Skip to content

chore(deps): update all non-major dependencies#30

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#30
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@antfu/eslint-config ^8.2.0^8.3.0 age confidence
@types/node (source) ^24.12.2^24.13.3 age confidence
bumpp ^11.0.1^11.1.0 age confidence
eslint (source) ^10.3.0^10.6.0 age confidence
pnpm (source) 10.33.210.34.4 age confidence
tsx (source) ^4.21.0^4.23.0 age confidence
vitest (source) ^4.1.5^4.1.10 age confidence

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v8.3.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
  • markdown: Scope user rule overrides away from md files  -  by @​antfu and Claude Opus 4.7 (1M context) in #​844 (8d25a)
    View changes on GitHub
antfu-collective/bumpp (bumpp)

v11.1.0

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
eslint/eslint (eslint)

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

v10.5.0

Compare Source

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#​20926) (sethamus)

Chores

v10.4.1

Compare Source

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

v10.4.0

Compare Source

Features

  • 1a45ec5 feat: check sequence expressions in for-direction (#​20701) (kuldeep kumar)
  • 450040b feat: add includeIgnoreFile() to eslint/config (#​20735) (Kirk Waiblinger)

Bug Fixes

Documentation

  • 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#​20869) (Pavel)
  • db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#​20865) (Kirk Waiblinger)
  • 9084664 docs: Update README (GitHub Actions Bot)
  • 9cc7387 docs: Update README (GitHub Actions Bot)
  • 3d7b548 docs: Update README (GitHub Actions Bot)
  • 191ec3c docs: Update README (GitHub Actions Bot)

Chores

  • 6616856 chore: upgrade knip to v6 (#​20875) (Pixel998)
  • d13b084 ci: ensure auto-created PRs run CI (#​20860) (lumir)
  • e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#​20862) (dependabot[bot])
  • d84393d test: add unit tests for SuppressionsService.applySuppressions() (#​20863) (kuldeep kumar)
  • 24db8cb test: add tests for SuppressionsService.save() (#​20802) (kuldeep kumar)
  • 2ef0549 chore: update ecosystem plugins (#​20857) (github-actions[bot])
  • a429791 ci: remove eslint-webpack-plugin types integration test (#​20668) (Milos Djermanovic)
  • 9e37386 chore: replace recast with range approach in code-sample-minimizer (#​20682) (Copilot)
  • 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#​20845) (Francesco Trotta)
  • 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#​20716) (Pixel998)
  • 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#​20800) (xbinaryx)
  • f1dfbc9 chore: update ecosystem plugins (#​20836) (github-actions[bot])
  • c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#​20843) (dependabot[bot])
  • 5b817d6 test: add unit tests for lib/shared/ast-utils (#​20838) (kuldeep kumar)
  • 1c13ae3 test: add unit tests for lib/shared/severity (#​20835) (kuldeep kumar)
pnpm/pnpm (pnpm)

v10.34.4: pnpm 10.34.4

Compare Source

Patch Changes
  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.

Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.3: pnpm 10.34.3

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

  • the project/workspace .npmrcregistry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
  • registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

  • Improved the warning printed when a project .npmrc uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running pnpm config set "<key>" <value> to store it in the global config, or by keeping the ${...} line in the user-level ~/.npmrc — with a link to https://pnpm.io/npmrc.
  • A repository-controlled project or workspace .npmrc can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set userconfig, globalconfig, or prefix to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set tokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace .npmrc files are read. Fixed by upgrading @pnpm/npm-conf to 3.0.3.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.2: pnpm 10.34.2

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

  • the project/workspace .npmrcregistry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
  • registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

  • Package-manager bootstrap traffic is now resolved through trusted registries and trusted network config. When pnpm downloads the pnpm version requested by a repository's packageManager field, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global .npmrc — defaulting to the public npm registry, instead of the repository's project/workspace settings.
  • pnpm now verifies the npm registry signature of a package-manager binary before spawning it. When the packageManager field (or pnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exact name@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip.
  • Environment variable expansion is now trust-aware for registry/auth config and request destinations. Repository-controlled config files (the project and workspace .npmrc and pnpm-workspace.yaml) can no longer expand ${...} placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.
  • Reject reserved manifest bin names ("", ".", "..", and scoped forms such as @scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.
  • Require trusted package identity before package-name onlyBuiltDependencies (and allowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.
  • pnpm now verifies the detached OpenPGP signature of a Node.js release's SHASUMS256.txt against the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel> in .npmrc), and the integrity check previously trusted a SHASUMS256.txt fetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only the release channel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 1459794 to e7c356b Compare July 6, 2026 07:56
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e7c356b to 28caae7 Compare July 8, 2026 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants