Skip to content

fix(deps): update npm non-major dependencies#4889

Merged
Barsnes merged 3 commits into
mainfrom
renovate/npm-minor-patch
May 15, 2026
Merged

fix(deps): update npm non-major dependencies#4889
Barsnes merged 3 commits into
mainfrom
renovate/npm-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 15, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@biomejs/biome (source) 2.4.142.4.15 age confidence
@navikt/aksel-icons (source) ^8.10.3^8.10.5 age confidence
@navikt/aksel-icons (source) 8.10.38.10.5 age confidence
@react-router/dev (source) 7.14.27.15.0 age confidence
@react-router/express (source) 7.14.27.15.0 age confidence
@react-router/node (source) 7.14.27.15.0 age confidence
@types/node (source) 24.12.224.12.4 age confidence
@vitest/browser (source) 4.1.54.1.6 age confidence
@vitest/browser-playwright (source) 4.1.54.1.6 age confidence
@vitest/coverage-v8 (source) 4.1.54.1.6 age confidence
chromatic (source) 16.6.316.10.0 age confidence
cssnano 7.1.87.1.9 age confidence
express-rate-limit 8.4.18.5.1 age confidence
isbot (source) 5.1.395.1.40 age confidence
playwright (source) 1.59.11.60.0 age confidence
pnpm (source) 10.33.2+sha512.a90faf6feeab71ad6c6e57f94e0fe1a12f5dcc22cd754db40ae9593eb6a3e0b6b12e3540218bb37ae083404b1f2ce6db2a4121e979829b4aff94b99f49da1cf810.33.4 age confidence
pnpm (source) 10.33.210.33.4 age confidence
postcss (source) 8.5.138.5.14 age confidence
postcss (source) ^8.5.13^8.5.14 age confidence
react (source) 19.2.519.2.6 age confidence
react (source) ^19.2.5^19.2.6 age confidence
react-dom (source) 19.2.519.2.6 age confidence
react-dom (source) ^19.2.5^19.2.6 age confidence
react-i18next 17.0.617.0.7 age confidence
react-router (source) 7.14.27.15.0 age confidence
rollup (source) 4.60.24.60.3 age confidence
vite (source) 7.3.27.3.3 age confidence
vitest (source) 4.1.54.1.6 age confidence
zod (source) ^4.4.2^4.4.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.15

Compare Source

Patch Changes

  • #​9394 ba3480e Thanks @​dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.

  • #​10254 e0a54cc Thanks @​dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

    For example, the following snippet triggers the rule:

    import { nextTick } from "vue";

nextTick(() => {
  updateDom();
});

  • #​10219 64aee45 Thanks @​dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

    For example, the following snippet triggers the rule:

    <input @&#8203;keyup.13="submit" />

  • #​10195 7b8d4e1 Thanks @​dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.

  • #​10238 1110256 Thanks @​dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.

  • #​10201 1a08f89 Thanks @​realknove! - Fixed #​10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.

  • #​9574 3bd2b6a Thanks @​Conaclos! - Fixed #​9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.

  • #​10205 a704a6c Thanks @​Conaclos! - Fixed #​10185. `organizeImports now errors when it encounters an unknown predefined group.

    The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.

    {
  "assist": {
    "actions": {
      "source": {
        "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
      }
    }
  }
}

  • #​10052 b565bed Thanks @​minseong0324! - Improved noMisleadingReturnType: it now flags union annotations whose extra variants are never returned, and suggests the narrower type (e.g. string | nullstring).

    These functions are now reported because null and number are included in the return annotations but never returned:

    function getUser(): string | null {
  return "hello";
} // null is never returned
function getCode(): string | number {
  return "hello";
} // number is never returned

  • #​10213 ac30057 Thanks @​dyc3! - Fixed #​9450: HTML and Vue element formatting now preserves child line breaks when an element contains another element child on its own line, instead of collapsing the child element onto the same line.

  • #​10275 9ee6c03 Thanks @​solithcy! - Fixed #​10274: Svelte templates with missing expressions no longer parsed as HtmlBogusElement

  • #​10143 56798a7 Thanks @​minseong0324! - noMisleadingReturnType now detects misleading return type annotations when object literal properties are initialized with as const.

    This function is now reported because the return annotation widens a property initialized with as const:

    function f(): { value: string } {
  return { value: "text" as const };
}

  • #​10143 56798a7 Thanks @​minseong0324! - noUselessTypeConversion now detects redundant conversions on object literal properties initialized with as const.

    This conversion is now reported because message.value is inferred as a string literal:

    const message = { value: "text" as const };
String(message.value);

  • #​9807 0ae5840 Thanks @​dyc3! - Added the new nursery rule useThisInClassMethods, based on ESLint's class-methods-use-this.

    The rule now reports instance methods, getters, setters, and function-valued instance fields that do not use this, and biome migrate eslint preserves the supported ignoreMethods, ignoreOverrideMethods, and ignoreClassesWithImplements options.

    Invalid:

    class Foo {
  bar() {
    // does not use `this`, invalid
    console.log("Hello Biome");
  }
}

  • #​10258 e7b18f7 Thanks @​ematipico! - Improved linter performance by narrowing the query nodes for several lint rules, reducing how often they are evaluated.

  • #​10273 04e22a1 Thanks @​dyc3! - Fixed #​10271: The HTML parser now correctly parses of as text content when in text contexts.

  • #​9838 83f7385 Thanks @​dyc3! - Added the nursery rule noBaseToString, which reports stringification sites that fall back to Object's default "[object Object]" formatting. The rule also supports the ignoredTypeNames option.

  • #​10143 56798a7 Thanks @​minseong0324! - useExhaustiveSwitchCases now checks switch statements over object literal properties initialized with as const.

    This switch is now reported because status.kind is inferred as the string literal "ready" but no case handles it:

    const status = { kind: "ready" as const };
switch (status.kind) {
}

  • #​10143 56798a7 Thanks @​minseong0324! - useStringStartsEndsWith now detects string index comparisons on object literal properties initialized with as const.

    This comparison is now reported because message.value is inferred as a string literal:

    const message = { value: "hello" as const };
message.value[0] === "h";
navikt/aksel (@​navikt/aksel-icons)

v8.10.5

Compare Source

v8.10.4

Compare Source

remix-run/react-router (@​react-router/dev)

v7.15.0

Compare Source

Minor Changes

  • Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize prerender.unstable_concurrency as prerender.concurrency (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize future.unstable_subResourceIntegrity as a top-level subResourceIntegrity config option in react-router.config.ts (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
Patch Changes
remix-run/react-router (@​react-router/express)

v7.15.0

Compare Source

Patch Changes
remix-run/react-router (@​react-router/node)

v7.15.0

Compare Source

Patch Changes
vitest-dev/vitest (@​vitest/browser)

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
chromaui/chromatic-cli (chromatic)

v16.10.0

Compare Source

🚀 Enhancement
🐛 Bug Fix
Authors: 4

v16.9.1

Compare Source

🐛 Bug Fix
Authors: 1

v16.9.0

Compare Source

🚀 Enhancement
Authors: 1

v16.8.0

Compare Source

🚀 Enhancement
🐛 Bug Fix
Authors: 2

v16.7.0

Compare Source

🚀 Enhancement
🐛 Bug Fix
Authors: 3
cssnano/cssnano (cssnano)

v7.1.9: v7.1.9

Compare Source

Bug Fixes

Full Changelog: https://github.com/cssnano/cssnano/compare/cssnano@7.1.8...cssnano@7.1.9

express-rate-limit/express-rate-limit (express-rate-limit)

v8.5.1

Compare Source

You can view the changelog here.

v8.5.0

Compare Source

You can view the changelog here.

omrilotan/isbot (isbot)

v5.1.40

Compare Source

  • Browser entry. Use Object.defineProperty instead of direct assignment
microsoft/playwright (playwright)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page
Locators and Assertions
Network
  • webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
  • New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.
Errors and Reporting
Test runner
  • New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
  • Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

  • HTML reporter:
    • npx playwright show-report accepts .zip files directly — no need to unzip first.
    • Steps that contain attachments inside nested children show an indicator on the parent step.
    • The repeatEachIndex is shown in the test header when non-zero.
  • Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

  • Removed long-deprecated APIs:
    • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
    • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
    • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
    • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

  • Chromium 148.0.7778.96
  • Mozilla Firefox 150.0.2
  • WebKit 26.4

This version was also tested against the following stable channels:

  • Google Chrome 147
  • Microsoft Edge 147
pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

postcss/postcss (postcss)

v8.5.14

Compare Source

facebook/react (react)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

i18next/react-i18next (react-i18next)

v17.0.7

Compare Source

  • feat: useTranslation([nsA, nsB, ...]) now passes its full namespace list to getFixedT via the new scopeNs opt (requires i18next ≥ v26.0.10). This makes selector calls with a secondary-namespace prefix resolve correctly under default nsMode: t($ => $.nsB.foo) previously missed silently because the bound ns was the primary string only and i18next's selector rewrite needed an array. Resolution semantics are unchanged — plain t('key') lookups still stay isolated to the primary namespace by default; use nsMode: 'fallback' to opt into multi-ns fallback resolution as before. Fixes i18next#2429 for useTranslation-based callers.
remix-run/react-router (react-router)

v7.15.0

Compare Source

Minor Changes

  • Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

    • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
Patch Changes

  • Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

  • Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#​15012)

  • Improve server-side route matching performance by pre-computing flattened/cached route branches (#​14967) (af5d49b)

    • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

  • Mark mask as an optional field in Location for easier mocking in unit tests (#​14999)

  • Cache flattened/ranked route branches to optimize server-side route matching (#​14967)

  • Improve route matching performance in Framework/Data Mode (#​14971) (af5d49b)

    • Avoiding unnecessary calls to matchRoutes in data router scenarios
      • This includes adding back the optimization that was removed in 7.6.0 (#​13562)
      • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
    • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
    • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance
rollup/rollup (rollup)

v4.60.3

Compare Source

2026-05-04

Bug Fixes
  • Ensure nested "exports" variables are not renamed (#​6360)
Pull Requests

Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Europe/Oslo)

  • Branch creation
    • "before 07:00 on Thursday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from Barsnes, eirikbacker and mimarz as code owners May 15, 2026 05:45
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 15, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 46e2f51

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@digdir/designsystemet Patch
@digdir/designsystemet-css Patch
@digdir/designsystemet-react Patch
@digdir/designsystemet-web Patch
@digdir/designsystemet-types Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 15, 2026
edited
Loading

Preview deployments for this pull request:

storybook - 15. May 2026 - 08:11

themebuilder - 15. May 2026 - 08:11

www - 15. May 2026 - 08:14

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 15, 2026

Preview deployments for this pull request:

themebuilder - 15. May 2026 - 07:48

@Barsnes Barsnes merged commit f54563f into main May 15, 2026
25 checks passed
@Barsnes Barsnes deleted the renovate/npm-minor-patch branch May 15, 2026 06:30
@github-actions github-actions Bot mentioned this pull request May 15, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Barsnes Barsnes Barsnes approved these changes

@mimarz mimarz Awaiting requested review from mimarz mimarz is a code owner

@eirikbacker eirikbacker Awaiting requested review from eirikbacker eirikbacker is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Barsnes