Skip to content

chore(deps): update support-deps#2785

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/support-deps
Open

chore(deps): update support-deps#2785
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/support-deps

Conversation

@renovate

@renovate renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@commitlint/cli (source) 21.1.021.2.1 age confidence devDependencies minor
@commitlint/config-conventional (source) 21.1.021.2.0 age confidence devDependencies minor
@eslint/eslintrc 3.3.53.3.6 age confidence devDependencies patch
@eslint/js (source) 9.39.49.39.5 age confidence devDependencies patch
@types/node (source) 24.13.224.13.3 age confidence devDependencies patch
@vitest/coverage-v8 (source) 4.1.94.1.10 age confidence devDependencies patch
actions/setup-node v6.4.0v7.0.0 age confidence action major
adm-zip ^0.5.16^0.6.0 age confidence devDependencies minor
astral-sh/setup-uv v8.2.0v8.3.2 age confidence action minor
astral-sh/uv 0.11.250.11.28 age confidence patch 0.11.29
astral-sh/uv 0.11.250.11.28 age confidence uses-with patch 0.11.29
csv-parse (source) 7.0.07.0.1 age confidence devDependencies patch
defenseunicorns/uds-cli v0.34.0v0.34.2 age confidence patch
defenseunicorns/uds-common v1.25.0v1.26.3 age confidence minor
dorny/paths-filter (changelog) fbd0ab87b450ff action digest
ghcr.io/zarf-dev/packages/init v0.80.0v0.81.1 age confidence minor
github/codeql-action v4.36.2v4.37.0 age confidence action minor v4.37.1
js-yaml 5.2.05.2.1 age confidence devDependencies patch
slackapi/slack-github-action v3.0.3v3.0.5 age confidence action patch v4.0.0 (+2)
typescript (source) ^6.0.0^7.0.0 age confidence devDependencies major
vitest (source) 4.1.94.1.10 age confidence devDependencies patch
zarf-dev/zarf v0.80.0v0.81.1 age confidence minor

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v21.2.1

Compare Source

Note: Version bump only for package @​commitlint/cli

v21.2.0

Compare Source

Features
  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#​4859) (fdb566f)
conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.2.0

Compare Source

Features
  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#​4859) (fdb566f)
eslint/eslintrc (@​eslint/eslintrc)

v3.3.6

Compare Source

Bug Fixes
  • update js-yaml to 4.3.0 to address security vulnerability (#​235) (0c5de74)
eslint/eslint (@​eslint/js)

v9.39.5

Compare Source

Bug Fixes

Documentation

Chores

  • 458205f chore: update @eslint/eslintrc and @eslint/js for v9.39.5 (#​21077) (Francesco Trotta)
  • 202117b chore: package.json update for @​eslint/js release (Jenkins)
  • d9eb6ed test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#​21074) (Francesco Trotta)
  • 7b431a7 chore: override re2 dependency for @metascraper/helpers (#​21068) (Milos Djermanovic)
  • daf7791 chore: pin fflate@​0.8.2 (#​20895) (Milos Djermanovic)
  • daee8ba ci: use pnpm in eslint-flat-config-utils type integration test (#​20829) (Milos Djermanovic)
  • 116d4be ci: unpin Node.js 25.x in CI (#​20619) (Copilot)
vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
actions/setup-node (actions/setup-node)

v7.0.0

Compare Source

What's Changed
Enhancements:
Bug fixes:
Documentation updates:
Dependency update:
New Contributors

Full Changelog: actions/setup-node@v6...v7.0.0

v7

Compare Source

v6.5.0

Compare Source

What's Changed

Full Changelog: actions/setup-node@v6.4.0...v6.5.0

cthackers/adm-zip (adm-zip)

v0.6.0

Compare Source

==================

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#​568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#​548, #​533, #​554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#​530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#​541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#​470, #​459, #​402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#​466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#​306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#​379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

v0.5.18

Compare Source

What's Changed
New Contributors

Full Changelog: cthackers/adm-zip@v0.5.17...v0.5.18

astral-sh/setup-uv (astral-sh/setup-uv)

v8.3.2

Compare Source

v8.3.1

Compare Source

v8.3.0

Compare Source

astral-sh/uv (astral-sh/uv)

v0.11.28

Compare Source

Released on 2026-07-07.

Security

This release updates our ZIP library, astral-async-zip, to v0.0.20, which includes 15 changes that harden our ZIP handling against parser differentials. uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the upstream commits for a full list of changes.

Python
Enhancements
  • Improve trace logs for unexpected error chains (#​20220)
  • Move lockfile update guidance to a hint (#​20219)
  • Preserve indentation for multiline error causes (#​20156)
  • Render user errors with their cause chains (#​20217)
  • Route final command errors through the printer to respect -q and -qq (#​20163)
  • Use standard rendering for uv build errors (#​20159)
  • Use standard rendering for tool requirement errors (#​20160)
Performance
  • Only compile bytecode for installed distributions in uv pip install (#​19914)
  • Avoid allocating URL-safe Git revisions (#​20194)
  • Avoid allocating canonical Python request strings (#​20193)
  • Avoid allocating custom Astral mirror URLs (#​20204)
  • Avoid allocating expanded compatibility tags (#​20190)
  • Avoid allocating shell strings that need no escaping (#​20196)
  • Avoid allocating static ABI descriptions (#​20201)
  • Avoid allocating static Windows executable names (#​20200)
  • Avoid allocating static dependency table names (#​20199)
  • Avoid allocating static platform triple components (#​20195)
  • Avoid allocating static resolver report labels (#​20198)
  • Avoid allocating static unavailable-version messages (#​20197)
  • Avoid allocating unchanged Python download architectures (#​20202)
  • Avoid allocating unchanged paths during case normalization (#​20203)
  • Avoid allocations when expanding group conflicts (#​20211)
  • Avoid allocations when formatting requirements (#​20206)
  • Avoid cloning credential lookup services (#​20210)
  • Avoid cloning dry-run distributions (#​20209)
  • Avoid cloning owned dependency metadata (#​20212)
  • Avoid redundant direct URL clones (#​20207)
  • Create metadata version errors lazily (#​20205)
  • Optimize expanded tag compatibility checks (#​20171)
  • Optimize parsing of single-digit three-part versions (#​20118)
Bug fixes
  • Avoid overflow when computing HTTP cache age (#​20178)
  • Respect --upgrade when upgrade-package is configured (#​19955)
  • Support uv tree in dependency-group-only projects (#​20167)
  • Treat cache entries as stale at exact expiration (#​20183)

v0.11.27

Compare Source

Released on 2026-07-06.

Enhancements
  • Continue on ignored errors when fetching wheel metadata (#​12255)
  • Use caching for --python-downloads-json-url (#​16749)
Preview features
  • Discover extensionless shebang scripts in uv workspace list --scripts (#​20099)
Performance
  • Avoid full site-packages scans for direct reinstalls (#​20119)
  • Avoid redundant pyproject parsing (#​20076)
  • Cache default dependency markers when reading locks (#​20125)
  • Enable SIMD-accelerated TOML parsing (#​20079)
  • Intern requires-python specifiers in Simple API parsing (#​20104)
  • Read cache entries into exact-sized buffers (#​20120)
  • Reduce VersionSpecifiers parsing allocations (#​20105)
  • Reduce site-packages scan allocation overhead (#​20087)
  • Reuse package names when parsing wheel filenames (#​20110)
  • Sort Simple API files after grouping (#​20112)
Bug fixes
  • Always emit packages table for pylock.toml (#​20145)
  • Avoid blank line for empty uv pip tree (#​20062)
  • Encode hashes in file paths (#​19807)
  • Error on a registry uv.lock package without a version instead of panicking (#​19855)
  • Preserve conditional extra markers in exports (#​20148)
  • Skip the ambiguous authority check for file transport VCS URLs (#​20086)
  • Sync index format when uv add --index updates an existing index URL (#​19818)
Other changes

v0.11.26

Compare Source

Released on 2026-06-30.

Performance
  • Adapt uv to IDs-only PubGrub dependencies (#​20048)
  • Avoid allocations in ForkMap::contains (#​20023)
  • Reuse resolver work across PubGrub iterations (#​20020)
  • Speed up candidate selection for disjoint ranges (#​20026)
Bug fixes
  • Warn when the build cache is inside the source directory (#​20056)
adaltas/node-csv (csv-parse)

v7.0.1

Compare Source

Bug Fixes
  • csv-parse: ship stream cjs export (#​490)
defenseunicorns/uds-cli (defenseunicorns/uds-cli)

v0.34.2

Compare Source

v0.34.1

Compare Source

What's Changed

Full Changelog: defenseunicorns/uds-cli@v0.34.0...v0.34.1

defenseunicorns/uds-common (defenseunicorns/uds-common)

v1.26.3

Compare Source

Miscellaneous

v1.26.2

Compare Source

Miscellaneous

v1.26.1

Compare Source

Features
  • license: add paths input to scope addlicense walk (#​691) (ef26a64)
Miscellaneous
github/codeql-action (github/codeql-action)

v4.37.0

Compare Source

  • Update default CodeQL bundle version to 2.26.0. #​3995
  • In addition to the existing input format, the config-file input for the codeql-action/init step will soon support a new [owner/]repo[@​ref][:path] format. All components except the repository name are optional. If omitted, owner defaults to the same owner as the repository the analysis is running for, ref to main, and path to .github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #​3973

v4.36.3

Compare Source

No user facing changes.

nodeca/js-yaml (js-yaml)

v5.2.1

Compare Source

Fixed
  • Add Map support to !!omap (should work when realMapTag used)
Security
  • Remove quadratic complexity from !!omap addItem. Regression from v5
    (usually not critical, because YAML11_SCHEMA is not default anymore).
slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.5: Slack GitHub Action v3.0.5

Compare Source

Patch Changes
  • 96fddbe: fix: revert multiline yaml parsing indentation change

v3.0.4: Slack GitHub Action v3.0.4

Compare Source

Patch Changes
microsoft/TypeScript (typescript)

v7.0.2

Compare Source

zarf-dev/zarf (zarf-dev/zarf)

v0.81.1

Compare Source

Bug Fixes
What's Changed
🚀 Updates
📦 Dependencies

Full Changelog: zarf-dev/zarf@v0.81.0...v0.81.1

Verifying Init Packages

The init packages in this release are signed with keyless Sigstore signing. Verify with:

amd64:

zarf package verify zarf-init-amd64-v0.81.1.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.81.1" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

arm64:

zarf package verify zarf-init-arm64-v0.81.1.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.81.1" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

See RELEASES.md for details.

v0.81.0

Compare Source

⚠ BREAKING CHANGES
  • ocischeme: support per-host transport negotiation for plain http (#​5047)
  • sign: remove legacy signature from production (#​5030)
  • sbom: remove compare tool (#​5033)
  • verification: behavior updates for verification logic (#​5011)
Features
Bug Fixes

What's Changed

🚀 Updates

Full Changelog: zarf-dev/zarf@v0.81.0-rc1...v0.81.0

Verifying Init Packages

The init packages in this release are signed with keyless Sigstore signing. Verify with:

amd64:

zarf package verify zarf-init-amd64-v0.81.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.81.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

arm64:

zarf package verify zarf-init-arm64-v0.81.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.81.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

See RELEASES.md for details.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from a team as a code owner July 2, 2026 18:20
@github-actions github-actions Bot added the needs-review Label used for Renovate PRs that are ready for review/test label Jul 2, 2026
@renovate
renovate Bot force-pushed the renovate/support-deps branch from e48de8f to 9d4ecf7 Compare July 3, 2026 00:00
@renovate renovate Bot changed the title chore(deps): update support dependencies to 7b450ff chore(deps): update support-deps Jul 3, 2026
@renovate
renovate Bot force-pushed the renovate/support-deps branch 8 times, most recently from 0527bed to a97d6f0 Compare July 10, 2026 13:01
@renovate
renovate Bot force-pushed the renovate/support-deps branch 11 times, most recently from 7d923c5 to 2d7d48a Compare July 17, 2026 15:57
@joelmccoy
joelmccoy force-pushed the renovate/support-deps branch from 2d7d48a to 94a0709 Compare July 17, 2026 16:55
@joelmccoy joelmccoy added renovate-ready Label used to trigger Renovate PR CI and removed needs-review Label used for Renovate PRs that are ready for review/test labels Jul 17, 2026
@github-actions github-actions Bot added the needs-review Label used for Renovate PRs that are ready for review/test label Jul 17, 2026
@joelmccoy joelmccoy added renovate-ready Label used to trigger Renovate PR CI and removed renovate-ready Label used to trigger Renovate PR CI labels Jul 17, 2026
| datasource      | package                         | from    | to      |
| --------------- | ------------------------------- | ------- | ------- |
| npm             | @commitlint/cli                 | 21.1.0  | 21.2.1  |
| npm             | @commitlint/config-conventional | 21.1.0  | 21.2.0  |
| npm             | @eslint/eslintrc                | 3.3.5   | 3.3.6   |
| npm             | @eslint/js                      | 9.39.4  | 9.39.5  |
| npm             | @types/node                     | 24.13.2 | 24.13.3 |
| npm             | @vitest/coverage-v8             | 4.1.9   | 4.1.10  |
| github-tags     | actions/setup-node              | v6.4.0  | v7.0.0  |
| npm             | adm-zip                         | 0.5.17  | 0.6.0   |
| github-tags     | astral-sh/setup-uv              | v8.2.0  | v8.3.2  |
| github-tags     | astral-sh/uv                    | 0.11.25 | 0.11.28 |
| github-releases | astral-sh/uv                    | 0.11.25 | 0.11.28 |
| npm             | csv-parse                       | 7.0.0   | 7.0.1   |
| github-tags     | defenseunicorns/uds-cli         | v0.34.0 | v0.34.2 |
| github-tags     | defenseunicorns/uds-common      | v1.25.0 | v1.26.3 |
| docker          | ghcr.io/zarf-dev/packages/init  | v0.80.0 | v0.81.1 |
| github-tags     | github/codeql-action            | v4.36.2 | v4.37.0 |
| npm             | js-yaml                         | 5.2.0   | 5.2.1   |
| github-tags     | slackapi/slack-github-action    | v3.0.3  | v3.0.5  |
| npm             | typescript                      | 6.0.3   | 7.0.2   |
| npm             | vitest                          | 4.1.9   | 4.1.10  |
| github-tags     | zarf-dev/zarf                   | v0.80.0 | v0.81.1 |
@renovate
renovate Bot force-pushed the renovate/support-deps branch from 380a136 to 6305d7f Compare July 18, 2026 01:11
@renovate

renovate Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-review Label used for Renovate PRs that are ready for review/test renovate-ready Label used to trigger Renovate PR CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants