fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@typescript-eslint/eslint-plugin (source)	8.48.0 -> 8.49.0					dependencies	minor
@typescript-eslint/parser (source)	8.48.0 -> 8.49.0					dependencies	minor
actions/checkout	v6.0.0 -> v6.0.1					action	patch
actions/setup-node	v6.0.0 -> v6.1.0					action	minor
github.com/golangci/golangci-lint/v2	v2.6.2 -> v2.7.2					require	minor
github.com/goreleaser/goreleaser/v2	v2.12.7 -> v2.13.1					require	minor
github/codeql-action	v4.31.5 -> v4.31.7					action	patch
golang.org/x/tools	v0.39.0 -> v0.40.0					require	minor
prettier (source)	3.6.2 -> 3.7.4					devDependencies	minor
vitest (source)	4.0.14 -> 4.0.15					dependencies	patch

---

Release Notes

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.49.0

Compare Source

🚀 Features

• eslint-plugin: use Intl.Segmenter instead of graphemer (#​11804)

🩹 Fixes

• deps: update dependency prettier to v3.7.2 (#​11820)

❤️ Thank You

• Justin McBride
• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

v8.48.1

Compare Source

🩹 Fixes

• eslint-plugin: [restrict-template-expressions] check base types in allow list (#​11764, #​11759)
• eslint-plugin: honor ignored base types on generic classes (#​11767)
• eslint-plugin: [consistent-type-exports] check value flag before resolving alias (#​11769)

❤️ Thank You

• Josh Goldberg
• OleksandraKordonets
• SangheeSon @​Higangssh
• tao

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.49.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.48.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

actions/checkout (actions/checkout)

v6.0.1

Compare Source

actions/setup-node (actions/setup-node)

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.7.2

Compare Source

Released on 2025-12-07

1. Linter bug fixes
   • gosec: from 2.22.10 to daccba6

v2.7.1

Compare Source

Released on 2025-12-04

1. Linter bug fixes
   • modernize: disable stringscut analyzer

v2.7.0

Compare Source

1. Bug fixes
   • fix: clone args used by custom command
2. Linters new features or changes
   • no-sprintf-host-port: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
   • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
   • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
   • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
3. Linters bug fixes
   • perfsprint: from 0.10.0 to 0.10.1
   • wrapcheck: from 2.11.0 to 2.12.0
   • godoc-lint: from 0.10.1 to 0.10.2
4. Misc.
   • Add some flags to the custom command
5. Documentation
   • docs: split changelog v1 and v2

goreleaser/goreleaser (github.com/goreleaser/goreleaser/v2)

v2.13.1

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.13.

Changelog

Security updates

• 9d07987: sec: update to go 1.25.5 (@​caarlos0)

Bug fixes

• 694eec5: fix(github): improve create/update file (#​6280) (@​caarlos0)
• 311253b: fix(ko): do not fail if docker daemon not available (@​caarlos0)
• 3f07552: fix(mcp): its actually the committee mcp registry (#​6283) (@​caarlos0)
• 0b98d10: fix: lint (@​caarlos0)
• 7d7986f: fix: update run script to new cosign signature check (@​caarlos0)

Documentation updates

• 95b9db9: docs: announce v2.13 (#​6270) (@​caarlos0)
• 86368f7: docs: clarify deprecation policy (@​caarlos0)
• c4fe18b: docs: update sign.md (@​caarlos0)

Other work

• 2ea7bc9: chore: issue templates (@​caarlos0)
• 4eb5b18: chore: issue templates (@​caarlos0)
• 460ebca: chore: update issue templates (@​caarlos0)
• 6914329: ci(deps): bump the actions group with 4 updates (#​6287) (@​dependabot[bot])
• 1e190b4: ci(sec): fix sbom job (@​caarlos0)
• 1072df2: ci(sec): improve sbom scan job (@​caarlos0)
• bfd04a0: ci(sec): periodically scan last release sboms (#​6281) (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.13.0...v2.13.1

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

v2.13.0

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.13.

Changelog

New Features

• 180a7e8: feat(aur): use ${pkgver} in the URL to prevent extra diffs (#​6231) (@​caarlos0)
• f99924b: feat: add Discourse announcer (#​6199) (@​FelicianoTech)
• 7d0a94c: feat: add GitHub App signed commit support (#​6240) (@​Copilot)
• 2748003: feat: make hooks in homebrew_casks templateable (#​6222) (@​Copilot)
• 0a525ea: feat: make hooks in homebrew_casks templateable (#​6222) (@​Copilot)
• f6e37dd: feat: make signs.output and docker_signs.output templateable (#​6220) (@​Copilot)
• 5a3de94: feat: make signs.output and docker_signs.output templateable (#​6220) (@​Copilot)
• 5479cda: feat: mcp publisher (#​6234) (@​caarlos0)
• a86fca9: feat: support ko loading base image from daemon (#​6233) (@​scav)
• 8a8bf41: feat: update Go to 1.25.4 (#​6239) (@​timofurrer)
• d374725: feat: update go to 1.25.3 (#​6223) (@​caarlos0)
• 42ac564: feat: update go to 1.25.3 (#​6223) (@​caarlos0)

Bug fixes

• a5e267a: fix(announce): user agent should be goreleaser/v2 (@​caarlos0)
• 12a3492: fix(aur): prerelease versions were not being properly handled (#​6204) (@​caarlos0)
• 47b3d40: fix(dockers/v2): add warning when docker buildx uses non-container driver (dockers_v2 only) (#​6263) (@​Copilot)
• 41daedd: fix(dockers/v2): better handle error (@​caarlos0)
• de9ae24: fix(dockers/v2): check docker driver on healthcheck (#​6273) (@​caarlos0)
• aaf5877: fix(github): enterprise urls (#​6261) (@​caarlos0)
• 1099caa: fix(github): more details if sync and create ref fail (#​6255) (@​caarlos0)
• c3bfb5a: fix(go): only add .h artifact if it exists (#​6254) (@​caarlos0)
• 0f0c1ce: fix(mcp): move it all inside mcp.github (@​caarlos0)
• ed61af3: fix(mcp): reduce tool bloat, resources, prompts (@​caarlos0)
• 9d40b76: fix: change some bits of the config to make it easier to keep in sync (@​caarlos0)
• 567f022: fix: dynamically use announcer names in errors (#​6246) (@​FelicianoTech)
• 7f5f40a: fix: lint issues (@​caarlos0)
• 55e8dda: fix: move stuff around in pkg/config (@​caarlos0)
• 8291824: fix: properly mark fields deprecated in jsonschema (@​caarlos0)
• e8408f0: fix: small config improvements (@​caarlos0)
• d95f497: fix: use v3 user-agent for Bluesky announcer (#​6247) (@​FelicianoTech)
• f7fc451: fix: warn mcp experimental (@​caarlos0)
• 69dc9ae: refactor: move mcp out of main repo (#​6232) (@​caarlos0)

Documentation updates

• f9f4529: docs(deps): bump mkdocs-material from 9.6.22 to 9.6.23 in /www in the docs group (#​6242) (@​dependabot[bot])
• 140b4fe: docs(deps): bump mkdocs-rss-plugin from 1.17.6 to 1.17.7 in /www in the docs group (#​6266) (@​dependabot[bot])
• a57ccc3: docs(deps): bump the docs group in /www with 2 updates (#​6257) (@​dependabot[bot])
• ae52ca2: docs(security): update incident response document (@​caarlos0)
• 9e21891: docs: /mcp (@​caarlos0)
• a324e1d: docs: auto update (@​caarlos0)
• 61c0380: docs: auto update (@​caarlos0)
• 0d60b8c: docs: better experimental notice (@​caarlos0)
• 5f26626: docs: blog post about cosign v3 (@​caarlos0)
• 180e346: docs: fix element (@​caarlos0)
• 0c978ec: docs: fix summary (@​caarlos0)
• 14939db: docs: fix typo (@​caarlos0)
• 7e3f6d3: docs: improve wording (@​caarlos0)
• 7161abc: docs: nightly job cosign (@​caarlos0)
• a8c402f: docs: remove -unreleased (@​caarlos0)
• 8485d00: docs: small fixes (@​caarlos0)
• 3cc569f: docs: typo in nfpm.md from 'headers' to 'header' (#​6210) (@​jkroepke)
• 71b8428: docs: typo in nfpm.md from 'headers' to 'header' (#​6210) (@​jkroepke)
• e11cef3: docs: update cgo pages (@​caarlos0)
• 689b24d: docs: update schema (@​caarlos0)

Other work

• b78a41c: Update cmd/mcp.go (@​caarlos0)
• d6d8587: chore: fix typo in taskfile (@​caarlos0)
• 4e19cb7: chore: lint tests (@​caarlos0)
• 34ddcaf: ci(deps): bump the actions group with 2 updates (#​6243) (@​dependabot[bot])
• 50e3175: ci(deps): bump the actions group with 5 updates (#​6277) (@​dependabot[bot])
• eb53874: ci(deps): bump the actions group with 6 updates (#​6216) (@​dependabot[bot])
• c71a5a8: ci(deps): bump the actions group with 6 updates (#​6258) (@​dependabot[bot])
• ac0d841: ci(deps): bump the actions group with 7 updates (#​6267) (@​dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.12.7...v2.13.0

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

github/codeql-action (github/codeql-action)

v4.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v4.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

prettier/prettier (prettier)

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)

// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');

JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)

// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)

// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

v3.7.1

Compare Source

diff

API: Fix performance regression in doc printer (#​18342 by @​fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

v3.7.0

Compare Source

diff

🔗 Release Notes

vitest-dev/vitest (vitest)

v4.0.15

Compare Source

   🚀 Experimental Features

• cache: Add opt-out on a plugin level, fix internal root cache  -  by @​sheremet-va in #​9154 (a68f7)
• reporters: Print import duration breakdown  -  by @​sheremet-va in #​9105 (122ff)

   🐞 Bug Fixes

• Keep built-in id as is in bun and deno  -  by @​sheremet-va in #​9117 (075ab)
• Use optimizeDeps.rolldownOptions to fix depreated warning + fix ssr.external: true  -  by @​hi-ogawa in #​9121 (fd8bd)
• Fix external behavior with deps.optimizer  -  by @​hi-ogawa in #​9125 (4c754)
• Very minor typo in "Chrome DevTools Protocol"  -  by @​HowToTestFrontend in #​9146 (20997)
• browser: Run toMatchScreenshot only once when used with expect.element  -  by @​macarie in #​9132 (0d2e7)
• coverage: Istanbul provider to not break source maps  -  by @​AriPerkkio in #​9040 (e4ca9)
• deps: Update dependency tinyexec to v1  -  in #​9122 (fd786)
• docs: Remove --browser.provider from docs  -  by @​sheremet-va in #​9115 (120b3)
• expect: Preserve currentTestName in extended matchers  -  by @​macarie in #​9106 (e4345)
• pool: Terminate workers on CTRL+c forceful exits  -  by @​AriPerkkio in #​9140 (d57d8)
• reporters: Show project in github reporter  -  by @​sheremet-va in #​9138 (bb65e)
• spy: Do not mock overriden method, if parent was automocked  -  by @​sheremet-va in #​9116 (1a246)
• web-worker: MessagePort objects passed to Worker.postMessage work when clone === "native"  -  by @​whitphx in #​9118 (deee8)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: tools/go.sum

Command failed: go get -t ./...
go: module github.com/goreleaser/goreleaser/v2@v2.13.1 requires go >= 1.25.5; switching to go1.25.5
go: downloading go1.25.5 (linux/amd64)
go: download go1.25.5: golang.org/toolchain@v0.0.1-go1.25.5.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​goreleaser/​goreleaser/​v2@​v2.12.7 ⏵ v2.13.1	+1
	github.com/​golangci/​golangci-lint/​v2@​v2.6.2 ⏵ v2.7.2	+1

View full report