fix(deps): update all non-major dependencies#142
Merged
This PR contains the following updates:
- `^9.2.1` → `^9.2.2`
- `^9.2.1` → `^9.2.2`
- `^29.0.2` → `^29.0.3`
- `^2.0.8` → `^2.0.9`
- `^2.0.0` → `^2.0.1`
- `^1.5.11` → `^1.5.12`
- `2.0.1` → `2.0.3`
- `^2.0.0` → `^2.0.1`
- `^1.4.8` → `^1.4.9`
- `^4.3.0` → `^4.4.0`
- `^1.11.20` → `^1.11.21`
- `^4.4.2` → `^4.4.3`
- `^2.14.0` → `^2.14.1`
- `^7.3.0` → `^7.4.0`
- `^26.2.0` → `^26.3.0`
- `^1.16.0` → `^1.17.0`
- `^6.15.3` → `^6.15.4`
- `24.15.0` → `24.16.0`
- `11.2.2` → `11.5.0`
- `^9.3.1` → `^9.4.0`
- `^7.15.1` → `^7.16.0`
- `^2.34.1` → `^2.37.0`
- `^1.0.2` → `^1.0.3`
- `^2.1.1` → `^2.1.2`
- `^12.1.4` → `^12.2.0`
- `^5.6.0` → `^5.6.1`
- `^3.5.34` → `^3.5.35`
- `^5.0.7` → `^5.1.0`
- `^4.0.7` → `^4.0.8`
- `^5.107.1` → `^5.107.2`
- `^7.0.2` → `^7.0.3`
- `^5.31.1` → `^5.32.0`
- `^5.0.13` → `^5.0.14`

Release Notes
mantinedev/mantine (@mantine/core)
v9.2.2
What's Changed
- `[@mantine/core]` Pill: Fix incorrect overflow handling (#8929)
- `[@mantine/dates]` TimePicker: Fix incorrect am/pm switching in some cases in production builds (#8911)
- `[@mantine/hooks]` use-mask: Fix undo keyboard shortcut not working (#8927)
- `[@mantine/hooks]` use-mask: Fix cursor jumping on paste/cut (#8926)
- `[@mantine/core]` Input: Fix sections misplaced when `dir` overrides parent direction (#8905)
- `[@mantine/core]` Select: Fix clear button not showing for falsy primitive values (#8901)
- `[@mantine/core]` Fix incorrect attributes type in Modal, Drawer and Spotlight
- `[@mantine/tiptap]` Fix controls throwing errors when editor is destroyed/not initialized (#8900)
- `[@mantine/core]` Menu: Add option to pass safe area polygon options down to Menu.Sub (#8908)

New Contributors
Full Changelog: mantinedev/mantine@9.2.1...9.2.2
rollup/plugins (@rollup/plugin-commonjs)
v29.0.3 (2026-05-29)
Bugfixes
web-infra-dev/rsbuild (@rsbuild/core)
v2.0.9
Highlights
Safer npm Staged Publishing
Rsbuild 2.0.9 updates the release workflow so all packages are now published through npm staged publishing, making package releases safer by staging them before final publication.
What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.8...v2.0.9
web-infra-dev/rsdoctor (@rsdoctor/rspack-plugin)
v1.5.12
What's Changed
Bug Fixes 🐞
Other Changes
Full Changelog: web-infra-dev/rsdoctor@v1.5.11...v1.5.12
rstackjs/rspack-dev-server (@rspack/dev-server)
v2.0.3
What's Changed
Full Changelog: rstackjs/rspack-dev-server@v2.0.2...v2.0.3
v2.0.2
What's Changed
- 48b55a0 by @renovate[bot] in #211

Full Changelog: rstackjs/rspack-dev-server@v2.0.1...v2.0.2
rstackjs/rspack-plugin-react-refresh (@rspack/plugin-react-refresh)
v2.0.1
What's Changed
- 48b55a0 by @renovate[bot] in #110

Full Changelog: rstackjs/rspack-plugin-react-refresh@v2.0.0...v2.0.1
utooland/utoo (@utoo/pack-cli)
v1.4.9
date-fns/date-fns (date-fns)
v4.4.0
This release revisits the approach to CDN usage and introduces a new package, `@date-fns/cdn`, and deprecates the `date-fns` CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes. In v5.0.0-alpha.0, where CDN scripts are completely removed from `date-fns`, the change is more significant and brings the zipped package size down to 2.89 MB. It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.
Changed
- DEPRECATED: The `date-fns` CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new `@date-fns/cdn` package for CDN usage.
- Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new `@date-fns/cdn` package that still includes them.

iamkun/dayjs (dayjs)
v1.11.21
Bug Fixes
dexie/Dexie.js (dexie)
v4.4.3: Dexie v4.4.3
This is a maintenance release with bug fixes and a configuration API improvement.
Related Package Releases
Bug Fixes
dexie@4.4.3
- fix: `delByKeyPath()` creates empty intermediate objects on missing path — `Dexie.delByKeyPath(obj, "foo.bar")` on an object without `foo` would create `{foo: {}}` as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. `claims.sub`) would leave `{claims: {}}` in the spec, which then overwrote the inline primary key with `undefined`, resulting in: `DataError: Evaluating the object store's key path did not yield a value`. Fixed in `setByKeyPath` to bail out early when value is `undefined` and the intermediate path doesn't exist. (#2303)
- fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling `.sortBy()` on a table when using immutable cache mode could throw `TypeError: Cannot assign to read only property` because `Array.sort()` was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

dexie-cloud-addon@4.4.12

- rename: `maxStringLength` → `largeStringThreshold` — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)
- fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native `fetch` (blob download), Dexie's PSD zone is no longer active, causing `table.mutate()` to crash with `Cannot read properties of undefined (reading 'table')`. This surfaced as `[dexie-cloud:blobResolve] Failed to resolve BlobRefs`. Fixed by always routing blob writebacks through `BlobSavingQueue.saveBlobs()`, which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)
- fix: eager blob downloader could starve RAM — the eager downloader triggered `blobResolveMiddleware` which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)
- fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#2302)
- fix: use `cache: no-store` for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#2302)

dexie-cloud-addon@4.4.13

- `$logins` update — when a user received a server update for the `$logins` table, dexie-cloud-addon tried to clear `claims.sub` from the changeSpec using `delByKeyPath`. Due to the bug above, this left `{claims: {}}` in the spec, overwriting the inline primary key with `undefined` and causing `DataError: Evaluating the object store's key path did not yield a value`. Fixed by guarding against empty changeSpec objects after key deletion. (#2304)

Other Changes

- `dexie-observable` and `dexie-syncable` README updated to mark them as legacy/unmaintained, with a recommendation to use `dexie-cloud-addon` for sync. (#2298)

element-plus/element-plus (element-plus)
v2.14.1 (2026-05-29)
Features
Bug fixes
Refactors
krisk/Fuse (fuse.js)
v7.4.0
i18next/i18next (i18next)
v26.3.0
- `ResourceNamespaceMap` — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single `CustomTypeOptions.resources` declaration (or fall back to typing dependency namespaces as `any`) because `resources` is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across `declare module 'i18next'` blocks, so each package can ship its own `i18next.d.ts` independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning `t()` overload resolution. Fully backwards-compatible — existing `CustomTypeOptions.resources` augmentations continue to work, and both surfaces can coexist. Scalar options (`defaultNS`, `returnNull`, `enableSelector`, etc.) still belong on `CustomTypeOptions`. Thanks @sh3xu (#2434). Fixes #2409.

lucide-icons/lucide (lucide-react)
v1.17.0: Version 1.17.0
What's Changed
- `martini` icon by @jamiemlaw in #4335
- `globe-check` by @Barakudum in #4342
- `parasol` icon by @karsa-mistmere in #4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0
mobxjs/mobx (mobx)
v6.15.4
Patch Changes
- 105c985c71308e439bfeed118fb1ba1eac06824e #4650 Thanks @kubk! - Avoid Rolldown invalid PURE annotation warnings from Babel-generated optional chaining output.

actions/node-versions (node)
v24.16.0: 24.16.0
Node.js 24.16.0
pnpm/pnpm (pnpm)
v11.5.0
Minor Changes
- Added a new `hoistingLimits` setting for `nodeLinker: hoisted` installs, mirroring yarn's `nmHoistingLimits`. It accepts `none` (the default — hoist as far as possible), `workspaces` (hoist only as far as each workspace package), or `dependencies` (hoist only up to each workspace package's direct dependencies). Originally proposed in #6468, closing #6457.
- Replaced `enquirer` with `@inquirer/prompts` for all interactive prompts. Fixes the `update -i` scrolling overflow bug where long choice lists were clipped in the terminal #6643.
  User-facing changes:
  - `pnpm update -i` / `pnpm update -i --latest`: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via `usePagination`
  - `pnpm audit --fix -i`: Same scrolling fix for vulnerability selection
  - `pnpm approve-builds`: Interactive build approval prompts updated
  - `pnpm patch`: Version selection and "apply to all" prompts updated
  - `pnpm patch-remove`: Patch removal selection updated
  - `pnpm publish`: Branch confirmation prompt updated
  - `pnpm login`: Credential prompts updated
  - `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`): Confirmation prompt updated
  Vim-style `j`/`k` keys still work for up/down navigation in all interactive prompts.
  Internal: The `OtpEnquirer` and `LoginEnquirer` DI interfaces changed from `{ prompt }` to `{ input }` / `{ input, password }` respectively. Plugins or custom builds that inject their own enquirer mock will need to update.
- Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an `approver` field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #11887.

Patch Changes

- Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`). Cycles whose members hit the `findHit` cache instead of running their own `calculateDepPath` are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #11999.
- Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org failing without `--otp` with `[ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA."`. pnpm now sends `npm-auth-type: web` on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same `withOtpHandling` helper used by `pnpm publish`), so the browser opens, the user authenticates, and the dist-tag is set on retry. `--otp=<code>` continues to work via the classic flow.
- Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during `publishedBy` metadata selection and cache-mtime shortcuts.
- Fix the `integrity` field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent `--frozen-lockfile` installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. #12001.
- Skip dependency re-resolution when `pnpm-lock.yaml` is missing but `node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest. `pnpm install` now reuses the materialized snapshot to regenerate `pnpm-lock.yaml` instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #11993. `--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.

v11.4.0
Minor Changes
- Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, `pnpm install` (non-frozen) would log `ERR_PNPM_TARBALL_INTEGRITY`, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. `pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint pointing at the new opt-in flag.
  The only opt-in is `pnpm install --update-checksums` — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.
  `--force` and `pnpm update` deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. `--frozen-lockfile` behavior is unchanged. `--fix-lockfile` keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.
- `pnpm runtime set <name> <version>` now saves the runtime to `devEngines.runtime` by default instead of `engines.runtime`. Pass `--save-prod` (or `-P`) to save it to `engines.runtime` instead #11948.

Patch Changes

- Fix a credential disclosure issue where an unscoped `_authToken` (or `_auth`, or `username` + `_password`, or `tokenHelper`) defined in one source — `~/.npmrc`, `~/.config/pnpm/auth.ini`, a workspace `.npmrc`, CLI flags, etc. — would be sent as an `Authorization` header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (`cert`, `key`) so they aren't presented to a registry their author didn't choose.
  pnpm now rewrites each unscoped per-registry setting (`_authToken`, `_auth`, `username`, `_password`, `tokenHelper`, `cert`, `key`) to its URL-scoped form at load time, using the `registry=` value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding `registry=` therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. `ca`/`cafile` are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.
  Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since `npm@9`, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g. `//registry.example.com/:_authToken=...` or `//registry.example.com/:cert=...`).
  `@pnpm/network.auth-header`: removed the `defaultRegistry` parameter from `createGetAuthHeaderByURI` and `getAuthHeadersFromCreds`. Now that credentials are URL-scoped at load time, the merged `configByUri` never contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.
- Fix `pnpm deploy` crashing with `ENOENT: ... lstat '<deployDir>/node_modules'` when `configDependencies` declares pacquet (`pacquet` or `@pnpm/pacquet`). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.
- Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA before invoking `git`. A malicious lockfile could otherwise smuggle a value such as `--upload-pack=<command>` through `git fetch`/`git checkout`, which on SSH or local-file transports executes the supplied command.
- Limit concurrent project manifest reads while listing large workspaces to avoid `EMFILE` errors.
- Reject patch files whose `diff --git` headers reference paths outside the patched package directory. Previously a malicious `.patch` file added via a pull request could write, delete, or rename arbitrary files reachable by the user running `pnpm install`.
- Improve the log message that pnpm prints after auto-adding entries to `minimumReleaseAgeExclude` when `minimumReleaseAge` is set without `minimumReleaseAgeStrict`. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set `minimumReleaseAgeStrict` to `true` if they want these updates gated behind a prompt instead #11747.
- Reject dependency aliases that contain path-traversal segments (such as `@x/../../../../../.git/hooks`) when reading them from a package manifest or symlinking them into `node_modules`. A malicious registry package could otherwise use a transitive dependency key to make `pnpm install` create symlinks at attacker-chosen paths outside the intended `node_modules` directory.
- Reject `pnpm-lock.yaml` entries whose remote tarball `resolution:` block is missing the `integrity` field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. pnpm now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted tarballs (`gitHosted: true` or a URL on codeload.github.com / bitbucket.org / gitlab.com) and `file:` tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.
- Validate `devEngines.runtime` and `engines.runtime` version ranges for `node`, `deno`, and `bun` when `onFail` is set to `error` or `warn`. Previously these settings only had an effect with `onFail: 'download'` — the `error` and `warn` modes silently did nothing #11818. Violations now throw `ERR_PNPM_BAD_RUNTIME_VERSION`.
- Require provenance before treating trusted publisher metadata as the strongest trust evidence.
v11.3.0
Minor Changes
- Added `pnpm stage` with `publish`, `list`, `view`, `approve`, `reject`, and `download` subcommands for npm staged publishing.
- Added a new setting `trustLockfile`. When `true`, `pnpm install` skips the supply-chain verification pass that re-applies `minimumReleaseAge`/`trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author. Defaults to `false`; verification stays on by default. Set in `pnpm-workspace.yaml`.
  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (`~4k` lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (time, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`). The abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes #11860.
- Implemented `pnpm pkg` command natively, following `npm pkg` standards.
- Implemented `pnpm repo` command natively, following `npm repo` standards.
- Implemented `pnpm set-script` (alias `ss`) natively. Adds or updates an entry in the `scripts` field of the project manifest, supporting `package.json`, `package.json5`, and `package.yaml` formats.
- Add a `skip-ma
Configuration
📅 Schedule: `* 0-3 1,15 * *` (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.