Skip to content

Update all non-major dependencies#31

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

Update all non-major dependencies#31
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented May 25, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@iconify-json/simple-icons ^1.2.83^1.2.88 age confidence
@nuxt/eslint (source) ^1.15.2^1.16.0 age confidence
@nuxt/hints ^1.1.2^1.1.3 age confidence
@nuxt/ui (source) ^4.8.0^4.9.0 age confidence
@nuxtjs/seo (source) 5.1.35.3.1 age confidence
@types/node (source) ^24.12.4^24.13.2 age confidence
dexie (source) ^4.4.2^4.4.4 age confidence
es-toolkit (source) ^1.46.1^1.49.0 age confidence
nanoid ^5.1.11^5.1.16 age confidence
pnpm (source) 10.33.410.34.4 age confidence
prettier (source) 3.8.33.9.3 age confidence
tailwindcss (source) ^4.3.0^4.3.2 age confidence
tsx (source) ^4.22.3^4.22.4 age confidence
vue-tsc (source) ^3.3.1^3.3.5 age confidence
wrangler (source) ^4.94.0^4.105.0 age confidence

Release Notes

nuxt/eslint (@​nuxt/eslint)

v1.16.0

Compare Source

   🚀 Features
    View changes on GitHub
nuxt/hints (@​nuxt/hints)

v1.1.3

Compare Source

🩹 Fixes
  • Ignore style serialization-only hydration diffs (#​352)
❤️ Contributors
nuxt/ui (@​nuxt/ui)

v4.9.0

Compare Source

Features
Bug Fixes

v4.8.2

Compare Source

Bug Fixes
  • Form: support setting the name attribute (#​6539) (f8186e2)
  • InputMenu/SelectMenu: re-highlight first item when items change (#​6538) (0414dd0)
  • InputNumber/InputDate/InputTime/Calendar: restore locale prop (#​6546) (ed2f955)
  • module: merge custom variants into AppConfig type (#​6531) (f0571c3)

v4.8.1

Compare Source

Bug Fixes
  • ContentSearch/DashboardSearch: proxy missing CommandPalette props (#​6505) (631f5dc)
  • Form: add method="post" to prevent credential leaking via GET before hydration (#​6512) (7a0825a)
  • Icon: avoid recursive icon resolution (#​6495) (d50c121)
  • locale: improve Thai translation accuracy and consistency (#​6509) (5d82418)
  • module: expose component theme keys in AppConfig type (#​6520) (ffaf163)
  • module: revert tagPriority to -2 for inline style tag (2dac778)
  • Select/SelectMenu/InputMenu: add fallback for max-height (#​6503) (f4d7cbe)
harlan-zw/nuxt-seo (@​nuxtjs/seo)

v5.3.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.3.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v5.2.6

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.2.5

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.2.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.2.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.2.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v5.2.1

Compare Source

No significant changes

    View changes on GitHub

v5.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v5.1.4

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
dexie/Dexie.js (dexie)

v4.4.4: Dexie v4.4.4

Compare Source

This is a maintenance release that resolves a bug in useLiveQuery caching and includes a TypeScript typing enhancement.

Related Package Releases

Package Version
dexie 4.4.4
dexie-cloud-addon 4.4.13 (no change)
dexie-react-hooks 4.4.0 (no change)
y-dexie 4.4.0 (no change)

Bug Fixes

dexie@​4.4.4
  • fix: useLiveQuery fails to detect updates when mutating queried objects in-place and calling put() — In default/cloned cache mode (cache: 'cloned'), mutating queried objects in-place and subsequently calling put() on them would pollute the cache directly, preventing subsequent live-queries from detecting the change because the "before" and "after" states in the cache became identical. Live-queries now deeply clone results on read to completely isolate query results from in-place consumer mutations. (#​2310). Reported in #​2309 by @​laukaichung. Fixed by @​liz709 and @​dfahlander .

Other Changes

dexie@​4.4.4
  • fix: typescript typings - add missing table4 parameter to transaction method — Added the missing table4 parameter to the typescript type definition of Dexie.transaction(), aligning it with other table parameters. Contributed by @​renbaoshuo (#​2311)

v4.4.3: Dexie v4.4.3

Compare Source

This is a maintenance release with bug fixes and a configuration API improvement.

Related Package Releases

Package Version
dexie 4.4.3
dexie-cloud-addon 4.4.13

Bug Fixes

dexie@​4.4.3
  • fix: delByKeyPath() creates empty intermediate objects on missing pathDexie.delByKeyPath(obj, "foo.bar") on an object without foo would create {foo: {}} as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. claims.sub) would leave {claims: {}} in the spec, which then overwrote the inline primary key with undefined, resulting in: DataError: Evaluating the object store's key path did not yield a value. Fixed in setByKeyPath to bail out early when value is undefined and the intermediate path doesn't exist. (#​2303)

  • fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling .sortBy() on a table when using immutable cache mode could throw TypeError: Cannot assign to read only property because Array.sort() was called on a frozen array. Fixed by sorting on a copy instead. (#​2294)

dexie-cloud-addon@​4.4.12
  • rename: maxStringLengthlargeStringThreshold — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#​2290)

  • fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native fetch (blob download), Dexie's PSD zone is no longer active, causing table.mutate() to crash with Cannot read properties of undefined (reading 'table'). This surfaced as [dexie-cloud:blobResolve] Failed to resolve BlobRefs. Fixed by always routing blob writebacks through BlobSavingQueue.saveBlobs(), which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#​2302)

  • fix: eager blob downloader could starve RAM — the eager downloader triggered blobResolveMiddleware which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#​2302)

  • fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#​2302)

  • fix: use cache: no-store for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#​2302)

dexie-cloud-addon@​4.4.13
  • fix: DataError when applying server-side $logins update — when a user received a server update for the $logins table, dexie-cloud-addon tried to clear claims.sub from the changeSpec using delByKeyPath. Due to the bug above, this left {claims: {}} in the spec, overwriting the inline primary key with undefined and causing DataError: Evaluating the object store's key path did not yield a value. Fixed by guarding against empty changeSpec objects after key deletion. (#​2304)

Other Changes

  • dexie-observable and dexie-syncable README updated to mark them as legacy/unmaintained, with a recommendation to use dexie-cloud-addon for sync. (#​2298)
toss/es-toolkit (es-toolkit)

v1.49.0

Compare Source

Released on June 26th, 2026.

  • Added the es-toolkit/fp entrypoint with data-last, pipeable utilities,
    documentation, benchmarks, and bundle-size checks. ([#​1781])
  • Added a broad set of array utilities to es-toolkit/fp, covering slicing,
    grouping, set operations, ordering, zipping, and collection helpers. ([#​1801])
  • Fixed trimStart to validate multi-character trim strings correctly before
    it stops trimming. ([#​1615])
  • Fixed compat/pick to prefer a literal key over a dot-notation path when the
    picked value is undefined. ([#​1775])
  • Fixed compat/random to better match Lodash behavior for coerced bounds and
    floating-point options. ([#​1767])
  • Fixed compat/chunk to handle NaN and Infinity size values consistently
    with Lodash. ([#​1797])
  • Improved documentation and JSDoc accuracy across array, function, and compat
    references. ([#​1785], [#​1786], [#​1788], [#​1790], [#​1791], [#​1792], [#​1793],
    [#​1795], [#​1800])

We sincerely thank @​Antoliny0919, @​D-Sketon, @​eunwoo-levi, and @​raon0211 for
their contributions. We appreciate your great efforts!

v1.48.1

Compare Source

Released on June 21st, 2026.

  • Fixed the jsdelivr and unpkg CDN <script> entry that regressed in v1.48.0. The fields are now declared at the package root so yarn pack preserves them, since publishConfig only carries standard fields and dropped them. Both CDNs now serve the UMD bundle again.

v1.48.0

Compare Source

Released on June 21st, 2026.

  • Added AbortSignal support to timeout and withTimeout. ([#​1617])
  • Fixed CDN <script> resolution by pointing jsdelivr/unpkg to the UMD bundle and dropping the misused browser field. ([#​1395])
  • Fixed toMerged to deep clone the target so untouched nested values stay independent. ([#​1780])
  • Fixed compat/toPath to keep empty segments for consecutive and trailing dots. ([#​1778])
  • Fixed compat/difference to treat sparse array holes as undefined. ([#​1773])
  • Fixed compat/parseInt to coerce input to a string before parsing. ([#​1771])
  • Fixed compat/isNaN to improve checks for boxed values and non-numbers. ([#​1646])
  • Fixed compat/isMatchWith to align nested primitive matching with lodash. ([#​1647])

We sincerely thank @​aidant, @​Antoliny0919, @​D-Sketon, @​miinhho, @​MyraxByte, @​raon0211, @​sarathfrancis90, and @​ssi02014 for their contributions. We appreciate your great efforts!

v1.47.1

Compare Source

Released on June 12th, 2026.

  • Fixed maxBy and minBy to propagate NaN, matching Math.max/Math.min behavior. ([#​1749])
  • Fixed orderBy and sortBy to place null and undefined values last when sorting. ([#​1681])
  • Fixed isNumber to no longer treat boxed Number objects as numbers. ([#​1726])
  • Fixed reduce and reduceRight to respect explicitly passed nullish accumulators. ([#​1742])
  • Fixed isEmpty to handle functions with own enumerable properties. ([#​1645])
  • Fixed the globalThis polyfill to avoid Function(...), supporting CSP environments without unsafe-eval.
  • Fixed ESM resolution for ./compat/* subpaths in package exports. ([#​1757])
  • Fixed compat/size to count array-like objects by their length. ([#​1766])
  • Fixed compat/round, compat/ceil, and compat/floor to return Infinity for infinite values with precision. ([#​1764])
  • Fixed compat/random to coerce the upper bound for non-number max. ([#​1751])
  • Fixed compat/toLength to coerce non-numeric values to 0. ([#​1758])
  • Removed unused generic type parameters from pull. ([#​1746])

We sincerely thank @​Amund211, @​Antoliny0919, @​chatman-media, @​D-Sketon, @​dayongkr, @​JetProc, @​parkhojeong, @​pbk95120, @​raon0211, @​sarathfrancis90, @​shaked-shlomo, and @​sukvvon for their contributions. We appreciate your great efforts!

ai/nanoid (nanoid)

v5.1.16

Compare Source

v5.1.15

Compare Source

  • Fixed random pool corruption on big ID sizes.

v5.1.14

Compare Source

  • Fixed npm package size regression.

v5.1.13

Compare Source

  • Fixed npm package size regression.

v5.1.12

Compare Source

  • Moved to npm Provenance and Staged Publishing.
pnpm/pnpm (pnpm)

v10.34.4

Compare Source

v10.34.3

Compare Source

v10.34.2

Compare Source

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
prettier/prettier (prettier)

v3.9.3

Compare Source

v3.9.2

Compare Source

v3.9.1

Compare Source

v3.9.0

Compare Source

diff

🔗 Release Notes

v3.8.5

Compare Source

v3.8.4

Compare Source

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#​17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a

  - b

- c

  - d

<!-- Prettier 3.8.3 -->
- a
  - b
- c
  - d

<!-- Prettier 3.8.4 -->
- a

  - b

- c

  - d
tailwindlabs/tailwindcss (tailwindcss)

v4.3.2

Compare Source

Fixed
  • Support bare spacing values for auto-rows-* and auto-cols-* utilities (e.g. auto-rows-12 and auto-cols-16) (#​20229)
  • Prevent @tailwindcss/cli in --watch mode from crashing on Windows when @source points to a directory that doesn't exist (#​20242)
  • Prevent @tailwindcss/vite from crashing in Deno v2.8.x when context.parentURL is not a valid URL (#​20245)
  • Ensure @tailwindcss/cli in --watch mode rebuilds when the input CSS file changes in an ignored directory (#​20246)
  • Allow @variant rules used in addBase(…) to use custom variants defined later (#​20247)
  • Prevent @tailwindcss/vite from crashing during HMR when scanned files or directories are deleted (#​20259)
  • Generate font-size instead of color declarations for text-[--spacing(…)] (#​20260)
  • Prevent @source patterns from scanning unrelated sibling files and folders (#​20263)
  • Extract class candidates adjacent to Template Toolkit delimiters like %]…[% in .tt, .tt2, and

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 25, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
monsterbuddy cc9348a Commit Preview URL

Branch Preview URL
Jun 30 2026, 03:53 PM

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from d969513 to 49dbeb6 Compare May 25, 2026 16:27
@renovate renovate Bot changed the title Update dependency es-toolkit to ^1.47.0 Update all non-major dependencies May 25, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 15e5d5f to d87179a Compare May 26, 2026 09:40
@renovate renovate Bot changed the title Update all non-major dependencies Update dependency es-toolkit to ^1.47.0 May 26, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from d87179a to daf92a0 Compare May 26, 2026 20:58
@renovate renovate Bot changed the title Update dependency es-toolkit to ^1.47.0 Update all non-major dependencies May 26, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from e9dc8fa to 9795983 Compare June 2, 2026 18:28
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from b00ad12 to d2d97a7 Compare June 9, 2026 18:01
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from fb5c1ee to 40b1598 Compare June 14, 2026 22:12
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from 2fa942d to dcc250e Compare June 24, 2026 18:37
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from f3e85b6 to 7a5e35e Compare June 30, 2026 11:14
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 7a5e35e to cc9348a Compare June 30, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants