chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@bomb.sh/tab	^0.0.11 → ^0.0.12
@types/react (source)	^19.2.9 → ^19.2.10
@​voidzero-dev/vitepress-theme	^4.3.0 → ^4.4.1
axios (source)	^1.13.2 → ^1.13.3
d3-graph-controller (source)	^3.1.6 → ^3.1.7
fastify (source)	^5.7.1 → ^5.7.2
happy-dom	^20.3.7 → ^20.3.9
pnpm (source)	10.28.1 → 10.28.2
react (source)	^19.2.3 → ^19.2.4
react-dom (source)	^19.2.3 → ^19.2.4
react-is (source)	^19.2.3 → ^19.2.4
rollup (source)	^4.56.0 → ^4.57.0
vue-tsc (source)	^3.2.3 → ^3.2.4

---

Release Notes

bombshell-dev/tab (@​bomb.sh/tab)

v0.0.12

Compare Source

Patch Changes

• 23a6ef9: Update fish shell completion script to match latest Cobra output. (#​99)

axios/axios (axios)

v1.13.3

Compare Source

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#​7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#​6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#​5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#​5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7257) (7d19335)
• turn AxiosError into a native error (#​5394) (#​5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#​5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#​7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#​6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#​5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#​6053) (65a7584)
• add Node.js coverage script using c8 (closes #​7289) (#​7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#​6265) (860e033)
• enhance pipeFileToResponse with error handling (#​7169) (88d7884)
• types: Intellisense for string literals in a widened union (#​6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7…" (#​7298) (a4230f5), closes #​7253 #​7 #​7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#​7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

DerYeger/yeger (d3-graph-controller)

v3.1.7

Compare Source

Patch Changes

• 5fed79d: handle dangling promises

fastify/fastify (fastify)

v5.7.2

Compare Source

capricorn86/happy-dom (happy-dom)

v20.3.9

Compare Source

v20.3.8

Compare Source

pnpm/pnpm (pnpm)

v10.28.2

Compare Source

facebook/react (react)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (@​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

rollup/rollup (rollup)

v4.57.0

Compare Source

2026-01-27

Features

• Add import attributes to all plugin hooks that did not provide them yet (#​5700)
• Deprecate returning import attributes from load or transform hooks as that will no longer be supported with rollup 5 (#​5700)

Pull Requests

• #​5700: extend more hooks to include import attributes and add warnings (@​TrickyPi, @​lukastaegert)
• #​6243: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #​6244: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6245: chore(deps): lock file maintenance (@​renovate[bot])
• #​6246: Refactor to reduce Rollup 5 upgrade diff (@​lukastaegert)

vuejs/language-tools (vue-tsc)

v3.2.4

Compare Source

language-core

• feat: place plugin configs under ctx.config and support type annotation via generics (#​5944) - Thanks to @​KazariEX!

workspace

• chore: publish to npm with OIDC (#​5912) - Thanks to @​ghiscoding!

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 43 workspace projects
.                                        |  WARN  There are cyclic workspace dependencies: /tmp/renovate/repos/github/vitest-dev/vitest/packages/browser, /tmp/renovate/repos/github/vitest-dev/vitest/packages/vitest, /tmp/renovate/repos/github/vitest-dev/vitest/packages/browser-playwright
Progress: resolved 1, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/vitest-dev/vitest/test/core:
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "axios@1.13.3" (possible package takeover)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/vitest-dev/vitest/test/core

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.