Skip to content

chore(deps): update all non-major dependencies#153

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#153
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 14, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@types/node (source) ^24.9.2^24.10.10 age confidence
eslint (source) ^9.38.0^9.39.2 age confidence
eslint-config-unjs ^0.5.0^0.6.2 age confidence
pnpm (source) 10.20.010.28.2 age confidence
prettier (source) ^3.6.2^3.8.1 age confidence
undici (source) ^6.22.0^6.23.0 age confidence

Release Notes

eslint/eslint (eslint)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

unjs/eslint-config (eslint-config-unjs)

v0.6.2

Compare Source

compare changes

🩹 Fixes
  • Disable array immutation rules for now (3cde73a)
❤️ Contributors

v0.6.1

Compare Source

compare changes

💅 Refactors
  • Migrate to @eslint/markdown (2f92a53)
  • Update default rules (84cdbad)
📦 Build
🏡 Chore
❤️ Contributors

v0.6.0

Compare Source

compare changes

💅 Refactors
  • Migrate to @eslint/markdown (2f92a53)
📦 Build
🏡 Chore
❤️ Contributors
pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

  • Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

  • Fix installation of Git dependencies using annotated tags #​10335.

    Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

  • Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

  • Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

  • Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
  • Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

  • Added --lockfile-only option to pnpm list #​10020.

Patch Changes

  • pnpm self-update should download pnpm from the configured npm registry #​10205.
  • pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
  • Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
  • The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
  • pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
  • Don't add an extra slash to the Node.js mirror URL #​10204.
  • pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

  • Added support for trustPolicyExclude #​10164.

    You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

    trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3
  - webpack@4.47.0 || 5.102.1

  • Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

  • Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.21.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)
<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>
TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)
// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;
TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)
// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)
// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');
JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)
// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;
TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)
// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

v3.7.1

Compare Source

diff

API: Fix performance regression in doc printer (#​18342 by @​fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

v3.7.0

Compare Source

diff

🔗 Release Notes

nodejs/undici (undici)

v6.23.0

Compare Source

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 8dd4add to d8d5112 Compare November 27, 2025 12:57
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 1726a59 to e0b493e Compare December 3, 2025 05:12
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from d5c4b7a to 63a520f Compare December 15, 2025 15:44
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 9df6051 to e662871 Compare December 23, 2025 14:47
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from a99896f to f14287b Compare January 5, 2026 19:12
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 6e6a232 to 1594f02 Compare January 15, 2026 19:31
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from fda06be to 2ae5e8a Compare January 23, 2026 21:26
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 2ae5e8a to 2d94f5e Compare January 26, 2026 15:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 2d94f5e to bd83494 Compare February 2, 2026 16:31
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from bd83494 to 5dbf893 Compare February 3, 2026 11:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants