
chore(deps): update all non-major dependencies (v1) #1434

Open
renovate[bot] wants to merge 2 commits into v1 from renovate/v1-all-minor-patch

renovate Bot commented Jul 4, 2026
Contributor
ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @types/node | ^25.5.0 → ^25.9.4 |
| @vitest/coverage-v8 | ^4.1.2 → ^4.1.9 |
| crossws | ^0.3.5 → ^0.4.7 |
| defu | ^6.1.6 → ^6.1.7 |
| eslint | ^10.1.0 → ^10.6.0 |
| h3 | ^1.15.10 → ^1.15.11 |
| jiti | ^2.6.1 → ^2.7.0 |
| listhen | ^1.9.0 → ^1.10.0 |
| pnpm | 10.28.0 → 10.34.4 |
| pnpm | 10.7.0 → 10.34.4 |
| prettier | ^3.8.1 → ^3.9.4 |
| react | ^19.2.4 → ^19.2.7 |
| react-dom | ^19.2.4 → ^19.2.7 |
| ufo | ^1.6.3 → ^1.6.4 |
| undici | ^7.24.7 → ^7.28.0 |
| undocs | ^0.2.30 → ^0.4.16 |
| vitest | ^4.1.2 → ^4.1.9 |
| zod | ^4.3.6 → ^4.4.3 |

Release Notes

vitest-dev/vitest (@vitest/coverage-v8)

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codex and Vladimir in #10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #10497 and #10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #10543 and #10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE-related issues (#9975).

   🐞 Bug Fixes
    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

h3js/crossws (crossws)

v0.4.7

Compare Source

compare changes

🚀 Enhancements
  • proxy: Support async target resolver in createWebSocketProxy (#​196)
  • peer: Backpressure support (#​195)
  • pubsub: Sync backplane (#​192)
🩹 Fixes
  • deno: Capture remoteAddress eagerly at upgrade time (29d8519)
  • deno: Read remoteAddr before upgrading the request (af5fe64)
  • deno: Snapshot request url and headers before upgrade (1499e60)
  • node: Publish non-string payloads as text frames (#​193)
📖 Documentation
🏡 Chore
❤️ Contributors

v0.4.6

Compare Source

compare changes

🚀 Enhancements
  • Add vercel adapter (internal testing) (#​191)
  • proxy: Allow forwardProtocol to rewrite the upstream subprotocol (#​190)
🩹 Fixes
  • cloudflare: Persist peer namespace in Durable Object attachment (#​188)
📦 Deps
  • Bundled ws upgraded from 8.20.0 to 8.21.0
❤️ Contributors

v0.4.5

Compare Source

compare changes

🚀 Enhancements
  • Add createWebSocketProxy util (#​184)
  • New bunny adapter (#​179)
  • Add fromNodeUpgradeHandler util + socket.io example (#​185)
🩹 Fixes
  • node: Do not url-encode upgrade response headers (ffbed40)
📦 Build
  • Export ServerWithWSOptions and WSOptions types (#​180)
🏡 Chore
✅ Tests
  • node: Add regression test for EADDRINUSE handling (#​183)
❤️ Contributors

v0.4.4

Compare Source

compare changes

🩹 Fixes
  • Use AbortController for StubRequest.signal (#​175)
🏡 Chore
❤️ Contributors

v0.4.3

Compare Source

compare changes

📦 Build
  • Migrate to obuild (rolldown) (efdd087)
❤️ Contributors

v0.4.2

Compare Source

compare changes

🩹 Fixes
  • node server: Properly pass request to NodeRequest (28e5d64)
  • cloudflare: Send close frame (#​177)
📖 Documentation
  • Add new logo with cube style (#​171)
  • Mention publish not broadcasting to sender (#​173)
🏡 Chore
❤️ Contributors

v0.4.1

Compare Source

compare changes

🩹 Fixes
  • node server: Properly pass request to NodeRequest (28e5d64)
🏡 Chore
  • playground: Add start command (7ab898c)
❤️ Contributors

v0.4.0

Compare Source

compare changes

🚀 Enhancements
  • Stub full request interface (#​156)
  • Universal server for deno, node and bun using srvx (experimental) (#​158)
  • Create PeerContext interface for type augmentation (#​159)
  • ⚠️ Namespaced pub/sub peers (#​162)
  • ⚠️ Support returning context from upgrade hook (#​163)
  • cloudflare: Support global publish via rpc (#​166)
  • Add cloudflare and default (sse) server entries (#​167)
🩹 Fixes
  • ⚠️ Do not automatically accept first sec-webSocket-protocol (#​142)
💅 Refactors
  • Remove uncrypto dependency (#​153)
  • ⚠️ Always pass Request as first param to resolve (#​160)
  • Simplify inspect values (aa49668)
  • Throw error when running deno, bun and node adapters in an incompatible environment (b5fcf2a)
  • Narrow down upgrade return type (d843cd0)
  • ⚠️ Always terminate upgrade if Response is returned (#​164)
  • ⚠️ Merge cloudflare and cloudflare-durable adapters (#​165)
  • cloudflare: Show warning when pub/sub is not supported (#​144)
📖 Documentation
  • Change to h3js from unjs (#​155)
  • Add docs for augmenting PeerContext type (#​161)
  • Prepare for v0.4 (#​168)
📦 Build
  • Simplify and fix exports (0d2ceb0)
  • Remove extra .d.ts files (1f389d6)
🏡 Chore
⚠️ Breaking Changes
  • ⚠️ Namespaced pub/sub peers (#​162)
  • ⚠️ Support returning context from upgrade hook (#​163)
  • ⚠️ Do not automatically accept first sec-webSocket-protocol (#​142)
  • ⚠️ Always pass Request as first param to resolve (#​160)
  • ⚠️ Always terminate upgrade if Response is returned (#​164)
  • ⚠️ Merge cloudflare and cloudflare-durable adapters (#​165)
❤️ Contributors

unjs/defu (defu)

v6.1.7

Compare Source

compare changes

🩹 Fixes
  • defu.d.cts: Export Defu types (#​157)
📦 Build
  • Correct the types export entry (#​160)
❤️ Contributors

v6.1.6

Compare Source

compare changes

📦 Build
❤️ Contributors

v6.1.5

Compare Source

compare changes

🩹 Fixes
  • Prevent prototype pollution via __proto__ in defaults (#​156)
  • Ignore inherited enumerable properties (11ba022)
🏡 Chore
✅ Tests
  • Add more tests for plain objects (b65f603)
🤖 CI
❤️ Contributors

eslint/eslint (eslint)

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

v10.5.0

Compare Source

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "after 1am and before 5am"
  • Automerge
    • "after 2am and before 5am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/undocs@0.4.16 → npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/@internationalized/date@3.12.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @tanstack/table-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/@tanstack/table-core@8.21.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/table-core@8.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm embla-carousel is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/embla-carousel@8.6.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/embla-carousel@8.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm powershell-utils is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/powershell-utils@0.1.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/powershell-utils@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm robust-predicates is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/robust-predicates@3.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/robust-predicates@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm seroval is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yaml → npm/undocs@0.4.16 → npm/seroval@1.5.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate Bot commented Jul 4, 2026
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
