Skip to content

chore(deps): update all non-major dependencies#530

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#530
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@antfu/eslint-config ^9.0.0^9.1.0 age confidence
@types/node (source) ^25.7.0^25.9.4 age confidence
@vitejs/plugin-vue (source) ^6.0.6^6.0.7 age confidence
@vitest/coverage-v8 (source) ^4.1.6^4.1.9 age confidence
acorn ^8.16.0^8.17.0 age confidence
eslint (source) ^10.3.0^10.6.0 age confidence
local-pkg ^1.1.2^1.2.1 age confidence
oxc-parser (source) ^0.130.0^0.138.0 age confidence
pnpm (source) 10.33.410.34.4 age confidence
rolldown (source) ^1.0.1^1.1.3 age confidence
rolldown (source) ^1.0.0^1.1.3 age confidence
tinyglobby (source) ^0.2.16^0.2.17 age confidence
unplugin (source) ^3.0.0^3.3.0 age confidence
unplugin-utils ^0.3.1^0.3.2 age confidence
vite-plugin-inspect ^11.3.3^11.4.1 age confidence
vitest (source) ^4.1.6^4.1.9 age confidence
vue (source) ^3.5.34^3.5.39 age confidence
vue-tsc (source) ^3.2.9^3.3.5 age confidence

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v9.1.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
vitejs/vite-plugin-vue (@​vitejs/plugin-vue)

v6.0.7

Features
Bug Fixes
vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
acornjs/acorn (acorn)

v8.17.0

Compare Source

eslint/eslint (eslint)

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

v10.5.0

Compare Source

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#​20926) (sethamus)

Chores

v10.4.1

Compare Source

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

v10.4.0

Compare Source

Features

  • 1a45ec5 feat: check sequence expressions in for-direction (#​20701) (kuldeep kumar)
  • 450040b feat: add includeIgnoreFile() to eslint/config (#​20735) (Kirk Waiblinger)

Bug Fixes

Documentation

  • 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#​20869) (Pavel)
  • db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#​20865) (Kirk Waiblinger)
  • 9084664 docs: Update README (GitHub Actions Bot)
  • 9cc7387 docs: Update README (GitHub Actions Bot)
  • 3d7b548 docs: Update README (GitHub Actions Bot)
  • 191ec3c docs: Update README (GitHub Actions Bot)

Chores

  • 6616856 chore: upgrade knip to v6 (#​20875) (Pixel998)
  • d13b084 ci: ensure auto-created PRs run CI (#​20860) (lumir)
  • e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#​20862) (dependabot[bot])
  • d84393d test: add unit tests for SuppressionsService.applySuppressions() (#​20863) (kuldeep kumar)
  • 24db8cb test: add tests for SuppressionsService.save() (#​20802) (kuldeep kumar)
  • 2ef0549 chore: update ecosystem plugins (#​20857) (github-actions[bot])
  • a429791 ci: remove eslint-webpack-plugin types integration test (#​20668) (Milos Djermanovic)
  • 9e37386 chore: replace recast with range approach in code-sample-minimizer (#​20682) (Copilot)
  • 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#​20845) (Francesco Trotta)
  • 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#​20716) (Pixel998)
  • 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#​20800) (xbinaryx)
  • f1dfbc9 chore: update ecosystem plugins (#​20836) (github-actions[bot])
  • c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#​20843) (dependabot[bot])
  • 5b817d6 test: add unit tests for lib/shared/ast-utils (#​20838) (kuldeep kumar)
  • 1c13ae3 test: add unit tests for lib/shared/severity (#​20835) (kuldeep kumar)
antfu-collective/local-pkg (local-pkg)

v1.2.1

Compare Source

   🚀 Features
    View changes on GitHub

v1.2.0

Compare Source

   🚀 Features
    View changes on GitHub
oxc-project/oxc (oxc-parser)

v0.138.0

🛡️ Security

v0.137.0

💥 BREAKING CHANGES
  • 7a76cd3 estree: [BREAKING] Make whether to include TS fields a runtime option (#​23574) (overlookmotel)
🚀 Features
  • 53509a8 minifier: Treeshake pure typed arrays and Set/Map array literals (#​23469) (Dunqing)
🐛 Bug Fixes

v0.136.0

⚡ Performance
  • da1a6c6 diagnostics: Migrate to allocation-optimized oxc-miette (#​23094) (Boshen)

v0.135.0

v0.134.0

v0.133.0

v0.132.0

v0.131.0

pnpm/pnpm (pnpm)

v10.34.4

Compare Source

v10.34.3

Compare Source

v10.34.2

Compare Source

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
rolldown/rolldown (rolldown)

v1.1.3

Compare Source

🐛 Bug Fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "after 1am and before 5am"
  • Automerge
    • "after 2am and before 5am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 136ba0c to 088688c Compare May 1, 2026 19:40
@renovate renovate Bot changed the title chore(deps): update pnpm.catalog.prod oxc-parser to ^0.128.0 chore(deps): update all non-major dependencies May 1, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from bceb1ea to c3c38f0 Compare May 11, 2026 11:44
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 26766d0 to 884bb49 Compare May 14, 2026 08:40
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies chore(deps): update peerdependency rolldown to ^1.0.1 May 14, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 884bb49 to e86d9cd Compare May 14, 2026 14:58
@renovate renovate Bot changed the title chore(deps): update peerdependency rolldown to ^1.0.1 chore(deps): update all non-major dependencies May 14, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 6384fba to 9537308 Compare May 19, 2026 17:07
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from a97f531 to 9cb258e Compare June 4, 2026 19:41
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 25bd351 to ac23f91 Compare June 11, 2026 23:43
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 8b99cb0 to 5c4dfb6 Compare June 18, 2026 16:53
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 6e0757a to 442c91f Compare June 21, 2026 22:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants