Update all non-major dependencies #31
Open
renovate[bot] wants to merge 1 commit into
Deploying with
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | monsterbuddy | cc9348a | Commit Preview URL, Branch Preview URL | Jun 30 2026, 03:53 PM |
This PR contains the following updates:
- ^1.2.83 → ^1.2.88
- ^1.15.2 → ^1.16.0
- ^1.1.2 → ^1.1.3
- ^4.8.0 → ^4.9.0
- 5.1.3 → 5.3.1
- ^24.12.4 → ^24.13.2
- ^4.4.2 → ^4.4.4
- ^1.46.1 → ^1.49.0
- ^5.1.11 → ^5.1.16
- 10.33.4 → 10.34.4
- 3.8.3 → 3.9.3
- ^4.3.0 → ^4.3.2
- ^4.22.3 → ^4.22.4
- ^3.3.1 → ^3.3.5
- ^4.94.0 → ^4.105.0

Release Notes
nuxt/eslint (@nuxt/eslint)
v1.16.0 Compare Source
🚀 Features
View changes on GitHub
nuxt/hints (@nuxt/hints)
v1.1.3 Compare Source
🩹 Fixes
❤️ Contributors
nuxt/ui (@nuxt/ui)
v4.9.0 Compare Source
Features
- `registerMessageRef` (#6275) (f99778e)
- `icon` with `false` (#6597) (09eb639)
- `removeFile` in slots (#6492) (4da3a5d)
- `leave` and `enter` events (#6596) (006324a)
- `theme.unstyled` option (#6551) (a2a8bc9)
- `separator` prop (#6392) (89b30e8)
- `shadow` prop (#6561) (d850ae6)
- `multiple` in theme (#6554) (f66eb65)
- `transition` prop (#6484) (af80a67)
- `root` option to override `.nuxt-ui` directory location (#6595) (cccb3d5)

Bug Fixes
- `max-height` instead of toggling pre `height` (#6565) (52d3c45)
- `VNode[]` (52367b1)
- `id` and aria attributes on trigger (#6572) (c3bef7a)

v4.8.2 Compare Source
Bug Fixes
- `name` attribute (#6539) (f8186e2)
- `locale` prop (#6546) (ed2f955)

v4.8.1 Compare Source
Bug Fixes
- `method="post"` to prevent credential leaking via GET before hydration (#6512) (7a0825a)
- `tagPriority` to `-2` for inline style tag (2dac778)
- `max-height` (#6503) (f4d7cbe)

harlan-zw/nuxt-seo (@nuxtjs/seo)
v5.3.1 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.3.0 Compare Source
🚀 Features
🐞 Bug Fixes
🏎 Performance
View changes on GitHub
v5.2.6 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.2.5 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.2.4 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.2.3 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.2.2 Compare Source
🐞 Bug Fixes
View changes on GitHub
v5.2.1 Compare Source
No significant changes
View changes on GitHub
v5.2.0 Compare Source
🚀 Features
🐞 Bug Fixes
View changes on GitHub
v5.1.4 Compare Source
🚀 Features
🐞 Bug Fixes
View changes on GitHub
dexie/Dexie.js (dexie)
v4.4.4: Dexie v4.4.4 Compare Source
This is a maintenance release that resolves a bug in `useLiveQuery` caching and includes a TypeScript typing enhancement.
Related Package Releases
Bug Fixes
dexie@4.4.4
- `useLiveQuery` fails to detect updates when mutating queried objects in-place and calling `put()` — In default/cloned cache mode (`cache: 'cloned'`), mutating queried objects in-place and subsequently calling `put()` on them would pollute the cache directly, preventing subsequent live-queries from detecting the change because the "before" and "after" states in the cache became identical. Live-queries now deeply clone results on read to completely isolate query results from in-place consumer mutations. (#2310). Reported in #2309 by @laukaichung. Fixed by @liz709 and @dfahlander.

Other Changes
dexie@4.4.4
- `table4` parameter to the typescript type definition of `Dexie.transaction()`, aligning it with other table parameters. Contributed by @renbaoshuo (#2311)

v4.4.3: Dexie v4.4.3 Compare Source
This is a maintenance release with bug fixes and a configuration API improvement.
Related Package Releases
Bug Fixes
dexie@4.4.3
- fix: `delByKeyPath()` creates empty intermediate objects on missing path — `Dexie.delByKeyPath(obj, "foo.bar")` on an object without `foo` would create `{foo: {}}` as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. `claims.sub`) would leave `{claims: {}}` in the spec, which then overwrote the inline primary key with `undefined`, resulting in: `DataError: Evaluating the object store's key path did not yield a value`. Fixed in `setByKeyPath` to bail out early when value is `undefined` and the intermediate path doesn't exist. (#2303)
- fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling `.sortBy()` on a table when using immutable cache mode could throw `TypeError: Cannot assign to read only property` because `Array.sort()` was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

dexie-cloud-addon@4.4.12
- rename: `maxStringLength` → `largeStringThreshold` — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)
- fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native `fetch` (blob download), Dexie's PSD zone is no longer active, causing `table.mutate()` to crash with `Cannot read properties of undefined (reading 'table')`. This surfaced as `[dexie-cloud:blobResolve] Failed to resolve BlobRefs`. Fixed by always routing blob writebacks through `BlobSavingQueue.saveBlobs()`, which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)
- fix: eager blob downloader could starve RAM — the eager downloader triggered `blobResolveMiddleware` which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)
- fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#2302)
- fix: use `cache: no-store` for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#2302)

dexie-cloud-addon@4.4.13
- `$logins` update — when a user received a server update for the `$logins` table, dexie-cloud-addon tried to clear `claims.sub` from the changeSpec using `delByKeyPath`. Due to the bug above, this left `{claims: {}}` in the spec, overwriting the inline primary key with `undefined` and causing `DataError: Evaluating the object store's key path did not yield a value`. Fixed by guarding against empty changeSpec objects after key deletion. (#2304)

Other Changes
- `dexie-observable` and `dexie-syncable` README updated to mark them as legacy/unmaintained, with a recommendation to use `dexie-cloud-addon` for sync. (#2298)

toss/es-toolkit (es-toolkit)
v1.49.0 Compare Source
Released on June 26th, 2026.
- `es-toolkit/fp` entrypoint with data-last, pipeable utilities, documentation, benchmarks, and bundle-size checks. ([#1781])
- `es-toolkit/fp`, covering slicing, grouping, set operations, ordering, zipping, and collection helpers. ([#1801])
- `trimStart` to validate multi-character trim strings correctly before it stops trimming. ([#1615])
- `compat/pick` to prefer a literal key over a dot-notation path when the picked value is `undefined`. ([#1775])
- `compat/random` to better match Lodash behavior for coerced bounds and floating-point options. ([#1767])
- `compat/chunk` to handle `NaN` and `Infinity` size values consistently with Lodash. ([#1797])
- references. ([#1785], [#1786], [#1788], [#1790], [#1791], [#1792], [#1793], [#1795], [#1800])

We sincerely thank @Antoliny0919, @D-Sketon, @eunwoo-levi, and @raon0211 for their contributions. We appreciate your great efforts!

v1.48.1 Compare Source
Released on June 21st, 2026.
- `jsdelivr` and `unpkg` CDN `<script>` entry that regressed in v1.48.0. The fields are now declared at the package root so `yarn pack` preserves them, since `publishConfig` only carries standard fields and dropped them. Both CDNs now serve the UMD bundle again.

v1.48.0 Compare Source
Released on June 21st, 2026.
- `AbortSignal` support to `timeout` and `withTimeout`. ([#1617])
- `<script>` resolution by pointing `jsdelivr`/`unpkg` to the UMD bundle and dropping the misused `browser` field. ([#1395])
- `toMerged` to deep clone the target so untouched nested values stay independent. ([#1780])
- `compat/toPath` to keep empty segments for consecutive and trailing dots. ([#1778])
- `compat/difference` to treat sparse array holes as `undefined`. ([#1773])
- `compat/parseInt` to coerce input to a string before parsing. ([#1771])
- `compat/isNaN` to improve checks for boxed values and non-numbers. ([#1646])
- `compat/isMatchWith` to align nested primitive matching with lodash. ([#1647])

We sincerely thank @aidant, @Antoliny0919, @D-Sketon, @miinhho, @MyraxByte, @raon0211, @sarathfrancis90, and @ssi02014 for their contributions. We appreciate your great efforts!

v1.47.1 Compare Source
Released on June 12th, 2026.
- `maxBy` and `minBy` to propagate `NaN`, matching `Math.max`/`Math.min` behavior. ([#1749])
- `orderBy` and `sortBy` to place `null` and `undefined` values last when sorting. ([#1681])
- `isNumber` to no longer treat boxed `Number` objects as numbers. ([#1726])
- `reduce` and `reduceRight` to respect explicitly passed nullish accumulators. ([#1742])
- `isEmpty` to handle functions with own enumerable properties. ([#1645])
- `globalThis` polyfill to avoid `Function(...)`, supporting CSP environments without `unsafe-eval`.
- `./compat/*` subpaths in package exports. ([#1757])
- `compat/size` to count array-like objects by their `length`. ([#1766])
- `compat/round`, `compat/ceil`, and `compat/floor` to return `Infinity` for infinite values with precision. ([#1764])
- `compat/random` to coerce the upper bound for non-number `max`. ([#1751])
- `compat/toLength` to coerce non-numeric values to 0. ([#1758])
- `pull`. ([#1746])

We sincerely thank @Amund211, @Antoliny0919, @chatman-media, @D-Sketon, @dayongkr, @JetProc, @parkhojeong, @pbk95120, @raon0211, @sarathfrancis90, @shaked-shlomo, and @sukvvon for their contributions. We appreciate your great efforts!
ai/nanoid (nanoid)
v5.1.16 Compare Source
v5.1.15 Compare Source
v5.1.14 Compare Source
v5.1.13 Compare Source
v5.1.12 Compare Source
pnpm/pnpm (pnpm)
v10.34.4 Compare Source
v10.34.3 Compare Source
v10.34.2 Compare Source
v10.34.1: pnpm 10.34.1 Compare Source
Patch Changes
- `pnpm-lock.yaml` entries whose remote tarball `resolution:` block is missing the `integrity` field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. pnpm now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted tarballs (`gitHosted: true` or a URL on codeload.github.com / bitbucket.org / gitlab.com) and `file:` tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34 Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, `pnpm install` (non-frozen) would log `ERR_PNPM_TARBALL_INTEGRITY`, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. `pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint pointing at the new opt-in flag.

The only opt-in is `pnpm install --update-checksums` — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

`--force` and `pnpm update` deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. `--frozen-lockfile` behavior is unchanged. `--fix-lockfile` keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes
- `_authToken`, `_auth`, `username`/`_password`, `tokenHelper`, inline `cert`/`key`) to the registry declared in the same config source at load time, so a later layer overriding `registry=` (workspace `.npmrc`, `pnpm-workspace.yaml`, CLI `--registry`) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
- `minimumReleaseAge` handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version `time` field) by default, which made the maturity check throw `ERR_PNPM_MISSING_TIME` whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when `minimumReleaseAge` is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets `ERR_PNPM_MISSING_TIME` from the cache fast-path fall through to the network fetch even under strict mode.
- `commit` field is not a 40-character hexadecimal SHA before invoking `git`. A malicious lockfile could otherwise smuggle a value such as `--upload-pack=<command>` through `git fetch` / `git checkout`, which on SSH or local-file transports executes the supplied command.
- `diff --git` headers reference paths outside the patched package directory. Previously a malicious `.patch` file added via a pull request could write, delete, or rename arbitrary files reachable by the user running `pnpm install`.
- `--prefix=<dir>` not being honored when locating the workspace root. The `--prefix → dir` rename was applied after workspace detection, so workspace settings declared in `<dir>/pnpm-workspace.yaml` were not loaded when pnpm was invoked from outside `<dir>` #11535.
- `@x/../../../../../.git/hooks`) when reading them from a package manifest or symlinking them into `node_modules`. A malicious registry package could otherwise use a transitive dependency key to make `pnpm install` create symlinks at attacker-chosen paths outside the intended `node_modules` directory.

Platinum Sponsors
Gold Sponsors
prettier/prettier (prettier)
v3.9.3 Compare Source
v3.9.2 Compare Source
v3.9.1 Compare Source
v3.9.0 Compare Source
diff
🔗 Release Notes
v3.8.5 Compare Source
v3.8.4 Compare Source
diff
Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @byplayer)
Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.
tailwindlabs/tailwindcss (tailwindcss)
v4.3.2 Compare Source
Fixed
- `auto-rows-*` and `auto-cols-*` utilities (e.g. `auto-rows-12` and `auto-cols-16`) (#20229)
- `@tailwindcss/cli` in `--watch` mode from crashing on Windows when `@source` points to a directory that doesn't exist (#20242)
- `@tailwindcss/vite` from crashing in Deno v2.8.x when `context.parentURL` is not a valid URL (#20245)
- `@tailwindcss/cli` in `--watch` mode rebuilds when the input CSS file changes in an ignored directory (#20246)
- `@variant` rules used in `addBase(…)` to use custom variants defined later (#20247)
- `@tailwindcss/vite` from crashing during HMR when scanned files or directories are deleted (#20259)
- `font-size` instead of `color` declarations for `text-[--spacing(…)]` (#20260)
- `@source` patterns from scanning unrelated sibling files and folders (#20263)
- `%]…[%` in `.tt`, `.tt2`, and

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
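
The lockfile conditions described in the pnpm 10.34.0 and 10.34.1 notes above (a remote tarball without `integrity`, a git `commit` that is not a 40-character hex SHA, a dependency key containing path traversal) can also be flagged during review of a lockfile change. This is an added example, not part of the PR or pnpm's own code; the parsed lockfile shape, the function names and the sample entries are assumptions for illustration.

```javascript
// Added example: audit a parsed pnpm lockfile for the conditions in the notes above.
// Assumed shape (illustrative): lock.packages maps "name@version" to
// { resolution: { tarball?, integrity?, commit?, gitHosted? }, dependencies? }.
const GIT_HOSTS = new Set(['codeload.github.com', 'bitbucket.org', 'gitlab.com']);
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Exemptions named in the 10.34.1 note: git-hosted and file: tarballs.
function isExemptTarball(res) {
  if (res.gitHosted === true || res.tarball.startsWith('file:')) return true;
  try {
    return GIT_HOSTS.has(new URL(res.tarball).hostname);
  } catch {
    return false; // unparsable URL: treat as remote, so integrity is required
  }
}

// A dependency key is "name" or "@scope/name"; any "." or ".." segment is traversal.
function isSafeDependencyKey(key) {
  const parts = key.split('/');
  if (parts.length > 2 || (parts.length === 2 && !parts[0].startsWith('@'))) return false;
  return parts.every((p) => p !== '' && p !== '.' && p !== '..' && !p.includes('\\'));
}

function auditLockfile(lock) {
  const findings = [];
  for (const [id, pkg] of Object.entries(lock.packages ?? {})) {
    const res = pkg.resolution ?? {};
    if (typeof res.tarball === 'string' && !res.integrity && !isExemptTarball(res)) {
      findings.push(`${id}: missing-tarball-integrity`);
    }
    if ('commit' in res && !FULL_SHA.test(String(res.commit))) {
      findings.push(`${id}: commit-not-40-hex-sha`);
    }
    for (const dep of Object.keys(pkg.dependencies ?? {})) {
      if (!isSafeDependencyKey(dep)) findings.push(`${id}: unsafe-dependency-key ${dep}`);
    }
  }
  return findings;
}

// Constructed sample lockfile data (not from a real project).
const sampleLock = { packages: {
  'ok@1.0.0': { resolution: { tarball: 'https://registry.example/ok-1.0.0.tgz', integrity: 'sha512-PLACEHOLDER' } },
  'stripped@1.0.0': { resolution: { tarball: 'https://registry.example/stripped-1.0.0.tgz' } },
  'githosted@1.0.0': { resolution: { tarball: 'https://codeload.github.com/o/r/tar.gz/abc' } },
  'badref@1.0.0': { resolution: { type: 'git', repo: 'https://git.example/r.git', commit: '--upload-pack=<command>' } },
  'alias@1.0.0': { resolution: { integrity: 'sha512-PLACEHOLDER' }, dependencies: { '@x/../../../../../.git/hooks': '1.0.0' } },
} };
console.log(auditLockfile(sampleLock));
```

A non-empty result is a reason to inspect the lockfile diff by hand before installing; it does not replace the checks pnpm performs itself.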