Skip to content

fix(deps): update all non-major dependencies#22511

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#22511
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 25, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@babel/core (source) 7.29.07.29.7 age confidence
@babel/core (source) ^7.29.0^7.29.7 age confidence
@babel/parser (source) ^7.29.3^7.29.7 age confidence
@babel/plugin-transform-dynamic-import (source) ^7.27.1^7.29.7 age confidence
@babel/plugin-transform-modules-systemjs (source) ^7.29.4^7.29.7 age confidence
@babel/preset-env (source) ^7.29.5^7.29.7 age confidence
@babel/runtime (source) ^7.29.2^7.29.7 age confidence
@builder.io/qwik (source) ^1.19.2^1.20.0 age confidence
@clack/prompts (source) ^1.4.0^1.5.0 age confidence
@rollup/pluginutils (source) ^5.3.0^5.4.0 age confidence
@vitejs/devtools (source) ^0.1.24^0.3.1 age confidence
@vue/shared (source) ^3.5.34^3.5.35 age confidence
baseline-browser-mapping ^2.10.31^2.10.33 age confidence
eslint (source) ^10.4.0^10.4.1 age confidence
launch-editor-middleware ^2.13.2^2.14.0 age confidence
lint-staged ^17.0.5^17.0.7 age confidence
miniflare (source) ^4.20260518.0^4.20260526.0 age confidence
oxfmt (source) ^0.51.0^0.52.0 age confidence
pnpm (source) 10.33.410.34.1 age confidence
sass ^1.99.0^1.100.0 age confidence
sass-embedded ^1.99.0^1.100.0 age confidence
svelte (source) ^5.55.9^5.56.0 age confidence
terser (source) ^5.47.1^5.48.0 age confidence
tinyglobby (source) ^0.2.16^0.2.17 age confidence
tsx (source) ^4.22.3^4.22.4 age confidence
typescript-eslint (source) ^8.59.4^8.60.0 age confidence
vite (source) ^8.0.13^8.0.14 age confidence
vitepress-plugin-llms ^1.12.2^1.13.1 age confidence
vue (source) ^3.5.34^3.5.35 age confidence
vue-tsc (source) ^3.3.1^3.3.3 age confidence
ws ^8.20.1^8.21.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

babel/babel (@​babel/core)

v7.29.7

Compare Source

v7.29.6

Compare Source

babel/babel (@​babel/parser)

v7.29.7

Compare Source

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

babel/babel (@​babel/preset-env)

v7.29.7

Compare Source

QwikDev/qwik (@​builder.io/qwik)

v1.20.0

Compare Source

bombshell-dev/clack (@​clack/prompts)

v1.5.0

Compare Source

Minor Changes

  • #​543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

    Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

    Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

    import { text } from '@​clack/prompts';
import { type } from 'arktype';

const name = await text({
	message: 'Enter your email',
+	validate: type('string.email').describe('Invalid email'),
});
Patch Changes
rollup/plugins (@​rollup/pluginutils)

v5.4.0

2026-05-29

Features
  • feat: named exports for reserved-word keys + fix duplicate default export in dataToEsm (#​2002)
vitejs/devtools (@​vitejs/devtools)

v0.3.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v0.2.0

Compare Source

   🚨 Breaking Changes
   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
vuejs/core (@​vue/shared)

v3.5.35

Compare Source

Bug Fixes
Performance Improvements
web-platform-dx/baseline-browser-mapping (baseline-browser-mapping)

v2.10.33

Compare Source

v2.10.32

Compare Source

eslint/eslint (eslint)

v10.4.1

Compare Source

vitejs/launch-editor (launch-editor-middleware)

v2.14.0

Compare Source

lint-staged/lint-staged (lint-staged)

v17.0.7

Compare Source

Patch Changes

v17.0.6

Compare Source

Patch Changes

  • #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

cloudflare/workers-sdk (miniflare)

v4.20260526.0

Patch Changes

  • #​14003 c1fd2fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260521.1 1.20260526.1

  • #​14011 420e457 Thanks @​petebacondarwin! - Warn when a remote-bindings request is blocked by Cloudflare Access

    When wrangler dev is used with remote bindings and a request from the local remote-bindings proxy client to the remote workers.dev proxy server is blocked by Cloudflare Access (HTTP 403 with the Cloudflare Access block page), Wrangler now:

    • Logs a single, visually striking warning per dev session explaining how to set CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET (Service Token credentials) or run cloudflared access login to authenticate.
    • Replaces the original Access HTML block page with a readable plain-text body containing the same guidance, so the message also reaches the user via binding error messages (e.g. InferenceUpstreamError from env.AI.run()) and any browser response piped back via a service binding .fetch().

    Previously the 403 was returned to user code with the full Access HTML, which both drowned out other logs and made it hard to tell that the failure was due to Cloudflare Access on workers.dev rather than a problem in the binding itself or the deployed proxy server. The detection runs inside the proxy client worker (which only ever talks to the remote-bindings proxy URL), so it does not trigger false positives on user-worker 403s.

v4.20260521.0

Compare Source

Patch Changes

  • #​13993 0733688 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260520.1 1.20260521.1

  • #​13999 30657e1 Thanks @​edmundhung! - Fix TCP requests failing when outboundService is configured

    Workers using outboundService can now open TCP connections with cloudflare:sockets. Previously, TCP requests could throw an error when a custom outbound service was configured.

v4.20260520.0

Compare Source

Patch Changes

  • #​13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

    GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #​13977 2679e05 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260518.1 1.20260519.1

  • #​13984 7e40d98 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260519.1 1.20260520.1

  • #​13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

    Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

    This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

  • #​13971 59cd880 Thanks @​petebacondarwin! - Improve error diagnostics in the Browser Run binding worker

    When the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback /browser/launch endpoint returned a 500 with a stack-trace text body — the binding worker would call response.json() on the non-JSON body and throw an opaque SyntaxError: Unexpected token X, "..." is not valid JSON. The actual upstream error message (e.g. Chrome readiness probe at ... timed out after 5000ms) was discarded.

    The binding worker now reads the response body as text first, surfaces the HTTP status and body content in the thrown error, and chains the original SyntaxError via cause when the body was a 2xx response that didn't parse as JSON. This makes both local-dev failures and CI test flakes self-diagnosing.

  • #​13980 e8c2031 Thanks @​petebacondarwin! - Recover from corrupted @puppeteer/browsers cache when launching a Browser Run session

    When Miniflare's local Browser Run binding launches Chrome, it calls @puppeteer/browsers' install() to ensure the binary is present. If a previous install() was interrupted mid-extraction (test timeout, process kill, antivirus quarantine), the cache directory can be left partially populated — the folder exists but the executable inside it is missing. install() then throws The browser folder (...) exists but the executable (...) is missing on every subsequent call within the same process and the entire test session, breaking every later Browser Run operation until the cache is manually cleared.

    launchBrowser now catches that specific error, removes the corrupted cache directory, and retries install() once. If the corruption persists after cleanup, the original error is rethrown with a clearer message.

    This complements #​13971, which surfaced the original error from inside the binding worker. With that diagnostic in place and this self-healing layer, the previously-intermittent "browser folder exists but executable missing" failure mode should no longer fail an entire CI run.

oxc-project/oxc (oxfmt)

v0.52.0

Compare Source

🚀 Features
  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#​22454) (leaysgur)
pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0

Compare Source

sass/dart-sass (sass)

v1.100.0

Compare Source

  • Writing two compound selectors adjacent to one another without any whitespace
    between them, such as [class]a, is now deprecated. This was always an error
    in CSS and Sass only supported it by mistake.

    See the Sass website for
    details.

sass/embedded-host-node (sass-embedded)

v1.100.0

Compare Source

  • Writing two compound selectors adjacent to one another without any whitespace
    between them, such as [class]a, is now deprecated. This was always an error
    in CSS and Sass only supported it by mistake.

    See the Sass website for
    details.

sveltejs/svelte (svelte)

v5.56.0

Compare Source

Minor Changes
  • feat: allow declarations in the template (#​18282)
Patch Changes

  • perf: use createElement instead of createElementNS for HTML elements (#​18262)

  • perf: store current_sources as a Set for O(1) membership checks (#​18278)

  • perf: deduplicate identical hoisted templates within a component (#​18320)

  • perf: hoist rest_props exclude list as a module-scope Set (#​18252)

v5.55.10

Compare Source

Patch Changes

  • fix: unlink errored and otherwise finished batch (#​18264)

  • perf: walk composedPath() directly in delegated event propagation (#​18268)

  • fix: transfer effects when merging batches (#​18254)

  • fix: allow $derived(await ...) in disconnected effect roots (#​18273)

  • fix: remove temporary raw-text hydration markers (#​18269)

  • fix: propagate async @const blockers through closure references so template expressions like {(() => host)()} correctly wait for the awaited value (#​18309)

  • fix: properly unlink batches (#​18298)

  • fix: settle discarded batch (#​18290)

  • fix: declare let: directives before {@&#8203;const} declarations on slotted elements (#​18271)

  • fix: resume outro-ed branches if they were kept around (#​18291)

  • fix: avoid waterfall-warning when async resolves to same value (#​18297)

  • fix: correctly coordinate component-level effects inside async blocks (#​18260)

  • fix: make unnecessary commit work less likely (#​18263)

  • chore: add tag name to a11y_click_events_have_key_events warning (#​18272)

  • fix: catch rejected promises while merging/committing (#​18266)

terser/terser (terser)

v5.48.0

Compare Source

  • Support import source ... and import defer ... (#​1682)
SuperchupuDev/tinyglobby (tinyglobby)

v0.2.17

Compare Source

Changed
  • Enabled staged publishing for stronger supply-chain security
Fixed
  • Defaults when undefined is passed to any of the options by chloeelim
  • Drive-relative paths on Windows by Andrej730
  • FileSystemAdapter is now exported again
privatenumber/tsx (tsx)

v4.22.4

Compare Source

Bug Fixes
  • resolve CommonJS directory requires inside dependencies (#​803) (1ce8463)

This release is also available on:

typescript-eslint/typescript-eslint (typescript-eslint)

v8.60.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.14

Compare Source

Features
Bug Fixes
Miscellaneous Chores
  • deps: update rolldown-related dependencies (#​22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)
Code Refactoring
Tests
okineadev/vitepress-plugin-llms (vitepress-plugin-llms)

v1.13.1

Compare Source

No significant changes

     View changes on GitHub

v1.13.0

Compare Source

    🚀 Enhancements

You can now build a completely custom UI for the "Copy / Download as Markdown"
buttons without touching the bundled Vue component. 🥞

The new useCopyOrDownloadAsMarkdownButtons composable is exported directly
from vitepress-plugin-llms/vitepress-components and gives you full access to the underlying
reactive state and action handlers - copied, downloaded, copyAsMarkdown,
downloadMarkdown, viewAsMarkdown, openInAI, so you can wire them up to
any markup you want.

The list of AI providers is also now configurable via the aiProviders option,
and the default providers (ChatGPT and Claude) are exported separately as
defaultAiProviders so you can extend rather than replace them.

   💖 Contributors
     View changes on GitHub
vuejs/language-tools (vue-tsc)

v3.3.3

Compare Source

vscode
workspace

v3.3.2

Compare Source

language-core
  • feat: preserve literal types for inline v-for sources (#​6067) - Thanks to @​kkesidis!
  • fix: align v-bind shorthand identifier skipping with interpolation - Thanks to @​KazariEX!
vscode
websockets/ws (ws)

v8.21.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 25, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 18 times, most recently from b3daeec to e2d10a3 Compare May 30, 2026 20:56
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e2d10a3 to 7118027 Compare May 31, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants