feat(manager/npm): handle pnpm lockfile updates

docs/usage/configuration-options.md

@@ -3327,7 +3327,7 @@ Behavior:
 - `bump` = e.g. bump the range even if the new version satisfies the existing range, e.g. `^1.0.0` -> `^1.1.0`
 - `replace` = Replace the range with a newer one if the new version falls outside it, and update nothing otherwise
 - `widen` = Widen the range with newer one, e.g. `^1.0.0` -> `^1.0.0 || ^2.0.0`
-- `update-lockfile` = Update the lock file when in-range updates are available, otherwise `replace` for updates out of range. Works for `bundler`, `cargo`, `composer`, `npm`, `yarn`, `terraform` and `poetry` so far
+- `update-lockfile` = Update the lock file when in-range updates are available, otherwise `replace` for updates out of range. Works for `bundler`, `cargo`, `composer`, `npm`, `yarn`, `pnpm`, `terraform` and `poetry` so far
 - `in-range-only` = Update the lock file when in-range updates are available, ignore package file updates
 
 Renovate's `"auto"` strategy works like this for npm:

lib/modules/manager/npm/post-update/index.ts

@@ -49,15 +49,14 @@ export function determineLockFileDirs(
   const pnpmShrinkwrapDirs: (string | undefined)[] = [];
 
   for (const upgrade of config.upgrades) {
-    if (upgrade.updateType === 'lockFileMaintenance' || upgrade.isRemediation) {
+    if (
+      upgrade.updateType === 'lockFileMaintenance' ||
+      upgrade.isRemediation === true ||
+      upgrade.isLockfileUpdate === true
+    ) {
       yarnLockDirs.push(upgrade.managerData?.yarnLock);
       npmLockDirs.push(upgrade.managerData?.npmLock);
       pnpmShrinkwrapDirs.push(upgrade.managerData?.pnpmShrinkwrap);
-      continue;
-    }
-    if (upgrade.isLockfileUpdate) {
-      yarnLockDirs.push(upgrade.managerData?.yarnLock);
-      npmLockDirs.push(upgrade.managerData?.npmLock);
     }
   }
 

lib/modules/manager/npm/post-update/pnpm.spec.ts

@@ -56,6 +56,26 @@ describe('modules/manager/npm/post-update/pnpm', () => {
     expect(execSnapshots).toMatchSnapshot();
   });
 
+  it('performs lock file updates', async () => {
+    const execSnapshots = mockExecAll();
+    fs.readLocalFile.mockResolvedValue('package-lock-contents');
+    const res = await pnpmHelper.generateLockFile('some-folder', {}, config, [
+      { packageName: 'some-dep', newVersion: '1.0.1', isLockfileUpdate: true },
+      {
+        packageName: 'some-other-dep',
+        newVersion: '1.1.0',
+        isLockfileUpdate: true,
+      },
+    ]);
+    expect(fs.readLocalFile).toHaveBeenCalledTimes(1);
+    expect(res.lockFile).toBe('package-lock-contents');
+    expect(execSnapshots).toMatchObject([
+      {
+        cmd: 'pnpm update --no-save some-dep@1.0.1 some-other-dep@1.1.0 --recursive --lockfile-only --ignore-scripts --ignore-pnpmfile',
+      },
+    ]);
+  });
+
   it('performs lock file maintenance', async () => {
     const execSnapshots = mockExecAll();
     fs.readLocalFile.mockResolvedValue('package-lock-contents');

lib/modules/manager/npm/post-update/pnpm.ts

@@ -1,4 +1,5 @@
 import is from '@sindresorhus/is';
+import { quote } from 'shlex';
 import upath from 'upath';
 import { GlobalConfig } from '../../../../config/global';
 import { TEMPORARY_ERROR } from '../../../../constants/error-messages';
@@ -10,6 +11,7 @@ import type {
   ToolConstraint,
 } from '../../../../util/exec/types';
 import { deleteLocalFile, readLocalFile } from '../../../../util/fs';
+import { uniqueStrings } from '../../../../util/string';
 import { parseSingleYaml } from '../../../../util/yaml';
 import type { PostUpdateConfig, Upgrade } from '../../types';
 import { getNodeToolConstraint } from './node-version';
@@ -36,7 +38,7 @@ export async function generateLockFile(
   let lockFile: string | null = null;
   let stdout: string | undefined;
   let stderr: string | undefined;
-  let cmd = 'pnpm';
+  const commands: string[] = [];
   try {
     const lazyPgkJson = lazyLoadPackageJson(lockFileDir);
     const pnpmToolConstraint: ToolConstraint = {
@@ -66,16 +68,36 @@ export async function generateLockFile(
       extraEnv.NPM_AUTH = env.NPM_AUTH;
       extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }
-    const commands: string[] = [];
 
-    cmd = 'pnpm';
-    let args = 'install --recursive --lockfile-only';
+    let args = '--recursive --lockfile-only';
     if (!GlobalConfig.get('allowScripts') || config.ignoreScripts) {
       args += ' --ignore-scripts';
       args += ' --ignore-pnpmfile';
     }
-    logger.trace({ cmd, args }, 'pnpm command');
-    commands.push(`${cmd} ${args}`);
+    logger.trace({ args }, 'pnpm command options');
+
+    if (
+      upgrades.length === 0 ||
+      !upgrades.every((upgrade) => upgrade.isLockfileUpdate)
+    ) {
+      // This command updates the lock file based on package.json
+      commands.push(`pnpm install ${args}`);
+    }
+
+    // rangeStrategy = update-lockfile
+    const lockUpdates = upgrades.filter((upgrade) => upgrade.isLockfileUpdate);
+
+    if (lockUpdates.length) {
+      logger.debug('Performing lockfileUpdate (pnpm)');
+      commands.push(
+        `pnpm update --no-save ${lockUpdates
+          // TODO: types (#22198)
+          .map((update) => `${update.packageName!}@${update.newVersion!}`)
+          .filter(uniqueStrings)
+          .map(quote)
+          .join(' ')} ${args}`,
+      );
+    }
 
     // postUpdateOptions
     if (config.postUpdateOptions?.includes('pnpmDedupe')) {
@@ -104,7 +126,7 @@ export async function generateLockFile(
     }
     logger.debug(
       {
-        cmd,
+        commands,
         err,
         stdout,
         stderr,