chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/vue (source)	^3.0.116 → ^3.0.137
@libsql/client (source)	^0.17.0 → ^0.17.2
@nuxt/devtools (source)	^3.2.3 → ^3.2.4
@nuxt/ui (source)	^4.5.1 → ^4.6.0
ai (source)	>=6.0.116 → >=6.0.137
ai (source)	^6.0.116 → ^6.0.137
bun (source)	1.3.10 → 1.3.11
drizzle-kit (source)	^0.31.9 → ^0.31.10
elysia	>=1.4.27 → >=1.4.28
elysia	^1.4.27 → ^1.4.28
evlog (source)	^2.8.0 → ^2.9.0
fastify (source)	>=5.8.2 → >=5.8.4
fastify (source)	^5.8.2 → ^5.8.4
h3 (source)	^1.15.6 → ^1.15.10
motion-v	^2.0.1 → ^2.2.0
next (source)	>=16.1.6 → >=16.2.1
next (source)	^16.1.6 → ^16.2.1
nitropack	^2.13.1 → ^2.13.2
nuxt-studio	^1.4.0 → ^1.5.1
react-router (source)	>=7.9.0 → >=7.13.2
react-router (source)	^7.9.0 → ^7.13.2
shaders	^2.4.77 → ^2.4.78
tailwindcss (source)	^4.2.1 → ^4.2.2
turbo (source)	^2.8.17 → ^2.8.20
vite (source)	^8.0.0 → ^8.0.2
vitest (source)	^4.1.0 → ^4.1.1
vue-tsc (source)	^3.2.5 → ^3.2.6

---

Release Notes

vercel/ai (@​ai-sdk/vue)

v3.0.137

Compare Source

v3.0.136

Compare Source

Patch Changes

• Updated dependencies [ed6876b]
  • ai@​6.0.134

v3.0.135

Compare Source

Patch Changes

• 055cd68: fix: publish v6 to latest npm dist tag
• Updated dependencies [055cd68]
  • @​ai-sdk/provider-utils@​4.0.21
  • ai@​6.0.133

v3.0.134

Compare Source

Patch Changes

• Updated dependencies [28fd5a5]
  • ai@​6.0.132

v3.0.133

Compare Source

Patch Changes

• Updated dependencies [14f25f9]
  • ai@​6.0.131

v3.0.132

Compare Source

Patch Changes

• ai@​6.0.130

v3.0.131

Compare Source

Patch Changes

• ai@​6.0.129

v3.0.130

Compare Source

Patch Changes

• ai@​6.0.128

v3.0.129

Compare Source

Patch Changes

• ai@​6.0.127

v3.0.128

Compare Source

Patch Changes

• Updated dependencies [578615a]
  • ai@​6.0.126

v3.0.127

Compare Source

Patch Changes

• ai@​6.0.125

v3.0.126

Compare Source

Patch Changes

• ai@​6.0.124

v3.0.125

Compare Source

Patch Changes

• ai@​6.0.125

v3.0.124

Patch Changes

• ai@​6.0.122

v3.0.123

Patch Changes

• ai@​6.0.121

v3.0.122

Compare Source

Patch Changes

• Updated dependencies [78c0e26]
  • ai@​6.0.120

v3.0.121

Compare Source

Patch Changes

• Updated dependencies [ab286f1]
• Updated dependencies [d68b122]
  • ai@​6.0.119

v3.0.120

Compare Source

Patch Changes

• Updated dependencies [64ac0fd]
  • @​ai-sdk/provider-utils@​4.0.20
  • ai@​6.0.118

v3.0.119

Compare Source

Patch Changes

• Updated dependencies [d23121f]
  • ai@​6.0.117

v3.0.118

Compare Source

Patch Changes

• Updated dependencies [ad4cfc2]
  • @​ai-sdk/provider-utils@​4.0.19
  • ai@​6.0.116

v3.0.117

Compare Source

Patch Changes

• Updated dependencies [824b295]
  • @​ai-sdk/provider-utils@​4.0.18
  • ai@​6.0.115

tursodatabase/libsql-client-ts (@​libsql/client)

v0.17.2

Compare Source

v0.17.1

Compare Source

nuxt/devtools (@​nuxt/devtools)

v3.2.4

Compare Source

   🚀 Features

• Use ua-parser-modern  -  by @​antfu (114aa)

   🐞 Bug Fixes

• Nuxt devtools inspector style  -  by @​antfu (91f09)

    View changes on GitHub

nuxt/ui (@​nuxt/ui)

v4.6.0

Compare Source

⚠ BREAKING CHANGES

• module: use moduleDependencies to manipulate options (#​5384)

Features

• add standalone Vue REPL playground (#​6209) (390c4bd)
• ChatMessage: add files slot (12d6020)
• ChatReasoning: new component (#​6175) (6db594e)
• ChatShimmer: new component (#​6171) (8db9c54)
• ChatTool: new component (#​6176) (7849534)
• Checkbox/Switch: add support for trueValue / falseValue props (#​6150) (91c6356)
• ContentToc: add highlight-variant prop (#​5746) (df080ce)
• DropdownMenu: add filter prop (#​6153) (a529b43)
• FileUpload: add fileImage prop (#​5935) (40f9c2e)
• Icon: add global options on Vue-only side (#​5354) (566fbee)
• InputMenu: add autocomplete prop (#​6026) (ee8a248)
• InputTime: add range prop (#​6203) (c124f29)
• locale: add Icelandic language (#​6149) (f3ddc60)
• module: use moduleDependencies to manipulate options (#​5384) (dd3f5c5)
• Sidebar: new component (#​6038) (51a1f85)
• Table: implement row pinning (#​6115) (fbd60d9)
• Tooltip: support global content configuration via App tooltip prop (#​6152) (83afd9c)
• unplugin: add support for prose components (#​6198) (c58b9b2)

Bug Fixes

• Avatar: use resolved size for image width/height (#​6008) (6dd0fc4)
• ChatShimmer: handle RTL mode (#​6180) (51793a8)
• ContentNavigation: prevent toggling disabled parent items (#​6122) (0f1074f)
• ContentSurround: handle RTL mode (#​6148) (6921f13)
• ContentToc: reset start margin at lg breakpoint (8f24f79)
• DashboardSearchButton: use valid HTML structure for trailing slot (#​6194) (578a12f)
• Editor: guard lift calls for unavailable list extensions (#​6100) (065db6b)
• Error: support status and statusText properties (1350d62), closes #​6134
• FileUpload: make multiple, accept and reset options reactive (#​6204) (ae093df)
• Modal/Slideover/Popover/Drawer: prevent double close:prevent emit (#​6226) (9a0d501)
• module: only auto-import public composables and allow Vite opt-out (#​6197) (886f5fb)
• NavigationMenu: improve RTL support for viewport and indicator (#​6164) (755867b)
• NavigationMenu: propagate disabled state to item in vertical orientation (6d4d651)
• ProsePre: move shiki line highlight styles to theme (d663950)

oven-sh/bun (bun)

v1.3.11: Bun v1.3.11

Compare Source

To install Bun v1.3.11

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.11:

bun upgrade

Read Bun v1.3.11's release notes on Bun's blog

Thanks to 15 contributors!

• @​alii
• @​anthonybaldwin
• @​baboon-king
• @​c-stoeckl
• @​cirospaciari
• @​dylan-conway
• @​gaowhen
• @​hona
• @​igorkofman
• @​jarred-sumner
• @​km-anthropic
• @​robobun
• @​sosukesuzuki
• @​ssing2
• @​whiteminds

drizzle-team/drizzle-orm (drizzle-kit)

v0.31.10

Compare Source

• Updated to hanji@0.0.8 - native bun stringWidth, stripANSI support, errors for non-TTY environments
• We've migrated away from esbuild-register to tsx loader, it will now allow to use drizzle-kit seamlessly with both ESM and CJS modules
• We've also added native Bun and Deno launch support, which will not trigger tsx loader and utilise native bun and deno imports capabilities and faster startup times

elysiajs/elysia (elysia)

v1.4.28

Compare Source

Feature:

• #​1803 stream response with pull based backpressure
• #​1802 handle range header for file/blob response
• #​1722, #​1741 direct ReadableStream perf blow-up

Bug fix:

• #​1805 dynamic imports inside .guard not registering routes
• #​1771 breaks Bun HTML imports
• #​1797 await mapped error response promise
• #​1794 merge app cookie config into route cookie validator config
• #​1796 check custom parser by full name
• #​1795 write transformed cookie value to cookie entry directly
• #​1793 use cookie schema for cookie noValidate check
• #​1792 throw ValidationError instead of boolean in response encode path
• detect HTML bundle when inline response is Promise

Change:

• #​1613 export ElysiaTypeCustomErrors
• remove Bun specific built
• export AnySchema, UnwrapSchema, ModelsToTypes from root
• conditional set headers of String and Object when no set.headers is set

HugoRCD/evlog (evlog)

v2.9.0

Compare Source

What's Changed

Features 🚀

• feat: add react-router support by @​MrLightful in #​212
• feat(ai): add toolInputs option, and stepsUsage by @​HugoRCD in #​222

Enhancements 🌈

• enhancement(elysia): use afterResponse instead of afterHandle by @​SaltyAom in #​207

Bug Fixes 🐞

• fix(nitro): allow useLogger() in server middleware by @​HugoRCD in #​215
• fix(evlog): respect status/statusCode on Error instances by @​benhid in #​218
• fix(nitro): make evlogErrorHandler compatible with TanStack Start middleware API by @​HugoRCD in #​220

Documentation 📚

• docs(tanstack-start): improve TanStack Start documentation coverage by @​HugoRCD in #​219

Dependency Updates 📦

• chore(deps): update codspeedhq/action action to v4 by @​renovate[bot] in #​201
• chore(deps): update actions/github-script action to v8 by @​renovate[bot] in #​200
• chore(deps): update marocchino/sticky-pull-request-comment action to v3 by @​renovate[bot] in #​204
• chore(deps): update peter-evans/create-pull-request action to v8 by @​renovate[bot] in #​205
• chore(deps): update all non-major dependencies by @​renovate[bot] in #​199

Performance Improvements ⚡️

• chore(bench): update size baseline by @​github-actions[bot] in #​208
• chore(bench): update size baseline by @​github-actions[bot] in #​221

New Contributors

• @​SaltyAom made their first contribution in #​207
• @​MrLightful made their first contribution in #​211
• @​benhid made their first contribution in #​218

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.8.0...evlog@2.9.0

fastify/fastify (fastify)

v5.8.4

Compare Source

v5.8.3

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in #​6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in #​6566
• test: use fastify.test in test case by @​climba03003 in #​6568
• docs: use fastify.example in documentation by @​climba03003 in #​6567
• docs: add common performance degradation guidance by @​maxpetrusenko in #​6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in #​6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in #​6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in #​6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in #​6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in #​6582
• docs: replace redirected npm.im http-errors link by @​mcollina in #​6588
• types: Allow port to be null in request type definition by @​TristanBarlow in #​6589
• docs: update links by @​Tony133 in #​6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in #​6592

New Contributors

• @​kyrylchenko made their first contribution in #​6566
• @​maxpetrusenko made their first contribution in #​6520
• @​Deepvamja made their first contribution in #​6530
• @​barba-rossa made their first contribution in #​6535
• @​mahmoodhamdi made their first contribution in #​6582
• @​TristanBarlow made their first contribution in #​6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

h3js/h3 (h3)

v1.15.10

Compare Source

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#​1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v1.15.9

Compare Source

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

Compare Source

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

v1.15.7

Compare Source

compare changes

🩹 Fixes

• static: Narrow path traversal check to match .. as a path segment only (c049dc0)
• app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

• Remove implicit event handler conversion warning (#​1340)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Wind (@​productdevbook)

motiondivision/motion-vue (motion-v)

v2.2.0

Compare Source

Added

• useTransform: accelerate propagation on value changes

v2.1.0

Compare Source

Added

• useScroll: ScrollOffset presets, scroll timeline acceleration, rest pass-through, MaybeRefOrGetter options typing.

Changed

• useSpring: rewrite with motion-dom attachFollow.

vercel/next.js (next)

v16.2.1

Compare Source

v16.2.0

Compare Source

v16.1.7

Compare Source

nitrojs/nitro (nitropack)

v2.13.2

Compare Source

compare changes

[!NOTE]
This release upgrades h3 to latest 1.15.9 which contains security fixes.

🩹 Fixes

• prerender: Skip writing routes with .. or outside of public dir (81f76800)
• prerender: Mark invalid routes as skipped (9cb795c7)

📖 Documentation

• Fix icon assets (#​4022)

Preset Changes

• vercel: Add types and docs for isr.exposeErrBody (f7753152)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Restent Ou (@​gxres042)
• Kricsleo (@​kricsleo)

nuxt-content/nuxt-studio (nuxt-studio)

v1.5.1

Compare Source

Bug Fixes

• medias: ipx protocol normalization with S3 providers (#​392) (90b0485)
• module: user options override CI values (#​393) (1f44cdf)
• sw: remove keyPath (#​391) (5d8d4ac)

v1.5.0

Compare Source

Features

• editor: callout tiptap extension (#​362) (842adc8)
• i18n: add Hungarian (hu) locale (#​377) (a92e1fd)
• i18n: add slovak (sk) locale (#​359) (ca86377)
• media: improve media picker selection and integrate ipx optimization (#​369) (50d0e87)
• review: add commit message prefix (#​367) (a2e9290)
• skills: make content editable skill (#​364) (ddd9834)
• tiptap: custom suggestion groups for components (#​358) (7b6b852)

Bug Fixes

• document: json comparison (#​388) (5d63fff)
• host: use singleton instance (#​386) (a15ae1f)
• skills: make content editable improvment (d38ad18)

remix-run/react-router (react-router)

v7.13.2

Compare Source

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#​14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#​14892)

• Fix percent encoding in relative path navigation (#​14786)

• Add future.unstable_passThroughRequests flag (#​14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  
  // ✅ After: use `unstable_url` for normalized routing logic and `request.url`
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
    if (unstable_url.pathname === "/path") {
      // This will always have the `.data` suffix stripped
    }
  
    // And now you can distinguish between document versus data requests
    let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#​14765)

• Sync protocol validation to rsc flows (#​14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#​14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

  If you don't have the flag enabled, then unstable_url will match request.url.

v7.13.1

Compare Source

Patch Changes

• fix null reference exception in bad codepath leading to invalid route tree comparisons (#​14780)

• fix: clear timeout when turbo-stream encoding completes (#​14810)

• Improve error message when Origin header is invalid (#​14743)

• Fix matchPath optional params matching without a "/" separator. (#​14689)

  • matchPath("/users/:id?", "/usersblah") now returns null.
  • matchPath("/test_route/:part?", "/test_route_more") now returns null.

• add RSC unstable_getRequest (#​14758)

• Fix HydrateFallback rendering during initial lazy route discovery with matching splat route (#​14740)

• [UNSTABLE] Add support for <Link unstable_mask> in Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser. This is useful for contextual routing usages such as displaying an image in a model on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background. (#​14716)

  // routes/gallery.tsx
  export function clientLoader({ request }: Route.LoaderArgs) {
    let sp = new URL(request.url).searchParams;
    return {
      images: getImages(),
      // When the router location has the image param, load the modal data
      modalImage: sp.has("image") ? getImage(sp.get("image")!) : null,
    };
  }
  
  export default function Gallery({ loaderData }: Route.ComponentProps) {
    return (
      <>
        <GalleryGrid>
          {loaderData.images.map((image) => (
            <Link
              key={image.id}
              {/* Navigate the router to /galley?image=N */}}
              to={`/gallery?image=${image.id}`}
              {/* But display /images/N in the URL bar */}}
              unstable_mask={`/images/${image.id}`}
            >
              <img src={image.url} alt={image.alt} />
            </Link>
          ))}
        </GalleryGrid>
  
        {/* When the modal data exists, display the modal */}
        {data.modalImage ? (
          <dialog open>
            <img src={data.modalImage.url} alt={data.modalImage.alt} />
          </dialog>
        ) : null}
      </>
    );
  }

  Notes:

  • The masked location, if present, will be available on useLocation().unstable_mask so you can detect whether you are currently masked or not.
  • Masked URLs only work for SPA use cases, and will be removed from history.state during SSR.
  • This provides a first-class API to mask URLs in Data Mode to achieve the same behavior you could do in Declarative Mode via manual backgroundLocation management.

• RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500 (#​14755)

• Preserve query parameters and hash on manifest version mismatch reload (#​14813)

v7.13.0

Compare Source

Minor Changes

• Add crossOrigin prop to Links component (#​14687)

Patch Changes

• Fix double slash normalization for useNavigate colon urls (#​14718)
• Update failed origin checks to return a 400 status instead of a 500 (#​14737)
• Bugfix #​14666: Inline criticalCss is missing nonce (#​14691)
• Loosen allowedActionOrigins glob check so ** matches all domains (#​14722)

v7.12.0

Compare Source

Minor Changes

• Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)

Patch Changes

• Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#​14269)

• Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#​14663)

• Escape HTML in scroll restoration keys (#​14705)

• Validate redirect locations (#​14706)

• [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)

• [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

  Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

  URL /a/b/c	HTTP pathname	request pathname`
  Document	/a/b/c	/a/b/c ✅
  Data	/a/b/c.data	/a/b/c ✅

  URL /a/b/c/	HTTP pathname	request pathname`
  Document	/a/b/c/	/a/b/c/ ✅
  Data	/a/b/c.data	/a/b/c ⚠️

  With this flag enabled, these p

---

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
evlog-docs	Ready	Preview, Comment, Open in v0	Mar 30, 2026 1:09am

[pkg-pr-new]

npm i https://pkg.pr.new/evlog@229

npm i https://pkg.pr.new/@evlog/nuxthub@229

commit: 7a73ac0

[github-actions]

Thank you for following the naming conventions! 🙏