Skip to content

chore(deps): update all non-major dependencies#39

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#39
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented May 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@commitlint/cli (source) 21.0.121.0.2 age confidence devDependencies patch
@commitlint/config-conventional (source) 21.0.121.0.2 age confidence devDependencies patch
@nestjs/common (source) 11.1.2011.1.26 age confidence devDependencies patch
@types/node (source) 25.7.025.9.2 age confidence devDependencies minor 25.9.3
@types/node (source) 25.6.225.9.2 age confidence devDependencies minor 25.9.3
@typescript-eslint/eslint-plugin (source) 8.59.38.61.0 age confidence devDependencies minor
@typescript-eslint/eslint-plugin (source) 8.59.28.61.0 age confidence devDependencies minor
@typescript-eslint/parser (source) 8.59.38.61.0 age confidence devDependencies minor
@typescript-eslint/parser (source) 8.59.28.61.0 age confidence devDependencies minor
@vitest/coverage-v8 (source) 3.2.43.2.6 age confidence devDependencies patch
actions/checkout v6.0.2v6.0.3 age confidence action patch
docker 29.4-dind29.5-dind age confidence service-image minor
eslint (source) 10.3.010.4.1 age confidence devDependencies minor
mermaid 11.14.011.15.0 age confidence devDependencies minor
pnpm (source) 11.1.311.5.2 age confidence packageManager minor 11.6.0 (+1)
tsx (source) 4.21.04.22.4 age confidence devDependencies minor
vitest (source) 3.2.43.2.6 age confidence devDependencies patch
vue (source) 3.5.343.5.35 age confidence devDependencies patch 3.5.38 (+2)
vue-i18n (source) 11.4.411.4.5 age confidence dependencies patch

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v21.0.2

Compare Source

Bug Fixes
conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.0.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

nestjs/nest (@​nestjs/common)

v11.1.26

Compare Source

What's Changed

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

Compare Source

v11.1.24

Compare Source

v11.1.24 (2026-05-25)
Bug fixes
Enhancements
Dependencies
Committers: 2

v11.1.23

Compare Source

v11.1.23 (2026-05-21)
Bug fixes
  • core
    • #​16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20
Committers: 1

v11.1.22

Compare Source

v11.1.22 (2026-05-21)
Bug fixes
Enhancements
Committers: 2

v11.1.21

Compare Source

v11.1.21 (2026-05-14)
Bug fixes
Committers: 1
typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.61.0

Compare Source

🚀 Features
  • ast-spec: change type of UnaryExpression.prefix to always true (#​12372)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

🩹 Fixes
  • eslint-plugin: [no-shadow] correct rule to match ESLint v10 handling (#​12182)
  • eslint-plugin: respect ECMAScript line terminators in ts-comment rules (#​12352)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes
  • eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#​12294)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.61.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitest-dev/vitest (@​vitest/coverage-v8)

v3.2.6

Compare Source

v3.2.5

Compare Source

actions/checkout (actions/checkout)

v6.0.3

Compare Source

eslint/eslint (eslint)

v10.4.1

Compare Source

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

v10.4.0

Compare Source

mermaid-js/mermaid (mermaid)

v11.15.0

Compare Source

Minor Changes

  • #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

  • #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

    In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

  • #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

  • #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

  • #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

    If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

    config:
  class:
    hierarchicalNamespaces: false

  • #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

  • #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

  • #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

    This removes some invalid CSS and normalizes some CSS formatting.

  • #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

  • #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

  • #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

  • #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

  • #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

    Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

  • #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

  • #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

  • #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

  • #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

    Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

  • #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

  • #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

  • #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

    Mermaid does not use any of the vulnerable code in CVE-2026-41907,
    but this allows users to silence any npm audit alerts on it.

  • #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

  • #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

  • #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

    Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

    Fixes #​7120.

  • #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

  • #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

  • #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

    Switch to using two %% if you want to write a comment.

  • Updated dependencies [7a8fb85, 675a64c]:

pnpm/pnpm (pnpm)

v11.5.2

Compare Source

Patch Changes

  • Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.

  • The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.

  • Fix pnpm update --recursive --lockfile-only <pkg>@&#8203;<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #​11570.

  • Avoided a Node.js crash when pnpm exits after network requests on Windows.

  • Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #​12197.

  • Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).

    In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp / prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).

    buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.

  • Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.

  • Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.

v11.5.1

Compare Source

Patch Changes
  • Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
  • Avoid crashing when the workspace state cache is partially written or malformed.
  • Set npm_config_user_agent for root lifecycle scripts during headless installs.
  • Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
  • Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
  • Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
  • Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.

v11.5.0

Compare Source

Minor Changes

  • Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits. It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #​6468, closing #​6457.

  • Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists were clipped in the terminal #​6643.

    User-facing changes:

    • pnpm update -i / pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via usePagination
    • pnpm audit --fix -i: Same scrolling fix for vulnerability selection
    • pnpm approve-builds: Interactive build approval prompts updated
    • pnpm patch: Version selection and "apply to all" prompts updated
    • pnpm patch-remove: Patch removal selection updated
    • pnpm publish: Branch confirmation prompt updated
    • pnpm login: Credential prompts updated
    • pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt): Confirmation prompt updated

    Vim-style j/k keys still work for up/down navigation in all interactive prompts.

    Internal: The OtpEnquirer and LoginEnquirer DI interfaces changed from { prompt } to { input } / { input, password } respectively. Plugins or custom builds that inject their own enquirer mock will need to update.

  • Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #​11887.

Patch Changes

  • Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit the findHit cache instead of running their own calculateDepPath are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #​11999.

  • Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp with [ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sends npm-auth-type: web on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same withOtpHandling helper used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.

  • Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during publishedBy metadata selection and cache-mtime shortcuts.

  • Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY. #​12001.

  • Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #​11993.

    --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.

v11.4.0

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

  • pnpm runtime set <name> <version> now saves the runtime to devEngines.runtime by default instead of engines.runtime. Pass --save-prod (or -P) to save it to engines.runtime instead #​11948.

Patch Changes

  • Fix a credential disclosure issue where an unscoped _authToken (or _auth, or username + _password, or tokenHelper) defined in one source — ~/.npmrc, ~/.config/pnpm/auth.ini, a workspace .npmrc, CLI flags, etc. — would be sent as an Authorization header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert, key) so they aren't presented to a registry their author didn't choose.

    pnpm now rewrites each unscoped per-registry setting (_authToken, _auth, username, _password, tokenHelper, cert, key) to its URL-scoped form at load time, using the registry= value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding registry= therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.

    Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since npm@9, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g. //registry.example.com/:_authToken=... or //registry.example.com/:cert=...).

    @pnpm/network.auth-header: removed the defaultRegistry parameter from createGetAuthHeaderByURI and getAuthHeadersFromCreds. Now that credentials are URL-scoped at load time, the merged configByUri never contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.

  • Fix pnpm deploy crashing with ENOENT: ... lstat '<deployDir>/node_modules' when configDependencies declares pacquet (pacquet or @pnpm/pacquet). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.

  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.

  • Limit concurrent project manifest reads while listing large workspaces to avoid EMFILE errors.

  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.

  • Improve the log message that pnpm prints after auto-adding entries to minimumReleaseAgeExclude when minimumReleaseAge is set without minimumReleaseAgeStrict. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set minimumReleaseAgeStrict to true if they want these updates gated behind a prompt instead #​11747.

  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

  • Validate devEngines.runtime and engines.runtime version ranges for node, deno, and bun when onFail is set to error or warn. Previously these settings only had an effect with onFail: 'download' — the error and warn modes silently did nothing #​11818. Violations now throw `ERR_PNPM_BAD_RUNT

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 6am on monday"
  • Automerge
    • "after 7am and before 11am on monday"

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 54e6234 to 7b130c4 Compare May 21, 2026 12:32
@github-actions

github-actions Bot commented May 21, 2026
edited
Loading

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 9.17% 233 / 2539
🔵 Statements 9.17% 233 / 2539
🔵 Functions 38.7% 12 / 31
🔵 Branches 71.76% 61 / 85
File CoverageNo changed files found.
Generated in workflow #177 for commit 92777a5 by the Vitest Coverage Report Action

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 15 times, most recently from cf757c6 to 9815001 Compare May 27, 2026 07:20
@renovate renovate Bot requested a review from VaclavMiculka as a code owner May 27, 2026 07:20
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 9815001 to 92a760e Compare May 27, 2026 09:24
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from b88a5ee to 382510a Compare June 2, 2026 19:44
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 5aa4f48 to 6b9ba28 Compare June 7, 2026 07:53
@renovate renovate Bot enabled auto-merge (squash) June 7, 2026 08:06
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 15 times, most recently from 04e05be to e73215a Compare June 11, 2026 03:07
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e73215a to 6752245 Compare June 11, 2026 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@filipkoukal filipkoukal Awaiting requested review from filipkoukal filipkoukal is a code owner

@michal-vlcek michal-vlcek Awaiting requested review from michal-vlcek michal-vlcek is a code owner

@VaclavMiculka VaclavMiculka Awaiting requested review from VaclavMiculka VaclavMiculka is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants