Skip to content

chore(deps): update all non-major dependencies#46

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#46
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Mar 26, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@vitest/coverage-v8 (source) 4.1.14.1.10 age confidence
@vue/test-utils 2.4.62.4.11 age confidence
pnpm (source) 10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c864931910.34.5 age confidence
typescript (source) 6.0.26.0.3 age confidence
vitest (source) 4.1.14.1.10 age confidence

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes
    View changes on GitHub
vuejs/test-utils (@​vue/test-utils)

v2.4.11

Compare Source

compare changes

🩹 Fixes
  • Drop legacy Mutation Event listener entries (#​2844)
  • Handle setData() correctly for components using both setup() and data() (#​2846)
  • Export GlobalMountOptions type (#​2851)
  • Set spec-compliant event.code on keydown/keyup (#​2850)
❤️ Contributors

v2.4.10

Compare Source

v2.4.9

Compare Source

compare changes

🩹 Fixes
  • Tolerate duplicate attachTo cleanup (#​2830)
📖 Documentation
🏡 Chore
  • Migrate renovate config (5d37934)
🤖 CI
  • Pin github actions to commit hashes (75dcef3)
❤️ Contributors

v2.4.8

Compare Source

compare changes

🩹 Fixes
  • Correct declaration entrypoint (#​2826)
🤖 CI
❤️ Contributors

v2.4.7

Compare Source

compare changes

🚀 Enhancements
  • Add Chinese docs translation (#​2552)
  • SetData()/shallowMount with initialData for components using the Composition API / <script setup> (#​2655)
🩹 Fixes
  • Preserve code from keyboard events (#​2434)
  • Switch browser and require exports definitions (#​2501)
  • Re-add peer dependencies but with wider range (#​2511)
  • Resolve warnings in docs:dev (30b7491)
  • Resolve TypeScript type errors in .vitepress/config (#​2549)
  • Accept FunctionalComponent as selector (0bb947f)
  • Text() misses content for array functional component (#​2579)
  • Use await in test (c5482b4)
  • deps: Update dependency vue-component-type-helpers to v3 (#​2683)
  • Remove wrapper div when unmount (#​2700)
  • Make mount options slots compatible with noUncheckedIndexedAccess true (#​2713)
  • Add missing peerDependency @​vue/compiler-dom (75801ba)
  • docs: Declare css module for vitepress typecheck (ddaca97)
💅 Refactors
  • Enforce consistent usage of type imports (#​2734)
📖 Documentation
  • Clarify findComponent vs getComponent (#​2435)
  • Update fr docs (67064ef)
  • Add note about partial transition stub support (#​2431)
  • Fix missing data at passing data section essentials guide (dda205e)
  • Fix missing data at passing data section essentials guide fr (ae2c72c)
  • Fix plugin TS declaration example (#​2466)
  • Fixed incorrect checkbox value check (#​2495)
  • Capital letter in sentence fix (#​2499)
  • Import missing DOMWrapper on Implementation of the plugin section (#​2519)
  • Add migration step for deprecated ref syntax in findAllComponents (#​2498)
  • Correct anchor hash links and fix typo (#​2551)
  • Center logo on home (#​2559)
  • zh-cn: Review a-crash-course (#​2563)
  • Use code-group for install commands (#​2571)
  • zh-cn: Review event-handing.md (#​2572)
  • zh-cn: Enhance conditional-rendering.md (#​2562)
  • zh-cn: Review easy-to-test (#​2567)
  • zh-cn: Review passing-data.md (#​2575)
  • zh-cn: Review async-suspense.md (#​2576)
  • zh: 优化 API 文档格式和内容 (#​2569)
  • zh: 更新 Vitest 模拟日期和计时器的说明 (#​2578)
  • zh-cn: Review http-requests.md (#​2580)
  • zh-cn: Review forms (#​2582)
  • zh-cn: Guide/advanced/slots.md (#​2565)
  • zh: Review extending-vtu (#​2583)
  • zh: Review index (#​2584)
  • Fix modelValue test example (85bfdf4)
  • Removes broken link from plugins.md (69bc1ce)
  • zh: Review transitions, component-instance, and reusability-composition (#​2616)
  • zh: Review v-model and vuex (#​2617)
  • zh: Review all the rest advanced guide (#​2619)
  • zh: Review migration (#​2623)
  • Fix a typo in transitions.md (#​2635)
  • Update crash-course to script setup (c81aa79)
  • Update Essentials section to setup (composition api) (#​2647)
  • Typos in examples (#​2678)
  • Typo in easy-to-test.md (#​2710)
  • Add note about mocking requestAnimationFrame for transitions (2324c65)
  • Updated example TodoApp to script setup (#​2727)
  • Remove "Using data" section from "Conditional Rendering" guide and fix passing data test example (#​2743)
  • Follow-up fixes for the conditional rendering guide (#​2744)
  • Mention shallowMount stub name changes in migration guide (80e051a)
  • Update conditional rendering documentation to clarify isVisible() usage with attachTo (#​2799)
  • Restore Options API component for data() mounting example (#​2804)
  • Promote Vitest as recommended test runner (#​2805)
  • api: Note that setValue does not accept objects on <select> (#​2819)
🏡 Chore
  • Add api/index.md to docs:translation:compare (6b8681c)
  • Remove unnecessary generic arguments (cfd70c6)
  • Ignore TS error in config object (9d0a618)
  • Simplify eslint packages (c1d0ffd)
  • Use eslint v9 with flat config (2f19fdf)
  • Expose Stubs type publicly (#​2492)
  • Update documentation file path (9c96594)
  • Use pnpm v10 (e4c2cb3)
  • Pnpm approve build (81c54e9)
  • Use github issue forms (#​2673)
  • Exclude class components from test type-checking (0899008)
  • Add explicit coverage include for vitest v4 (51672b9)
  • Update to prettier v3.7 (fed9e7c)
  • Migrate to oxfmt (81c1de9)
  • Migrate to oxlint (a361908)
  • Prepare TypeScript 6 migration settings (55e1262)
  • Adjust tsd config for TypeScript 6 (7d23eb5)
  • Avoid TypeScript 6 target deprecation warning (81d063c)
🤖 CI
  • Remove node v22 build (7ebf58d)
  • Add node v22 build (57540ee)
  • Use "pool: threads" instead of vmThreads (d0cbb54)
  • Remove node v18 and add v24 (fd9cf95)
  • Add trusted publishing release workflow (#​2825)
❤️ Contributors
pnpm/pnpm (pnpm)

v10.34.5: pnpm 10.34.5

Compare Source

Patch Changes

  • 78e29fe: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at iterateHashedGraphNodes, the single point every global-virtual-store slot path funnels through.
  • 78e29fe: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 47ef6f0: Fixed switching to and self-updating to pnpm v12. pnpm v12 (the Rust port) ships as the pnpm and @pnpm/exe npm packages whose bins are placeholders replaced at install time by the host's native binary from a @pnpm/exe.<platform>-<arch>[-musl] optional dependency. Because pnpm installs its own engine with --ignore-scripts, that relinking never ran, leaving a non-executable placeholder. pnpm now relinks the native binary itself for v12 (recognizing the new platform-package naming scheme and the native pnpm package), and verifies the native binary's npm registry signature before running it.
  • 36928be: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.4: pnpm 10.34.4

Compare Source

Patch Changes
  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.

Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.3: pnpm 10.34.3

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

  • the project/workspace .npmrcregistry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
  • registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

  • Improved the warning printed when a project .npmrc uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running pnpm config set "<key>" <value> to store it in the global config, or by keeping the ${...} line in the user-level ~/.npmrc — with a link to https://pnpm.io/npmrc.
  • A repository-controlled project or workspace .npmrc can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set userconfig, globalconfig, or prefix to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set tokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace .npmrc files are read. Fixed by upgrading @pnpm/npm-conf to 3.0.3.

Platinum Sponsors

Bit

Gold Sponsors

config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov

codecov Bot commented Mar 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8c6afd7) to head (cef236f).

Additional details and impacted files
@@             Coverage Diff             @@
##             main       #46      +/-   ##
===========================================
+ Coverage   99.08%   100.00%   +0.91%     
===========================================
  Files           3         3              
  Lines         109       109              
  Branches       30        30              
===========================================
+ Hits          108       109       +1     
+ Misses          1         0       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 16084fe to 7e96df5 Compare April 1, 2026 17:43
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.2 chore(deps): update all non-major dependencies to v4.1.3 Apr 7, 2026
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 8539e24 to cf20229 Compare April 8, 2026 20:52
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.3 chore(deps): update all non-major dependencies to v4.1.4 Apr 9, 2026
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from cf20229 to 7b7a5af Compare April 9, 2026 09:19
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 7b7a5af to e8a9742 Compare April 17, 2026 00:13
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.4 chore(deps): update all non-major dependencies Apr 17, 2026
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 8c574bd to 9544fc8 Compare April 27, 2026 11:29
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 030e569 to 52d8a3f Compare May 5, 2026 02:28
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 40cb925 to a13d478 Compare May 12, 2026 16:59
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 8ba7bb5 to 917400e Compare May 20, 2026 11:34
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 6426198 to fd6465a Compare June 1, 2026 19:40
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from dfb766e to 5d18259 Compare June 10, 2026 18:04
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 7ec70ea to 98fb34e Compare June 15, 2026 11:40
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 98fb34e to f1fbd3c Compare June 18, 2026 23:39
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 26edfbc to c66298c Compare July 12, 2026 12:06
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from c66298c to cef236f Compare July 17, 2026 01:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants