chore(deps): update all non-major dependencies#46
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #46 +/- ##
===========================================
+ Coverage 99.08% 100.00% +0.91%
===========================================
Files 3 3
Lines 109 109
Branches 30 30
===========================================
+ Hits 108 109 +1
+ Misses 1 0 -1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
April 1, 2026 17:43
16084fe to
7e96df5
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
2 times, most recently
from
April 8, 2026 20:52
8539e24 to
cf20229
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
April 9, 2026 09:19
cf20229 to
7b7a5af
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
April 17, 2026 00:13
7b7a5af to
e8a9742
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
5 times, most recently
from
April 27, 2026 11:29
8c574bd to
9544fc8
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
3 times, most recently
from
May 5, 2026 02:28
030e569 to
52d8a3f
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
4 times, most recently
from
May 12, 2026 16:59
40cb925 to
a13d478
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
2 times, most recently
from
May 20, 2026 11:34
8ba7bb5 to
917400e
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
3 times, most recently
from
June 1, 2026 19:40
6426198 to
fd6465a
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
2 times, most recently
from
June 10, 2026 18:04
dfb766e to
5d18259
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
2 times, most recently
from
June 15, 2026 11:40
7ec70ea to
98fb34e
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
June 18, 2026 23:39
98fb34e to
f1fbd3c
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
3 times, most recently
from
July 12, 2026 12:06
26edfbc to
c66298c
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 17, 2026 01:01
c66298c to
cef236f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.1→4.1.102.4.6→2.4.1110.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319→10.34.56.0.2→6.0.34.1.1→4.1.10Release Notes
vitest-dev/vitest (@vitest/coverage-v8)
v4.1.10Compare Source
🐞 Bug Fixes
View changes on GitHub
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
v4.1.8Compare Source
🐞 Bug Fixes
cdpAPI whenallowWrite/allowExec: false[backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)View changes on GitHub
v4.1.7Compare Source
🐞 Bug Fixes
View changes on GitHub
v4.1.6Compare Source
🐞 Bug Fixes
ToMatchScreenshotResolvePath- by @macarie and @sheremet-va in #10138 (31882)sequence.concurrent: truewith top-leveltest(..., { concurrent: false })+ depreactesequentialtest API and options - by @hi-ogawa, Codex and @sheremet-va in #10196 (2847d)🏎 Performance
View changes on GitHub
v4.1.5Compare Source
🚀 Experimental Features
instrumenteroption - by @BartWaardenburg and @AriPerkkio in #10119 (0e0ff)🐞 Bug Fixes
vi.defineHelpercalled as object method - by @hi-ogawa in #10163 (122c2)agentreporter tominimal- by @sheremet-va in #10157 (663b9)View changes on GitHub
v4.1.4Compare Source
🚀 Features
skipFullif agent detected - by @hi-ogawa in #10018 (53757)assertionas a public field - by @sheremet-va in #10095 (a120e)🐞 Bug Fixes
expect(..., message)consistent as error message prefix - by @hi-ogawa and Codex in #10068 (a1b5f)View changes on GitHub
v4.1.3Compare Source
🚀 Experimental Features
experimental.preParseflag - by @sheremet-va in #10070 (78273)browser.locators.exactoption - by @sheremet-va in #10013 (48799)TestAttachment.bodyEncoding- by @hi-ogawa in #9969 (89ca0)🐞 Bug Fixes
expect.pollinterval - by @hi-ogawa and Claude Sonnet 4.6 in #10022 (3f5bf)@vitest/coverage-v8and@vitest/coverage-istanbulas optional dependency - by @alan-agius4 in #10025 (146d4)defineHelperfor webkit async stack trace + update playwright 1.59.0 - by @hi-ogawa in #10036 (5a5fa)JestExtendError.contextfrom verbose error reporting - by @hi-ogawa in #9983 (66751)vitest- by @hi-ogawa and Codex in #10042 (691d3)View changes on GitHub
v4.1.2Compare Source
This release bumps Vitest's
flattedversion and removes version pinning to resolveflatted's CVE related issues (#9975).🐞 Bug Fixes
setupFilesfrom parent directory - by @hi-ogawa in #9960 (7aa93)toMatchScreenshotcan't capture a stable screenshot - by @macarie in #9847 (faace)coverageConfigDefaultsvalues and types - by @Arthie in #9940 (b3c99)View changes on GitHub
vuejs/test-utils (@vue/test-utils)
v2.4.11Compare Source
compare changes
🩹 Fixes
setData()correctly for components using bothsetup()anddata()(#2846)GlobalMountOptionstype (#2851)event.codeonkeydown/keyup(#2850)❤️ Contributors
v2.4.10Compare Source
v2.4.9Compare Source
compare changes
🩹 Fixes
📖 Documentation
🏡 Chore
🤖 CI
❤️ Contributors
v2.4.8Compare Source
compare changes
🩹 Fixes
🤖 CI
❤️ Contributors
v2.4.7Compare Source
compare changes
🚀 Enhancements
🩹 Fixes
💅 Refactors
📖 Documentation
<select>(#2819)🏡 Chore
🤖 CI
❤️ Contributors
pnpm/pnpm (pnpm)
v10.34.5: pnpm 10.34.5Compare Source
Patch Changes
78e29fe: Prevent a craftedpnpm-lock.yamlfrom writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g.../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshotversion: "../../x") is now rejected atiterateHashedGraphNodes, the single point every global-virtual-store slot path funnels through.78e29fe: Fixed a path traversal vulnerability where a dependency whose manifestnamewas a scoped path traversal (e.g.@x/../../../<path>) could be written outsidenode_modulesto an attacker-controlled location duringpnpm install, even with--ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.47ef6f0: Fixed switching to and self-updating to pnpm v12. pnpm v12 (the Rust port) ships as thepnpmand@pnpm/exenpm packages whose bins are placeholders replaced at install time by the host's native binary from a@pnpm/exe.<platform>-<arch>[-musl]optional dependency. Because pnpm installs its own engine with--ignore-scripts, that relinking never ran, leaving a non-executable placeholder. pnpm now relinks the native binary itself for v12 (recognizing the new platform-package naming scheme and the nativepnpmpackage), and verifies the native binary's npm registry signature before running it.36928be:${...}environment-variable placeholders in thehttpProxy,httpsProxy,noProxy,proxy, andnoproxysettings are no longer expanded when these settings come from a project'spnpm-workspace.yaml. They now receive the same protection already applied toregistry.Platinum Sponsors
Gold Sponsors
v10.34.4: pnpm 10.34.4Compare Source
Patch Changes
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. Apnpm-workspace.yamlwith a traversal-shapedconfigDependenciesname (such as../../PWNED) or version (such as../../../PWNED) could previously causepnpm installto create symlinks or write package files outsidenode_modules/.pnpm-configand the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.352ae48: Reject path-traversal and reserved dependency aliases (such as../../../escape,.bin,.pnpm, ornode_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoistednode_modulesdirectory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.The
nodeLinker: hoistedgraph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.352ae48: Preventpnpm patch-removefrom removing files outside the configured patches directory.217fbe0: Hardened the warning printed when a project.npmrcuses environment variables in registry/auth settings: the suggestedpnpm config setcommand is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled.npmrcand a shell expands$(...), backticks, and$VAReven inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.Platinum Sponsors
Gold Sponsors
v10.34.3: pnpm 10.34.3Compare Source
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
.npmrcuses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by runningpnpm config set "<key>" <value>to store it in the global config, or by keeping the${...}line in the user-level~/.npmrc— with a link to https://pnpm.io/npmrc..npmrccan no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could setuserconfig,globalconfig, orprefixto point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to settokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace.npmrcfiles are read. Fixed by upgrading@pnpm/npm-confto3.0.3.Platinum Sponsors
Gold Sponsors
This PR was generated by Mend Renovate. View the repository job log.