chore(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
node (source)		minor	24.15.0 → 24.16.0
npm:pnpm (source)		minor	11.2.2 → 11.3.0	11.5.0 (+1)
pnpm (source)	packageManager	minor	11.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f → 11.3.0	11.5.0 (+1)
quay.io/pypa/manylinux_2_28	final	digest	65f13b3 → f135790
rust (source, changelog)	toolchain	patch	nightly-2026-05-24 → nightly-2026-05-25	nightly-2026-05-31 (+5)

---

Release Notes

nodejs/node (node)

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #​62592
• [7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #​62561
• [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #​62324
• [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #​61829
• [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #​63011
• [cb67a925e9] - deps: use npm undici@​seven tag in update-undici.sh (Matteo Collina) #​62739
• [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #​62828
• [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #​62917
• [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #​61596
• [233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #​63093
• [5d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #​62995
• [2a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #​62884
• [ef413b5358] - doc: fix typo in test.md (Rich Trott) #​62960
• [76f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #​62738
• [ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #​62917
• [46c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #​62917
• [1a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #​62882
• [169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #​62868
• [9a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #​62205
• [0fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #​62841
• [9c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #​62800
• [6b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #​62753
• [ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #​62537
• [ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #​62687
• [70b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #​62668
• [8126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #​62680
• [978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #​62663
• [1684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #​62600
• [86d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #​62590
• [736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #​62566
• [938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #​62504
• [94433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #​62745
• [ddf1f01659] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #​62462
• [4a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #​62695
• [f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #​62835
• [63c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #​62674
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [717476a24e] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #​62936
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [64f15c274a] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #​62872
• [5c4798d799] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #​62333
• [9f3bc70ae5] - http: cleanup pipeline queue (Robert Nagy) #​62534
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [900dc758ff] - http2: expose writable stream state on compat response (T) #​63003
• [b3bfe35912] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #​62616
• [3dc3fb6ad8] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #​62162
• [4f3f21bd7c] - inspector: auto collect webstorage data (Ryuhei Shima) #​62145
• [36cc04189d] - inspector: initial support storage inspection (Ryuhei Shima) #​61139
• [1718bc3b9b] - inspector: fix absolute URLs in network http (bugyaluwang) #​62955
• [97e32c7a74] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #​62914
• [25d2e999de] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #​62877
• [37d3913c8f] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #​62833
• [430c69d25f] - lib: use js-only implementation of isDataView() (René) #​62780
• [3ba0add6a0] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #​62806
• [9b95c41398] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #​62179
• [314dacdbee] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #​62749
• [3d18162430] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #​62632
• [ada3ce879d] - lib: defer AbortSignal.any() following (sangwook) #​62367
• [b2981ec7eb] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #​62549
• [7cd20667b5] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #​63074
• [91a07cfe9f] - meta: bump Mozilla-Actions/sccache-action from 0.0.9 to 0.0.10 (dependabot[bot]) #​63073
• [09e17fe47c] - meta: add automation policy (Chengzhong Wu) #​62871
• [59e7fb7986] - meta: move VoltrexKeyva to emeritus (Matteo Collina) #​62895
• [1e2915cfa6] - meta: bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (dependabot[bot]) #​62845
• [0253c6e2be] - meta: bump step-security/harden-runner from 2.16.1 to 2.19.0 (dependabot[bot]) #​62844
• [f503675b86] - meta: bump actions/setup-node from 6.3.0 to 6.4.0 (dependabot[bot]) #​62842
• [5e14e4d26e] - meta: broaden stale bot (Aviv Keller) #​62658
• [795db76f87] - meta: pass release version to release worker (flakey5) #​62777
• [ef384fe39f] - meta: add QUIC to CODEOWNERS (Tim Perry) #​62652
• [67e0ac568d] - meta: move Michael to emeritus (Michael Dawson) #​62536
• [5dad616393] - meta: populate apt list for slim runner in update-openssl workflow (René) #​62628
• [a869d25d8a] - meta: bump step-security/harden-runner from 2.15.0 to 2.16.1 (dependabot[bot]) #​62550
• [769efc0403] - meta: bump actions/setup-node from 6.2.0 to 6.3.0 (dependabot[bot]) #​62548
• [73fcc2b055] - meta: bump github/codeql-action from 4.32.4 to 4.35.1 (dependabot[bot]) #​62547
• [6c001246fe] - meta: bump codecov/codecov-action from 5.5.2 to 6.0.0 (dependabot[bot]) #​62545
• [5ee40d6a03] - meta: bump actions/cache from 5.0.3 to 5.0.4 (dependabot[bot]) #​62543
• [ca16ad8a05] - meta: require DCO signoff in commit message guidelines (James M Snell) #​62510
• [db9497fc41] - meta: expand memory leak DoS criteria to all DoS (Joyee Cheung) #​62505
• [13b7d08b8d] - module: remove duplicated checks from _resolveFilename (Antoine du Hamel) #​62729
• [6b53efb53a] - module,win: fix long subpath import (Stefan Stojanovic) #​62101
• [841dfbf6fc] - node-api: update libuv ABI stability note (Chengzhong Wu) #​62789
• [01090f2aa1] - node-api: add napi_create_external_sharedarraybuffer (Ben Noordhuis) #​62623
• [87443b4355] - node-api: execute tsfn finalizer after queue drains when aborted (Kevin Eady) #​61956
• [e95570c054] - process: handle rejections only when needed (Gürgün Dayıoğlu) #​62919
• [37d49f3219] - process: optimize asyncHandledRejections by using FixedQueue (Gürgün Dayıoğlu) #​60854
• [f697c55e38] - quic: add QuicEndpoint.listening & QuicStream.destroy() and tests (Tim Perry) #​62648
• [c128942b69] - quic: fixup token verification to handle zero expiration (James M Snell) #​62620
• [abb881ec92] - quic: support multiple ALPN negotiation (James M Snell) #​62620
• [476926c2ad] - quic: apply multiple TLS context improvements and SNI support (James M Snell) #​62620
• [76d9c24b95] - quic: implement rapidhash for hashing improvements (James M Snell) #​62620
• [08726cd43d] - quic: move quic behind compile time flag (Matteo Collina) #​61444
• [ea4f19aaa7] - quic: use arena allocation for packets (James M Snell) #​62589
• [21e9239e2a] - quic: fixup linting/formatting issues (James M Snell) #​62387
• [edeed4303b] - quic: update http3 impl details (James M Snell) #​62387
• [7f3a85e6aa] - quic: fix a handful of bugs and missing functionality (James M Snell) #​62387
• [45c1ebddf8] - quic: copy options.certs buffer instead of detaching (Chengzhong Wu) #​61403
• [a31a8ee680] - quic: reduce boilerplate and other minor cleanups (James M Snell) #​59342
• [3be70ff43a] - quic: multiple fixups and updates (James M Snell) #​59342
• [b91a93444c] - quic: update more of the quic to the new compile guard (James M Snell) #​59342
• [ca0080c164] - quic: few additional small comment edits in cid.h (James M Snell) #​59342
• [6553202d83] - quic: fixup NO_ERROR macro conflict on windows (James M Snell) #​59381
• [6df1508ac2] - quic: fixup windows coverage compile error (James M Snell) #​59381
• [b2b0bf8b04] - quic: update the guard to check openssl version (James M Snell) #​59249
• [5556b154bd] - quic: start re-enabling quic with openssl 3.5 (James M Snell) #​59249
• [2ca42c8263] - repl: keep reference count for process.on('newListener') (Anna Henningsen) #​61895
• [2f37f9177f] - sqlite: use OneByte for ASCII text and internalize col names (Ali Hassan) #​61954
• [3c96ae1b2f] - sqlite: add serialize() and deserialize() (Ali Hassan) #​62579
• [be4d2f3a4c] - sqlite: enable Percentile extension (Jurj Andrei George) #​61295
• [dafed453b2] - src: clean up experimental flag variables (Antoine du Hamel) #​62759
• [dca1e6aeea] - src: expose help texts into node-config-schema.json (Pietro Marchini) #​58680
• [28c4f44eb1] - src: add permission support to config file (Marco Ippolito) #​60746
• [f49175b220] - src: fix small compile warning in quic/streams.cc (James M Snell) #​60118
• [c9d4a446d8] - src: cleanup quic TransportParams class (James M Snell) #​59884
• [99bb02fd9e] - src: swap dotenv and config file parsing order (Marco Ippolito) #​63035
• [ecb4d49b7b] - src: add missing <cstdlib> for abort() declaration (Charles Kerr) #​63001
• [b6219b6362] - src: fix crash in GetErrorSource() for invalid using syntax (semimikoh) #​62770
• [b5ca5ad4c5] - src: simplify TCPWrap::Connect signature (Anna Henningsen) #​62929
• [ef7ffce7cf] - src: use DCHECK in AsyncWrap::MakeCallback instead emiting a warning (Gerhard Stöbich) #​62795
• [cd9890a5ab] - src: fix MaybeStackBuffer char_traits deprecation warning (om-ghante) #​62507
• [c70ff44aee] - src: use context-free V8 message column getters (René) #​62778
• [06c405f1d7] - src: coerce spawnSync args to string once (Antoine du Hamel) #​62633
• [6151999ad6] - src: use stack allocation for small string encoding (Ali Hassan) #​62431
• [a71a4ac7a3] - src: add contextify interceptor debug logs (Chengzhong Wu) #​62460
• [ad9a2909c2] - src: workaround AIX libc++ std::filesystem bug (Richard Lau) #​62788
• [7792f1ae47] - stream: copyedit webstreams/adapter.js (Antoine du Hamel) #​63034
• [1397d8ce5c] - stream: remove duplicated utility (Antoine du Hamel) #​63031
• [ff86b1d64f] - stream: simplify setPromiseHandled utility (Antoine du Hamel) #​63032
• [24a078149a] - stream: validate ReadableStream.from iterator objects (Daeyeon Jeong) #​62911
• [cfb1fa9680] - stream: reject duplicate nested transferables (Daeyeon Jeong) #​62831
• [d0c913758a] - stream: ensuring cross-destruction in _duplexify to prevent leaks (Daijiro Wachi) #​62824
• [978f5c15d7] - stream: simplify readableStreamFromIterable (Antoine du Hamel) #​62651
• [3527646ba5] - stream: fix nested compose error propagation (Matteo Collina) #​62556
• [dfb9edef4f] - stream: allow shared array buffer sources in writable webstream adapter (René) #​62163
• [f00cdab627] - stream: simplify createPromiseCallback (Antoine du Hamel) #​62650
• [3ed783535f] - stream: fix writev unhandled rejection in fromWeb (sangwook) #​62297
• [29b196694c] - stream: noop pause/resume on destroyed streams (Robert Nagy) #​62557
• [d73dbb9fc8] - stream: refactor duplexify to be less suceptible to prototype pollution (Antoine du Hamel) #​62559
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [b8816580e9] - test: generate localstorage.db in a temp dir (Chengzhong Wu) #​62660
• [31a863fd29] - test: update WPT for url to 258f285 (Node.js GitHub Bot) #​63087
• [d0d19bd8e3] - test: update WPT for streams to f8f26a3 (Node.js GitHub Bot) #​62864
• [f50ac5bc78] - test: improve config-file permission test coverage (Rafael Gonzaga) #​60929
• [a0f90000f4] - test: export isRiscv64 from common module (Jamie Magee) #​62609
• [da4dd8646f] - test: normalize known inspector crash as completion (Joyee Cheung) #​62851
• [b7fdd94a4c] - test: account for RFC 7919 FFDHE negotiation in OpenSSL 4.0 (Filip Skokan) #​62805
• [375a993aaf] - test: skip tls-deprecated secp256k1 on OpenSSL 4.0 (Filip Skokan) #​62805
• [698d8287d1] - test: use an always invalid cipher and cover OpenSSL 4.0 behaviours (Filip Skokan) #​62805
• [036bc6f300] - test: use valid DER OCSP responses (Filip Skokan) #​62805
• [3aa9938da8] - test: skip test-tls-error-stack when engines are unsupported (Filip Skokan) #​62805
• [947f1ae246] - test: accept renamed OpenSSL 4.0 error code and reason (Filip Skokan) #​62805
• [afdd355622] - test: update test/addons/openssl-binding for OpenSSL 4.0 (Filip Skokan) #​62805
• [8637524a99] - test: mark test-snapshot-reproducible flaky (Filip Skokan) #​62808
• [c22d34134b] - test: check contextify contextual store behavior in strict mode (René) #​62571
• [0b4e0d3c94] - test: update tls junk data error expectations (Filip Skokan) #​62629
• [85d83c2cdb] - test: ensure WPT report is in out/wpt (Filip Skokan) #​62637
• [9e21711c60] - test: improve WPT runner summary (Filip Skokan) #​62636
• [e04e2c9ac1] - test: skip url WPT subtests instead of modifying test script (Filip Skokan) #​62635
• [7b1211f88c] - test: capture negative utimes mtime at call time (Yuya Inoue) #​62490
• [f1a6e9fcc7] - test: allow skipping individual WPT subtests (Filip Skokan) #​62517
• [23f927542e] - test: use on-disk fixture for test-npm-install (Joyee Cheung) #​62584
• [4739c45879] - test: update WPT for url to 7a3645b (Node.js GitHub Bot) #​62591
• [f68189b839] - test_runner: add testId to test events (Moshe Atlow) #​62772
• [5c2770446e] - test_runner: publish to TracingChannel for OTel instrumentation (Moshe Atlow) #​62502
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [3f74a58979] - test_runner: update node-config-schema (Pietro Marchini) #​58680
• [60c83f6199] - test_runner: fix failing suite hooks when marked with todo (Moshe Atlow) #​63097
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [3e72065ed6] - test_runner: fix suite rerun edge case (Moshe Atlow) #​62860
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [dd43efffa6] - test_runner: add passed, attempt, and diagnostic to SuiteContext (Moshe Atlow) #​62504
• [a12dc445cc] - tools: add a check for clean git tree after tests (Antoine du Hamel) #​62661
• [5b49178375] - tools: use LTS Node.js in notify-on-push workflow (Nenad Spasenic) #​63084
• [5a93bde5bb] - tools: update gr2m/create-or-update-pull-request-action to v1.10.1 (Mike McCready) #​63065
• [b133019d19] - tools: simplify update-undici.sh (Antoine du Hamel) #​63044
• [04d3538074] - tools: do not run test-linux on unrelated tools changes (Antoine du Hamel) #​63037
• [4d396ac4a5] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #​62848
• [9354bf40e7] - tools: update gyp-next to 0.22.1 (Node.js GitHub Bot) #​62961
• [c23db1ca85] - tools: fix commit linter for semver-major release proposals (Antoine du Hamel) #​62993
• [6e097ee3f1] - tools: consolidate and simplify .editorconfig deps section (Daijiro Wachi) #​62887
• [a47ea6d6ea] - tools: set bot as author of tools-deps-update PRs (Antoine du Hamel) #​62856
• [00e86f0471] - tools: bump brace-expansion from 5.0.4 to 5.0.5 in /tools/eslint (dependabot[bot]) #​62458
• [cd7e262e75] - tools: bump brace-expansion in /tools/clang-format (dependabot[bot]) #​62467
• [bfc1319bc8] - tools: exclude @​node-core/doc-kit from dependabot cooldown (Levi Zim) #​62775
• [a932fbd10b] - tools: re-enable undici WPTs in daily wpt.fyi job (Filip Skokan) #​62677
• [f7bd9e3055] - tools: update gyp-next to 0.22.0 (Node.js GitHub Bot) #​62697
• [c400d46d87] - tools: improve backport review script (Antoine du Hamel) #​62573
• [be23b75814] - tools: improve output for unexpected passes in WTP tests (Antoine du Hamel) #​62587
• [609c013ece] - tools: revert OpenSSL update workflow to ubuntu-latest (Richard Lau) #​62627
• [81bac1ebfd] - tools: bump the eslint group in /tools/eslint with 2 updates (dependabot[bot]) #​62552
• [1fee26522d] - tools: allow triagers to queue a PR for CI until it's reviewed (Antoine du Hamel) #​62524
• [332088f929] - tools: do not run commit-lint on release proposals (Antoine du Hamel) #​62523
• [9a25fc8a4d] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #​62574
• [7bd08ff60a] - url: optimize URLSearchParams set/delete duplicate handling (Gürgün Dayıoğlu) #​62266
• [2d636388fa] - url: align default argument handling for URLPattern with webidl (Filip Skokan) #​62719
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556
• [0e2adb3e45] - watch: track worker entry files in watch mode (SudhansuBandha) #​62368
• [c58fe38211] - watch: fix --env-file-if-exists crashing on linux if the file is missing (Efe) #​61870

pnpm/pnpm (npm:pnpm)

v11.3.0

Compare Source

Minor Changes

• Added pnpm stage with publish, list, view, approve, reject, and download subcommands for npm staged publishing.

• Added a new setting trustLockfile. When true, pnpm install skips the supply-chain verification pass that re-applies minimumReleaseAge / trustPolicy='no-downgrade' to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author. Defaults to false; verification stays on by default. Set in pnpm-workspace.yaml.

  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (~4k lockfile entries with minimumReleaseAge + trustPolicy: no-downgrade enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (time, per-version _npmUser.trustedPublisher, dist.attestations.provenance). The abbreviated-metadata cache is similarly projected to just the package-level modified field and the set of currently-listed version names. Fixes [#​1

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mise.lock

mise ERROR error parsing config file: /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.5.18 linux-x64 (2026-05-31)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

Command failed: mise lock node npm:pnpm
mise ERROR error parsing config file: /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.5.18 linux-x64 (2026-05-31)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

File name: package.json

Command failed: corepack use pnpm@11.3.0

[greptile-apps]

Greptile Summary

This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.

• Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
• Several beta versions (vitest, vite) graduate to stable releases — a positive change.
• The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.

Confidence Score: 4/5

• This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
• All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
• package.json — missing SHA512 hash in the packageManager field.

Important Files Changed

Filename	Overview
package.json	Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile	Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock	Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml	Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml	Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml	Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.

Comments Outside Diff (1)

1. package.json, line 202 (link)

   Missing Corepack integrity hash for pnpm

   The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

   You can restore supply-chain integrity by running:

   corepack use pnpm@10.32.1

   This will update package.json with the correct hash for 10.32.1, e.g.:

   Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: package.json
   Line: 202
   
   Comment:
   **Missing Corepack integrity hash for pnpm**
   
   The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.
   
   You can restore supply-chain integrity by running:
   
   ```bash
   corepack use pnpm@10.32.1
   ```
   
   This will update `package.json` with the correct hash for 10.32.1, e.g.:
   
   
   
   Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:

```suggestion
  "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",
```

Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "Update all dependenc..."}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[codspeed-hq]

Merging this PR will not alter performance

✅ 15 untouched benchmarks

---

_{Comparing renovate/all-dependencies (8a7990e) with main (d3731e4)}