fix(deps): update all non-major dependencies #57

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch

@renovate renovate Bot commented Apr 18, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| @ai-sdk/openai (source) | 3.0.9 → 3.0.63 | dependencies | patch |
| @ai-sdk/valibot (source) | 2.0.5 → 2.0.28 | dependencies | patch |
| @biomejs/biome (source) | 2.3.14 → 2.4.15 | devDependencies | minor |
| @cloudflare/vitest-pool-workers (source) | ^0.12.0 → ^0.16.0 | devDependencies | minor |
| @cloudflare/workers-types | 4.20260113.0 → 4.20260511.1 | devDependencies | minor |
| @crxjs/vite-plugin (source) | 2.3.0 → 2.4.0 | devDependencies | minor |
| @playwright/test (source) | 1.57.0 → 1.60.0 | devDependencies | minor |
| @tailwindcss/vite (source) | 4.1.18 → 4.3.0 | devDependencies | minor |
| @tanstack/devtools-vite (source) | ^0.5.0 → ^0.6.0 | devDependencies | minor |
| @tanstack/react-devtools (source) | ^0.9.0 → ^0.10.0 | devDependencies | minor |
| @tanstack/react-form (source) | 1.27.7 → 1.32.0 | dependencies | minor |
| @tanstack/react-query (source) | 5.90.16 → 5.100.10 | dependencies | minor |
| @tanstack/react-router (source) | 1.156.0 → 1.169.8 | dependencies | minor |
| @tanstack/react-router-devtools (source) | 1.156.0 → 1.166.19 | devDependencies | minor |
| @tanstack/router-plugin (source) | 1.156.0 → 1.167.41 | devDependencies | minor |
| @testing-library/react | 16.3.1 → 16.3.2 | devDependencies | patch |
| @types/chrome (source) | 0.1.33 → 0.1.42 | devDependencies | patch |
| @types/node (source) | 25.0.7 → 25.7.0 | devDependencies | minor |
| @types/react (source) | 19.2.8 → 19.2.14 | devDependencies | patch |
| @typescript-eslint/eslint-plugin (source) | 8.53.0 → 8.59.3 | devDependencies | minor |
| @typescript-eslint/parser (source) | 8.53.0 → 8.59.3 | devDependencies | minor |
| @valibot/to-json-schema (source) | 1.5.0 → 1.7.0 | dependencies | minor |
| @vitejs/plugin-react (source) | 5.1.2 → 5.2.0 | devDependencies | minor |
| ai (source) | 6.0.30 → 6.0.177 | dependencies | patch |
| ai-gateway-provider (source) | 3.0.2 → 3.1.3 | dependencies | minor |
| better-auth (source) | 1.4.12 → 1.6.10 | dependencies | minor |
| better-auth-cloudflare | ^0.2.9 → ^0.3.0 | dependencies | minor |
| drizzle-kit (source) | 0.31.8 → 0.31.10 | devDependencies | patch |
| eslint (source) | 9.39.2 → 9.39.4 | devDependencies | patch |
| eslint-plugin-boundaries | 5.3.1 → 5.4.0 | devDependencies | minor |
| filepond (source) | 4.32.11 → 4.32.12 | dependencies | patch |
| jsdom | 28.0.0 → 28.1.0 | devDependencies | minor |
| lucide-react (source) | ^0.563.0 → ^0.577.0 | dependencies | minor |
| miniflare (source) | 4.20260107.0 → 4.20260507.1 | pnpm.overrides | minor |
| node (source) | 24.13.0 → 24.15.0 | volta | minor |
| pnpm (source) | 10.28.2 → 10.33.4 | packageManager | minor |
| react (source) | 19.2.3 → 19.2.6 | dependencies | patch |
| react-day-picker (source) | 9.13.0 → 9.14.0 | dependencies | minor |
| react-dom (source) | 19.2.3 → 19.2.6 | dependencies | patch |
| recharts | 3.6.0 → 3.8.1 | dependencies | minor |
| tailwind-merge | 3.4.0 → 3.6.0 | dependencies | minor |
| tailwindcss (source) | 4.1.18 → 4.3.0 | devDependencies | minor |
| valibot (source) | 1.2.0 → 1.4.0 | dependencies | minor |
| wrangler (source) | 4.59.1 → 4.90.0 | devDependencies | minor |

Release Notes

vercel/ai (@​ai-sdk/openai)

v3.0.63

Compare Source

Patch Changes

v3.0.62

Compare Source

Patch Changes
  • 65edcca: feat: add allowedTools provider option for OpenAI Responses

v3.0.61

Compare Source

Patch Changes
  • b93f9b4: feat(provider/openai): forward imageDetail providerOptions on tool-result image content

v3.0.60

Compare Source

Patch Changes
  • 6dcd8e6: feat(openai): add GPT-5.5 chat model IDs

v3.0.59

Compare Source

Patch Changes
  • 38966ab: fix(openai, openai-compatible): only send null content for assistant messages with tool calls

v3.0.58

Compare Source

Patch Changes
  • 2370948: feat(openai): preserve namespace on function_call output items

v3.0.57

Compare Source

Patch Changes
  • d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

v3.0.55

Compare Source

Patch Changes

v3.0.54

Compare Source

Patch Changes

v3.0.53

Patch Changes
  • 953385d: fix(openai): default undefined tool-call input to empty object before serializing tool arguments

v3.0.52

Patch Changes
  • d42076d: Add AI Gateway hint to provider READMEs

v3.0.51

Patch Changes

v3.0.50

Patch Changes

v3.0.49

Patch Changes
  • bc01093: fix(openai): support file-url parts in tool output content

v3.0.48

Patch Changes
  • 9c548de: Add gpt-5.4-mini, gpt-5.4-mini-2026-03-17, gpt-5.4-nano, and gpt-5.4-nano-2026-03-17 models.

  • bcb04df: fix(openai): preserve raw finish reason for failed responses stream events

    Handle response.failed chunks in Responses API streaming so finishReason.raw is preserved from incomplete_details.reason (e.g. max_output_tokens), and map failed-without-reason cases to unified error instead of other.

v3.0.47

Patch Changes

v3.0.46

Compare Source

Patch Changes
  • 75fc0e7: feat(openai): add new tool search tool

v3.0.45

Compare Source

Patch Changes
  • 023088c: feat(provider/openai): add gpt-5.3-chat-latest

v3.0.44

Compare Source

Patch Changes
  • f4a734a: fix(provider/openai): drop reasoning parts without encrypted content when store: false

v3.0.43

Compare Source

Patch Changes

v3.0.42

Compare Source

Patch Changes
  • 2589004: feat(provider/openai): add GPT-5.4 model support

v3.0.41

Compare Source

Patch Changes

v3.0.40

Compare Source

Patch Changes

v3.0.39

Compare Source

Patch Changes

v3.0.38

Compare Source

Patch Changes
  • 64a8fae: chore: remove obsolete model IDs for Anthropic, Google, OpenAI, xAI

v3.0.37

Compare Source

Patch Changes

v3.0.36

Compare Source

Patch Changes
  • 53bdfa5: fix(openai): allow null/undefined type in streaming tool call deltas

    Azure AI Foundry and Mistral deployed on Azure omit the type field in
    streaming tool_calls deltas. The chat stream parser now accepts a missing
    type field (treating it as "function") instead of throwing
    InvalidResponseDataError: Expected 'function' type.

    Fixes #​12770

v3.0.35

Compare Source

Patch Changes
  • 5e18272: fix(openai): include reasoning parts without itemId when encrypted_content is present

    When providerOptions.openai.itemId is absent on a reasoning content part,
    the converter now uses encrypted_content as a fallback instead of silently
    skipping the part with a warning. The OpenAI Responses API accepts reasoning
    items without an id when encrypted_content is supplied, enabling
    multi-turn reasoning even when item IDs are stripped from provider options.

    Also makes the id field optional on the OpenAIResponsesReasoning type to
    reflect that the API does not require it.

    Fixes #​12853

v3.0.34

Compare Source

Patch Changes
  • 66a374c: Support phase parameter on Responses API message items. The phase field ('commentary' or 'final_answer') is returned by models like gpt-5.3-codex on assistant message output items and must be preserved when sending follow-up requests. The phase value is available in providerMetadata.openai.phase on text parts and is automatically included on assistant messages sent back to the API.

v3.0.33

Compare Source

Patch Changes
  • 624e651: Added missing model IDs to OpenAIChatModelId, OpenAIResponsesModelId, OpenAIImageModelId, OpenAISpeechModelId, OpenAITranscriptionModelId, and OpenAICompletionModelId types for better autocomplete support.

v3.0.32

Compare Source

Patch Changes
  • 0c9395b: feat(provider/openai): add gpt-5.3-codex

v3.0.31

Compare Source

Patch Changes
  • d5f7312: fix(openai): change web search tool action to be optional

v3.0.30

Compare Source

Patch Changes
  • ff12133: feat(provider/openai): support native skills and hosted shell

v3.0.29

Compare Source

Patch Changes
  • e2ee705: feat: differentiate text vs image input tokens

v3.0.28

Compare Source

Patch Changes

v3.0.27

Compare Source

Patch Changes
  • 99fbed8: feat: normalize provider specific model options type names and ensure they are exported

v3.0.26

Compare Source

Patch Changes

v3.0.25

Compare Source

Patch Changes

v3.0.24

Compare Source

Patch Changes

v3.0.23

Compare Source

Patch Changes

v3.0.22

Compare Source

Patch Changes
  • 1524271: chore: add skill information to README files

v3.0.21

Compare Source

Patch Changes
  • 2c70b90: chore: update provider docs

v3.0.20

Compare Source

Patch Changes

v3.0.19

Compare Source

Patch Changes
  • 04c89b1: Provide Responses API providerMetadata types at the message / reasoning level.

    • Export the following types for use in client code:
      • OpenaiResponsesProviderMetadata
      • OpenaiResponsesReasoningProviderMetadata
      • AzureResponsesProviderMetadata
      • AzureResponsesReasoningProviderMetadata

v3.0.18

Compare Source

Patch Changes

v3.0.17

Compare Source

Patch Changes
  • 4218f86: fix(openai): preserve tool id for apply patch tool

v3.0.16

Compare Source

Patch Changes
  • 2b8369d: chore: add docs to package dist

v3.0.15

Compare Source

Patch Changes
  • 8dc54db: chore: add src folders to package bundle

v3.0.14

Compare Source

Patch Changes
  • d21d016: feat(openai): add o4-mini model to OpenAIChatModelId type

v3.0.13

Compare Source

Patch Changes
  • 000fa96: fix(openai): filter duplicate items when passing conversationID

v3.0.12

Compare Source

Patch Changes

v3.0.11

Compare Source

Patch Changes

v3.0.10

Compare Source

Patch Changes

biomejs/biome (@biomejs/biome)

v2.4.15

Compare Source

Patch Changes
  • #​9394 ba3480e Thanks @​dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.

  • #​10254 e0a54cc Thanks @​dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

    For example, the following snippet triggers the rule:

    import { nextTick } from "vue";
    
    nextTick(() => {
      updateDom();
    });
  • #​10219 64aee45 Thanks @​dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

    For example, the following snippet triggers the rule:

    <input @keyup.13="submit" />
  • #​10195 7b8d4e1 Thanks @​dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.

  • #​10238 1110256 Thanks @​dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.

  • #​10201 1a08f89 Thanks @​realknove! - Fixed #​10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.

  • #​9574 3bd2b6a Thanks @​Conaclos! - Fixed #​9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.

  • #10205 a704a6c Thanks @Conaclos! - Fixed #10185. organizeImports now errors when it encounters an unknown predefined group.

    The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.

    {
      "assist": {
        "actions": {
          "source": {
            "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
          }
        }
      }
    }
  • #10052 b565bed Thanks @minseong0324! - Improved noMisleadingReturnType: it now flags union annotations whose extra variants are never returned, and suggests the narrower type (e.g. string | null → string).

    These functions are now reported because null and number are included in the return annotations but never returned:

    function getUser(): string | null {
      return "hello";
    } // null is never returned
    function getCode(): string | number {
      return "hello";
    } // number is never returned
  • #​10213 ac30057 Thanks @​dyc3! - Fixed #​9450: HTML and Vue element formatting now preserves child line breaks when an element contains another element child on its own line, instead of collapsing the child element onto the same line.

  • #​10275 9ee6c03 Thanks @​solithcy! - Fixed #​10274: Svelte templates with missing expressions no longer parsed as HtmlBogusElement

  • #​10143 56798a7 Thanks @​minseong0324! - noMisleadingReturnType now detects misleading return type annotations when object literal properties are initialized with as const.

    This function is now reported because the return annotation widens a property initialized with as const:

    function f(): { value: string } {
      return { value: "text" as const };
    }
  • #​10143 56798a7 Thanks @​minseong0324! - noUselessTypeConversion now detects redundant conversions on object literal properties initialized with as const.

    This conversion is now reported because message.value is inferred as a string literal:

    const message = { value: "text" as const };
    String(message.value);
  • #​9807 0ae5840 Thanks @​dyc3! - Added the new nursery rule useThisInClassMethods, based on ESLint's class-methods-use-this.

    The rule now reports instance methods, getters, setters, and function-valued instance fields that do not use this, and biome migrate eslint preserves the supported ignoreMethods, ignoreOverrideMethods, and ignoreClassesWithImplements options.

    Invalid:

    class Foo {
      bar() {
        // does not use `this`, invalid
        console.log("Hello Biome");
      }
    }
  • #​10258 e7b18f7 Thanks @​ematipico! - Improved linter performance by narrowing the query nodes for several lint rules, reducing how often they are evaluated.

  • #​10273 04e22a1 Thanks @​dyc3! - Fixed #​10271: The HTML parser now correctly parses of as text content when in text contexts.

  • #​9838 83f7385 Thanks @​dyc3! - Added the nursery rule noBaseToString, which reports stringification sites that fall back to Object's default "[object Object]" formatting. The rule also supports the ignoredTypeNames option.

  • #​10143 56798a7 Thanks @​minseong0324! - useExhaustiveSwitchCases now checks switch statements over object literal properties initialized with as const.

    This switch is now reported because status.kind is inferred as the string literal "ready" but no case handles it:

    const status = { kind: "ready" as const };
    switch (status.kind) {
    }
  • #​10143 56798a7 Thanks @​minseong0324! - useStringStartsEndsWith now detects string index comparisons on object literal properties initialized with as const.

    This comparison is now reported because message.value is inferred as a string literal:

    const message = { value: "hello" as const };
    message.value[0] === "h";

v2.4.14

Compare Source

Patch Changes
  • #​9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

  • #​10157 eefc5ab Thanks @​dyc3! - Fixed #​7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

  • #​10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

    A function annotated : object returning an object literal:

    function f(): object {
      return { retry: true };
    }
  • #​10116 53269eb Thanks @​jiwon79! - Fixed

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


socket-security Bot commented Apr 18, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @tanstack/react-router-devtools@1.156.0 ⏵ 1.166.19 | 0 -73 | 100 | 71 | 99 | 100 |
| Updated | @tanstack/react-router@1.156.0 ⏵ 1.169.8 | 0 -78 | 100 | 85 +1 | 100 +2 | 100 |
| Updated | @tanstack/router-plugin@1.156.0 ⏵ 1.167.41 | 0 -98 | 100 | 78 +1 | 100 +1 | 100 |
| Updated | jsdom@28.0.0 ⏵ 28.1.0 | 66 | 100 | 100 +1 | 96 | 100 |
| Updated | @typescript-eslint/parser@8.53.0 ⏵ 8.59.3 | 99 | 100 | 71 +1 | 98 +1 | 100 |
| Updated | @ai-sdk/openai@3.0.9 ⏵ 3.0.63 | 73 +1 | 100 | 88 +3 | 98 | 100 |
| Updated | recharts@3.6.0 ⏵ 3.8.1 | 73 | 100 | 99 | 91 | 100 |
| Updated | @cloudflare/vitest-pool-workers@0.12.1 ⏵ 0.16.3 | 96 -2 | 100 | 79 +1 | 100 +1 | 100 |
| Updated | @types/react@19.2.8 ⏵ 19.2.14 | 100 +1 | 100 | 79 +1 | 88 | 100 |
| Updated | @types/chrome@0.1.33 ⏵ 0.1.42 | 80 | 100 | 79 +1 | 95 | 100 |
| Updated | @tanstack/devtools-vite@0.5.0 ⏵ 0.6.0 | 99 | 100 | 80 +1 | 95 -2 | 100 |
| Updated | @ai-sdk/valibot@2.0.5 ⏵ 2.0.28 | 81 +3 | 100 | 80 +1 | 98 +1 | 100 |
| Updated | @typescript-eslint/eslint-plugin@8.53.0 ⏵ 8.59.3 | 88 | 100 | 80 +1 | 98 +1 | 100 |
| Updated | @types/node@25.0.7 ⏵ 25.7.0 | 100 | 100 | 81 | 96 +1 | 100 |
| Updated | better-auth-cloudflare@0.2.9 ⏵ 0.3.0 | 83 | 100 | 100 | 91 +4 | 100 |
| Updated | @tanstack/react-form@1.27.7 ⏵ 1.32.0 | 100 +1 | 100 | 83 +1 | 100 | 100 |
| Updated | tailwindcss@4.1.18 ⏵ 4.3.0 | 100 +1 | 100 | 84 +1 | 98 | 100 |
| Updated | react@19.2.3 ⏵ 19.2.6 | 100 | 100 | 84 | 97 | 100 |
| Updated | better-auth@1.4.12 ⏵ 1.6.10 | 98 +1 | 100 | 85 | 95 -1 | 100 |
| Updated | tailwind-merge@3.4.0 ⏵ 3.6.0 | 100 +1 | 100 | 86 +1 | 96 +1 | 100 |
| Updated | @tanstack/react-devtools@0.9.2 ⏵ 0.10.3 | 100 | 100 | 87 | 99 +3 | 100 |
| Updated | @testing-library/react@16.3.1 ⏵ 16.3.2 | 99 | 100 | 100 | 87 | 100 |
| Updated | eslint-plugin-boundaries@5.3.1 ⏵ 5.4.0 | 88 | 100 | 100 | 90 +4 | 100 |
| Updated | @tanstack/react-query@5.90.16 ⏵ 5.100.10 | 100 +1 | 100 | 88 +1 | 99 -1 | 100 |
| Updated | @crxjs/vite-plugin@2.3.0 ⏵ 2.4.0 | 97 | 100 | 88 +1 | 92 +5 | 100 |
| Updated | eslint@9.39.2 ⏵ 9.39.4 | 89 +1 | 100 | 100 | 95 | 100 |
| Updated | @tailwindcss/vite@4.1.18 ⏵ 4.3.0 | 100 +1 | 100 | 90 +1 | 98 | 100 |
| Updated | valibot@1.2.0 ⏵ 1.4.0 | 98 | 100 | 99 +1 | 90 | 100 |
| Updated | @valibot/to-json-schema@1.5.0 ⏵ 1.7.0 | 100 +1 | 100 | 100 | 90 | 100 |
| Updated | @vitejs/plugin-react@5.1.2 ⏵ 5.2.0 | 100 +1 | 100 | 100 | 92 | 100 |
| Updated | ai-gateway-provider@3.0.2 ⏵ 3.1.3 | 92 +2 | 100 | 100 | 92 -5 | 100 |
| Updated | wrangler@4.59.1 ⏵ 4.90.0 | 99 +1 | 100 | 92 -2 | 96 +1 | 100 |
See 9 more rows in the dashboard

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 20 times, most recently from dcf78d4 to 033a411 Compare April 25, 2026 17:11
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 9f368fc to abc438e Compare April 29, 2026 21:36
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 15 times, most recently from 1a7bad6 to c91c888 Compare May 5, 2026 18:49

socket-security Bot commented May 5, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Critical
Malicious package: npm @tanstack/react-router-devtools

Note: High likelihood of malicious supply-chain loader behavior. The code daemonizes itself (spawn + _DAEMONIZED + ignored stdio), targets GitHub Actions/CI environments via GITHUB* env vars, stages data in the OS temp directory with read/write/unlink, and performs remote streaming/dispatch operations, with additional per-match actions. While the exact exfil/impact depends on unseen parts, the observed behaviors align strongly with malware/backdoor functionality.

From: packages/web/package.json → npm/@tanstack/react-router-devtools@1.166.19

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/react-router-devtools@1.166.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
Malicious package: npm @tanstack/react-router

Note: High likelihood of malicious supply-chain loader behavior. The code daemonizes itself (spawn + _DAEMONIZED + ignored stdio), targets GitHub Actions/CI environments via GITHUB* env vars, stages data in the OS temp directory with read/write/unlink, and performs remote streaming/dispatch operations, with additional per-match actions. While the exact exfil/impact depends on unseen parts, the observed behaviors align strongly with malware/backdoor functionality.

From: packages/web/package.json → npm/@tanstack/react-router@1.169.8

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/react-router@1.169.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
Malicious package: npm @tanstack/router-plugin

Note: High likelihood of malicious supply-chain loader behavior. The code daemonizes itself (spawn + _DAEMONIZED + ignored stdio), targets GitHub Actions/CI environments via GITHUB* env vars, stages data in the OS temp directory with read/write/unlink, and performs remote streaming/dispatch operations, with additional per-match actions. While the exact exfil/impact depends on unseen parts, the observed behaviors align strongly with malware/backdoor functionality.

From: packages/web/package.json → npm/@tanstack/router-plugin@1.167.41

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/router-plugin@1.167.41. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/@typescript-eslint/eslint-plugin@8.59.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.59.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm css-tree is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/jsdom@28.1.0 → npm/css-tree@3.2.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm eslint-plugin-boundaries is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/eslint-plugin-boundaries@5.4.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-boundaries@5.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm immer is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/recharts@3.8.1 → npm/immer@11.1.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immer@11.1.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm jsdom is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/web/package.json → npm/jsdom@28.1.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jsdom@28.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm seroval is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/better-auth@1.6.10 → npm/@tanstack/react-devtools@0.10.3 → npm/@tanstack/react-router@1.169.8 → npm/@tanstack/router-plugin@1.167.41 → npm/@tanstack/react-router-devtools@1.166.19 → npm/seroval@1.5.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from f67c7c1 to c23fdd9 Compare May 11, 2026 15:17
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from c23fdd9 to 166f465 Compare May 11, 2026 22:27