chore(deps): update npm dependencies (#37848)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`11.1.3` →
`11.2.1`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.2.1) |
![age](https://developer.mend.io/api/mc/badges/age/npm/pnpm/11.2.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pnpm/11.1.3/11.2.1?slim=true)
|
| [stylelint](https://stylelint.io)
([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.1`
→
`17.12.0`](https://renovatebot.com/diffs/npm/stylelint/17.11.1/17.12.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/stylelint/17.12.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/stylelint/17.11.1/17.12.0?slim=true)
|

---

### Release Notes

<details>
<summary>pnpm/pnpm (pnpm)</summary>

###
[`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1)

##### Patch Changes

- Mark optional subdependency snapshots of config dependencies with
`optional: true` in the env lockfile, matching how optional dependencies
are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for
the platform-specific subdeps pulled in via a config dep's
`optionalDependencies` were written as empty objects, which was
inconsistent with the rest of the lockfile and made it look like those
non-host platform variants were required.
- Fix `pickRegistryForPackage` returning the wrong registry for an
unscoped `npm:` alias under a scoped local name. A manifest entry like
`"@&#8203;private/foo": "npm:lodash@^1"` was routing the `lodash` fetch
through `registries["@&#8203;private"]`, even though `lodash` is
unscoped and doesn't live on that registry. The npm-alias branch now
returns the alias target's own scope (or `null` for an unscoped target,
falling through to `registries.default`) instead of leaking into the
local key's scope.
- Don't print "Installing config dependencies..." when config
dependencies are already installed and nothing needs to be fetched,
re-linked, or removed.

###
[`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0)

##### Minor Changes

- **Experimental:** Adding
[`@pnpm/pacquet`](https://npmx.dev/package/@&#8203;pnpm/pacquet) (the
Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now
delegates the materialization phase of `pnpm install` to the pacquet
binary. pnpm still owns dependency resolution; pacquet only fetches and
imports from the freshly-written lockfile. This is an opt-in preview of
the Rust install engine
[#&#8203;11723](https://redirect.github.com/pnpm/pnpm/issues/11723).

  To configure pacquet in a project, run:

  ```
  pnpm add @&#8203;pnpm/pacquet --config
  ```

You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that
should be committed. If you experience any issues with pacquet, please
let us know by mentioning this in the GitHub issue you create.

- `configDependencies` now resolve and install one level of
`optionalDependencies` declared by the config dependency, with
`os`/`cpu`/`libc` platform filtering applied at install time. This
unlocks the esbuild/swc-style pattern where a package ships
platform-specific binaries via `optionalDependencies` — a config
dependency can now do the same and have the matching binary symlinked
next to it in the global virtual store, so
`require('pkg-platform-arch')` from inside the config dependency
resolves correctly.

The env lockfile records all platform variants regardless of host
platform, so it remains portable across machines. Each entry in a config
dependency's `optionalDependencies` must declare an exact version —
ranges and tags are rejected to keep installs reproducible.

- Implement the documented `pnpm login --scope <scope>` flag. The scope
is normalized (a leading `@` is added if missing; blank values are
ignored) and an `@<scope>:registry=<registry>` mapping is written to the
pnpm auth file alongside the auth token. Subsequent installs of
`@<scope>/*` packages then route to the chosen registry. Previously
`pnpm login --scope foo` errored with `Unknown option: 'scope'` despite
the flag being listed in the online documentation
[#&#8203;11716](https://redirect.github.com/pnpm/pnpm/issues/11716).

- `pnpm outdated` and `pnpm update --interactive` now report Node.js,
Deno, and Bun runtimes installed as project dependencies (`runtime:`
specifiers). Previously these were silently skipped.

##### Patch Changes

- Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong
directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir
<project> install` from a CI wrapper or monorepo script). The path is
now resolved against the directory of the `.npmrc` that declared it, not
`process.cwd()`. Before this fix the CA file silently failed to load —
the install proceeded without the configured CA and the user only saw
TLS errors against a private registry, with no log line tying back to
the wrongly resolved path
[#&#8203;11624](https://redirect.github.com/pnpm/pnpm/issues/11624).

- Fix `config.registry` getting a trailing slash appended when
`registry` is set in `.npmrc` and no `registries.default` is provided by
`pnpm-workspace.yaml`. The sync from `registries.default` to
`config.registry` introduced in
[#&#8203;11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now
only fires when the workspace manifest actually contributes a different
default.

- Fix global add/update to handle minimumReleaseAge policy violations
instead of surfacing an internal resolver guardrail error.

- Fix two crashes with `injectWorkspacePackages: true` when the lockfile
has been pruned (e.g. by `turbo prune --docker`):

- `Cannot use 'in' operator to search for 'directory' in undefined`: a
peer-dependency-variant injected snapshot inherits its `resolution` from
the base `packages:` entry; when a pruner drops that base entry the
readers crash. `convertToLockfileObject` now reconstructs the directory
resolution from the `file:` depPath at load time — a single
normalization point, so every reader sees a fully-formed snapshot.
- `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after
`prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported
each injected workspace package; the `scanDir`-into-`filesMap`
workaround fed target-internal paths to the importer, which the
`makeEmptyDir` fast path
([#&#8203;11088](https://redirect.github.com/pnpm/pnpm/issues/11088))
then wiped. Drop the workaround and pass `keepModulesDir: true` so the
importer preserves the target's existing `node_modules` (bin links +
transitive deps) and source files keep their hardlinks.

- Fixed `pnpm login` and `pnpm logout` ignoring `registries.default`
from `pnpm-workspace.yaml`
[#&#8203;10099](https://redirect.github.com/pnpm/pnpm/issues/10099).

- Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be
inclusive at the cutoff. Previously, abbreviated metadata whose
`modified` field equalled the cutoff fell off the fast path and
triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full
metadata wasn't permitted). Since `modified` is an upper bound on every
version's publish time, `modified == publishedBy` already implies every
version passes the per-version `<=` filter in
`filterPkgMetadataByPublishDate`, so the shortcut now accepts the
boundary case directly. Strictly `>` (was `>=`) at the rejection branch.

- Honor `publishConfig.access` when publishing packages.

</details>

<details>
<summary>stylelint/stylelint (stylelint)</summary>

###
[`v17.12.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17120---2026-05-20)

[Compare
Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.1...17.12.0)

It fixes 3 bugs, including a false negative one.

- Fixed: `block-no-empty` reported range when using comments
([#&#8203;9294](https://redirect.github.com/stylelint/stylelint/pull/9294))
([@&#8203;romainmenke](https://redirect.github.com/romainmenke)).
- Fixed: `declaration-property-value-no-unknown` false negatives for
custom properties defined in reference files
([#&#8203;9292](https://redirect.github.com/stylelint/stylelint/pull/9292))
([@&#8203;romainmenke](https://redirect.github.com/romainmenke)).
- Fixed: `value-keyword-layout-mappings` false positives for
`caption-side`
([#&#8203;9293](https://redirect.github.com/stylelint/stylelint/pull/9293))
([@&#8203;romainmenke](https://redirect.github.com/romainmenke)).

</details>

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

package.json

@@ -1,6 +1,6 @@
 {
   "type": "module",
-  "packageManager": "pnpm@11.1.3",
+  "packageManager": "pnpm@11.2.1",
   "engines": {
     "node": ">= 22.18.0",
     "pnpm": ">= 11.0.0"
@@ -113,7 +113,7 @@
     "nolyfill": "1.0.44",
     "postcss-html": "1.8.1",
     "spectral-cli-bundle": "1.0.8",
-    "stylelint": "17.11.1",
+    "stylelint": "17.12.0",
     "stylelint-config-recommended": "18.0.0",
     "stylelint-declaration-block-no-ignored-properties": "3.0.0",
     "stylelint-declaration-strict-value": "1.11.1",