pnpm lockfile update issues

[wyardley]

We have a pretty vanilla repo with a single package.json, and a single pnpm-lock.yaml (no package-lock.json). Dependabot makes a branch like dependabot/npm_and_yarn/vite-6.3.4 with a lockfile-only update which it claims is bumping vite to the latest version:

One other clue might be the npm_and_yarn in the branch name? I'm not sure if it should use a different branch name when pnpm is the package manager, but from what I can read, it's supposed to be supported now.

The package is using pnpm 9.

Here's the full diff of the original PR dependabot created:

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3cb5713363f..b17cb96ae84 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2548,6 +2548,7 @@ packages:
 
   '@ls-lint/[email protected]':
     resolution: {integrity: sha512-lsT5/7SxtImOIjpefC9wcoXt2lkikKhCjd6U+Q9Z6X5h2HBU/71ggt+XStdodZ0HkJGO333zDUeec7JROMCPFw==}
+    cpu: [x64, arm64, s390x, ppc64le]
     os: [darwin, linux, win32]
     hasBin: true
 
@@ -3226,6 +3227,7 @@ packages:
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-N56fTrAPUDz/R423pag+n6TXWbvlBZDtTehaGFjK0InmN+V2OFWLE/WmORhmn6Ce7dlwH5+tQN1LJFw3ngTJVg==}
+    deprecated: Package is deprecated and will be deleted soon. Use @ver0/deep-equal instead.
 
   '@react-hookz/[email protected]':
     resolution: {integrity: sha512-DcIM6JiZklDyHF6CRD1FTXzuggAkQ+3Ncq2Wln7Kdih8GV6ZIeN9JfS6ZaQxpQUxan8/4n0J2V/R7nMeiSrb2Q==}
@@ -8494,6 +8496,7 @@ packages:
   [email protected]:
     resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
     engines: {node: '>=10.5.0'}
+    deprecated: Use your platform's native DOMException instead
 
   [email protected]:
     resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}

If I run pnpm update vite, the expected lockfile updates get made. If it matters, this is an indirect, vs. direct, dependency.

We are seeing similar issues with other packages.
The lockfile has the following:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false