chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0 #1890
dependabot[bot] wants to merge 1 commit into main from
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@fc06bc1...08c4be7)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — routine Dependabot SHA bump for pnpm/action-setup.
Extended reasoning...
Overview
Dependabot bumps pnpm/action-setup from the v5.0.0 pinned SHA to the v6.0.0 pinned SHA across all six workflow files (conformance.yml, deploy-docs.yml, main.yml, publish.yml, release.yml, update-spec-types.yml). No other lines change; the with: run_install: false inputs are preserved everywhere.
Security risks
None introduced by this diff. The action remains pinned to a full commit SHA (not a mutable tag), and the upstream v6.0.0 release is a maintenance release adding pnpm v11 support plus a few bootstrap fixes — no new permissions, secrets, or inputs are required. The repo continues to resolve the actual pnpm version from packageManager in package.json, so the bootstrap version change inside the action does not alter what runs in CI.
Level of scrutiny
Low. This is a mechanical, Dependabot-generated version bump touching only CI workflow plumbing, not SDK source, tests, or published artifacts. Any incompatibility would surface immediately as a CI failure on this PR itself (the main.yml build/test jobs run on pull_request). No changeset is needed since nothing user-facing changes.
Other factors
No prior reviews or outstanding comments beyond the changeset-bot notice (expected for CI-only changes). All nine call sites are updated consistently, so there are no leftover references to the old SHA.
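An added example, not part of the PR or of the reviewer's comment: one way to check mechanically the two properties the review relies on, that every `uses:` reference is pinned to a full commit SHA and that all call sites of an action share one SHA. The SHAs are constructed placeholders, the workflow snippets are constructed sample input, and `./.github/actions/local` is a hypothetical local action.

```javascript
// Added example: audit `uses:` references in GitHub Actions workflow text.
// A reference counts as pinned only when its ref is a full 40-hex commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/i;
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?/;

function auditWorkflows(workflows) {
  const unpinned = [];            // call sites whose ref is a tag or branch
  const shasByAction = new Map(); // action name -> Set of pinned SHAs seen

  for (const [file, text] of Object.entries(workflows)) {
    text.split(/\r?\n/).forEach((line, i) => {
      const m = USES_LINE.exec(line);
      if (!m) return;
      const target = m[1];
      // Local actions and docker:// images are not git refs; skip them.
      if (target.startsWith("./") || target.startsWith("docker://")) return;
      const at = target.lastIndexOf("@");
      const action = at === -1 ? target : target.slice(0, at);
      const ref = at === -1 ? "" : target.slice(at + 1);
      if (!FULL_SHA.test(ref)) {
        unpinned.push({ file, line: i + 1, action, ref });
        return;
      }
      if (!shasByAction.has(action)) shasByAction.set(action, new Set());
      shasByAction.get(action).add(ref.toLowerCase());
    });
  }
  // After a bump, every call site of one action should resolve to one SHA;
  // more than one means a leftover reference to the previous pin.
  const mixed = [...shasByAction]
    .filter(([, shas]) => shas.size > 1)
    .map(([action, shas]) => ({ action, shas: [...shas].sort() }));
  return { unpinned, mixed };
}

// Constructed sample input: placeholder SHAs, not the real commits.
const OLD_SHA = "1".repeat(40);
const NEW_SHA = "2".repeat(40);
const sampleWorkflows = {
  "main.yml": `    - uses: pnpm/action-setup@${NEW_SHA} # v6.0.0\n      with:\n        run_install: false`,
  "publish.yml": `    - uses: pnpm/action-setup@${OLD_SHA} # v5.0.0`,
  "release.yml": `    - uses: pnpm/action-setup@v6\n    - uses: ./.github/actions/local`,
};

const report = auditWorkflows(sampleWorkflows);
console.log(JSON.stringify(report, null, 2));
```

An empty `unpinned` and an empty `mixed` list correspond to the state the review describes: all call sites on a full SHA, with no leftover references to the old one.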
Bumps pnpm/action-setup from 5.0.0 to 6.0.0.
Release notes
Sourced from pnpm/action-setup's releases.
Commits
- 08c4be7 docs(README): update action-setup version
- 5798914 chore: update .gitignore
- ddffd66 fix: remove accidentally committed file
- b43f991 fix: update pnpm to 11.0.0-rc.0
- 3852509 README.md: bring versions up-to-date (#222)
- 6e7bdbd chore: bump bootstrap pnpm to 11.0.0-beta.4-1 and add update script
- 6b87c46 fix: Windows standalone mode — bypass broken npm shims (#217)
- 994d756 feat: read pnpm version from devEngines.packageManager (#211)
- 738f428 docs: upgrade pnpm/action-setup from v4 to v5
- 62bce64 fix: extract pnpm version from packageManager field instead of returning unde...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)