Skip to content

chore(deps): update all non-major dependencies#556

Merged
jerome-benoit merged 1 commit into
mainfrom
renovate/all-minor-patch
May 15, 2026
Merged

chore(deps): update all non-major dependencies#556
jerome-benoit merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented May 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
pnpm (source) 11.1.111.1.2 age confidence
tsx (source) ^4.21.0^4.22.0 age confidence

Release Notes

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes
  • convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

  • Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

  • Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

  • Fix minimumReleaseAge handling for cached abbreviated metadata.

    The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

    When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

    Closes #​11619.

  • Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

  • Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

  • Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

privatenumber/tsx (tsx)

v4.22.0

Compare Source

v4.21.1

Compare Source

Bug Fixes
  • support Node 20.11/21.2 import.meta paths (acf3d8f)
  • support Node.js 24.15.0 (c1d2d45)
  • support Node.js 26.1.0 and 25.9.0 (1d7e528)

This release is also available on:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from Uzlopak and jerome-benoit as code owners May 15, 2026 00:28
@pkg-pr-new

pkg-pr-new Bot commented May 15, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/tinylibs/tinybench@556

commit: a0eb568

@github-actions

Copy link
Copy Markdown

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
dist/index.js 10.13 KB (0%) 203 ms (0%) 32 ms (+0.98% 🔺) 234 ms

@jerome-benoit jerome-benoit added this pull request to the merge queue May 15, 2026
Merged via the queue into main with commit 629bca5 May 15, 2026
34 checks passed
@jerome-benoit jerome-benoit deleted the renovate/all-minor-patch branch May 15, 2026 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant