chore(deps): update github-actions#201

Open
renovate[bot] wants to merge 1 commit into main from renovate/github-actions

Conversation

@renovate renovate Bot commented Apr 26, 2026

This PR contains the following updates:

Package                    Type       Update   Change                 Pending
actions/setup-node         action     minor    v6.3.0 → v6.4.0
cargo-bins/cargo-binstall  action     digest   d125de8 → f8810ff
codecov/codecov-action     action     patch    v6.0.0 → v6.0.1
crate-ci/typos             action     patch    v1.46.2 → v1.46.3      v1.47.1 (+1)
github/codeql-action       action     digest   03e4368 → d77b13a
pnpm (source)              uses-with  minor    11.3.0 → 11.4.0        11.5.1 (+1)
pnpm/action-setup          action     patch    v6.0.5 → v6.0.8
taiki-e/install-action     action     minor    v2.75.18 → v2.79.10    v2.81.3 (+9)

Release Notes

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

codecov/codecov-action (codecov/codecov-action)

v6.0.1

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

crate-ci/typos (crate-ci/typos)

v1.46.3

Compare Source

[1.46.3] - 2026-05-23

Fixes
  • Don't correct to sequentials
  • Don't correct to subdolder

pnpm/pnpm (pnpm)

v11.4.0

Compare Source

Minor Changes
  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

  • pnpm runtime set <name> <version> now saves the runtime to devEngines.runtime by default instead of engines.runtime. Pass --save-prod (or -P) to save it to engines.runtime instead #11948.

Patch Changes
  • Fix a credential disclosure issue where an unscoped _authToken (or _auth, or username + _password, or tokenHelper) defined in one source — ~/.npmrc, ~/.config/pnpm/auth.ini, a workspace .npmrc, CLI flags, etc. — would be sent as an Authorization header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert, key) so they aren't presented to a registry their author didn't choose.

    pnpm now rewrites each unscoped per-registry setting (_authToken, _auth, username, _password, tokenHelper, cert, key) to its URL-scoped form at load time, using the registry= value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding registry= therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.

    Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since npm@9, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g. //registry.example.com/:_authToken=... or //registry.example.com/:cert=...).

    @pnpm/network.auth-header: removed the defaultRegistry parameter from createGetAuthHeaderByURI and getAuthHeadersFromCreds. Now that credentials are URL-scoped at load time, the merged configByUri never contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.

  • Fix pnpm deploy crashing with ENOENT: ... lstat '<deployDir>/node_modules' when configDependencies declares pacquet (pacquet or @pnpm/pacquet). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.

  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.

  • Limit concurrent project manifest reads while listing large workspaces to avoid EMFILE errors.

  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.

  • Improve the log message that pnpm prints after auto-adding entries to minimumReleaseAgeExclude when minimumReleaseAge is set without minimumReleaseAgeStrict. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set minimumReleaseAgeStrict to true if they want these updates gated behind a prompt instead #11747.

  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

  • Validate devEngines.runtime and engines.runtime version ranges for node, deno, and bun when onFail is set to error or warn. Previously these settings only had an effect with onFail: 'download' — the error and warn modes silently did nothing #11818. Violations now throw ERR_PNPM_BAD_RUNTIME_VERSION.

  • Require provenance before treating trusted publisher metadata as the strongest trust evidence.

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

v6.0.7

Compare Source

v6.0.6

Compare Source

What's Changed
  • fix: bin_dest output points to self-updated pnpm, not bootstrap by @zkochan in #249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

taiki-e/install-action (taiki-e/install-action)

v2.79.10: 2.79.10

Compare Source

  • Update tombi@latest to 1.1.0.

  • Update prek@latest to 0.4.2.

  • Update editorconfig-checker@latest to 3.7.0.

v2.79.9: 2.79.9

Compare Source

  • Update vacuum@latest to 0.26.7.

  • Update tombi@latest to 1.0.0.

v2.79.8: 2.79.8

Compare Source

  • Update parse-dockerfile@latest to 0.1.6.

  • Update knope@latest to 0.23.0.

v2.79.7: 2.79.7

Compare Source

  • Update typos@latest to 1.46.3.

  • Update rclone@latest to 1.74.2.

  • Update mise@latest to 2026.5.15.

  • Update tombi@latest to 0.11.7.

v2.79.6: 2.79.6

Compare Source

  • Update wasm-bindgen@latest to 0.2.122.

  • Update mise@latest to 2026.5.14.

  • Update cargo-deny@latest to 0.19.7.

  • Update vacuum@latest to 0.26.6.

v2.79.5: 2.79.5

Compare Source

  • Update jaq@latest to 3.0.0. (#1861, thanks @MusicalNinjaDad)

  • Update wasmtime@latest to 45.0.0.

  • Update wasm-tools@latest to 1.250.0.

  • Update tombi@latest to 0.11.6.

  • Update mise@latest to 2026.5.13.

v2.79.4: 2.79.4

Compare Source

  • Update martin@latest to 1.10.1.

  • Update prek@latest to 0.4.1.

  • Update protoc@latest to 3.35.0.

  • Update mdbook@latest to 0.5.3.

v2.79.3: 2.79.3

Compare Source

  • Update mise@latest to 2026.5.12.

  • Update martin@latest to 1.10.0.

  • Update uv@latest to 0.11.15.

v2.79.2: 2.79.2

Compare Source

  • Update mise@latest to 2026.5.11.

  • Update vacuum@latest to 0.26.5.

  • Update cargo-shear@latest to 1.12.4.

v2.79.1: 2.79.1

Compare Source

  • Update tombi@latest to 0.11.5.

  • Update cargo-nextest@latest to 0.9.136.

  • Update typos@latest to 1.46.2.

  • Update mise@latest to 2026.5.10.

v2.79.0: 2.79.0

Compare Source

  • Support more host architectures. (#1841, thanks @Gelbpunkt)

  • Deprecate mdbook-alerts because the feature is now included in mdbook and the repository has been archived. (#1844)

  • Deprecate iai-callgrind-runner because it has been renamed to gungraun-runner. gungraun-runner is also supported by this action. (#1844)

v2.78.3: 2.78.3

Compare Source

  • Update zizmor@latest to 1.25.2.

  • Update cargo-zigbuild@latest to 0.22.3. (#1814, thanks @simonhollingshead)

  • Update wasm-tools@latest to 1.249.0.

  • Update gungraun-runner@latest to 0.19.0.

v2.78.2: 2.78.2

Compare Source

  • Update wasm-pack@latest to 0.15.0.

  • Update zizmor@latest to 1.25.0.

  • Update mise@latest to 2026.5.9.

  • Update cargo-nextest@latest to 0.9.135.

  • Update cyclonedx@latest to 0.32.0.

  • Update prek@latest to 0.4.0.

v2.78.1: 2.78.1

Compare Source

  • Update mise@latest to 2026.5.7.

  • Diagnostic improvements.

v2.78.0: 2.78.0

Compare Source

  • Support cargo-mutants. (#1812, thanks @jakewimmer)

  • Update covgate@latest to 0.2.0.

  • Update cargo-llvm-cov@latest to 0.8.7.

  • Update uv@latest to 0.11.14.

  • Update martin@latest to 1.9.1.

  • Update tombi@latest to 0.11.4.

v2.77.7: 2.77.7

Compare Source

  • Update mise@latest to 2026.5.6.

  • Update cargo-deny@latest to 0.19.6.

v2.77.6: 2.77.6

Compare Source

  • Fix wasm-pack installation failure.

  • Update mise@latest to 2026.5.5.

  • Update release-plz@latest to 0.3.158.

  • Update just@latest to 1.51.0.

v2.77.5: 2.77.5

Compare Source

  • Update biome@latest to 2.4.15.

  • Update mise@latest to 2026.5.4.

  • Update cargo-deny@latest to 0.19.5.

v2.77.4: 2.77.4

Compare Source

  • Update tombi@latest to 0.11.1.

  • Update cargo-llvm-cov@latest to 0.8.6.

  • Update uv@latest to 0.11.12.

v2.77.3: 2.77.3

Compare Source

  • Update typos@latest to 1.46.1.

  • Update rclone@latest to 1.74.1.

  • Update tombi@latest to 0.11.0.

  • Update osv-scanner@latest to 2.3.8.

  • Update mise@latest to 2026.5.3.

v2.77.2: 2.77.2

Compare Source

  • Update martin@latest to 1.9.0.

  • Update wasm-bindgen@latest to 0.2.121.

  • Update uv@latest to 0.11.11.

  • Update mise@latest to 2026.5.1.

  • Update prek@latest to 0.3.13.

  • Update tombi@latest to 0.10.6.

v2.77.1: 2.77.1

Compare Source

  • Support taiki-e/install-action@rust tag.

  • Update tombi@latest to 0.10.3.

  • Update martin@latest to 1.8.2.

v2.77.0: 2.77.0

Compare Source

  • Support rust. (#1779)

    This installs rust using rustup.

    If rustup is not yet installed, this action downloads rustup-init for the current platform using HTTPS with TLS 1.2+, verifies its SHA256 checksum, and then installs rustup with it.

    This also supports installing additional components at the same time by +<additional> syntax:

    - uses: taiki-e/install-action@v2
      with:
        # Install rust stable with rustfmt component and wasm32-wasip1 target.
        tool: rust+rustfmt+wasm32-wasip1
        # When installing another rust version:
        # tool: rust@nightly + rustfmt + wasm32-wasip1
  • Fix an issue where the x86_64 binary would be installed on AArch64 Windows even when an AArch64 Windows binary is available.

  • Update mise@latest to 2026.5.0.

  • Diagnostic improvements.

v2.76.0: 2.76.0

Compare Source

  • Support mdbook-d2. (#1737, thanks @nhu)

  • Support cargo-apple-runner. (#1731, thanks @madsmtm)

  • Support cargo-binstall on riscv64 Linux.

  • Update cargo-deb@latest to 3.7.0.

  • Update tombi@latest to 0.10.2.

v2.75.30: 2.75.30

Compare Source

  • Support cargo-spellcheck on AArch64 Linux/Windows.

  • Update cargo-spellcheck@latest to 0.15.7.

  • Update biome@latest to 2.4.14.

v2.75.29: 2.75.29

Compare Source

  • Update syft@latest to 1.44.0.

  • Update rclone@latest to 1.74.0.

  • Update osv-scanner@latest to 2.3.6.

v2.75.28: 2.75.28

Compare Source

  • Update wasmtime@latest to 44.0.1.

  • Update typos@latest to 1.46.0.

  • Update tombi@latest to 0.10.1.

  • Update sccache@latest to 0.15.0.

  • Update mise@latest to 2026.4.28.

  • Update gungraun-runner@latest to 0.18.2.

  • Update cyclonedx@latest to 0.31.0.

v2.75.27: 2.75.27

Compare Source

  • Update cargo-udeps@latest to 0.1.61.

  • Update wasm-tools@latest to 1.248.0.

  • Update cargo-deb@latest to 3.6.4.

v2.75.26: 2.75.26

Compare Source

  • Update wasm-bindgen@latest to 0.2.120.

  • Update mise@latest to 2026.4.25.

  • Update martin@latest to 1.8.0.

  • Update vacuum@latest to 0.26.4.

v2.75.25: 2.75.25

Compare Source

  • Update uv@latest to 0.11.8.

  • Update typos@latest to 1.45.2.

  • Update tombi@latest to 0.9.25.

  • Update mise@latest to 2026.4.24.

v2.75.24: 2.75.24

Compare Source

  • Update prek@latest to 0.3.11.

  • Update mise@latest to 2026.4.23.

  • Update vacuum@latest to 0.26.3.

v2.75.23: 2.75.23

Compare Source

  • Update vacuum@latest to 0.26.2.

  • Update tombi@latest to 0.9.24.

  • Update mise@latest to 2026.4.22.

  • Update martin@latest to 1.7.0.

  • Update git-cliff@latest to 2.13.1.

  • Update cargo-tarpaulin@latest to 0.35.4.

  • Update cargo-sort@latest to 2.1.4.

v2.75.22: 2.75.22

Compare Source

  • Update tombi@latest to 0.9.22.

  • Update biome@latest to 2.4.13.

v2.75.21: 2.75.21

Compare Source

  • Update mise@latest to 2026.4.19.

  • Update tombi@latest to 0.9.21.

  • Update syft@latest to 1.43.0.

v2.75.20: 2.75.20

Compare Source

  • Update prek@latest to 0.3.10.

  • Update cargo-xwin@latest to 0.22.0.

v2.75.19: 2.75.19

Compare Source

  • Update wasmtime@latest to 44.0.0.

  • Update tombi@latest to 0.9.20.

  • Update martin@latest to 1.6.0.

  • Update just@latest to 1.50.0.

  • Update mise@latest to 2026.4.18.

  • Update rclone@latest to 1.73.5.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
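
The lockfile, alias and patch-file checks that the pnpm 11.4.0 notes above describe, as an added JavaScript example. This is not pnpm's own code: the lockfile entry shapes, the function names (validGitCommit, validTarballResolution, validAlias, validPatch, lockfileProblems) and the sample packages and patches are constructed for illustration; the check logic (40-hex commit, mandatory integrity except for git-host and file: tarballs, path-segment validation for aliases and for diff --git headers) follows the release notes.

```javascript
// Added example, not pnpm's code: fail-closed checks for the lockfile, manifest and
// patch-file inputs that pnpm 11.4.0's release notes describe. The entry shapes and
// sample data are simplified assumptions.

// 1. Git resolutions: a commit must be a full 40-hex SHA-1. Anything else, such as
//    "--upload-pack=<cmd>", would reach git fetch / git checkout as an option.
const FULL_SHA1 = /^[0-9a-f]{40}$/;
function validGitCommit(commit) {
  return typeof commit === 'string' && FULL_SHA1.test(commit);
}

// 2. Remote tarballs: integrity is mandatory unless the bytes are already anchored by
//    a commit SHA in a git-host URL or by a user-controlled file: path.
const GIT_HOSTS = new Set(['codeload.github.com', 'bitbucket.org', 'gitlab.com']);
function tarballNeedsIntegrity(resolution) {
  if (resolution.gitHosted === true) return false;
  const url = String(resolution.tarball);
  if (url.startsWith('file:')) return false;
  let host;
  try { host = new URL(url).hostname; } catch { return true; } // unparsable URL: fail closed
  return !GIT_HOSTS.has(host);
}
function validTarballResolution(resolution) {
  if (!tarballNeedsIntegrity(resolution)) return true;
  return typeof resolution.integrity === 'string' && resolution.integrity.length > 0;
}

// 3. Relative paths that must stay inside a directory: walk the segments with a depth
//    counter; climbing above the root, an absolute path or a backslash is rejected.
function staysInside(relPath) {
  if (typeof relPath !== 'string' || relPath.startsWith('/') || relPath.includes('\\')) return false;
  let depth = 0;
  for (const seg of relPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    depth += seg === '..' ? -1 : 1;
    if (depth < 0) return false;
  }
  return true;
}

// Dependency aliases must also look like a package name ("name" or "@scope/name"), so
// a key such as "@x/../../../.git/hooks" can never become a symlink target.
function validAlias(alias) {
  if (!staysInside(alias) || alias.length === 0) return false;
  const segments = alias.split('/');
  if (segments.some((s) => s === '' || s === '.' || s === '..')) return false;
  return alias.startsWith('@') ? segments.length === 2 : segments.length === 1;
}

// Patch files: every "diff --git a/<old> b/<new>" header must point inside the package
// directory; a header the strict pattern cannot parse is rejected as well.
function validPatch(patchText) {
  for (const line of patchText.split(/\r?\n/)) {
    if (!line.startsWith('diff --git ')) continue;
    const m = /^diff --git a\/(\S+) b\/(\S+)$/.exec(line);
    if (!m || !staysInside(m[1]) || !staysInside(m[2])) return false;
  }
  return true;
}

// Run the checks over a lockfile "packages" map and list what would be refused at
// lockfile-read time, before any download, git or symlink operation happens.
function lockfileProblems(packages) {
  const problems = [];
  for (const [key, pkg] of Object.entries(packages)) {
    const r = pkg.resolution || {};
    if ('commit' in r && !validGitCommit(r.commit)) problems.push(`${key}: git commit is not a 40-hex SHA`);
    if ('tarball' in r && !validTarballResolution(r)) problems.push(`${key}: ERR_PNPM_MISSING_TARBALL_INTEGRITY`);
    for (const alias of Object.keys(pkg.dependencies || {})) {
      if (!validAlias(alias)) problems.push(`${key}: rejected alias ${JSON.stringify(alias)}`);
    }
  }
  return problems;
}

// Constructed sample entries (not from any real lockfile).
const SAMPLE_PACKAGES = {
  'ok-pkg@1.0.0': {
    resolution: { integrity: 'sha512-AAAA', tarball: 'https://registry.example.test/ok-pkg/-/ok-pkg-1.0.0.tgz' },
    dependencies: { '@scope/dep': '2.0.0' },
  },
  'stripped@1.0.0': { resolution: { tarball: 'https://registry.example.test/stripped/-/stripped-1.0.0.tgz' } },
  'ghpkg@0.0.1': { resolution: { tarball: 'https://codeload.github.com/o/r/tar.gz/0123456789abcdef0123456789abcdef01234567' } },
  'evil-git@0.0.0': { resolution: { type: 'git', repo: 'ssh://git@example.test/r.git', commit: '--upload-pack=touch /tmp/pwned' } },
  'evil-alias@0.0.0': {
    resolution: { integrity: 'sha512-BBBB', tarball: 'https://registry.example.test/e/-/e-0.0.0.tgz' },
    dependencies: { '@x/../../../../../.git/hooks': '1.0.0' },
  },
};
const SAFE_PATCH = 'diff --git a/lib/index.js b/lib/index.js\n--- a/lib/index.js\n+++ b/lib/index.js\n@@ -1 +1 @@\n-x\n+y\n';
const TRAVERSAL_PATCH = 'diff --git a/../../.git/hooks/post-checkout b/../../.git/hooks/post-checkout\n@@ -0,0 +1 @@\n+#!/bin/sh\n';

console.log(lockfileProblems(SAMPLE_PACKAGES));
console.log(validPatch(SAFE_PATCH), validPatch(TRAVERSAL_PATCH)); // true false
```

Three of the five constructed entries are refused: the one whose integrity was stripped, the git resolution whose commit field is an option string, and the alias that climbs out of node_modules. The codeload.github.com tarball passes without integrity because the commit SHA in its URL already pins the bytes, which is the exemption the notes describe.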
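
The credential-scoping fix from the same pnpm 11.4.0 notes, as an added example that is not pnpm's code. Two constructed .npmrc sources are merged first naively, which hands the user's unscoped _authToken to whichever registry the project's .npmrc names, and then with each source's credentials pinned to its own registry= at load time. parseIni, nerfDart, rescopeSource, mergeSources and authTokenFor are illustrative names, and the hosts and token value are made up.

```javascript
// Added example, not pnpm's code: how an unscoped _authToken leaks across layered
// .npmrc sources, and the load-time rescoping that pnpm 11.4.0 describes.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
const CREDENTIAL_KEYS = new Set(['_authToken', '_auth', 'username', '_password', 'tokenHelper', 'cert', 'key']);

// Minimal "key=value" ini reader; comments and blank lines are skipped.
function parseIni(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// "https://registry.example.com/" -> "//registry.example.com/" (npm's URL-scoped key prefix).
function nerfDart(url) {
  const u = new URL(url);
  const p = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return `//${u.host}${p}`;
}

// Pin every unscoped credential in ONE source to the registry= that source declares
// (or the default registry), and record a warning so the rewrite is visible.
function rescopeSource(source) {
  const prefix = nerfDart(source.registry || DEFAULT_REGISTRY);
  const config = {};
  const warnings = [];
  for (const [k, v] of Object.entries(source)) {
    if (CREDENTIAL_KEYS.has(k)) {
      config[`${prefix}:${k}`] = v;
      warnings.push(`unscoped ${k} pinned to ${prefix}; write it as ${prefix}:${k}=... instead`);
    } else {
      config[k] = v; // registry, ca, cafile and everything else stay as written
    }
  }
  return { config, warnings };
}

// Later sources override earlier ones (user -> project -> CLI).
function mergeSources(sources) {
  return Object.assign({}, ...sources);
}

// Credential lookup for a request URL: the longest matching URL-scoped key wins;
// a surviving unscoped _authToken would apply to every registry (the leak).
function authTokenFor(config, requestUrl) {
  const target = nerfDart(requestUrl);
  let best = null;
  for (const key of Object.keys(config)) {
    if (!key.endsWith(':_authToken')) continue;
    const prefix = key.slice(0, -':_authToken'.length);
    if (target.startsWith(prefix) && (best === null || key.length > best.length)) best = key;
  }
  if (best !== null) return config[best];
  return config._authToken !== undefined ? config._authToken : null;
}

// Constructed sources: the user's ~/.npmrc names the company registry and an unscoped
// token; a cloned project's .npmrc repoints registry= at a host the user never chose.
const USER_NPMRC = 'registry=https://registry.example.com/\n_authToken=s3cret-user-token\ncafile=/etc/ssl/corp-ca.pem\n';
const PROJECT_NPMRC = '# committed by the project, possibly via a pull request\nregistry=https://evil.example.test/\n';

function naiveMerge() {
  return mergeSources([parseIni(USER_NPMRC), parseIni(PROJECT_NPMRC)]);
}
function rescopedMerge() {
  return mergeSources([USER_NPMRC, PROJECT_NPMRC].map((t) => rescopeSource(parseIni(t)).config));
}

const tarball = 'https://evil.example.test/pkg/-/pkg-1.0.0.tgz';
console.log('naive:', authTokenFor(naiveMerge(), tarball)); // the user's token is sent to evil.example.test
console.log('rescoped:', authTokenFor(rescopedMerge(), tarball)); // null
```

The project's registry= override still wins after rescoping, so installs would go to the new host; what changes is that no credential follows it there. The cafile line survives the merge unscoped, matching the note that trust anchors are deliberately not rescoped, and only the seven credential keys are pinned.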

@renovate renovate Bot enabled auto-merge (squash) April 26, 2026 16:52
codspeed-hq Bot commented Apr 26, 2026

Merging this PR will improve performance by 4.1%

⚡ 1 improved benchmark
✅ 11 untouched benchmarks

Performance Changes

Mode    Benchmark              BASE     HEAD     Efficiency
Memory  resolver[pnp resolve]  9.1 KB   8.7 KB   +4.1%


Comparing renovate/github-actions (8ca05fe) with main (cb42e9a)


@renovate renovate Bot force-pushed the renovate/github-actions branch from 2479122 to 8bad6fc, May 3, 2026 16:32
@renovate renovate Bot changed the title from "chore(deps): update github-actions" to "chore(deps): update github actions", May 3, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 2 times, most recently from 041be11 to 3c90ddc, May 17, 2026 16:52
@renovate renovate Bot force-pushed the renovate/github-actions branch 3 times, most recently from eb4b233 to d1df33f, May 26, 2026 02:30
@renovate renovate Bot added the "dependencies" label (Pull requests that update a dependency file), May 26, 2026
@renovate renovate Bot changed the title from "chore(deps): update github actions" to "chore(deps): update github-actions", May 26, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 12 times, most recently from e5bc07a to 8ca05fe, June 3, 2026 08:43
@renovate renovate Bot force-pushed the renovate/github-actions branch from 8ca05fe to 12ddfe4, June 3, 2026 17:12