the `packageExtensionsChecksum` field of
`pnpm-lock.yaml` is now SHA256.
    -   The side effects cache keys now use SHA256.
- The pnpmfile checksum in the lockfile now uses SHA256
([#&#8203;8530](https://redirect.github.com/pnpm/pnpm/pull/8530)).

-   Configuration updates:

- `manage-package-manager-versions`: enabled by default. pnpm now
manages its own version based on the `packageManager` field in
`package.json` by default.

- `public-hoist-pattern`: nothing is hoisted by default. Packages
containing `eslint` or `prettier` in their name are no longer hoisted to
the root of `node_modules`. Related Issue:
[#&#8203;8378](https://redirect.github.com/pnpm/pnpm/issues/8378)

- Upgraded `@yarnpkg/extensions` to v2.0.3. This may alter your
lockfile.

- `virtual-store-dir-max-length`: the default value on Windows has been
reduced to 60 characters.

    -   Reduced environment variables for scripts:
During script execution, fewer `npm_package_*` environment variables are
set. Only `name`, `version`, `bin`, `engines`, and `config` remain.
Related Issue:
[#&#8203;8552](https://redirect.github.com/pnpm/pnpm/issues/8552)

- All dependencies are now installed even if `NODE_ENV=production`.
Related Issue:
[#&#8203;8827](https://redirect.github.com/pnpm/pnpm/issues/8827)

-   Changes to the global store:

    -   Store version bumped to v10.

- Some registries allow identical content to be published under
different package names or versions. To accommodate this, index files in
the store are now stored using both the content hash and package
identifier.

        This approach ensures that we can:

1. Validate that the integrity in the lockfile corresponds to the
correct package, which might not be the case after a poorly resolved Git
conflict.
2. Allow the same content to be referenced by different packages or
different versions of the same package.
Related PR:
[#&#8203;8510](https://redirect.github.com/pnpm/pnpm/pull/8510)
Related Issue:
[#&#8203;8204](https://redirect.github.com/pnpm/pnpm/issues/8204)

- More efficient side effects indexing. The structure of index files in
the store has changed. Side effects are now tracked more efficiently by
listing only file differences rather than all files.
Related PR:
[#&#8203;8636](https://redirect.github.com/pnpm/pnpm/pull/8636)

- A new `index` directory stores package content mappings. Previously,
these files were in `files`.

-   Other breaking changes:
- The `#` character is now escaped in directory names within
`node_modules/.pnpm`.
Related PR:
[#&#8203;8557](https://redirect.github.com/pnpm/pnpm/pull/8557)
- Running `pnpm add --global pnpm` or `pnpm add --global
@&#8203;pnpm/exe` now fails with an error message, directing you to use
`pnpm self-update` instead.
Related PR:
[#&#8203;8728](https://redirect.github.com/pnpm/pnpm/pull/8728)
- Dependencies added via a URL now record the final resolved URL in the
lockfile, ensuring that any redirects are fully captured.
Related Issue:
[#&#8203;8833](https://redirect.github.com/pnpm/pnpm/issues/8833)
- The `pnpm deploy` command now only works in workspaces that have
`inject-workspace-packages=true`. This limitation is introduced to allow
us to create a proper lockfile for the deployed project using the
workspace lockfile.
- Removed conversion from lockfile v6 to v9. If you need v6-to-v9
conversion, use pnpm CLI v9.
- `pnpm test` now passes all parameters after the `test` keyword
directly to the underlying script. This matches the behavior of `pnpm
run test`. Previously you needed to use the `--` prefix.
Related PR:
[#&#8203;8619](https://redirect.github.com/pnpm/pnpm/pull/8619)

-   `node-gyp` updated to version 11.

- `pnpm deploy` now tries creating a dedicated lockfile from a shared
lockfile for deployment. It will fallback to deployment without a
lockfile if there is no shared lockfile or `force-legacy-deploy` is set
to `true`.

##### Minor Changes

- Added support for a new type of dependencies called "configurational
dependencies". These dependencies are installed before all the other
types of dependencies (before "dependencies", "devDependencies",
"optionalDependencies").

Configurational dependencies cannot have dependencies of their own or
lifecycle scripts. They should be added using exact version and the
integrity checksum. Example:

    ```json
    {
      "pnpm": {
        "configDependencies": {
"my-configs":
"1.0.0+sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="
        }
      }
    }
    ```

Related RFC: [#&#8203;8](https://redirect.github.com/pnpm/rfcs/pull/8).
Related PR:
[#&#8203;8915](https://redirect.github.com/pnpm/pnpm/pull/8915).

-   New settings:

- New `verify-deps-before-run` setting. This setting controls how `pnpm`
checks `node_modules` before running scripts:

- `install`: Automatically run `pnpm install` if `node_modules` is
outdated.
        -   `warn`: Print a warning if `node_modules` is outdated.
- `prompt`: Prompt the user to confirm running `pnpm install` if
`node_modules` is outdated.
        -   `error`: Throw an error if `node_modules` is outdated.
        -   `false`: Disable dependency checks.
Related Issue:
[#&#8203;8585](https://redirect.github.com/pnpm/pnpm/issues/8585)

- New `inject-workspace-packages` setting enables hard-linking all local
workspace dependencies instead of symlinking them. Previously, this
could be achieved using
[`dependenciesMeta[].injected`](https://pnpm.io/package_json#dependenciesmetainjected),
which remains supported.
Related PR:
[#&#8203;8836](https://redirect.github.com/pnpm/pnpm/pull/8836)

-   Faster repeat installs:

On repeated installs, `pnpm` performs a quick check to ensure
`node_modules` is up to date.
Related PR:
[#&#8203;8838](https://redirect.github.com/pnpm/pnpm/pull/8838)

-   `pnpm add` integrates with default workspace catalog:

When adding a dependency, `pnpm add` checks the default workspace
catalog. If the dependency and version requirement match the catalog,
`pnpm add` uses the `catalog:` protocol. Without a specified version, it
matches the catalog’s version. If it doesn’t match, it falls back to
standard behavior.
Related Issue:
[#&#8203;8640](https://redirect.github.com/pnpm/pnpm/issues/8640)

- `pnpm dlx` now resolves packages to their exact versions and uses
these exact versions for cache keys. This ensures `pnpm dlx` always
installs the latest requested packages.
Related PR:
[#&#8203;8811](https://redirect.github.com/pnpm/pnpm/pull/8811)

- No `node_modules` validation on certain commands. Commands that should
not modify `node_modules` (e.g., `pnpm install --lockfile-only`) no
longer validate or purge `node_modules`.
Related PR:
[#&#8203;8657](https://redirect.github.com/pnpm/pnpm/pull/8657)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on monday" in timezone Asia/Shanghai,
Automerge - "on monday" in timezone Asia/Shanghai.

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNjQuMSIsInVwZGF0ZWRJblZlciI6IjM5LjE2NC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.mise.toml

@@ -1,2 +1,2 @@
 [tools]
-pnpm = "9.15.5"
+pnpm = "10.2.1"