Skip to content

chore(deps): update all non-major dependencies#241

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#241
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@hono/node-server ^2.0.4^2.0.8 age confidence devDependencies patch
@module-federation/runtime-tools (source) ^2.5.1^2.6.0 age confidence devDependencies minor
@rslib/core (source) ^0.22.1^0.23.2 age confidence devDependencies minor
@rslint/core ^0.6.1^0.6.5 age confidence devDependencies patch
@rstest/core (source) ^0.10.4^0.11.0 age confidence devDependencies minor
hono (source) ^4.12.25^4.12.27 age confidence devDependencies patch 4.12.28
http-proxy-middleware 4.1.14.2.0 age confidence devDependencies minor
node 24.16.024.18.0 age confidence uses-with minor
pnpm (source) 11.6.011.10.0 age confidence packageManager minor
pnpm/action-setup v6.0.8v6.0.9 age confidence action patch
prettier (source) 3.8.43.9.4 age confidence devDependencies minor

Release Notes

honojs/node-server (@​hono/node-server)

v2.0.8

Compare Source

What's Changed

Full Changelog: honojs/node-server@v2.0.7...v2.0.8

v2.0.6

Compare Source

v2.0.5

Compare Source

Security Fix

Fixed a security issue in Serve Static Middleware where prefix-mounted middleware could be bypassed on Windows. This only affects applications running on Windows that use Serve Static Middleware. Affected users are encouraged to upgrade to this version.

See GHSA-frvp-7c67-39w9 for details.

module-federation/core (@​module-federation/runtime-tools)

v2.6.0

Compare Source

Patch Changes
web-infra-dev/rslib (@​rslib/core)

v0.23.2

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐞
Refactor 🔨
Document 📖
Other Changes

Full Changelog: web-infra-dev/rslib@v0.23.1...v0.23.2

v0.23.1

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐞
Other Changes

Full Changelog: web-infra-dev/rslib@v0.23.0...v0.23.1

v0.23.0

Compare Source

What's Changed

New Features 🎉
Performance 🚀
Other Changes

Full Changelog: web-infra-dev/rslib@v0.22.1...v0.23.0

web-infra-dev/rslint (@​rslint/core)

v0.6.5

Compare Source

v0.6.4

Compare Source

Highlights

Rslint Node API for In-Memory Linting

Rslint now ships a programmatic Node.js API (@rslint/core) aligned with ESLint v10's interface. Use Rslint#lintFiles / lintText to lint from scripts, dev servers, or editor integrations — results are ESLint-shaped (LintResult[] with messages, errorCount, warningCount, output, etc.). Auto-fix is supported via fix: true plus Rslint.outputFixes. Config resolution (overrideConfig, file discovery, normalization) all stays in JS; the Go --api server receives only the final resolved config and never reads disk.

import { Rslint } from '@​rslint/core';

// Lint files by glob (auto-discovers the nearest config from cwd).
const rslint = new Rslint({ cwd: process.cwd() });
const results = await rslint.lintFiles(['src/**/*.ts']);

Fully in-memory linting is also supported through the new virtualFiles overlay — source, config, and tsconfig.json can all live in memory with zero disk access, which makes the API a natural fit for playgrounds, web workers, and editor integrations:

const rslint = new Rslint({
  cwd: '/', // virtual root: doesn't touch process.cwd() or disk
  overrideConfigFile: true, // use only overrideConfig — skip config discovery
  overrideConfig: [
    {
      files: ['**/*.ts'],
      // The tsconfig + parserOptions.project below are needed ONLY for type-aware rules (like no-for-in-array). Syntax-only rules need neither.
      languageOptions: { parserOptions: { project: ['./tsconfig.json'] } },
      plugins: ['@​typescript-eslint'],
      rules: { '@​typescript-eslint/no-for-in-array': 'error' },
    },
  ],
  virtualFiles: {
    'tsconfig.json': JSON.stringify({
      compilerOptions: { strict: true },
      files: ['./a.ts'],
    }),
  },
});
const [result] = await rslint.lintText(
  'const a = [1];\nfor (const k in a) {}\n',
  { filePath: 'a.ts' },
);

See the new Node.js API guide for details.

What's Changed

New Features 🎉
Other Changes

Full Changelog: web-infra-dev/rslint@v0.6.3...v0.6.4

v0.6.3

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐞
Other Changes

Full Changelog: web-infra-dev/rslint@v0.6.2...v0.6.3

v0.6.2

Compare Source

What's Changed

New Features 🎉
Performance 🚀
Bug Fixes 🐞
Refactor 🔨
Other Changes

Full Changelog: web-infra-dev/rslint@v0.6.1...v0.6.2

web-infra-dev/rstest (@​rstest/core)

v0.11.0

Compare Source

What's Changed

Breaking Changes 🍭
New Features 🎉
Performance 🚀
  • perf(coverage-v8): optimize V8 AST coverage conversion by @​9aoy in #​1490
  • perf(coverage-v8): resolve raw coverage in main process by @​9aoy in #​1501
Bug Fixes 🐞
Document 📖
Other Changes

New Contributors

Full Changelog: web-infra-dev/rstest@v0.10.6...v0.11.0

v0.10.6

Compare Source

What's Changed
Bug Fixes 🐞
Document 📖
Other Changes

Full Changelog: web-infra-dev/rstest@v0.10.5...v0.10.6

v0.10.5

Compare Source

What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes

Full Changelog: web-infra-dev/rstest@v0.10.4...v0.10.5

honojs/hono (hono)

v4.12.27

Compare Source

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

chimurai/http-proxy-middleware (http-proxy-middleware)

v4.2.0

Compare Source

  • feat(types): export OnProxyEvent type
  • feat(debug-proxy-errors-plugin): diagnostic message for POST + bodyParser + ECONNRESET error
  • chore(package.json): update to httpxy v0.5.4
actions/node-versions (node)

v24.18.0: 24.18.0

Compare Source

Node.js 24.18.0

v24.17.0: 24.17.0

Compare Source

Node.js 24.17.0

pnpm/pnpm (pnpm)

v11.10.0

Compare Source

Minor Changes
  • e2e3c81: Added the issues command as an alias of bugs, so pnpm issues opens the package's bug tracker URL in the browser.

  • 8491f8e: Added the prefix command which prints the current package prefix directory (or global prefix directory if -g / --global is used).

  • 3425e80: Added an _auth setting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existing pnpm_config_//host/:_authToken=… form (env var names containing /, :, or . are silently dropped). Closes #​12314.

    The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use http or https and must not include credentials, query strings, or fragments:

    export pnpm_config__auth='{"https://registry.npmjs.org":{"@​":{"authToken":"npm-token"},"@​org":{"authToken":"org-token"}}}'

    The equivalent in the global config.yaml:

    _auth:
      https://registry.npmjs.org:
        "@​":
          authToken: npm-token
        "@​org":
          authToken: org-token

    Within each registry URL, @ means registry-wide/default credentials and package scopes like @org bind credentials to that scope on the same host. The only supported credential field is authToken (maps to _authToken / bearer auth); the deprecated basicAuth / username + password forms are intentionally not accepted here.

    Each entry also infers a trusted registry route: @ routes the default registry (and pnpm add <pkg> resolves there), and @org routes that scope. Because the credential and destination host arrive in one trusted value, repo-controlled pnpm-workspace.yaml or project .npmrc cannot redirect the token to a different host. _auth is honored only from the env var and the global config — it is ignored in a project pnpm-workspace.yaml / .npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry, --@&#8203;scope:registry) > pnpm_config__auth > global config.yaml _auth > pnpm-workspace.yaml.

    Both pnpm_config__auth (lowercase, documented form) and PNPM_CONFIG__AUTH (all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the global config.yaml _auth on a conflicting key. tokenHelper is not supported in _auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.

    Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI: authToken.

  • a33eeec: pnpm self-update and packageManager version-switching can now install and link pnpm v12 (the Rust port), published with equal content under both the pnpm and @pnpm/exe names on the next-12 dist-tag. Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like @pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscoped pnpm package (the Rust exe) — even when updating from the SEA @pnpm/exe build.

  • 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the `Au

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 and 15 of the month (* 0-3 1,15 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) June 30, 2026 16:56
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from eda2c64 to 84ef7fb Compare July 6, 2026 09:03
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 84ef7fb to 7e1bd7c Compare July 7, 2026 09:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants