chore: Update Web dependencies #1700
Merged
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Merging this PR will not alter performance
Aureliolo added a commit that referenced this pull request May 3, 2026
## Summary

Adds a cross-PR file-overlap analysis step to the `/review-dep-pr` skill so that batch reviews surface merge conflicts upfront and the user can pick a sequencing strategy before triage.

### What changed

- **New Phase 5 — Cross-PR File Overlap Analysis** (skipped for single-PR runs):
  - Pulls each PR's changed-file list via `gh pr view --json files`.
  - Builds a per-file conflict map and classifies overlaps as **none / lockfile-only / config / source**.
  - Treats `package-lock.json`, `pnpm-lock.yaml`, `uv.lock`, `go.sum`, `atlas.sum`, etc. as lockfile-only (rebase needed, not a hard blocker).
  - Groups PRs into merge **waves** (Wave 1 = parallel-safe, Wave 2+ = sequential after rebase).
- **Phase 6 (Present Findings)** now leads with a "Batch Overlap Summary" header and adds a `Files touched / conflicts with` row to each per-PR card.
- **Phase 7 (User Decision)** opens with a strategy question whenever ≥ 2 PRs share files:
  - Wave-based parallel
  - Strict sequential
  - Combine into one PR
  - Defer the conflicting subset
- **Phase 8 (Execute Decisions)** honours the chosen strategy when sequencing merges (parallel waves, rebase between waves, etc.).
- New rule: multi-PR runs always compute the conflict map; lockfile-only overlaps are acceptable but expect rebase between merges.

### Why

Without this, the skill would propose merging in parallel any PRs whose CI is green, then run into surprise conflicts on the second/third merge — most often on workflow YAMLs and lockfiles. The new phase makes the conflict surface explicit before the user picks a strategy, and the strategy choice is then carried through to execution.

### Test plan

Dogfooded against the 8 open Renovate PRs in this repo (#1698-#1705). Surfaced three conflict clusters (`docker.yml` between #1698/#1701/#1703, `cli.yml` between #1702/#1703, `web/package.json` between #1700/#1704) plus the expected lockfile-only overlaps. The Wave-based strategy successfully merged 5 PRs sequentially with `--squash --admin` and the lockfile PR (#1705) was rebased via Renovate.

### Review coverage

`/pre-pr-review quick` — docs-only change to a `.claude/` skill file, no code/agents required. Pre-commit hooks passed (trailing whitespace, EOF, secrets, em-dashes).
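The Phase 5 analysis described in the commit message above, sketched in Python as an added example; it is not the skill's own code, which this page does not show. The file lists in `SAMPLE` are constructed to match the clusters in the test plan, and the config/source split by file suffix, the greedy wave assignment, and the choice to let lockfile-only overlaps share a wave are assumptions.

```python
from itertools import combinations
from pathlib import PurePosixPath

# Lockfile names taken from the commit message (its own list ends with "etc.").
LOCKFILES = {"package-lock.json", "pnpm-lock.yaml", "uv.lock", "go.sum", "atlas.sum"}
# Assumption: these suffixes count as "config"; every other file is "source".
CONFIG_SUFFIXES = {".yml", ".yaml", ".json", ".toml"}
SEVERITY = ["none", "lockfile-only", "config", "source"]

def classify_file(path):
    """Overlap class a single shared file contributes."""
    p = PurePosixPath(path)
    if p.name in LOCKFILES:
        return "lockfile-only"
    return "config" if p.suffix in CONFIG_SUFFIXES else "source"

def conflict_map(pr_files):
    """Map every file touched by two or more PRs to the sorted PR numbers."""
    by_file = {}
    for pr, payload in pr_files.items():
        for entry in payload["files"]:
            by_file.setdefault(entry["path"], set()).add(pr)
    return {path: sorted(prs) for path, prs in by_file.items() if len(prs) > 1}

def pair_overlaps(cmap):
    """Worst overlap class for each pair of PRs that share at least one file."""
    pairs = {}
    for path, prs in cmap.items():
        kind = classify_file(path)
        for pair in combinations(prs, 2):
            pairs[pair] = max(pairs.get(pair, "none"), kind, key=SEVERITY.index)
    return pairs

def plan_waves(pr_files):
    """Greedy waves: a PR joins the first wave where it has no config/source overlap."""
    pairs = pair_overlaps(conflict_map(pr_files))
    blocking = {pair for pair, kind in pairs.items() if kind in ("config", "source")}
    waves = []
    for pr in sorted(pr_files):
        for wave in waves:
            if not any((min(pr, other), max(pr, other)) in blocking for other in wave):
                wave.append(pr)
                break
        else:
            waves.append([pr])
    return waves

def files_payload(*paths):
    """Shape of `gh pr view <n> --json files`, reduced to the "path" key."""
    return {"files": [{"path": p} for p in paths]}

# Constructed file lists that reproduce the clusters named in the test plan.
SAMPLE = {
    1698: files_payload("docker.yml"),
    1699: files_payload("uv.lock"),
    1700: files_payload("web/package.json", "package-lock.json"),
    1701: files_payload("docker.yml"),
    1702: files_payload("cli.yml"),
    1703: files_payload("docker.yml", "cli.yml"),
    1704: files_payload("web/package.json", "package-lock.json"),
    1705: files_payload("package-lock.json", "uv.lock"),
}
```

`plan_waves(SAMPLE)` puts #1703 in a third wave because it shares a workflow file with PRs in both earlier waves, while #1705 stays in the first wave since its only overlaps are lockfiles.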
Aureliolo pushed a commit that referenced this pull request May 3, 2026
<!-- HIGHLIGHTS_START -->
## Highlights

> _AI-generated summary (model: `openai/gpt-4.1-mini` via GitHub Models). Commit-based changelog below._

### What you'll notice

- Frontend and UX polishing improves user interface responsiveness and visual consistency.
- API hygiene and validation enhancements provide smoother and more reliable interactions.

### What's new

- Introduced typed-boundary helpers enabling better type safety and parse_typed workflows.
- Added codebase-audit skill prompt tuning for improved project auditing.

### Under the hood

- Eliminated flaky tests caused by module-level state for more stable test outcomes.
- Unified image tag management under CLI and Renovate for consistent dependency updates.
- Added cross-PR file-overlap analysis to the review dependency pull request skill.
- Updated multiple dependencies including Python, Web, CLI, and container libraries.
- Improved CI tooling and lock file maintenance for better build reliability.
<!-- HIGHLIGHTS_END -->

:robot: I have created a release *beep* *boop*

---

## [0.7.8](v0.7.7...v0.7.8) (2026-05-03)

### Features

* **api:** typed-boundary helper + codebase-audit skill prompt tuning ([#1712](#1712)) ([40ee65b](40ee65b))
* **boundary:** RFC [#1711](#1711) Phases 2 + 3 — typed boundaries via parse_typed ([#1720](#1720)) ([7b9f409](7b9f409))

### Bug Fixes

* **api:** audit cleanup B -- API hygiene & validation ([#1719](#1719)) ([3d790d9](3d790d9))
* audit cleanup C - persistence, concurrency & data integrity ([#1708](#1708)) ([#1717](#1717)) ([bcce097](bcce097))
* **test:** exterminate xdist-flaky tests with module-level state ([#1713](#1713)) ([#1721](#1721)) ([8d258dd](8d258dd))
* **web:** audit cleanup E -- frontend & UX polish ([#1710](#1710)) ([#1718](#1718)) ([3a3591a](3a3591a))

### Refactoring

* **cli:** single source of truth for DHI image tags + Renovate manager ([#1723](#1723)) ([57980a2](57980a2))

### Documentation

* audit cleanup D -- public-facing & docs sync ([#1709](#1709)) ([#1715](#1715)) ([ade03b7](ade03b7))

### Tests

* **engine:** make TestDrainTimeout deterministic + preserve subclass type in [@Ontology](https://github.com/ontology)_entity ([#1729](#1729)) ([b00fb05](b00fb05))

### CI/CD

* Update CI tool dependencies ([#1703](#1703)) ([355a9ff](355a9ff))

### Maintenance

* add cross-PR file-overlap analysis to review-dep-pr skill ([#1722](#1722)) ([3861d8a](3861d8a))
* **ci:** unify apko-version under workflow env so Renovate manages it everywhere ([#1724](#1724)) ([9c0a7fd](9c0a7fd))
* consolidate DHI image-pin custom regex managers ([#1726](#1726)) ([b8b0cba](b8b0cba))
* **deps:** update dependency chainguard-dev/melange to v0.50.4 ([#1701](#1701)) ([8cbf83a](8cbf83a))
* Lock file maintenance ([#1705](#1705)) ([414cfea](414cfea))
* Lock file maintenance ([#1727](#1727)) ([5cb1212](5cb1212))
* Update CLI dependencies ([#1702](#1702)) ([9fb57b9](9fb57b9))
* Update Container dependencies ([#1698](#1698)) ([6d24fd6](6d24fd6))
* Update dependency @eslint-react/eslint-plugin to v5 ([#1704](#1704)) ([1cb1294](1cb1294))
* Update Python dependencies ([#1699](#1699)) ([8e7af3a](8e7af3a))
* Update Python dependencies to v4.15.0 ([#1725](#1725)) ([69164c8](69164c8))
* Update Web dependencies ([#1700](#1700)) ([715300d](715300d))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: synthorg-repo-bot[bot] <279117679+synthorg-repo-bot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This PR contains the following updates:
10.3.5 → 10.3.6, 10.3.5 → 10.3.6, 10.3.5 → 10.3.6, 10.3.5 → 10.3.6, 5.100.6 → 5.100.8, 6.1.10 → 6.2.1, 1.15.2 → 1.16.0, 10.2.1 → 10.3.0, 29.1.0 → 29.1.1, 1.12.0 → 1.14.0, 2.13.6 → 2.14.2, 10.3.5 → 10.3.6, 4.86.0 → 4.87.0

Release Notes
storybookjs/storybook (@storybook/addon-a11y)
v10.3.6
TanStack/query (@tanstack/react-query)
v5.100.8
Patch Changes
v5.100.7
Patch Changes
withastro/astro (astro)
v6.2.1
Patch Changes

#16531 76db01d Thanks @rodrigosdev! - Fixes config validation for omitted `integrations` fields with newer Zod versions.

#16535 7df0fe4 Thanks @rururux! - Fixed an issue where a warning was displayed when the `server` property was missing during config validation, even though it is not required.

#16534 5cf6c51 Thanks @matthewp! - Fixes compatibility with Zod 4.4.0 for the `server` config property and error formatting

v6.2.0
Minor Changes
#16187 fe58071 Thanks @gllmt! - Adds a `waitUntil` option to the `RenderOptions` so that adapters can forward runtime background-task hooks to Astro.

When provided by an adapter, runtime cache providers receive `context.waitUntil` in `CacheProvider.onRequest()`, which allows background cache work such as stale-while-revalidate without blocking the response. The Cloudflare adapter now forwards `ExecutionContext.waitUntil` to this API.

#16290 a49637a Thanks @ViVaLaDaniel! - Ensures that `server.allowedHosts` (and `vite.preview.allowedHosts`) configuration is respected when using `astro preview` with the `@astrojs/cloudflare` adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.

#15725 4108ec1 Thanks @meyer! - Adds support for a new `'jsx'` value for the `compressHTML` option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.

In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:

will be rendered as `foobar`, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.

#16477 28fb3e1 Thanks @ematipico! - Adds experimental support for configurable log handlers.

This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

By default, Astro provides three built-in log handlers (`json`, `node`, and `console`), but you can also create your own.

JSON logging

JSON logging can be enabled via the CLI for the `build`, `dev`, and `sync` commands using the `experimentalJson` flag:

Custom logger

You can also create your own custom logger by implementing the correct interface:

For more information on enabling and using this feature in your project, see the Experimental Logger docs.

For a complete overview and to give feedback on this experimental API, see the Custom logger RFC.

#16333 0f7c3c8 Thanks @florian-lefebvre! - Adds an experimental flag `svgOptimizer` that enables automatic optimization of your SVG components using the provided optimizer. This supersedes the `svgo` experimental flag, which is now removed.

When enabled, your imported SVG files used as components will be optimized for smaller file sizes and better performance while maintaining visual quality. This can significantly reduce the size of your SVG assets by removing unnecessary metadata, comments, and redundant code.

Astro ships with a SVGO based optimizer, but any can be used.

To enable this feature, add the experimental flag in your Astro config and remove `svgo` if it was enabled:

For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.
#16302 f6f8e80 Thanks @florian-lefebvre! - Adds a new `experimental_getFontFileURL()` method to resolve font file URLs when using the Fonts API

The `fontData` object exported from `astro:assets` was introduced to provide low-level access to font family data for advanced usage. One of the goals of this API was to be able to resolve buffers using URLs. However, it turned out to be impractical, especially during prerendering.

Astro now exports a new `experimental_getFontFileURL()` helper function from `astro:assets` to resolve font file URLs from `fontData`. For example, when using satori to generate Open Graph images:

// src/pages/og.png.ts import type { APIRoute } from "astro"; -import { fontData } from "astro:assets"; +import { fontData, experimental_getFontFileURL } from "astro:assets"; -import { outDir } from "astro:config/server"; -import { readFile } from "node:fs/promises"; import satori from "satori"; import { html } from "satori-html"; import sharp from "sharp"; export const GET: APIRoute = async (context) => { const fontPath = fontData["--font-roboto"][0]?.src[0]?.url; if (fontPath === undefined) { throw new Error("Cannot find the font path."); } - const data = import.meta.env.DEV - ? await fetch(new URL(fontPath, context.url.origin)).then(async (res) => res.arrayBuffer()) - : await readFile(new URL(`.${fontPath}`, outDir)); + const url = experimental_getFontFileURL(fontPath, context.url); + const data = await fetch(url).then((res) => res.arrayBuffer()); const svg = await satori( html`<div style="color: black;">hello, world</div>`, { width: 600, height: 400, fonts: [ { name: "Roboto", data, weight: 400, style: "normal", }, ], }, ); const pngBuffer = await sharp(Buffer.from(svg)) .resize(600, 400) .png() .toBuffer(); return new Response(new Uint8Array(pngBuffer), { headers: { "Content-Type": "image/png", }, }); };

See the Fonts API documentation for more information.
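Review bot: the added `const data = await fetch(url).then((res) => res.arrayBuffer());` line in the `og.png.ts` example reads the response body without checking `res.ok`, so a 404 or 500 from the font URL would be passed to satori as font bytes and only fail later inside the renderer. Suggest checking the status before calling `arrayBuffer()` and throwing an error that names `url`, in the same style as the existing "Cannot find the font path." guard a few lines above.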
Patch Changes

8812382 Thanks @seroperson! - Prevents script deduplication inside `<template>` elements

axios/axios (axios)
v1.16.0
v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

- `maxBodyLength` and `maxContentLength`. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
- `Host` headers. Previously, the proxy path could overwrite a custom `Host`. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
- `https://user:p%40ss@host`), the decoded value is what now goes on the wire. (#10825)
- `parseProtocol` now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
- `unescape()` replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy `unescape()` quirks may see different output bytes. (#7378)
- `transformRequest` input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

- `ECONNREFUSED` as a constant on `AxiosError` so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
- `encode` helper from `buildURL` so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

- `requestDetails` argument on `beforeRedirect`, preserved user-supplied `Host` headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
- `AxiosError` when a stream is aborted after headers arrive, honoured the `timeout` option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and `maxRedirects: 0`. (#10708, #10819, #7149)
- `maxBodyLength` / `maxContentLength` in the fetch adapter, set the `User-Agent` header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a `TypeError` in restricted environments. (#10795, #10772, #10806, #7260)
- `cancelToken` and `AbortSignal` listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
- `AxiosError` when `JSON.parse` fails inside `dispatchRequest`, prevented `settle` from emitting `undefined` error codes, and tightened the `parseProtocol` regex to require a colon in the protocol separator. (#10724, #7276, #10729)
- `CancelToken` typings with the ESM build, fixed a compiler error caused by `RawAxiosHeaders`, and re-exported `create` from the package index. (#7414, #6389, #6460)
- `unescape()` call with a modern UTF-8 encoding implementation. (#7378)

🔧 Maintenance & Chores

- `utils` module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
- `FormData` EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
- `paramsSerializer.encode` for strict RFC 3986 query encoding, updated the `parseReviver` TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
- `transformRequest` input typing change from #10745 after follow-up review. (#10745, #10810)
- `actions/setup-node`, the `github-actions` group, and `postcss` (in `/docs`) to their latest versions. (#10785, #10813, #10814)

🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
eslint/eslint (eslint)
v10.3.0
jsdom/jsdom (jsdom)
v29.1.1
lucide-icons/lucide (lucide-react)
v1.14.0: Version 1.14.0
What's Changed
`repeat-off` icon by @jguddas in #3102
Full Changelog: lucide-icons/lucide@1.13.0...1.14.0
v1.13.0: Version 1.13.0
What's Changed
`waves-vertical` icon by @jamiemlaw in #3867
Full Changelog: lucide-icons/lucide@1.12.0...1.13.0
mswjs/msw (msw)
v2.14.2
v2.14.2 (2026-04-29)
Bug Fixes
`NetworkApi` type (#2734) (f0c0321) @kettanaito
v2.14.1
v2.14.1 (2026-04-29)
Bug Fixes
f8dc874) @kettanaito
v2.14.0
v2.14.0 (2026-04-29)
Features
`ws.onUpgrade` for handling connection upgrades (#2732) (e00e4d6) @kettanaito
Bug Fixes
6953307) @kettanaito
30668e6) @kettanaito
cloudflare/workers-sdk (wrangler)
v4.87.0
Minor Changes

#13726 b5ac54b Thanks @penalosa! - Hard fail on Node.js < 22

Wrangler no longer supports Node.js 20.x, as it reached end-of-life on 2026-04-30. The minimum supported Node.js version is now 22.0.0. See https://github.com/nodejs/release?tab=readme-ov-file#end-of-life-releases.

#13717 9a1f014 Thanks @NuroDev! - Add an experimental `experimental_generateTypes()` programmatic API.

Wrangler now exposes `experimental_generateTypes()` from the package root so you can generate Worker types in code using the same logic as `wrangler types`. The API supports the same core type-generation options (include env/runtime toggles) and returns structured output with separate `env` and `runtime` content alongside the combined formatted output.

Patch Changes

#13732 22e1a61 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

The following dependency versions have been updated:

#13754 00523c8 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

The following dependency versions have been updated:

#13711 1c4d850 Thanks @dario-piotrowicz! - fix: skip auto-config and OpenNext delegation when `--config` is explicitly provided

When `--config` is passed to `wrangler deploy`, the user is explicitly targeting a specific Worker configuration. Previously, wrangler would ignore `--config` and delegate to `opennextjs-cloudflare deploy` if it detected an OpenNext project in the working directory, silently deploying the wrong Worker. Now, both auto-config detection and OpenNext delegation are skipped when `--config` is provided, matching the existing behavior for `--script` and `--assets`.

#13735 6d28037 Thanks @edmundhung! - Improve `config-schema.json` hover text in more editors

Wrangler now emits `markdownDescription` in `config-schema.json` alongside the existing `description` field. Editors that support rich JSON Schema hovers can use that markdown directly instead of rendering escaped links and formatting.

#13722 0827815 Thanks @MattieTK! - Improve safe telemetry categorisation for user-facing Wrangler errors.

#13116 e539008 Thanks @dario-piotrowicz! - Allow `getPlatformProxy` and `unstable_getMiniflareWorkerOptions` to start when the assets directory does not exist yet

Previously, `getPlatformProxy` would catch and swallow `NonExistentAssetsDirError` internally when the configured assets directory was absent on disk. This has been refactored so that the directory-existence check is skipped entirely for `getPlatformProxy` and `unstable_getMiniflareWorkerOptions`, since these APIs are typically used at dev time in frameworks where the assets directory is a build output that may not exist yet. `wrangler dev`, `wrangler deploy`, `wrangler versions upload`, and `wrangler triggers deploy` continue to require the assets directory to exist when specified.

Updated dependencies [22e1a61, 00523c8, b5ac54b, e653edf, e1eff94, e539008, 0bf64a7, b04eedf, 6457fb3, c07d0cb]:

Configuration

📅 Schedule: (in timezone Etc/UTC)
* 0-6 * * 6)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.