chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
awscli		patch	2.34.56 → 2.34.58	2.34.64 (+5)
npm:@openai/codex (source)		minor	0.135.0 → 0.136.0	0.138.0 (+1)
npm:agent-browser (source)		patch	0.27.0 → 0.27.1
pnpm (source)	packageManager	minor	11.4.0 → 11.5.1	11.5.2
pnpm (source)		minor	11.4.0 → 11.5.1	11.5.2
vercel (source)		minor	54.6.1 → 54.7.1	54.10.2 (+5)
vite-plus (source)	devDependencies	patch	0.1.23 → 0.1.24
wrangler (source)		minor	4.95.0 → 4.96.0	4.98.0 (+1)

---

Release Notes

aws/aws-cli (awscli)

v2.34.58

Compare Source

v2.34.57

Compare Source

vercel-labs/agent-browser (npm:agent-browser)

v0.27.1

Compare Source

Improvements

• Improved vitals command output formatting for better readability (#​1404)

Documentation

• Surfaced agent-browser feature coverage in documentation (#​1403)

pnpm/pnpm (pnpm)

v11.5.1

Compare Source

Patch Changes

• Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
• Avoid crashing when the workspace state cache is partially written or malformed.
• Set npm_config_user_agent for root lifecycle scripts during headless installs.
• Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
• Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
• Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
• Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.

v11.5.0

Compare Source

Minor Changes

• Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits. It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #​6468, closing #​6457.

• Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists were clipped in the terminal #​6643.

  User-facing changes:

  • pnpm update -i / pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via usePagination
  • pnpm audit --fix -i: Same scrolling fix for vulnerability selection
  • pnpm approve-builds: Interactive build approval prompts updated
  • pnpm patch: Version selection and "apply to all" prompts updated
  • pnpm patch-remove: Patch removal selection updated
  • pnpm publish: Branch confirmation prompt updated
  • pnpm login: Credential prompts updated
  • pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt): Confirmation prompt updated

  Vim-style j/k keys still work for up/down navigation in all interactive prompts.

  Internal: The OtpEnquirer and LoginEnquirer DI interfaces changed from { prompt } to { input } / { input, password } respectively. Plugins or custom builds that inject their own enquirer mock will need to update.

• Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #​11887.

Patch Changes

• Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit the findHit cache instead of running their own calculateDepPath are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #​11999.

• Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp with [ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sends npm-auth-type: web on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same withOtpHandling helper used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.

• Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during publishedBy metadata selection and cache-mtime shortcuts.

• Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY. #​12001.

• Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #​11993.

  --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.

vercel/vercel (vercel)

v54.7.1

Compare Source

Patch Changes

• 1180675: Revert "[flags] fix dep detection for build embedding (#​16242)"
• Updated dependencies [1180675]
  • @​vercel/build-utils@​13.26.5
  • @​vercel/backends@​0.8.4
  • @​vercel/elysia@​0.1.85
  • @​vercel/express@​0.1.95
  • @​vercel/fastify@​0.1.88
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.94
  • @​vercel/hono@​0.2.88
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.68
  • @​vercel/nestjs@​0.2.89
  • @​vercel/next@​4.17.5
  • @​vercel/node@​5.8.9
  • @​vercel/python@​6.44.0
  • @​vercel/redwood@​2.4.15
  • @​vercel/remix-builder@​5.8.5
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0
  • @​vercel/static-build@​2.9.34

v54.7.0

Compare Source

Minor Changes

• 0b4e1ef: Add vercel connect revoke-tokens subcommand to revoke tokens issued from a connector.

Patch Changes

• ba6e7c6: Internal: fix _deploy eval grader passing --token "" in the Docker sandbox where VERCEL_TOKEN isn't in process env. Only pass --token when set; CLI falls back to auth.json otherwise.
• 92988c2: Handle sensitive Environment Variable pull challenges in the CLI.
• 3986bb0: Stop retrying intentionally aborted requests so the CLI exits promptly after a deployment is ready.
• 64f5484: Allow SAML re-authentication to use device-code flow in non-TTY sessions.
• 97fdbbe: [flags] fix dep detection for build embedding
• Updated dependencies [2d918b8]
  • @​vercel/remix-builder@​5.8.5

voidzero-dev/vite-plus (vite-plus)

v0.1.24: vite-plus v0.1.24

Compare Source

A new vp pm stage publishing workflow, hardened installs and upgrades, a Node-version mismatch reinstall prompt, and the bundled vite/vitest/tsdown stack moves forward.

Features

• vp pm stage: a new vp pm subcommand exposing npm's staged-publishing workflow (upload a build to a staging area without 2FA, then approve or reject it from a trusted device); it maps to pnpm stage / npm stage / yarn npm ... --staged per package manager, with an npm fallback for yarn Classic and bun (#​1715), by @​fengmk2
• vp: prompt to reinstall when up-to-date global packages were built against a different Node.js than the active one (defaults to no); adds --reinstall-node-mismatch and --ignore-node-mismatch, and skips the prompt in CI (#​1666), by @​liangmiQwQ
• vp format: add format as a visible alias of vp fmt, so the common slip vp format resolves correctly and vp format --init / --migrate apply the same vite.config.ts wiring as vp fmt (#​1727), by @​semimikoh

Fixes & Enhancements

• vp install / Node runtime download: HTTP retries now wrap the whole body stream, hash verification, and archive extraction (not just the request headers), so truncated or corrupt downloads of package managers and Node are re-fetched instead of failing on the first attempt (#​1719), by @​fengmk2
• vp upgrade --force on Windows: install into a fresh directory before repointing current, so the forced reinstall no longer fails trying to overwrite the running vp.exe (#​1714), by @​fengmk2
• vp install -g: install global packages directly into their final prefix instead of a temp dir that gets moved, so packages whose postinstall scripts bake in absolute or relative temp paths still resolve their bins; a failed package in a multi-package install no longer removes the shims of the ones that already succeeded (#​1698), by @​liangmiQwQ
• vp why: remove the -g / --global flag, which delegated to the package manager's global mode and ignored Vite+-managed global packages; vp why stays project-scoped while vp outdated -g keeps using the managed global flow (#​1720), by @​liangmiQwQ
• Windows installer: remove the existing current link via PowerShell (detecting junctions, symlinks, and stale directories) instead of cmd /c rmdir, which could fail with "The directory is not empty" (#​1726), by @​TheAlexLichter
• vp create: skip editor-config detection and package-local editor settings by default when creating a project inside an existing monorepo; --editor <name> stays an explicit opt-in and --no-editor an opt-out (#​1729), by @​jong-kyung
• vp create vite:monorepo (pnpm): keep the aliased vite/vitest in the website app's package.json so the workspace overrides.vite: catalog: has a direct consumer and vp why vite resolves to @voidzero-dev/vite-plus-core; npm/yarn/bun still drop the dead-weight keys (#​1728), by @​fengmk2
• vp pack: rewrite direct createRequire(...)("picomatch") calls in bundled tsdown output to the local bundled CJS entry, so packing no longer depends on an undeclared runtime picomatch under pnpm hoist: false (#​1732), by @​fengmk2
• vp migrate: resolve a catalog: husky pin from the workspace catalog (pnpm-workspace.yaml, .yarnrc.yml, or package.json catalogs) during the git-hooks preflight, so a compatible catalog-pinned husky no longer triggers a false "could not determine husky version" warning and skips hook setup (#​1710), by @​fengmk2

Docs

• Add a Copy Prompt button to the docs site that copies an AI-friendly getting-started prompt (intro, llms-full.txt pointer, install commands, and core vp commands) for handing straight to a coding agent (#​1706), by @​fengmk2
• Update troubleshooting.md: vite.config.ts related issues are resolved by updating oxlint and oxfmt (#​1708), by @​leaysgur
• Clarify the product and repository documentation locations and the new Run guide/config paths in AGENTS.md (#​1707), by @​leaysgur

Chore

• vp install: reduce retained vp versions from 5 to 3 across the installer, vp upgrade, and the shell/PowerShell bootstrap scripts (active and previous versions stay protected for rollback); document the 3-version retention and vp upgrade --rollback (#​1716), by @​fengmk2
• Exclude the snap-tests directory from Vitest config discovery so the VS Code Vitest extension stops generating a stray .vitest-plugin-loaded file (#​1723), by @​liangmiQwQ
• Refresh trusted stack stats on the docs homepage (#​1734), by @​voidzero-guard[bot]
• Update @​wan9chi's GitHub handle (formerly branchseer) (#​1705), by @​wan9chi
• Update GitHub Actions (#​1724, #​1730), by @​renovate[bot]
• Upgrade upstream dependencies: vite 8.0.14 → 8.0.16, vitest 4.1.7 → 4.1.8, tsdown 0.22.0 → 0.22.1, @vitejs/devtools 0.2.0 → 0.3.1 (#​1713, #​1735, #​1737), by @​voidzero-guard[bot]

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.0.3	a287faa
tsdown	0.22.1	npm
vitest	4.1.8	npm
oxlint	1.67.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.52.0	npm

New Contributors

Welcome to our new contributor @​semimikoh! 🎉

Full Changelog: voidzero-dev/vite-plus@v0.1.23...v0.1.24

Published Packages

• @voidzero-dev/vite-plus-core@0.1.24
• @voidzero-dev/vite-plus-test@0.1.24
• vite-plus@0.1.24

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Upgrade:

vp upgrade

cloudflare/workers-sdk (wrangler)

v4.96.0

Compare Source

Minor Changes

• #​14087 e3c862a Thanks @​edmundhung! - Add support for the new web_search binding kind.

  Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in wrangler.jsonc:

  {
    "web_search": { "binding": "WEBSEARCH" }
  }

  There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single search() method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global fetch() API against the result's url.

  The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the websearch.run OAuth scope to wrangler login.

  Also adds a wrangler websearch search command for running ad-hoc queries from the CLI:

  npx wrangler websearch search "cloudflare workers"
  npx wrangler websearch search "cloudflare workers" --limit 5
  npx wrangler websearch search "cloudflare workers" --json

  --limit is optional (defaults to 10, capped at 20). --json prints the raw response; without it the results render as a pretty table.

• #​13610 cbb39bd Thanks @​petebacondarwin! - Add support for agent_memory bindings

  Agent Memory bindings allow Workers to connect to Cloudflare's Agent Memory service for storing and retrieving agent conversation state. This binding is remote-only, meaning it always connects to the Cloudflare API during wrangler dev rather than using a local simulation.

  To configure an agent_memory binding, add the following to your wrangler.json:

  {
    "agent_memory": [
      {
        "binding": "MY_MEMORY",
        "namespace": "my-namespace"
      }
    ]
  }

  Wrangler will automatically provision the namespace during deployment if it does not already exist. Type generation via wrangler types is also supported.

  This change also adds the agent-memory:write OAuth scope to Wrangler's default login scopes, so wrangler login can request the permissions needed to provision and manage Agent Memory namespaces.

• #​13610 cbb39bd Thanks @​petebacondarwin! - Add wrangler agent-memory namespace commands

  The following commands have been added for managing Agent Memory namespaces:

  wrangler agent-memory namespace create <namespace>
  wrangler agent-memory namespace list [--json]
  wrangler agent-memory namespace get <namespace_name> [--json]
  wrangler agent-memory namespace delete <namespace_name> [--force]

• #​14087 e3c862a Thanks @​edmundhung! - Add confirmation prompt to wrangler containers images delete

  Previously, running wrangler containers images delete IMAGE:TAG would delete the image immediately with no confirmation. The command now prompts for confirmation before deleting. Use -y or --skip-confirmation to bypass the prompt in non-interactive or scripted environments.

• #​14087 e3c862a Thanks @​edmundhung! - Rename pipeline field to stream in pipeline bindings configuration

  The pipeline field inside pipelines bindings has been renamed to stream to align with the updated API wire format. The old pipeline field is still accepted but deprecated and will emit a warning.

  Before:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "pipeline": "my-stream-name"
      }
    ]
  }

  After:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "stream": "my-stream-name"
      }
    ]
  }

• #​14087 e3c862a Thanks @​edmundhung! - Allow pipeline, stream, and sink commands to resolve resources by name with pagination-aware lookups.

• #​14087 e3c862a Thanks @​edmundhung! - Support deleting secrets via wrangler secret bulk

  You can now delete secrets in bulk by setting their value to null in the JSON input file:

  { "SECRET_TO_DELETE": null, "SECRET_TO_UPDATE": "new-value" }

• #​14091 4c0da7b Thanks @​gpanders! - Add ProxyCommand support for wrangler containers ssh

  wrangler containers ssh now automatically switches to a stdio proxy when invoked by OpenSSH's ProxyCommand, and --stdio can force this mode. This lets users connect with ssh <instance_id> when their SSH config uses Wrangler as the proxy command.

• #​13892 13cbadb Thanks @​penalosa! - Remove the deprecated experimental.testMode option from unstable_dev

  experimental.testMode previously only affected the default logLevel (warn when testMode: true, log otherwise) and has been flagged for removal in its type-definition comment since it landed. It is now removed, and unstable_dev's default log level matches wrangler dev's (log).

  Callers that explicitly passed testMode: true to get quieter logs should now set logLevel: "warn" directly.

Patch Changes

• #​14016 408432a Thanks @​petebacondarwin! - report all failing triggers from a single deploy

  wrangler deploy deploys several kinds of trigger in parallel (routes, custom domains, schedules, queue producers/consumers, workflows). Previously, if one of those API calls failed, the first rejection short-circuited the rest, no other deployments were reported, and (in the case of custom-domain confirmation conflicts) some failures were silently logged to stdout without the deploy actually failing.

  wrangler deploy now waits for every trigger deployment to settle, prints every successfully-deployed target (so you still see what landed), and then throws a single error listing every trigger that failed.

  Note that this also turns the previously-silent "user declined to override a conflicting Custom Domain" case into a hard failure of wrangler deploy, which matches what was always implied by the message ("Publishing to Custom Domain ... was skipped, fix conflict and try again").

• #​14125 1103c07 Thanks @​dario-piotrowicz! - Bump rosie-skills from 0.7.6 to 0.8.1 and bundle it into the Wrangler output

  The new version of rosie-skills is a pure-TypeScript rewrite that removes the previously necessary ~600kb WASM binary. The package now ships only JavaScript with one minimal dependencies (modern-tar).

  Additionally, rosie-skills is now bundled directly into Wrangler's distributable rather than kept as an external runtime dependency. This eliminates the supply chain concern raised in #​14110: there is no separate package to resolve at install time, since all code is inlined into Wrangler's build output.

• #​14135 5b5cbd3 Thanks @​Refaerds! - Update the generated type for browser bindings to BrowserRun

  When running wrangler types, browser bindings were previously typed as the generic Fetcher. They now generate the more specific and accurate BrowserRun type.

• #​14087 e3c862a Thanks @​edmundhung! - Bump rosie-skills package from 0.6.3 to 0.7.6

• #​14087 e3c862a Thanks @​edmundhung! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260526.1	1.20260527.1

• #​14076 97d7d81 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260527.1	1.20260528.1

• #​14100 c647ccc Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260528.1	1.20260529.1

• #​14087 e3c862a Thanks @​edmundhung! - Disable Sentry error reporting by default

  WRANGLER_SEND_ERROR_REPORTS now defaults to false instead of prompting on every error. The current prompt produces too many false-positive reports. Users can still opt in explicitly by setting WRANGLER_SEND_ERROR_REPORTS=true.

• #​14087 e3c862a Thanks @​edmundhung! - Fix wrangler setup failing for Vite projects without a config file

  wrangler setup (and wrangler deploy --experimental-autoconfig) crashed with "Could not find Vite config file to modify" for Vite projects that don't have a vite.config.js or vite.config.ts. This affected 6 of the 16 create-vite templates: vanilla, vanilla-ts, react-swc, react-swc-ts, lit, and lit-ts.

  Autoconfig now creates a minimal Vite config with the Cloudflare plugin when no config file exists, instead of failing. The file extension (.ts or .js) is chosen based on whether the project has a tsconfig.json.

• #​14087 e3c862a Thanks @​edmundhung! - Show helpful message with URL when browser cannot be opened in headless/container environments

  Previously, running wrangler login (or any command that opens a browser) in headless Linux environments without xdg-open installed would crash with a confusing "A file or directory could not be found — Missing file or directory: xdg-open" error.

  Now wrangler catches the error and prints a clear warning with the URL so users can copy-paste it into a browser manually.

• #​14087 e3c862a Thanks @​edmundhung! - wrangler secrets-store secret create and secret update now reject secret values larger than 64 KiB (65,536 bytes) with a clear error before calling the Cloudflare API. Previously the CLI accepted them, the secret appeared in secret list, and the failure surfaced later (and confusingly) at worker deploy time as a "secret doesn't exist" error against the binding. 64 KiB is the cap enforced by the API; the CLI now enforces it at the same boundary.

• #​14059 b64b7e4 Thanks @​matingathani! - Fix wrangler kv bulk get printing "Success!" to stdout, which corrupted JSON output when piped to tools like jq

• #​14002 e4c8fd9 Thanks @​danyalahmed1995! - Show a clear error for invalid API token header characters

  Wrangler now detects API tokens containing characters that cannot be sent in the HTTP Authorization header before making an API request. This avoids a low-level ByteString conversion error and helps users recreate or recopy the token without printing the token value.

• #​14132 2dffeeb Thanks @​dario-piotrowicz! - Adapt React Router autoconfig based on v8_middleware future flag

  The React Router autoconfig (wrangler setup) now detects whether v8_middleware: true is set in the user's react-router.config.ts. When it is, the generated workers/app.ts uses a simplified fetch handler without AppLoadContext module augmentation, and the generated app/entry.server.tsx omits the _loadContext parameter. When v8_middleware is not set, the existing AppLoadContext pattern with env/ctx params is preserved.

  This avoids breaking projects that use the v8_middleware future flag (which changes the context API from AppLoadContext to RouterContextProvider), while keeping the traditional pattern for projects that haven't opted in.

• #​14133 59e43e4 Thanks @​matingathani! - Fix wrangler whoami printing a trailing period after the api-tokens URL

  The message To see token permissions visit https://...api-tokens. ended with
  a period that became part of the URL when clicked in terminals or GitHub Actions
  output, causing a 404. The period is removed and a comma added before "visit"
  so the sentence reads naturally without a trailing period on the URL.

• Updated dependencies [e3c862a, cbb39bd, 7bb5c7a, e3c862a, 97d7d81, c647ccc, e3c862a, e3c862a, 972d13d]:

  • miniflare@​4.20260529.0

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.