chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	^4.20260316.1 → ^4.20260409.1
@electric-sql/pglite (source)	^0.3.16 → ^0.4.4
@libsql/client (source)	^0.17.0 → ^0.17.2
@planetscale/database	^1.19.0 → ^1.20.1
@types/bun (source)	^1.3.10 → ^1.3.11
@types/pg (source)	^8.18.0 → ^8.20.0
@vitest/coverage-v8 (source)	^4.1.0 → ^4.1.4
dotenv	^17.3.1 → ^17.4.1
drizzle-orm (source)	^0.45.1 → ^0.45.2
eslint (source)	^10.0.3 → ^10.2.0
kysely (source)	^0.28.14 → ^0.28.15
mlly	^1.8.1 → ^1.8.2
mysql2 (source)	^3.20.0 → ^3.21.0
obuild	^0.4.32 → ^0.4.33
pnpm (source)	10.28.1 → 10.33.0
pnpm (source)	10.19.0 → 10.33.0
undocs	^0.4.10 → ^0.4.16
vitest (source)	^4.1.0 → ^4.1.4
wrangler (source)	^4.74.0 → ^4.81.1

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260409.1

Compare Source

v4.20260408.1

Compare Source

v4.20260405.1

Compare Source

v4.20260404.1

Compare Source

v4.20260403.1

Compare Source

v4.20260402.1

Compare Source

v4.20260401.1

Compare Source

v4.20260331.1

Compare Source

v4.20260329.1

Compare Source

v4.20260317.1

Compare Source

electric-sql/pglite (@​electric-sql/pglite)

v0.4.4

Compare Source

Patch Changes

• b88c5c3: Disable checkpointer

v0.4.3

Compare Source

Patch Changes

• 2ae666f: Default database, user and role are now all "postgres"
• fb95e66: Allow setting initial memory size.
• 65fc101: Disable background workers.

v0.4.2

Compare Source

Patch Changes

• 41632c4: Allow passing initdb.wasm asset for bundlers that need it.

v0.4.1

Patch Changes

• 37fb39e: clear timers on exit; remove pglite-socket dependency on pglite-postgis

v0.4.0

Minor Changes

• d848955: New simplified PGlite with separate initdb.
  New included extension: pg_textsearch (experimental).
  New package for postgis (experimental) as extension.
  Breaking changes: 'postgres' is the default database instead of 'template1'.

tursodatabase/libsql-client-ts (@​libsql/client)

v0.17.2

Compare Source

v0.17.1

Compare Source

planetscale/database-js (@​planetscale/database)

v1.20.1

Compare Source

What's Changed

• Add npm trusted publisher workflow by @​mattrobenolt in #​197
• Detect Cloudflare errors in UnknownError messaging by @​mattrobenolt in #​198

Full Changelog: planetscale/database-js@v1.20.0...v1.20.1

v1.20.0

Compare Source

What's Changed

• README: remove extra docs by @​nickvanw in #​184
• Update README by @​iheanyi in #​189
• Add link to postgres documentation by @​SimeonGriggs in #​194
• Add UnknownError with full response context for non-JSON API errors by @​mattrobenolt in #​196

New Contributors

• @​SimeonGriggs made their first contribution in #​194

Full Changelog: planetscale/database-js@v1.19.0...v1.20.0

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

motdotla/dotenv (dotenv)

v17.4.1

Compare Source

Changed

• Change text injecting to injected (#​1005)

v17.4.0

Compare Source

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#​1003)

drizzle-team/drizzle-orm (drizzle-orm)

v0.45.2

Compare Source

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped
  causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

eslint/eslint (eslint)

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

v10.1.0

Compare Source

Features

• ff4382b feat: apply fix for no-var in TSModuleBlock (#​20638) (Tanuj Kanti)
• 0916995 feat: Implement api support for bulk-suppressions (#​20565) (Blake Sager)

Bug Fixes

• 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#​20464) (Amaresh S M)
• e58b4bf fix: update eslint (#​20597) (renovate[bot])

Documentation

• b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#​20641) (mkemna-clb)
• 58e4cfc docs: add deprecation notice partial (#​20639) (Milos Djermanovic)
• 7143dbf docs: update v9 migration guide for @eslint/js usage (#​20540) (fnx)
• 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#​20630) (Milos Djermanovic)
• e972c88 docs: merge ESLint option descriptions into type definitions (#​20608) (Francesco Trotta)
• 7f10d84 docs: Update README (GitHub Actions Bot)
• aeed007 docs: open playground link in new tab (#​20602) (Tanuj Kanti)
• a0d1a37 docs: Add AI Usage Policy (#​20510) (Nicholas C. Zakas)

Chores

• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#​20584) (Milos Djermanovic)
• 1f42bd7 chore: update prettier to 3.8.1 (#​20651) (루밀LuMir)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#​20652) (renovate[bot])
• cc43f79 chore: update dependency c8 to v11 (#​20650) (renovate[bot])
• 2ce4635 chore: update dependency @​eslint/json to v1 (#​20649) (renovate[bot])
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#​20646) (renovate[bot])
• dbb4c95 chore: remove trunk (#​20478) (sethamus)
• c672a2a test: fix CLI test for empty output file (#​20640) (kuldeep kumar)
• c7ada24 ci: bump pnpm/action-setup from 4.3.0 to 4.4.0 (#​20636) (dependabot[bot])
• 07c4b8b test: fix RuleTester test without test runners (#​20631) (Francesco Trotta)
• 079bba7 test: Add tests for isValidWithUnicodeFlag (#​20601) (Manish chaudhary)
• 5885ae6 ci: unpin Node.js 25.x in CI (#​20615) (Copilot)
• f65e5d3 chore: update pnpm/action-setup digest to b906aff (#​20610) (renovate[bot])

kysely-org/kysely (kysely)

v0.28.15: 0.28.15

Compare Source

Hey 👋

The introduction of dehydration in JSON functions/helpers caused an unexpected bug for consumers that have some columns defined as '${number}', e.g. '1' | '2' (also when wrapped in ColumnType or similar). Such columns, when participating in a JSON function/helper would dehydrate to number instead of staying as string.

Why dehydrate numeric strings to numbers in the first place? Select types in kysely describe the data after underlying driver's (e.g. pg) data transformation. Some drivers transform numeric columns to strings to be safe. When these columns participate in JSON functions, they lose original column data types - drivers don't know they need to transform to string - they return as-is.

This release introduces a special helper type that wraps your column type definition and tells kysely to NOT dehydrate it in JSON functions/helpers.

import type { NonDehydrateable } from 'kysely'

interface Database {
  my_table: {
    a_column: '1' | '2' | '3', // dehydrates to `number`
    another_column: NonDehydrateable<'1' | '2' | '3'>, // stays `'1' | '2' | '3'`
    column_too: NonDehydrateable<ColumnType<'1' | '2' | '3'>> // stays `'1' | '2' | '3'`
  }
}

🚀 Features

• feat: add NonDehydrateable<T> to allow opt-out from dehydration in JSON functions/helpers. by @​igalklebanov in #​1697

🐞 Bugfixes

PostgreSQL 🐘

• fix: PostgreSQL introspector unnecessarily slow in result processing. by @​igalklebanov & @​rubenferreira97 in #​1774

📖 Documentation

• Add complex function helpers section to documentation by @​mifi & @​igalklebanov in #​1758

📦 CICD & Tooling

• chore: bump TypeScript to 6. by @​igalklebanov in #​1769
• chore: bump dependencies. by @​igalklebanov in #​1775

⚠️ Breaking Changes

🐤 New Contributors

• @​rubenferreira97 made their first contribution in #​1774

Full Changelog: kysely-org/kysely@v0.28.14...v0.28.15

unjs/mlly (mlly)

v1.8.2

Compare Source

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#​336)
• Generic angle bracket parsing (#​341)

📖 Documentation

• Fix typo (#​333)

🏡 Chore

• Update deps (12913db)
• Lint (33495f9)
• release: V1.8.1 (ed17783)
• Update deps (1b09363)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• Pooya Parsa (@​pi0)
• AngelHdz <angel.hernandez.12@​live.com>
• Daniel Roe (@​danielroe)

sidorares/node-mysql2 (mysql2)

v3.21.0

Compare Source

Features

• add support for query attributes (#​4223) (d732f78)
• types: export ExecuteValues and QueryValues from entry point (9fafd6f)

unjs/obuild (obuild)

v0.4.33

Compare Source

compare changes

🚀 Enhancements

• bundle: Add build output optimizations (380c961)

💅 Refactors

• Extract removeComments to utils and apply to transform builder (ac5ab2d)

🏡 Chore

• Update lockfile (07bf9e0)
• Update deps (249101c)
• Update rolldown-plugin-dts (3165c66)
• Rename fmt script (9d34c00)

❤️ Contributors

• Pooya Parsa (@​pi0)

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

Configuration 📅 Schedule: (UTC) Branch creation "after 2am and before 3am" Automerge "after 1am and before 2am" 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.