build: update all non-major dependencies

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@google/genai	1.44.0 → 1.45.0
firebase-tools	15.9.1 → 15.10.0
puppeteer (source)	24.39.0 → 24.39.1
puppeteer-core (source)	24.39.0 → 24.39.1
renovate (source)	43.62.0 → 43.76.0
rollup-plugin-dts	6.3.0 → 6.4.0
undici (source)	7.22.0 → 7.24.3

---

Release Notes

googleapis/js-genai (@​google/genai)

v1.45.0

Compare Source

Features

• Add inference_generation_config to EvaluationConfig for Tuning (b4ac722)
• enable language code for audio transcription config in Live API for Vertex AI (67f39ec)

firebase/firebase-tools (firebase-tools)

v15.10.0

Compare Source

• Add support for VPC direct connect in GCF 2nd gen (#​10033)
• Added --only flag for emulators:export (#​4033)
• Added support for custom PostgreSQL schema names in Data Connect. (#​9271)
• When SSR web app features are detected in the firebase init hosting flow, offer to switch to App Hosting (#​9887)
• Removed the experimental web frameworks prompt from firebase init hosting (#​9843)
• Added studio:export command to export Firebase Studio projects to Antigravity.

puppeteer/puppeteer (puppeteer)

v24.39.1

Compare Source

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.39.0 to 24.39.1

🛠️ Fixes

• roll to Chrome 146.0.7680.72 (#​14764) (177e3ed)
• roll to Chrome 146.0.7680.76 (#​14777) (0751a83)
• roll to Firefox 148.0.2 (#​14763) (e658f4e)

renovatebot/renovate (renovate)

v43.76.0

Compare Source

Features

• pip_requirements: detect requirements files with underscores (#​41911) (484c2ec)

v43.75.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.25.0 (main) (#​41927) (425ca26)

v43.74.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.24.0 (main) (#​41926) (4847242)

Miscellaneous Chores

• deps: update dependency pnpm to v10.31.0 (main) (#​41925) (a70c005)

v43.73.2

Compare Source

Bug Fixes

• lint errors (#​41808) (d6c85ec)

v43.73.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.23.1 (main) (#​41920) (dd1a102)

Miscellaneous Chores

• deps: update dependency eslint to v9.39.4 (main) (#​41917) (a51cf81)

v43.73.0

Compare Source

Features

• config-migration: preserve comments when migrating renovate.json (#​38646) (e8a5c70)

v43.72.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.23.0 (main) (#​41915) (8be386e)

Miscellaneous Chores

• deps: update dependency @​eslint/js to v9.39.4 (main) (#​41914) (d327491)

v43.71.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.22.0 (main) (#​41909) (5906313)

v43.70.0

Compare Source

Features

• maven-wrapper: support checksum updates when updating versions (#​40481) (49fbc83), closes #​33444 #​40929 #​40923 #​40090 #​40911 #​40910 #​40906 #​40899 #​39979 #​40871 #​40883 #​40882 #​40880 #​40028 #​40878 #​40876 #​40877 #​40874 #​40873 #​40872 #​40669

Bug Fixes

• swift: don't use v prefix with Package.resolved (#​41782) (25c77c6), closes #​41780

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.4.1 (main) (#​41907) (ba21ce6)

v43.69.0

Compare Source

Features

• add Home Assistant Manifest manager (#​39906) (6fb659a)

v43.66.5

Compare Source

Bug Fixes

• maven-wrapper: drop explicit versioning (#​41872) (93e215f)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.2.3 (main) (#​41880) (5be6098)
• deps: update pnpm/action-setup action to v4.4.0 (main) (#​41888) (447ec1a)

v43.66.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.10 (main) (#​41871) (3145b2d)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.12.0 (main) (#​41870) (6ef198c)

v43.66.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.9 (main) (#​41869) (4473d6c)

v43.66.2

Compare Source

Miscellaneous Chores

• deps: update dependency @​types/node to v24.11.2 (main) (#​41868) (0ba12a9)

Build System

• deps: update dependency @​renovatebot/pgp to v1.3.4 (main) (#​41867) (95de30a)

v43.66.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.8 (main) (#​41865) (7465ff1)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.11.1 (main) (#​41864) (cabe4d3)

v43.66.0

Compare Source

Features

• git-refs: use dereferenced commit hash for annotated tags (#​41560) (74233b1)

v43.65.0

Compare Source

Features

• bazel-module,bazelisk: add lock files updating (#​41507) (2f71422), closes #​41631

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.2.2 (main) (#​41858) (98f9f1b)
• deps: update dependency @​biomejs/biome to v2.4.6 (main) (#​41853) (c0c07df)

v43.64.6

Compare Source

Bug Fixes

• datasource/rpm: accept repomd.xml without xml declaration (#​41850) (9175699)

Miscellaneous Chores

• json-schema: add $id to schemas (#​41846) (c0764fa)
• log a warning when logger isn't initialized (yet) (#​41843) (5cc5fa6), closes #​41842

v43.64.5

Compare Source

Bug Fixes

• correctly initialise logger for renovate-config-validator (#​41844) (31562cb)

Documentation

• prefix child options with their parent (#​41828) (e0ce9da)

Miscellaneous Chores

• correctly initialise logger for tools/ (#​41842) (6432d21)
• deps: update dependency tsdown to v0.21.0 (main) (#​41839) (43930e3)

v43.64.4

Compare Source

Bug Fixes

• mise: use semver-partial versioning for short java versions (#​41179) (5429e7c)

Documentation

• config: move customizeDashboard (#​41827) (0514898)

v43.64.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.7 (main) (#​41832) (ab1afc4)

Miscellaneous Chores

• deps: update dependency @​smithy/util-stream to v4.5.17 (main) (#​41831) (2661829)
• deps: update dependency conventional-changelog-conventionalcommits to v9.3.0 (main) (#​41830) (6ed4c32)

v43.64.2

Compare Source

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​41829) (d1092b7)

v43.64.1

Compare Source

Bug Fixes

• datasource/docker: use custom www-authenticate parser (#​41813) (a065a3d)

Miscellaneous Chores

• deps: update actions/download-artifact action to v8.0.1 (main) (#​41823) (fc12b55)
• deps: update containerbase/internal-tools action to v4.1.23 (main) (#​41824) (d997f77)

v43.64.0

Compare Source

Features

• add home-operations replacement rule (#​41777) (4deb2dd)

Miscellaneous Chores

• deps: update pnpm/action-setup action to v4.3.0 (main) (#​41821) (58f20c2)

v43.63.0

Compare Source

Features

• gradle: add support for short dependency notation in version catalogs (#​41797) (c06b551)
• presets/replacement: Add @base-ui-components/react => @base-ui/react rename (#​41787) (9df72b1)

Documentation

• Fix typo in newDigestShort description (#​41796) (b96fbcb)

Miscellaneous Chores

• deps: update dependency memfs to v4.56.11 (main) (#​41812) (3918253)

Swatinem/rollup-plugin-dts (rollup-plugin-dts)

v6.4.0

Compare Source

Features:

• Implement proper SourceMap support with goto-definition granularity
• Support dotted namespace syntax

Fixes:

• Better naming for declare module paths
• Add compatibility with TS6

Thank you:

Features, fixes and improvements in this release have been contributed by:

• @​schoel-bis
• @​ZhangYiJiang
• @​igordanchenko
• @​privatenumber

nodejs/undici (undici)

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

What's Changed

• fix: proto pollution by @​rahulyadav5524 in #​4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Compare Source

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

• CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0
• CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

Compare Source

What's Changed

• fix: prevent AbortController GC when redirect is 'error' by @​mcollina in #​4750
• docs: clarify UndiciHeaders validation guidance by @​mcollina in #​4832
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @​dependabot[bot] in #​4795
• build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @​dependabot[bot] in #​4794
• build(deps): bump github/codeql-action from 4.31.2 to 4.32.0 by @​dependabot[bot] in #​4793
• test: add unexpected disconnect guards to client test files by @​samayer12 in #​4833
• fix fetch stripping trailing ? from url by @​KhafraDev in #​4837
• fix: forward onResponseStarted through WrapHandler and UnwrapHandler by @​7rulnik in #​4840
• webidl: access keys in lexicographical order by @​KhafraDev in #​4841
• ci: disable coverage on Node.js 25 by @​mcollina in #​4852
• build(deps): bump uWebSockets.js from v20.56.0 to v20.58.0 in /benchmarks by @​dependabot[bot] in #​4855
• fix(h2): TypeError: Cannot read properties of null (reading 'servername') in _resume when H2 stream completes by @​hxinhan in #​4847
• fix(h2): ignore late data frames after request completion by @​mcollina in #​4845
• fix(handler): preserve latin1 header encoding in WrapHandler by @​theamodhshetty in #​4859
• docs(examples): add cache interceptor example with fetch by @​nthbotast in #​4864
• docs(dispatcher): clarify onResponseStart return value is ignored by @​nthbotast in #​4865
• feat: add SOCKS5 proxy support to ProxyAgent by @​mcollina in #​4385
• fix: harden header iterable checks for prototype-pollution scenarios by @​mcollina in #​4824
• fix(interceptor): preserve tuple headers in dns interceptor by @​theamodhshetty in #​4863
• docs(dispatcher): use RFC 2606 domains in interceptor examples by @​nthbotast in #​4873
• feat: add IP prioritization hints for HTTP/1.1 and HTTP/2 by @​amyssnippet in #​4831
• docs: clarify when to install undici vs using Node's built-in fetch by @​travisbreaks in #​4868
• docs(dispatcher): add cache interceptor fetch example by @​nthbotast in #​4870
• fix(dispatcher): pass socketPath to custom connect callbacks by @​theamodhshetty in #​4857

New Contributors

• @​samayer12 made their first contribution in #​4833
• @​7rulnik made their first contribution in #​4840
• @​hxinhan made their first contribution in #​4847
• @​theamodhshetty made their first contribution in #​4859
• @​nthbotast made their first contribution in #​4864
• @​amyssnippet made their first contribution in #​4831
• @​travisbreaks made their first contribution in #​4868

Full Changelog: nodejs/undici@v7.22.0...v7.23.0

---

• If you want to rebase/retry this PR, check this box

[gemini-code-assist]

Code Review

This pull request updates several non-major dependencies. The update to undici is particularly important as it includes security fixes. I've added a few comments regarding inconsistent dependency versioning practices (mixing pinned versions with ranges) which could be improved for better build predictability and maintainability. Otherwise, the dependency updates themselves look good and are ready to be merged.

[gemini-code-assist]

While updating firebase-tools to a pinned version, I noticed that @apollo/server and @as-integrations/express4 use version ranges. For consistency and more predictable builds, consider pinning all dependencies to specific versions.

[gemini-code-assist]

For consistency with this newly pinned version and other dependencies in this file, consider also pinning the rollup dependency on the line above. Using a mix of pinned versions and version ranges (^) can make dependency management less predictable.

[gemini-code-assist]

I notice that most dependencies in this file are pinned to specific versions, but @google/genai uses a version range (^1.43.0). For consistency, you might want to pin it to a specific version as well. This would make dependency resolution more predictable.

[gemini-code-assist]

This file has a mix of pinned dependencies and dependencies with version ranges (e.g., zod: ^4.3.6). For more predictable dependency resolution, it would be beneficial to consistently pin all dependencies to specific versions.

[gemini-code-assist]

This file contains a mix of pinned versions and version ranges (e.g., tslib: ^2.5.2). To ensure more predictable builds, it's a good practice to pin all dependencies to specific versions.

[alan-agius4]

This PR was merged into the repository. The changes were merged into the following branches:

• main: a2bf852