pnpmDedupe post-update option causes all depencies to be needlessly downloaded and allows unintended script execution

[mestriga]

How are you running Renovate?

A Mend.io-hosted app

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

43.66.4

Please tell us more about your question or problem

Renovate currently unconditionally passes just "--ignore-scripts" as an option to pnpm dedupe.

This causes all dependencies to be needlessly downloaded to the package store when just the lock file needs to be updated, and .pnpmfile.cjs to be execute without regards to the allowScripts global Renovate config.

Since Renovate is frequently ran in resource limited environments, such as the free Mend Renovate app, downloading of full dependency payloads for the dedupe command should be suppressed with --lockfile-only the same way it is suppressed for the install command. --ignore-pnpmfile should be passed to the dedupe command when applicable, the same way it is passed to the install command.

pnpm dedupe understands the same command line options that pnpm install understands, so that replacing "pnpm dedupe --ignore-scripts" with "pnpm dedupe ${args}" in lib/modules/manager/npm/post-update/pnpm.ts#L152 should make everything work as intended.

Logs (if relevant)

Logs

DEBUG: Executing command (branch="renovate/all-non-breaking")
{
  "command": "pnpm dedupe --ignore-scripts"
}

DEBUG: exec completed (branch="renovate/all-non-breaking")
{
  "durationMs": 10560,
  "stdout": "Progress: resolved 1, reused 0, downloaded 0, added 0\nProgress: resolved 50, reused 0, downloaded 7, added 0\nProgress: resolved 105, reused 0, downloaded 52, added 0\nProgress: resolved 146, reused 0, downloaded 111, added 0\nProgress: resolved 203, reused 0, downloaded 174, added 0\nProgress: resolved 364, reused 0, downloaded 257, added 0\nProgress: resolved 384, reused 0, downloaded 258, added 0\nProgress: resolved 481, reused 0, downloaded 263, added 0\nProgress: resolved 489, reused 0, downloaded 375, added 0\nAlready up to date\nProgress: resolved 490, reused 0, downloaded 389, added 362\nProgress: resolved 490, reused 0, downloaded 389, added 387, done\n\ndependencies:\n+ react 19.2.4\n+ react-dom 19.2.4\n+ react-router 7.13.1\n\ndevDependencies:\n+ @antfu/eslint-config 7.7.2\n+ @cloudflare/vite-plugin 1.28.0 (1.29.0 is available)\n+ @react-router/dev 7.13.1\n+ @types/react 19.2.14\n+ @types/react-dom 19.2.3\n+ eslint 10.0.3\n+ typescript 5.9.3\n+ vite 7.3.1 (8.0.0 is available)\n+ wrangler 4.73.0 (4.74.0 is available)\n\n",
  "stderr": ""
}

[jamietanna]

The fact that the pnpm dedupe --ignore-scripts doesn't ignore the scripts when executing seems concering to me - do you have anything you can share where you see the install scripts are being executed?

[mestriga]

Yes. This PR comment generated by the free Renovate App shows that it runs .pnpmfile during dedupe when ignoreScripts=false. The executed script in this sample repo first logs an error message then throws an error, that Renovate catches and logs as an Artifact Update Problem.

I submitted a PR with a fix: #42024.

[mestriga]

Hey, @jamietanna, I provided a repro showing .pnpmfile being executed in the free Mend hosted app, where ignoreScripts is set to false. Is there any other information you need?