Skip to content

chore(deps): update all non-major dependencies#1

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#1
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@arethetypeswrong/core (source) ^0.18.3^0.18.5 age confidence devDependencies patch
@commitlint/cli (source) ^21.0.2^21.2.1 age confidence devDependencies patch
@commitlint/config-conventional (source) ^21.0.2^21.2.0 age confidence devDependencies patch
@swc/core (source) ^1.15.41^1.15.43 age confidence devDependencies patch
@vitest/coverage-v8 (source) ^4.1.9^4.1.10 age confidence devDependencies patch
actions/labeler v6.1.0v6.2.0 age confidence action minor
actions/stale v10.3.0v10.4.0 age confidence action minor
knip (source) 6.20.06.26.0 age confidence devDependencies minor
oxfmt (source) 0.55.00.58.0 age confidence devDependencies minor
oxlint (source) 1.70.01.73.0 age confidence devDependencies minor
pnpm (source) 11.9.011.11.0 age confidence packageManager minor
tsdown (source) ^0.22.3^0.22.4 age confidence devDependencies patch
turbo (source) ^2.9.18^2.10.4 age confidence devDependencies patch
vitest (source) ^4.1.9^4.1.10 age confidence devDependencies patch

Release Notes

arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/core)

v0.18.5

Patch Changes
  • c4be7e8: Detect default exports in webpack-bundled CommonJS libraries.
conventional-changelog/commitlint (@​commitlint/cli)

v21.2.1

Compare Source

Note: Version bump only for package @​commitlint/cli

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
actions/labeler (actions/labeler)

v6.2.0

Compare Source

What's Changed

Bug Fix
Dependency Updates

Full Changelog: actions/labeler@v6.1.0...v6.2.0

actions/stale (actions/stale)

v10.4.0

Compare Source

What's Changed

Bug Fix
Dependency Updates
  • Bump undici to 6.27.0 via override, clean up stale license files, and version to 10.4.0. by @​dependabot in #​1342

New Contributors

Full Changelog: actions/stale@v10.3.0...v10.4.0

webpro-nl/knip (knip)

v6.26.0: Release 6.26.0

Compare Source

  • ci: add path filters (#​1871) (4249935) - thanks @​trueberryless!
  • Add CodeRabbit as gold sponsor (1da09fd)
  • Fix up docs a bit more (39125a7)
  • Don't report ambient declaration files as unused (aed361c)
  • Register oclif command files as entries (3b4d58c)
  • Add electron-vite plugin (d92107e)
  • Add esbuild plugin (ef3b601)
  • Ignore more globally available binaries (8292981)
  • Resolve #-imports to source when node condition is unbuilt (resolve #​1873) (f2713ed)
  • Ignore gh as a globally available binary (a6f0772)
  • Resolve Vitest benchmark files as entries (5742913)
  • Extract shared Vue auto-import machinery into plugins/_vue (7301075)
  • Scope compiler extensions per workspace (5e6f82b)
  • Resolve auto-imported components in the Vue SFC compiler (009aad8)
  • Add plugins for the Vue auto-import ecosystem (f638c83)
  • Enable Vue SFC compiler on unplugin-vue and @​vitejs/plugin-vue (9396ab1)
  • Recognize vite-plugin-vue-meta-layouts (same layouts convention) (3ceee89)
  • Add vite-plugin-pages and unplugin-icons plugins (9bc1754)
  • Add vite-plugin-pwa and @​intlify/unplugin-vue-i18n plugins (45dea0a)
  • Dog, food. (e1249ad)
  • Update query snapshot (a45941d)
  • Don't misread Nitro route types as Vue component auto-imports (43aecd5)
  • Read oxlint jsPlugins from vite-plus vite.config and .oxlintrc.json (589ffda)
  • Add vite-plus plugin for run.tasks and staged scripts (f041c19)
  • Support @​vite-pwa/nuxt PWA config in nuxt.config (8fa7b11)
  • Add @​vite-pwa/assets-generator plugin (4254f7d)
  • Add @​nuxtjs/i18n plugin (dfb9acb)
  • Read plugin entries from vite.config options and index.html (d533da8)
  • Fix false positives in VitePress, next-mdx and unplugin-vue-i18n plugins (b99702a)
  • Respect optional peers in pnpm and Yarn packageExtensions (aab080b)
  • Detect babel plugins in the Storybook config (5dea975)
  • Add shared AST helpers for imported calls and first property values (c84bb7a)
  • Inline trivial resolveFromAST wrappers and normalize orval and sst (620079d)
  • Extract inline resolveFromAST implementations to dedicated files (b5231c1)
  • Normalize resolveFromAST files to a uniform contract (fc1ba0f)
  • chore: migrate to Astro 7 and Sätteri (#​1875) (f256a5b) - thanks @​trueberryless!
  • Show contributor count on docs homepage (6b8454a)
  • Exclude gitignored package entry points (606e5d0)
  • Add Tauri plugin (199180d)
  • Add Laravel plugin (1974533)
  • Add Quasar plugin (a220729)

v6.25.0: Release 6.25.0

Compare Source

v6.24.0: Release 6.24.0

Compare Source

v6.23.0: Release 6.23.0

Compare Source

v6.22.0: Release 6.22.0

Compare Source

v6.21.0: Release 6.21.0

Compare Source

oxc-project/oxc (oxfmt)

v0.58.0

Compare Source

v0.57.0

Compare Source

v0.56.0

Compare Source

oxc-project/oxc (oxlint)

v1.73.0

Compare Source

🚀 Features
  • a2c97f3 linter/unicorn: Implement explicit-timer-delay rule (#​23612) (Mikhail Baev)
  • 85735cb linter/unicorn: Implement no-confusing-array-with rule (#​23638) (Shekhu☺️)
  • cb4fbb9 linter/eslint: Implement no-unreachable-loop rule (#​23975) (Todor Andonov)
  • dc32112 linter/eslint/no-constant-binary-expression: Check relational comparisons (#​24088) (camc314)
  • d963967 linter/unicorn/no-array-sort: Add allowAfterSpread option (#​24043) (Boshen)
  • 0a75682 linter: Add per-rule timings for type-aware linting (#​22488) (camchenry)
  • 743e222 linter/react: Add disallowedValues option for forbid-dom-props rule (#​23970) (Mikhail Baev)
🐛 Bug Fixes
  • bdb51c7 linter/jest/prefer-ending-with-an-expect: Validate config patterns (#​24122) (camc314)
  • 45d607d linter/react/forbid-component-props: Make allow/disallow lists optional in schema (#​24024) (Boshen)

v1.72.0

Compare Source

🚀 Features
  • 1c8f50c linter: Add schema for eslint/no-restricted-import (#​23642) (Sysix)
🐛 Bug Fixes
  • 742be36 refactor/node/handle-callback-err: Reject invalid regex config (#​23740) (camc314)

v1.71.0

Compare Source

🚀 Features
  • 0dc2405 linter: Add schema for eslint/no-restricted-properties (#​23619) (Sysix)
  • b638d0e linter: Add schema for node/callback-return (#​23615) (Sysix)
  • eb8bedc linter: Add schema for import/extensions (#​23557) (WaterWhisperer)
  • 46f3625 linter: Implement node/no-sync rule (#​23589) (fujitani sora)
  • b01739a linter: Add schema for unicorn/numeric-separators-style (#​23554) (Mikhail Baev)
  • 68afd2a linter/node: Implement no-mixed-requires rule (#​23539) (fujitani sora)
  • a421215 linter: Add schema for eslint/prefer-destructuring (#​23410) (WaterWhisperer)
  • 84438be linter/jsdoc: Added missing options to require-param-description (#​23416) (kapobajza)
  • 51910df linter/jsdoc: Add missing options to require-param-type rule (#​23418) (kapobajza)
  • e90925f linter/unicorn: Implement prefer-number-coercion rule (#​23497) (Shekhu☺️)
  • dd1c866 linter/vue: Implement no-async-in-computed-properties rule (#​23493) (bab)
  • b02444e linter: Add schema for react/jsx-no-script-url (#​23475) (WaterWhisperer)
  • a8dce46 linter/unicorn: Implement max-nested-calls rule (#​23461) (arieleli01212)
🐛 Bug Fixes
  • a303c23 linter/jsx-a11y: Align anchor-is-valid config with upstream (#​23446) (camc314)
📚 Documentation
  • b50bf4d linter: Remove manually written options doc for eslint/arrow-body-style (#​23490) (Mikhail Baev)
pnpm/pnpm (pnpm)

v11.11.0

Compare Source

Minor Changes
  • 508b8c2: Added the pnpm access command for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.
Patch Changes
  • c70e33e: Allow allowBuilds entries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.
  • 3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. with minimumReleaseAge or trustPolicy enabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.
  • 51300fd: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at formatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
  • f8058eb: Reject symlinked pnpm-lock.yaml files when reading or writing the env lockfile document.
  • 9318a11: Allow registries and namedRegistries to be configured in the global config.yaml file.
  • 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 14332f0: Fail instead of silently removing an optional dependency's locked entries from pnpm-lock.yaml when the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet), pnpm install and pnpm dedupe silently dropped the optional dependency's entries — emptying maps such as the platform binaries of @napi-rs/canvas — so the lockfile differed between machines and frozen installs on other hosts had nothing to link #​12853.
  • fecfe83: Fixed peer dependency resolution with autoInstallPeers when a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #​4993.
  • 5a4daec: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry, namedRegistries, and pnprServer.
  • d1da02e: pnpm publish no longer prints credentials when the target registry is configured with inline user:pass@ credentials (e.g. registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.
  • dcfc611: pnpm self-update now honors trustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.
  • a8ad82d: Register the pn alias in generated shell completion scripts.
  • 25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.
  • 23996e9: pnpm runtime set <name> <version> now validates its arguments: the name must be node, deno, or bun, and the version must not contain a comma. Previously these were interpolated straight into a pnpm add selector, where an unsupported name or a comma (e.g. node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.

v11.10.0

Compare Source

Minor Changes
  • e2e3c81: Added the issues command as an alias of bugs, so pnpm issues opens the package's bug tracker URL in the browser.

  • 8491f8e: Added the prefix command which prints the current package prefix directory (or global prefix directory if -g / --global is used).

  • 3425e80: Added an _auth setting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existing pnpm_config_//host/:_authToken=… form (env var names containing /, :, or . are silently dropped). Closes #​12314.

    The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use http or https and must not include credentials, query strings, or fragments:

    export pnpm_config__auth='{"https://registry.npmjs.org":{"@&#8203;":{"authToken":"npm-token"},"@&#8203;org":{"authToken":"org-token"}}}'

    The equivalent in the global config.yaml:

    _auth:
      https://registry.npmjs.org:
        "@&#8203;":
          authToken: npm-token
        "@&#8203;org":
          authToken: org-token

    Within each registry URL, @ means registry-wide/default credentials and package scopes like @org bind credentials to that scope on the same host. The only supported credential field is authToken (maps to _authToken / bearer auth); the deprecated basicAuth / username + password forms are intentionally not accepted here.

    Each entry also infers a trusted registry route: @ routes the default registry (and pnpm add <pkg> resolves there), and @org routes that scope. Because the credential and destination host arrive in one trusted value, repo-controlled pnpm-workspace.yaml or project .npmrc cannot redirect the token to a different host. _auth is honored only from the env var and the global config — it is ignored in a project pnpm-workspace.yaml / .npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry, --@&#8203;scope:registry) > pnpm_config__auth > global config.yaml _auth > pnpm-workspace.yaml.

    Both pnpm_config__auth (lowercase, documented form) and PNPM_CONFIG__AUTH (all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the global config.yaml _auth on a conflicting key. tokenHelper is not supported in _auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.

    Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI: authToken.

  • a33eeec: pnpm self-update and packageManager version-switching can now install and link pnpm v12 (the Rust port), published with equal content under both the pnpm and @pnpm/exe names on the next-12 dist-tag. Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like @pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscoped pnpm package (the Rust exe) — even when updating from the SEA @pnpm/exe build.

  • 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the Authorization header identifying the caller to pnpr is sent. The pnpr server now selects upstream credentials from its own route policy (operator-configured upstream credential aliases), so private dependencies resolve through a pnpr-managed alias the caller is authorized to use, rather than by sending the client's registry tokens to the server.

  • 1e81761: Expose web authentication authUrl and doneUrl in JSON error output when OTP is required in a non-interactive terminal #​12724.

Patch Changes
  • 2f389d6: Added the Node.js release team's new signing key (Stewart X Addison, 655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD) to the embedded Node.js release keys, so runtimes whose SHASUMS256.txt is signed by the new releaser verify successfully.

  • acbdb94: Fixed shell tab completion not suggesting workspaces after the -F alias for --filter option.

  • dcabb78: Fixed pnpm up -r <pkg> bumping unrelated packages that have open semver ranges. Previously, any update mutation nullified the lockfile-derived preferredVersions globally, so packages with ^x.y.z ranges could re-resolve to newer compatible versions even though the user only asked to update a specific package. The install layer now always seeds preferredVersions from the lockfile, and caller-supplied preferred versions (such as the vulnerability penalties of pnpm audit --fix) layer on top of the seed instead of replacing it. The targeted package still bumps: the per-resolve updateRequested flag makes the resolver ignore the target's own lockfile pins.

    Closes #​10662.

  • d539172: Fixed pnpm pack and pnpm publish failing when prepack generates files that are included in the package and postpack cleans them up.

  • be6505a: Hardened global package management:

    • On Windows, removing or updating a global package now also cleans up the node.exe flavor of a bin, so a stale node.exe no longer survives on PATH after uninstall, and a new global install no longer silently overwrites an existing node.exe.
    • pnpm add -g pnpm@<version> (and @pnpm/exe@<version>) is now rejected like the bare pnpm form, pointing to pnpm self-update.
    • Dependency aliases read from a global package's manifest are validated before being joined onto node_modules paths, preventing a tampered manifest from escaping the install directory.
    • Each global install group is created in its own freshly-made directory (no longer reusing a colliding or pre-existing path).
    • Removing or updating a global package no longer unlinks a bin that belongs to a different globally installed package.
  • 25c7388: pnpm now rejects jsr: specifiers whose package name is not a valid npm package name — an empty scope or name (e.g. jsr:@&#8203;scope/), path separators inside the name, or any other shape validate-npm-package-name rejects — with ERR_PNPM_INVALID_JSR_PACKAGE_NAME instead of silently converting them into a malformed @jsr/... npm package name.

  • 25c7388: pnpm now rejects named-registry specifiers (e.g. gh:) whose package name is not a valid npm package name — an empty scope (e.g. gh:@&#8203;/bar), path separators inside the name (e.g. gh:@&#8203;scope/../name), or any other shape validate-npm-package-name rejects — with ERR_PNPM_INVALID_NAMED_REGISTRY_PACKAGE_NAME instead of passing the name through to registry URLs and metadata cache file paths.

  • 96da7c5: node-gyp's gyp_main.py and gyp entrypoints are now packed with the executable bit in the pnpm and @pnpm/exe tarballs. Without it, building native addons from source could fail with a permission error.

  • 99982b9: Sped up resolution and reduced memory use against registries that ignore npm's abbreviated metadata format and always return the full package document (for example, Azure DevOps Artifacts). pnpm now strips such documents down to the abbreviated field set before caching them. Resolution output is unchanged, and registries that honor the abbreviated format (such as the npm registry) pay no extra cost.

  • [11a7fdd](https://redirect.github.com/pnpm/pnpm/commit/11a7f

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 12pm on Sunday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@renovate renovate Bot requested a review from RedStar071 as a code owner July 5, 2026 10:17
@renovate renovate Bot added the dependencies label Jul 5, 2026
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 54f8eab to 202c6b3 Compare July 10, 2026 11:32
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 202c6b3 to c2cbd2d Compare July 11, 2026 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants