Update web npm deps non-major

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@intlify/eslint-plugin-vue-i18n	4.3.0 → 4.4.0
@intlify/unplugin-vue-i18n (source)	11.1.2 → 11.2.0
@types/node (source)	24.12.3 → 24.12.4
@vitejs/plugin-vue (source)	6.0.6 → 6.0.7
dompurify	3.4.2 → 3.4.3
eslint (source)	10.3.0 → 10.4.0
pnpm (source)	11.1.1 → 11.1.2
vite (source)	8.0.12 → 8.0.13
vitest (source)	4.1.5 → 4.1.6
vue-router (source)	5.0.6 → 5.0.7
vue-tsc (source)	3.2.8 → 3.2.9

---

Release Notes

intlify/eslint-plugin-vue-i18n (@​intlify/eslint-plugin-vue-i18n)

v4.4.0

Compare Source

Minor Changes

• #​731 d753ca3 Thanks @​lukashass! - chore(deps): allow yaml-eslint-parser ^2.0.0

Patch Changes

• #​734 1c6e0a8 Thanks @​SAY-5! - fix(no-raw-text): trim leading and trailing whitespace in warning message for readability

intlify/bundle-tools (@​intlify/unplugin-vue-i18n)

v11.2.0

Compare Source

What's Changed

💥 Breaking Changes

• chore!: drop Node.js 20 support (require >= 22.13 for pnpm v11) by @​kazupon in #​555

👕 Refactoring

• chore: bump deps by @​kazupon in #​556

Full Changelog: intlify/bundle-tools@v11.1.2...v11.2.0

vitejs/vite-plugin-vue (@​vitejs/plugin-vue)

v6.0.7

Features

• use carets for @rolldown/pluginutils version (#​776) (941b651)

Bug Fixes

• deps: update all non-major dependencies (#​762) (9e825b8)
• deps: update all non-major dependencies (#​774) (77dc8bc)

cure53/DOMPurify (dompurify)

v3.4.3

Compare Source

eslint/eslint (eslint)

v10.4.0

Compare Source

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

vitejs/vite (vite)

v8.0.13

Compare Source

Features

• bundled-dev: add lazy bundling support (#​21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#​22357) (47071ce)
• update rolldown to 1.0.1 (#​22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#​22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #​22274) (#​22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#​22439) (8e59c97)
• make isBundled per environment (#​22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#​22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#​22430) (6ea3838)
• update changelog (#​22413) (fcdc87c)

vitest-dev/vitest (vitest)

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

vuejs/router (vue-router)

v5.0.7

Compare Source

   🚀 Features

• Upgrade to babel 8  -  by @​posva (8d3e6)
• Make defineParamParser() more intuitive  -  by @​posva (8715b)
• Upgrade @vue/devtools-api  -  by @​posva (87c3a)
• matcher: Hint at params: {} workaround in discarded params warning  -  by @​posva and shanliuling in #​2689 (c2b13)
• param-parsers: Add include/exclude options  -  by @​posva (91cde)

   🐞 Bug Fixes

• matcher:
  • Finalize param token before processing escaped colon  -  by @​babu-ch and @​posva in #​2654 (20521)
• query:
  • Use Object.create(null) to prevent prototype pollution  -  by @​wdskuki, wdsmini and @​posva in #​2661 (be88c)
• resolve:
  • Omit empty optional params from resolved params  -  by @​babu-ch and @​posva in #​2434 (1ef09)
• types:
  • Wire RouteNamedMap via generated routes.d.ts  -  by @​posva in #​2700 (aef99)
• unplugin:
  • Avoid generating empty routes  -  by @​FrontEndDog and @​posva in #​2642 (10a8b)
  • Apply definePage path-param parser overrides  -  by @​posva in #​2699 (c8074)
• volar:
  • Drop runtime @vue/language-core import  -  by @​danielroe in #​2710 (8af50)

    View changes on GitHub

vuejs/language-tools (vue-tsc)

v3.2.9

Compare Source

language-core

• fix: do not process inline markdown syntax in semantic-aware segments (#​6038) - Thanks to @​KazariEX!
• perf: rewrite a subset of template node transforms (#​5769) - Thanks to @​KazariEX!

vscode

• fix: trigger file rename edits when moving folders with Vue files (#​6046) - Thanks to @​KazariEX!

workspace

• chore: bump volar services to 0.0.71 (#​6043) - Thanks to @​TRIS-H!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.