Skip to content

fix(deps): update npm non-major dependencies#5103

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-minor-patch
Open

fix(deps): update npm non-major dependencies#5103
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@biomejs/biome (source) 2.5.22.5.4 age confidence
@changesets/cli (source) 2.31.02.31.1 age confidence
@floating-ui/dom (source) ^1.7.6^1.8.0 age confidence
@navikt/aksel-icons (source) ^8.14.0^8.15.0 age confidence
@navikt/aksel-icons (source) 8.14.08.15.0 age confidence
@react-router/dev (source) 8.1.08.2.0 age confidence
@react-router/express (source) 8.1.08.2.0 age confidence
@react-router/node (source) 8.1.08.2.0 age confidence
@tanstack/react-virtual (source) ^3.14.5^3.14.6 age confidence
@tanstack/react-virtual (source) 3.14.53.14.6 age confidence
@types/express-serve-static-core (source) 5.1.15.1.2 age confidence
@types/hast (source) 3.0.43.0.5 age confidence
@types/node (source) 24.13.224.13.3 age confidence
autoprefixer 10.5.210.5.3 age confidence
i18next (source) 26.3.426.3.6 age confidence
isbot (source) 5.1.445.2.1 age confidence
pnpm (source) 10.34.4+sha512.8768be55200ae3f2226b6527fcca2687e14bc4e5f12d7721a0f25da3df47915177058648db4177baf348120fa0ba2752d8d8d93f6beaf1fe64ae18da8de961af10.34.5 age confidence
postcss (source) ^8.5.15^8.5.19 age confidence
postcss (source) 8.5.168.5.19 age confidence
postcss (source) ^8.5.16^8.5.19 age confidence
prettier (source) 3.9.43.9.5 age confidence
react-i18next 17.0.817.0.9 age confidence
react-router (source) 8.1.08.2.0 age confidence
rolldown (source) 1.1.41.2.0 age confidence
vite (source) 8.1.08.1.4 age confidence
vite (source) 8.1.38.1.4 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

biomejs/biome (@​biomejs/biome)

v2.5.4

Compare Source

Patch Changes
  • #​10665 55ff995 Thanks @​dyc3! - Improved the performance of the HTML parser slightly in our synthetic benchmarks.

  • #​10894 f4fb10e Thanks @​ematipico! - Fixed #​6392: On-type formatting no longer moves comments before an if statement into its body.

  • #​10939 f2799db Thanks @​Netail! - Fixed #​10930: noLabelWithoutControl now correctly detects text interpolation in Astro, Svelte & Vue as valid accessible content.

  • #​10945 ae15d98 Thanks @​Netail! - Fixed #​10942: Svelte directives don't throw an accidental debug log anymore.

  • #​10842 5e1abfe Thanks @​JamBalaya56562! - Fixed #​9196: biome check --write --unsafe no longer hangs forever when applying the noCommentText code fix.

    The rule's fix now wraps the comment in a real JSX expression container ({/* comment */}) instead of re-inserting the braces as plain JSX text, so the fixed code is no longer reported again by the same rule.

  • #​10891 ecca79e Thanks @​ematipico! - Fixed #10885: prevented a module-inference regression introduced by a housekeeping change.

  • #​10886 60c8043 Thanks @​dyc3! - Fixed #​10727: Biome now breaks the arguments of curried test.each, it.each, describe.each, and test.for calls when they exceed the configured line width.

    - test.each([[1, 2]])("a description that is long enough to push the hugged opening line beyond the print width", (a, b) => {
    -   expect(a).toBe(b);
    - });
    + test.each([[1, 2]])(
    +   "a description that is long enough to push the hugged opening line beyond the print width",
    +   (a, b) => {
    +     expect(a).toBe(b);
    +   },
    + );
  • #​10895 01a85f0 Thanks @​ematipico! - Biome will now remove stale Unix daemon sockets from older Biome versions when starting a newer daemon.

v2.5.3

Compare Source

Patch Changes
  • #​10815 86613d5 Thanks @​WaterWhisperer! - Fixed a parser panic reported in #​10708: Biome now recovers when unsupported CSS Modules @value rules or scoped @keyframes names end at EOF.

  • #​10534 da9b403 Thanks @​Mokto! - Fixed noUnusedVariables false positives in Svelte files: Svelte store subscriptions ($store references in templates now keep the underlying store binding from being flagged), and $bindable() props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.

  • #​10827 098ba41 Thanks @​Aqu1bp! - Fixed #​10698: The noUnsafeOptionalChaining rule now reports unsafe optional chains wrapped in TypeScript as, satisfies, type assertion, and instantiation expressions, such as new (value?.constructor as Constructor)().

  • #​10773 3c6513d Thanks @​otkrickey! - Fixed #​10772: useVueValidVOn no longer reports a missing handler for v-on directives using a verb modifier (.stop / .prevent) without an expression, e.g. <div @&#8203;click.stop></div>. The rule also accepts the arg-less object syntax <div v-on="$listeners"></div> instead of reporting a missing event name.

  • #​10721 d83c66b Thanks @​minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolves Error(...), new Error(...), optional Error#stack, and calls through indexed function values such as handlers[0]() more accurately.

  • #​10865 6450276 Thanks @​ematipico! - Fixed #​10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.

  • #​10853 93d8e53 Thanks @​Netail! - Fixed #​10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.

  • #​10820 bba3092 Thanks @​JamBalaya56562! - Fixed #​10619: noProcessEnv now also reports computed (bracket) member access. Previously only dot access was checked, so process["env"] and env["NODE_ENV"] (where env is imported from node:process) were missed. Both static and computed accesses are now reported.

  • #​10835 3447b2f Thanks @​dyc3! - Fixed #​10824: useDomQuerySelector now supports an ignore option for receiver identifiers that should not be reported.

  • #​10875 b12e486 Thanks @​dyc3! - Fixed #​10795: --profile-rules now reports timings for each plugin separately as plugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a single plugin/plugin entry.

  • #​10877 d6bc447 Thanks @​ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as ), ], and }.

  • #​10867 a21463e Thanks @​dyc3! - Fixed #​10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as <textarea rows=4></textarea>.

changesets/changesets (@​changesets/cli)

v2.31.1

Compare Source

Patch Changes
  • #​2159 15cf592 Thanks @​ingvaldlorentzen! - Fixed already-published version detection with npm 12, which always wraps successful npm info --json output in an array. The unwrapped output made changeset publish treat every package as unpublished and fail attempting to republish existing versions.
floating-ui/floating-ui (@​floating-ui/dom)

v1.8.0

Compare Source

Minor Changes
  • feat: add 'layoutViewport' string option to rootBoundary. Unlike the visual 'viewport' boundary, it remains stable while pinch-zooming or when a mobile software keyboard is open, and unlike a manually passed Rect of the documentElement's client size, it accounts for space reserved by scrollbar-gutter: stable.
Patch Changes
  • fix: remove redundant passive options from scroll listeners
  • fix: support explicit undefined for optional properties with exactOptionalPropertyTypes
  • fix(autoUpdate): update immediately instead of waiting for the 1s layoutShift refresh throttle when the reference moved during an observer refresh
  • fix(getClippingRect): correct clipping-ancestor filtering for fixed-position elements
  • perf(dom): reduce bundle size and skip redundant per-call work in positioning utilities
  • fix(getViewportRect): account for scrollbar-gutter: stable both-edges reserved space
  • fix(getViewportRect): don't overflow past a left-side document scrollbar
  • fix(platform): don't throw in getClientRects when a virtual element without a getClientRects method is used with the inline() middleware
  • fix(autoUpdate): refresh layout shift observer on root resize
  • Update dependencies: @floating-ui/core@1.8.0, @floating-ui/utils@0.2.12
navikt/aksel (@​navikt/aksel-icons)

v8.15.0

Compare Source

Minor Changes
  • New icons: Timeline and TimelineFill (#​5050)
remix-run/react-router (@​react-router/dev)

v8.2.0

Compare Source

Minor Changes
  • Add a Web Streams default server entry for non-Node Framework mode apps (#​15290)
    • Apps using @react-router/node, @react-router/express, or @react-router/serve continue to use the renderToPipeableStream default server entry
    • Apps without those Node server adapter dependencies use a renderToReadableStream default server entry
    • Non-Node apps with their own entry.server.tsx may be able to remove it in favor of the default if it is not doing anything custom
  • Detect nub as a supported package manager when installing framework dependencies (#​15276)
Patch Changes
  • Detect user rolldownOptions config in Vite 8+ (#​15278)
Unstable Changes

⚠️ Unstable features are not recommended for production use

remix-run/react-router (@​react-router/express)

v8.2.0

Compare Source

Patch Changes
remix-run/react-router (@​react-router/node)

v8.2.0

Compare Source

Patch Changes
TanStack/virtual (@​tanstack/react-virtual)

v3.14.6

Compare Source

Patch Changes
postcss/autoprefixer (autoprefixer)

v10.5.3

Compare Source

i18next/i18next (i18next)

v26.3.6

Compare Source

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. The published types are TS7-compatible as-is: every test/typescript suite produces identical results under 6.0 and 7.0.2. Reported in react-i18next#1927, thanks @​andikapradanaarif.

v26.3.5

Compare Source

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#​2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#​2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#​2442).
omrilotan/isbot (isbot)

v5.2.1

Compare Source

  • Pattern updates

v5.2.0

Compare Source

  • Rename all imports but keep backwards compatibility with the old names. The new names are more consistent with common Javascript naming conventions. No breaking changes.
  • Pattern updates
New Names Map
Old Name New Name
isbot isBot
isbotNaive isBotNaive
createIsbot createIsBot
createIsbotFromList createIsBotFromList
isbotMatch findBotMatch
isbotMatches findBotMatches
isbotPattern findBotPattern
isbotPatterns findBotPatterns

All old names are still available for backwards compatibility, but can be deprecated in future major versions.

pnpm/pnpm (pnpm)

v10.34.5: pnpm 10.34.5

Compare Source

Patch Changes

  • 78e29fe: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at iterateHashedGraphNodes, the single point every global-virtual-store slot path funnels through.
  • 78e29fe: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 47ef6f0: Fixed switching to and self-updating to pnpm v12. pnpm v12 (the Rust port) ships as the pnpm and @pnpm/exe npm packages whose bins are placeholders replaced at install time by the host's native binary from a @pnpm/exe.<platform>-<arch>[-musl] optional dependency. Because pnpm installs its own engine with --ignore-scripts, that relinking never ran, leaving a non-executable placeholder. pnpm now relinks the native binary itself for v12 (recognizing the new platform-package naming scheme and the native pnpm package), and verifies the native binary's npm registry signature before running it.
  • 36928be: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
postcss/postcss (postcss)

v8.5.19

Compare Source

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

v8.5.18

Compare Source

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

v8.5.17

Compare Source

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).
prettier/prettier (prettier)

v3.9.5

Compare Source

diff

Markdown: Cap ordered list mark at 999,999,999 (#​19351 by @​tats-u)

CommonMark parsers only support ordered list item numbers up to 999,999,999.

With this change, Prettier now caps the ordered list item number at 999,999,999 to ensure that the output is correctly parsed as an ordered list by CommonMark parsers. Numbers larger than 999,999,999 are not parsed as list item numbers and are left unchanged in the output:

<!-- Input -->
999999998. text
999999998. text
999999998. text
999999998. text

1234567890123456789012) text

<!-- Prettier 3.9.4 -->
999999998. text
999999999. text
1000000000. text
1000000001. text

1234567890123456789012) text

<!-- Prettier 3.9.5 -->
999999998. text
999999999. text
999999999. text
999999999. text

1234567890123456789012) text
Markdown: Avoid corrupting empty link with title (#​19487 by @​andersk)

Do not remove <> from an inline link or image with an empty URL and a title, as this removal would change its interpretation.

<!-- Input -->
[link](<> "title")

<!-- Prettier 3.9.4 -->
[link]( "title")

<!-- Prettier 3.9.5 -->
[link](<> "title")
Less: Remove extra spaces after [ in map lookups (#​19503 by @​kovsu)
// Input
.foo {
  color: #theme[ primary];
  color: #theme[@&#8203;name];
  color: #theme[@&#8203;@&#8203;name];
}

// Prettier 3.9.4
.foo {
  color: #theme[ primary];
  color: #theme[ @&#8203;name];
  color: #theme[ @&#8203;@&#8203;name];
}

// Prettier 3.9.5
.foo {
  color: #theme[primary];
  color: #theme[@&#8203;name];
  color: #theme[@&#8203;@&#8203;name];
}
CSS: Prevent addition space in type() with + (#​19516 by @​bigandy)

This fixes the addition space before + in CSS type() declaration. For example type(<number>+) was being converted into type(<number> +) which is invalid CSS and does not work.

/* Input */
div {
  border-radius: attr(br type(<length>+));
}

/* Prettier 3.9.4 */
div {
  border-radius: attr(br type(<length> +));
}

/* Prettier 3.9.5 */
div {
  border-radius: attr(br type(<length>+));
}
Less: Remove spaces between merge markers and colons (#​19517 by @​kovsu)
// Input
a {
  box-shadow  +  : 0 0 1px #&#8203;000;
}

// Prettier 3.9.4
a {
  box-shadow+  : 0 0 1px #&#8203;000;
}

// Prettier 3.9.5
a {
  box-shadow+: 0 0 1px #&#8203;000;
}
Markdown: Preserve wiki links with aliases (#​19527 by @​kovsu)
<!-- Input -->
[[Foo:Bar]]

<!-- Prettier 3.9.4 -->
[[Foo]]

<!-- Prettier 3.9.5 -->
[[Foo:Bar]]
TypeScript: Fix comments being dropped on shorthand type import/export specifiers (#​19565 by @​kirkwaiblinger)
// Input
export { type /* comment */ T } from "foo";
import { type /* comment */ T } from "foo";

// Prettier 3.9.4
Error: Comment "comment" was not printed. Please report this error!

// Prettier 3.9.5
export { type /* comment */ T } from "foo";
import { type /* comment */ T } from "foo";
Miscellaneous: Preserving comments' placement property (#​19567 by @​Janther)

Prettier@​3.9.0 deleted an undocumented property on comments, which was already used by plugins, comment.placement is now available again after comment attach.

Flow: Stop enforcing empty module declaration to break (#​19568 by @​fisker)
// Input
declare module "foo" {}

// Prettier 3.9.4
declare module "foo" {
}

// Prettier 3.9.5
declare module "foo" {}
Angular: Support expression for exhaustive typechecking (#​19571 by @​fisker)
<!-- Input -->
@&#8203;switch (state.mode) {
  @&#8203;default never(state);
}

<!-- Prettier 3.9.4 -->
@&#8203;switch (state.mode) {
  @&#8203;default never;
}

<!-- Prettier 3.9.5 -->
@&#8203;switch (state.mode) {
  @&#8203;default never(state);
}
TypeScript: Ignore comments inside mapped type when checking type parameter comments (#​19572 by @​fisker)
// Input
foo<{
  // comment
  [key in keyof Foo]: number
}>();

// Prettier 3.9.4
foo<
  {
    // comment
    [key in keyof Foo]: number;
  }
>();

// Prettier 3.9.5
foo<{
  // comment
  [key in keyof Foo]: number;
}>();
Less: Fix adjacent block comments being corrupted (#​19574 by @​kovsu)
// Input
/* a *//* b */
/* a */* {
  color: red;
}

// Prettier 3.9.4
/* a */
/* b */
/* a * {
  color: red;
}

// Prettier 3.9.5
/* a */ /* b */
/* a */
* {
  color: red;
}
JavaScript: Handle dangling comments in SwitchStatement (#​19581 by @​fisker)
// Input
switch (foo) {
 // comment
}

// Prettier 3.9.4
switch (
  foo
  // comment
) {
}

// Prettier 3.9.5
switch (foo) {
  // comment
}
TypeScript: Remove space in comment-only object type (#​19583 by @​fisker)
// Input
var foo = {
  /* comment */
};
type Foo = {
  /* comment */
};

// Prettier 3.9.4
var foo = {/* comment */};
type Foo = { /* comment */ };

// Prettier 3.9.5
var foo = {/* comment */};
type Foo = {/* comment */};
i18next/react-i18next (react-i18next)

v17.0.9

Compare Source

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. Fixes #​1927, thanks @​andikapradanaarif.
  • fix(types): <Trans t={t} ns="ns" …> with a t from useTranslation(['ns']) now typechecks under TypeScript 7. TS7 intersects the Ns inference candidates coming from the t prop (readonly ['ns']) and the ns prop ('ns') into an unsatisfiable 'ns' & readonly ['ns'], where TS6 resolved them. The ns prop on TransProps, TransSelectorProps and IcuTransWithoutContextProps now also accepts a single namespace out of an array-typed Ns (Ns | (Ns extends readonly (infer S extends string)[] ? S : never)) — which matches runtime behavior and is unchanged under TS5/TS6.
remix-run/react-router (react-router)

v8.2.0

Compare Source

Patch Changes
  • Fix href() to properly stringify and URL-encode param values, matching generatePath() (#​15277)
    • splat params preserve path separators while encoding each segment individually
  • Fix dynamic param extraction for routes with optional static segments (#​15200)
    • When a route path contains optional static segments (e.g. /school?/user/:id), the internal regex's incorrectly shifted parameter indices resulting in incorrect parameter extraction
    • Consecutive optional static segments (e.g. /one?/two?) were only partially handled
  • Preserve navigation blocker state through a revalidation (#​15246)
  • Fix route ranking for dynamic parameters with static extension suffixes (#​15273)
    • These were not being detected as dynamic param segments and instead got incorrectly scored higher as a static segment
    • This meant they could potentially tie truly static routes like /sitemap.xml and outrank them based on definition order
    • These are now correctly identified as dynamic parameter segments and scored correctly
  • Use ReactFormState types instead of unknown (#​15263)
rolldown/rolldown (rolldown)

v1.2.0

Compare Source

🚀 Features
🐛 Bug Fixes
🚜 Refactor

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Oslo)

  • Branch creation
    • "before 07:00 on Thursday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changeset-bot

changeset-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: cb2a22c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Preview deployments for this pull request:

storybook - 18. Jul 2026 - 16:03

themebuilder - 18. Jul 2026 - 16:03

www - 18. Jul 2026 - 16:05

@renovate
renovate Bot force-pushed the renovate/npm-minor-patch branch 6 times, most recently from 69ed9b4 to 02979ca Compare July 18, 2026 05:42
@renovate
renovate Bot force-pushed the renovate/npm-minor-patch branch from 02979ca to cb2a22c Compare July 18, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants