chore(deps): update all non-major dependencies#241
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
eda2c64 to
84ef7fb
Compare
84ef7fb to
7e1bd7c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.0.4→^2.0.8^2.5.1→^2.6.0^0.22.1→^0.23.2^0.6.1→^0.6.5^0.10.4→^0.11.0^4.12.25→^4.12.274.12.284.1.1→4.2.024.16.0→24.18.011.6.0→11.10.0v6.0.8→v6.0.93.8.4→3.9.4Release Notes
honojs/node-server (@hono/node-server)
v2.0.8Compare Source
What's Changed
--no-git-checksoption forpnpm stage publishby @yusukebe in #369Full Changelog: honojs/node-server@v2.0.7...v2.0.8
v2.0.6Compare Source
v2.0.5Compare Source
Security Fix
Fixed a security issue in Serve Static Middleware where prefix-mounted middleware could be bypassed on Windows. This only affects applications running on Windows that use Serve Static Middleware. Affected users are encouraged to upgrade to this version.
See GHSA-frvp-7c67-39w9 for details.
module-federation/core (@module-federation/runtime-tools)
v2.6.0Compare Source
Patch Changes
web-infra-dev/rslib (@rslib/core)
v0.23.2Compare Source
What's Changed
New Features 🎉
Bug Fixes 🐞
Refactor 🔨
Document 📖
Other Changes
Full Changelog: web-infra-dev/rslib@v0.23.1...v0.23.2
v0.23.1Compare Source
What's Changed
New Features 🎉
Bug Fixes 🐞
Other Changes
Full Changelog: web-infra-dev/rslib@v0.23.0...v0.23.1
v0.23.0Compare Source
What's Changed
New Features 🎉
Performance 🚀
Other Changes
Full Changelog: web-infra-dev/rslib@v0.22.1...v0.23.0
web-infra-dev/rslint (@rslint/core)
v0.6.5Compare Source
v0.6.4Compare Source
Highlights
Rslint Node API for In-Memory Linting
Rslint now ships a programmatic Node.js API (
@rslint/core) aligned with ESLint v10's interface. UseRslint#lintFiles/lintTextto lint from scripts, dev servers, or editor integrations — results are ESLint-shaped (LintResult[]withmessages,errorCount,warningCount,output, etc.). Auto-fix is supported viafix: trueplusRslint.outputFixes. Config resolution (overrideConfig, file discovery, normalization) all stays in JS; the Go--apiserver receives only the final resolved config and never reads disk.Fully in-memory linting is also supported through the new
virtualFilesoverlay — source, config, andtsconfig.jsoncan all live in memory with zero disk access, which makes the API a natural fit for playgrounds, web workers, and editor integrations:See the new Node.js API guide for details.
What's Changed
New Features 🎉
prefer-jest-mockedrule by @eryue0220 in #1147prefer-spy-onrule by @eryue0220 in #1148Other Changes
Full Changelog: web-infra-dev/rslint@v0.6.3...v0.6.4
v0.6.3Compare Source
What's Changed
New Features 🎉
prefer-hooks-on-toprule by @eryue0220 in #1107prefer-hooks-in-orderrule by @eryue0220 in #1110no-confusing-set-timeoutrule by @eryue0220 in #1118no-exportrule by @eryue0220 in #1124Bug Fixes 🐞
??operand position with typescript-eslint by @fansenze in #1141Other Changes
@stylisticconformance into per-category suites by @fansenze in #1113Full Changelog: web-infra-dev/rslint@v0.6.2...v0.6.3
v0.6.2Compare Source
What's Changed
New Features 🎉
prefer-equality-matcherrule by @eryue0220 in #1061Performance 🚀
Bug Fixes 🐞
Refactor 🔨
Other Changes
dd6bcebby @fansenze in #1103Full Changelog: web-infra-dev/rslint@v0.6.1...v0.6.2
web-infra-dev/rstest (@rstest/core)
v0.11.0Compare Source
What's Changed
Breaking Changes 🍭
New Features 🎉
Performance 🚀
Bug Fixes 🐞
Document 📖
Other Changes
df4cb1cby @renovate[bot] in #1444New Contributors
Full Changelog: web-infra-dev/rstest@v0.10.6...v0.11.0
v0.10.6Compare Source
What's Changed
Bug Fixes 🐞
Document 📖
Other Changes
0ac4127by @renovate in #1437Full Changelog: web-infra-dev/rstest@v0.10.5...v0.10.6
v0.10.5Compare Source
What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rstest@v0.10.4...v0.10.5
honojs/hono (hono)
v4.12.27Compare Source
Security fixes
This release includes fixes for the following security issues:
hono/jsx does not isolate context per request
Affects:
hono/jsx,hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, souseContext()/useRequestContext()read after anawaitin an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfjServer-Side XSS via JSX escaping bypass in cx()
Affects:
hono/css.cx()marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSXclassattribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59API Gateway v1 adapter can drop a repeated request header value
Affects:
hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g.203.0.113.1dropped when203.0.113.10is present) — affecting logic such asX-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvcUsers of
hono/jsx/hono/jsx-renderer,hono/css(cx()), or thehono/aws-lambdaAPI Gateway v1 / VPC Lattice adapters are encouraged to upgrade.v4.12.26Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.25...v4.12.26
chimurai/http-proxy-middleware (http-proxy-middleware)
v4.2.0Compare Source
actions/node-versions (node)
v24.18.0: 24.18.0Compare Source
Node.js 24.18.0
v24.17.0: 24.17.0Compare Source
Node.js 24.17.0
pnpm/pnpm (pnpm)
v11.10.0Compare Source
Minor Changes
e2e3c81: Added theissuescommand as an alias ofbugs, sopnpm issuesopens the package's bug tracker URL in the browser.8491f8e: Added theprefixcommand which prints the current package prefix directory (or global prefix directory if-g/--globalis used).3425e80: Added an_authsetting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via thepnpm_config__authenvironment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existingpnpm_config_//host/:_authToken=…form (env var names containing/,:, or.are silently dropped). Closes #12314.The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use
httporhttpsand must not include credentials, query strings, or fragments:The equivalent in the global
config.yaml:Within each registry URL,
@means registry-wide/default credentials and package scopes like@orgbind credentials to that scope on the same host. The only supported credential field isauthToken(maps to_authToken/ bearer auth); the deprecatedbasicAuth/username+passwordforms are intentionally not accepted here.Each entry also infers a trusted registry route:
@routes the default registry (andpnpm add <pkg>resolves there), and@orgroutes that scope. Because the credential and destination host arrive in one trusted value, repo-controlledpnpm-workspace.yamlor project.npmrccannot redirect the token to a different host._authis honored only from the env var and the global config — it is ignored in a projectpnpm-workspace.yaml/.npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry,--@​scope:registry) >pnpm_config__auth> globalconfig.yaml_auth>pnpm-workspace.yaml.Both
pnpm_config__auth(lowercase, documented form) andPNPM_CONFIG__AUTH(all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the globalconfig.yaml_authon a conflicting key.tokenHelperis not supported in_auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI:
authToken.a33eeec:pnpm self-updateandpackageManagerversion-switching can now install and link pnpm v12 (the Rust port), published with equal content under both thepnpmand@pnpm/exenames on thenext-12dist-tag. Its native binaries ship as@pnpm/exe.<platform>-<arch>packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like@pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscopedpnpmpackage (the Rust exe) — even when updating from the SEA@pnpm/exebuild.1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the `AuConfiguration
📅 Schedule: (in timezone Asia/Shanghai)
* 0-3 1,15 * *)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.