chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/mcp (source)	^1.0.42 → ^1.0.43
@ai-sdk/mcp (source)	^1.0.42 → ^1.0.43
@iconify-json/lucide	^1.2.108 → ^1.2.109
@nuxt/ui (source)	^4.7.1 → ^4.8.0
@nuxt/ui (source)	^4.7.1 → ^4.8.0
agents (source)	>=0.12.4 → >=0.13.2
ai (source)	^6.0.185 → ^6.0.191
pnpm (source)	11.1.3 → 11.2.2
shaders	^2.5.124 → ^2.5.128
vite (source)	^8.0.13 → ^8.0.14
vitest (source)	^4.1.6 → ^4.1.7
vue-tsc (source)	^3.3.0 → ^3.3.1

---

Release Notes

vercel/ai (@​ai-sdk/mcp)

v1.0.43

Compare Source

Patch Changes

• e2b923f: fix(mcp): deduplicate auth refresh on http transport

nuxt/ui (@​nuxt/ui)

v4.8.0

Compare Source

⚠ BREAKING CHANGES

• InputMenu: rename autocomplete prop to mode to free up HTML attribute (#​6474)

Features

• Avatar/AvatarGroup: add color prop (#​6405) (6f2396f)
• Breadcrumb: add color prop (#​6406) (955dac1)
• ChatMessage: add body slot and improve actions alignment (#​6460) (48685b6)
• ChatMessage: add color prop and header slot (#​6407) (c6ce8ca)
• ChatPrompt: add submitOnEnter prop to control Enter behavior (b597f90), closes #​6177
• Checkbox/RadioGroup/Switch: add highlight prop for error ring styling (a0deee4)
• CommandPalette: search and highlight description field (524c34d)
• ContentSearch/DashboardSearch: enable Fuse.js token search by default (ba08220)
• ContentSearch: add async search support via useSearchCollection (#​6432) (a1bef8b)
• DashboardGroup: add storageOptions prop (8f0101b), closes #​6170
• Error: add icon prop and leading slot (e6ea707), closes #​6119
• Separator: add position prop (#​6415) (844660a)
• Theme: override component prop defaults (#​6031) (71c008e)

Bug Fixes

• ChatMessage: add wrap-break-word to content slot (#​6476) (eb468e6)
• CommandPalette: only split tokens in highlight when useTokenSearch is enabled (898fbce)
• CommandPalette: preserve relative order of ignoreFilter groups (e4c1787)
• CommandPalette: re-highlight first item after debounced results render (efd7b8e)
• CommandPalette: update default fuse keys in docs and search components (0d9cc0d)
• components: apply theme.prefix to hardcoded utility classes (f51b1e8)
• components: constrain popper content to available viewport height (007b136), closes #​6449
• ContentSearch: preserve intermediate ancestors in breadcrumb prefix (#​6466) (f639b19)
• ContentToc: apply ui.trigger prop to trigger elements (252b906), closes #​6428
• defineShortcuts: use e.code for alt shortcuts to handle macOS key remapping (231f156), closes #​6444
• FileUpload: pass disabled attribute to button variant (2890c83), closes #​6420
• Form: improve errors type (#​6208) (c1090ab)
• InputMenu/Select/SelectMenu: respect trailing: false over default trailingIcon (#​6457) (65b47ce)
• InputMenu: rename autocomplete prop to mode to free up HTML attribute (#​6474) (2799fa6)
• module: don't require @nuxtjs/mdc when using content option (89f7778)
• module: pass computed ref directly to useHead innerHTML (00b7476)
• module: ship stripped [#build](https://redirect.github.com/nuxt/ui/issues/build)/ui.css fallback for tooling (083c2a9), closes #​5504
• ProseKbd: add default slot and make value optional (f317c7f)
• Textarea: autoresize on mount with pre-filled value (e96a0b6), closes #​5962
• useComponentProps: treat array-typed theme values as ClassValue leaves (cac3860)

cloudflare/agents (agents)

v0.13.2

Compare Source

Patch Changes

• #​1570 4f14b9c Thanks @​threepointone! - Add agents/chat-sdk, a Chat SDK StateAdapter backed by Agents sub-agents.

  This new package entrypoint exports:

  • createChatSdkState(), a convenience factory for Chat SDK state.
  • ChatSdkStateAdapter, the concrete adapter implementation.
  • ChatSdkStateAgent, the default sub-agent used for durable Chat SDK state.
  • defaultThreadShard() and defaultKeyShard(), the default sharding helpers used by the adapter.

  The adapter stores Chat SDK subscriptions, concurrency locks, pending queues, generic cache entries, callback metadata, thread and channel state, persisted message history, and transcript lists in Durable Object SQLite. State is sharded through parent.subAgent() so a messenger ingress Agent can keep Chat SDK infrastructure state inside child facets instead of requiring a separate top-level Durable Object binding for every state shard.

  createChatSdkState() now works with the default ChatSdkStateAgent class when it is re-exported from the Worker entrypoint. It also defaults parent from getCurrentAgent() when called inside an Agent lifecycle method or request handler, so the common setup is:

  export { ChatSdkStateAgent } from "agents/chat-sdk";
  
  const chat = new Chat({
    adapters,
    state: createChatSdkState(),
  });

  Applications that need custom state behavior can still pass a custom agent subclass and explicit parent.

  This also documents the sub-agent configuration model more clearly: production Workers should export facet classes, but facet-only child classes do not belong in new_sqlite_classes unless they are also used as top-level Durable Objects. Test wrangler configs may still include facet classes as test-only Durable Object bindings for @cloudflare/vitest-pool-workers compatibility, while keeping them out of new_sqlite_classes.

v0.13.1

Compare Source

Patch Changes

• #​1563 32cde40 Thanks @​threepointone! - Add managed fiber jobs with idempotent acceptance, optional completion waiting, inspection, cancellation, explicit recovery outcomes, and retained terminal status records.

v0.13.0

Compare Source

Minor Changes

• #​1297 d151e6d Thanks @​mattzcarey! - Add experimental Postgres-backed session, context, and search providers for external session storage via Hyperdrive-compatible pg clients.

  Session APIs now consistently return promises so callers can use the same surface with local SQLite or external storage providers. Think's session integration has been updated for the async session API, including cache-aware handling for idempotent appends and compaction overlays.

Patch Changes

• #​1532 0a2d6df Thanks @​threepointone! - Revert the Streamable HTTP server-to-client MCP routing change from PR #​1514, which routed related messages such as elicitation requests over the originating POST response when no standalone SSE stream was open.

• #​1546 c935d7c Thanks @​threepointone! - Fix nested sub-agent bootstrap so facet parents do not need to be bound as top-level Durable Object namespaces.

• #​1533 8f699fe Thanks @​mattzcarey! - McpAgent.elicitInput now accepts an optional options.relatedRequestId, forwarded to the underlying transport so the elicitation request routes through the originating POST response stream per the Streamable HTTP spec. Callers should pass { relatedRequestId: extra.requestId } from inside a tool handler.

• #​1548 ce2af34 Thanks @​threepointone! - Allow parentAgent() to resolve facet-only direct parents through a root RPC bridge.

pnpm/pnpm (pnpm)

v11.2.2

Compare Source

Patch Changes

• When the install engine is delegated to pacquet via configDependencies, the user's CLI flags passed to pnpm install (e.g. --no-runtime, --prod, --dev, --no-optional, --node-linker, --cpu/--os/--libc, --offline, --prefer-offline) are now forwarded to pacquet's install subcommand verbatim. Previously pacquet was invoked with a fixed argument list, so flags like --no-runtime were silently dropped. Flag forwarding is gated on the command being install/i; add, update, and dedupe still don't forward (their flag surface doesn't line up with pacquet's install).
• Fixed pnpm up (and pnpm add / pnpm remove) failing with pacquet_package_manager::outdated_lockfile when pacquet is declared in configDependencies. pnpm now passes --ignore-manifest-check to pacquet so its --frozen-lockfile check doesn't fire against the (pre-mutation) package.json pnpm hasn't written yet #​11797. Requires a pacquet release that supports the flag — bump PACQUET_VERSION in the e2e tests once it ships.

v11.2.1

Compare Source

Patch Changes

• Mark optional subdependency snapshots of config dependencies with optional: true in the env lockfile, matching how optional dependencies are recorded elsewhere in pnpm-lock.yaml. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's optionalDependencies were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required.
• Fix pickRegistryForPackage returning the wrong registry for an unscoped npm: alias under a scoped local name. A manifest entry like "@​private/foo": "npm:lodash@^1" was routing the lodash fetch through registries["@​private"], even though lodash is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or null for an unscoped target, falling through to registries.default) instead of leaking into the local key's scope.
• Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed.

v11.2.0

Compare Source

Minor Changes

• Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #​11723.

  To configure pacquet in a project, run:

  pnpm add @​pnpm/pacquet --config
  

  You'll see changes in pnpm-workspace.yaml and pnpm-lock.yaml that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create.

• configDependencies now resolve and install one level of optionalDependencies declared by the config dependency, with os/cpu/libc platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via optionalDependencies — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so require('pkg-platform-arch') from inside the config dependency resolves correctly.

  The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's optionalDependencies must declare an exact version — ranges and tags are rejected to keep installs reproducible.

• Implement the documented pnpm login --scope <scope> flag. The scope is normalized (a leading @ is added if missing; blank values are ignored) and an @<scope>:registry=<registry> mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of @<scope>/* packages then route to the chosen registry. Previously pnpm login --scope foo errored with Unknown option: 'scope' despite the flag being listed in the online documentation #​11716.

• pnpm outdated and pnpm update --interactive now report Node.js, Deno, and Bun runtimes installed as project dependencies (runtime: specifiers). Previously these were silently skipped.

Patch Changes

• Fix cafile=<relative-path> in .npmrc being read from the wrong directory when pnpm is invoked from a different cwd (e.g. pnpm --dir <project> install from a CI wrapper or monorepo script). The path is now resolved against the directory of the .npmrc that declared it, not process.cwd(). Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path #​11624.

• Fix config.registry getting a trailing slash appended when registry is set in .npmrc and no registries.default is provided by pnpm-workspace.yaml. The sync from registries.default to config.registry introduced in #​11744 now only fires when the workspace manifest actually contributes a different default.

• Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error.

• Fix two crashes with injectWorkspacePackages: true when the lockfile has been pruned (e.g. by turbo prune --docker):

  • Cannot use 'in' operator to search for 'directory' in undefined: a peer-dependency-variant injected snapshot inherits its resolution from the base packages: entry; when a pruner drops that base entry the readers crash. convertToLockfileObject now reconstructs the directory resolution from the file: depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot.
  • ERR_PNPM_ENOENT on node_modules/.bin/<tool>: after prepare/postinstall, runLifecycleHooksConcurrently re-imported each injected workspace package; the scanDir-into-filesMap workaround fed target-internal paths to the importer, which the makeEmptyDir fast path (#​11088) then wiped. Drop the workaround and pass keepModulesDir: true so the importer preserves the target's existing node_modules (bin links + transitive deps) and source files keep their hardlinks.

• Fixed pnpm login and pnpm logout ignoring registries.default from pnpm-workspace.yaml #​10099.

• Fix the minimumReleaseAge (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose modified field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a MISSING_TIME error when full metadata wasn't permitted). Since modified is an upper bound on every version's publish time, modified == publishedBy already implies every version passes the per-version <= filter in filterPkgMetadataByPublishDate, so the shortcut now accepts the boundary case directly. Strictly > (was >=) at the rejection branch.

• Honor publishConfig.access when publishing packages.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/playground/pnpm-lock.yaml

Scope: all 5 workspace projects
? Verifying lockfile against supply-chain policies (1980 entries)...

   ╭─────────────────────────────────────────╮
   │                                         │
   │   Update available! 11.2.2 → 11.3.0.    │
   │   Changelog: https://pnpm.io/v/11.3.0   │
   │    To update, run: pnpm add -g pnpm     │
   │                                         │
   ╰─────────────────────────────────────────╯

✓ Lockfile passes supply-chain policies (1980 entries in 18.3s)
../..                                    | Progress: resolved 1, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 41, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 77, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 239, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 312, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 504, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 519, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 644, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 752, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 817, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 840, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1017, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1075, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1156, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1337, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1550, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1565, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1612, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1675, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1925, reused 0, downloaded 0, added 0
../..                                    | Progress: resolved 1980, reused 0, downloaded 0, added 0
[WARN] Request took 15564ms: https://registry.npmjs.org/drizzle-orm
[ERR_PNPM_NO_MATURE_MATCHING_VERSION] 1 version does not meet the minimumReleaseAge constraint:
  shaders@2.5.128 was published at 2026-05-23T17:31:57.922Z, within the minimumReleaseAge cutoff (2026-05-23T02:54:30.798Z)

File name: pnpm-lock.yaml

Scope: all 5 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 42, reused 0, downloaded 0, added 0
Progress: resolved 170, reused 0, downloaded 0, added 0
Progress: resolved 288, reused 0, downloaded 0, added 0
Progress: resolved 468, reused 0, downloaded 0, added 0
Progress: resolved 548, reused 0, downloaded 0, added 0
Progress: resolved 618, reused 0, downloaded 0, added 0
Progress: resolved 755, reused 0, downloaded 0, added 0
Progress: resolved 951, reused 0, downloaded 0, added 0
Progress: resolved 1118, reused 0, downloaded 0, added 0
Progress: resolved 1140, reused 0, downloaded 0, added 0
Progress: resolved 1204, reused 0, downloaded 0, added 0
Progress: resolved 1425, reused 0, downloaded 0, added 0
Progress: resolved 1758, reused 0, downloaded 0, added 0
Progress: resolved 1974, reused 0, downloaded 0, added 0
Progress: resolved 1980, reused 0, downloaded 0, added 0
[WARN] Request took 10578ms: https://registry.npmjs.org/drizzle-orm
[ERR_PNPM_NO_MATURE_MATCHING_VERSION] 1 version does not meet the minimumReleaseAge constraint:
  shaders@2.5.128 was published at 2026-05-23T17:31:57.922Z, within the minimumReleaseAge cutoff (2026-05-23T02:55:19.801Z)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt-mcp-toolkit-docs	Ready	Preview, Comment	May 25, 2026 10:06am

[github-actions]

Thank you for following the naming conventions! 🙏