chore: bump up all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
cross-platform-actions/action	action	minor	v1.0.0 → v1.1.0
pnpm (source)	packageManager	patch	11.1.1 → 11.1.2

---

Release Notes

cross-platform-actions/action (cross-platform-actions/action)

v1.1.0: Cross Platform Action 1.1.0

Compare Source

Added

• Add support for DragonFly BSD (#​19)

• Add support for MidnightBSD (#​102)

• Add support for FreeBSD 14.4 (#​122)

• Add support for OmniOS r151058

• New syntax for multiple steps (#​83).
  Instead of invoking the action multiple times it's now possible to use a
  custom shell when running commands:

  jobs:
    custom-shell:
      runs-on: ubuntu-latest
      defaults:
        run:
          shell: cpa.sh {0}
  
      steps:
        - name: Start VM
          uses: cross-platform-actions/action@master
          with:
            operating_system: freebsd
            architecture: x86-64
            version: '15.0'
  
        - name: Run command using custom shell
          run: '[ "`uname`" = FreeBSD ]'

  Each custom-shell step automatically synchronizes files in both
  directions: runner-to-vm before the step runs and vm-to-runner after.
  Pass --sync-files DIRECTION after the file argument to change this
  (both (default), none (skip sync), runner-to-vm, or
  vm-to-runner), or use cpa.sh --sync-files standalone to sync on
  demand without running a command:

  - name: Sync files from runner to VM
    run: cpa.sh --sync-files runner-to-vm

• Reboot mode for rebooting the VM and waiting for it to come back up
  (#​103,
  #​118).
  cpa.sh --reboot issues the reboot and blocks until the VM is reachable
  again:

  - name: Reboot VM
    run: cpa.sh --reboot

Security

• Bump builders to releases that use immutable releases, providing
  integrity verification for downloaded artifacts
  (#​140)

Deprecated

• The run input parameter has been deprecated and is now optional. Use the
  custom shell (shell: cpa.sh {0}) in subsequent steps to run commands in
  the virtual machine instead.

• The shutdown_vm input parameter has been deprecated and will be removed
  in a future release. There is no replacement. When unset, it now defaults
  to true if the run parameter is provided (preserving the legacy
  behavior) and false otherwise (so the VM stays alive across subsequent
  custom-shell steps without needing to specify it).

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.