Skip to content

fix(deps): update all non-major dependencies#222

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#222
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@commitlint/cli (source) ^21.0.2^21.2.1 age confidence
@commitlint/config-conventional (source) ^21.0.2^21.2.0 age confidence
@sentry/node (source) ^10.62.0^10.64.0 age confidence
@vitest/coverage-v8 (source) ^4.1.9^4.1.10 age confidence
evlog (source) ^2.19.2^2.20.0 age confidence
oxfmt (source) ^0.56.0^0.58.0 age confidence
oxlint (source) ^1.71.0^1.73.0 age confidence
pnpm (source) 11.9.011.10.0 age confidence
prettier (source) ^3.8.4^3.9.4 age confidence
tsdown (source) ^0.22.3^0.22.4 age confidence
vitest (source) ^4.1.9^4.1.10 age confidence

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v21.2.1

Compare Source

Note: Version bump only for package @​commitlint/cli

v21.2.0

Compare Source

Features
  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#​4859) (fdb566f)

v21.1.0

Compare Source

Features

21.0.2 (2026-05-29)

Bug Fixes

21.0.1 (2026-05-12)

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.2.0

Compare Source

Features
  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#​4859) (fdb566f)

v21.1.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

21.0.2 (2026-05-29)

Note: Version bump only for package @​commitlint/config-conventional

21.0.1 (2026-05-12)

Note: Version bump only for package @​commitlint/config-conventional

getsentry/sentry-javascript (@​sentry/node)

v10.64.0

Compare Source

Important Changes
  • feat(cloudflare): Add nodejs_compat entrypoint (#​21881)

    The Cloudflare SDK now ships a dedicated @sentry/cloudflare/nodejs_compat entrypoint for Workers running with the nodejs_compat flag. This entrypoint unlocks Node SDK features on Cloudflare, including the prismaIntegration (#​21882) and AI v7 support for the vercelAiIntegration (#​21917).

    This entrypoint is a drop-in replacement, so you can switch your imports from @sentry/cloudflare directly to @sentry/cloudflare/nodejs_compat. To use it, your Worker must set the nodejs_compat compatibility flag in wrangler.toml/wrangler.jsonc. This will become the default entrypoint in v11.

  • feat: Use Sentry's minimal OpenTelemetry tracer provider by default (#​21666, #​21680, #​21842)

    The Node SDK now registers Sentry's own minimal SentryTracerProvider by default, which creates native Sentry spans directly instead of routing them through the full OpenTelemetry SDK span pipeline. This reduces overhead for the common case where you don't need the full OpenTelemetry tracing stack.

    If you rely on OpenTelemetry SDK features that the minimal provider doesn't support, you can opt out and fall back to the full OpenTelemetry BasicTracerProvider by setting openTelemetryBasicTracerProvider: true in your Sentry.init() options. Providing custom openTelemetrySpanProcessors also forces the full provider automatically.

Other Changes
  • feat(bun,deno,node): pg orchestrion instrumentation (#​21826)
  • feat(bun): enable new mysql, pg integrations in 'bun build' (#​21828)
  • feat(cloudflare): Enable AI v7 support for Cloudflare in the /nodejs_compat entrypoint (#​21917)
  • feat(cloudflare): Expose prismaIntegration in nodejs_compat export (#​21882)
  • feat(core): Add sentry.trace_lifecycle attribute (#​21850)
  • feat(core): Add deferred segment-span transaction capture (#​21839)
  • feat(deps): Bump OpenTelemetry dependencies to latest (#​21988)
  • feat(mongoose): Instrument mongoose >= 9.7 via native tracing channels (#​21803)
  • feat(replays): Record segment names that occur during replay (#​21851)
  • fix(browser): Accept precisely-typed GrowthBook class in growthbookIntegration (#​21825)
  • fix(browser): Flush telemetry when page is hidden (#​21862)
  • fix(cloudflare): Catch potential errors during flush and dispose (#​21976)
  • fix(core): Capture Anthropic stream stop_reason from message_delta (#​21907)
  • fix(core): Print getTraceMetaTags in 1 line to prevent hydration errors (#​22004)
  • fix(nextjs): Add immutable browser chunks to upload assets (#​21978)
  • fix(nextjs): Handle Middleware.execute root spans on Node.js runtime (#​22013)
  • fix(react/solid/vue): Instrument TanStack Router navigations via onBeforeLoad/onResolved (#​21975)
Internal Changes
  • chore: Add experimentalUseDiagnosticsChannelInjection in node size-limit (#​21992)
  • chore: Add external contributor to CHANGELOG.md (#​21945)
  • chore: Clarify usage of hoistTransitiveImports option (#​21888)
  • chore: Make @​sentry/conventions sideEffect free during bundling (#​22015)
  • chore: Remove runtime ESM/CJS switching (#​21761)
  • chore(ci): Replace app-id with client-id in GH workflows (#​21914)
  • chore(cloudflare): Disallow Node SDK usage outside of nodejs_compat (#​21884)
  • chore(cloudflare): Disallow server-utils usage outside of nodejs_compat (#​21918)
  • chore(node-core): Move isCjs to its own file to prevent sideEffects (#​21856)
  • ci: Increase Node integration test timeout to 20 minutes (#​21903)
  • deps(server-utils): Bump @​apm-js-collab/tracing-hooks to 0.10.1 (#​21892)
  • feat(server-utils): Implement orchestrion-based instrumentation for vercel-ai v6 (#​21658)
  • feat(server-utils): Migrate @opentelemetry/instrumentation-ioredis to orchestrion (#​21849)
  • feat(server-utils): Migrate Anthropic integration to orchestrion (#​21902)
  • feat(server-utils): Migrate OpenAI integration to orchestrion (#​21877)
  • feat(server-utils): Rewrite @opentelemetry/instrumentation-hapi to orchestrion (#​21866)
  • ref(core): Add @sentry/conventions to @sentry/core and align versions (#​21855)
  • ref(deno): add deno-integration-tests dev-package (#​21827)
  • ref(node-core): Move node fetch instrumentation into node-core (#​21873)
  • ref(node): Fold breadcrumb & trace propagation into node fetch instrumentation (#​21872)
  • ref(node): Refactor orchestrion config into separate files (#​21957)
  • ref(node): Streamline Prisma v5 instrumentation (#​21980)
  • ref(node): Use @sentry/conventions and vendor remaining semantic conventions (#​21893)
  • test(browser): Fix web worker route-registration race in debug ID test (#​21920)
  • test(e2e): Fix failing nitro-3 e2e test due to broken dependency (#​21895)
  • test(e2e): Revert nf3 dependency override in nitro-3 e2e test (#​21951)
  • test(e2e): Use injectDiagnostics for orchestrion marker (#​21987)
  • test(google-genai): Move google-genai integration tests to use a real client (#​21909)
  • test(nextjs): Tolerate aborted navigation in streaming RSC error E2E test (#​21847)
  • test(node): Attempt to unflake docker-based node integration tests (#​21905)
  • test(node): Automatically run all node-integration tests with orchestrion (#​21911)
  • test(node): Collapse mysql span streaming tests into same suite (#​21890)
  • test(node): Ensure logs are auto-printed when a test fails (#​21887)
  • test(node): Improve tests for Prisma v5 (#​21876)
  • test(node): Migrate fs & contextLines-filename integration tests to helpers (#​21958)
  • test(node): Migrate http client span tests to createCjsTests (#​21956)
  • test(node): Migrate logging integration tests to create*Tests helpers (#​21955)
  • test(node): Refactor remaining express integrations tests to new runner (#​21949)
  • test(node): Update pg-native tests to use additionalDependencies (#​21878)
  • tests(core): Move anthropic node integration tests to use a real client (#​21906)

Work in this release was contributed by @​codr and @​zenato. Thank you for your contribution!

Bundle size 📦

Path Size
@​sentry/browser 26.94 KB
@​sentry/browser - with treeshaking flags 25.42 KB
@​sentry/browser (incl. Tracing) 45.16 KB
@​sentry/browser (incl. Tracing + Span Streaming) 46.89 KB
@​sentry/browser (incl. Tracing, Profiling) 49.82 KB
@​sentry/browser (incl. Tracing, Replay) 83.53 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 73.38 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 88.12 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 100.48 KB
@​sentry/browser (incl. Feedback) 43.71 KB
@​sentry/browser (incl. sendFeedback) 31.62 KB
@​sentry/browser (incl. FeedbackAsync) 36.63 KB
@​sentry/browser (incl. Metrics) 28 KB
@​sentry/browser (incl. Logs) 28.23 KB
@​sentry/browser (incl. Metrics & Logs) 28.9 KB
@​sentry/react 28.7 KB
@​sentry/react (incl. Tracing) 47.38 KB
@​sentry/vue 32.25 KB
@​sentry/vue (incl. Tracing) 46.98 KB
@​sentry/svelte 26.97 KB
CDN Bundle 29.3 KB
CDN Bundle (incl. Tracing) 47.11 KB
CDN Bundle (incl. Logs, Metrics) 30.83 KB
CDN Bundle (incl. Tracing, Logs, Metrics) 48.38 KB
CDN Bundle (incl. Replay, Logs, Metrics) 69.15 KB
CDN Bundle (incl. Tracing, Replay) 83.73 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 84.99 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 89.38 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 90.64 KB
CDN Bundle - uncompressed 87.26 KB
CDN Bundle (incl. Tracing) - uncompressed 142.54 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed 91.85 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 146.42 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 213.62 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 258.91 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 262.78 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 272.29 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 276.15 KB
@​sentry/nextjs (client) 49.75 KB
@​sentry/sveltekit (client) 45.56 KB
@​sentry/core/server 76.54 KB
@​sentry/core/browser 63.21 KB
@​sentry/node-core 61.73 KB
@​sentry/node 120.85 KB
@​sentry/node (incl. diagnostics channel injection) 126.65 KB
@​sentry/node/import (ESM hook with diagnostics-channel injection) 68.31 KB
@​sentry/node/light 49.53 KB
@​sentry/node - without tracing 73.06 KB
@​sentry/aws-serverless 83.59 KB
@​sentry/cloudflare (withSentry) - minified 177.42 KB
@​sentry/cloudflare (withSentry) 438.86 KB

v10.63.0

Compare Source

  • feat(browser): Add url.full attribute to resource spans (#​21846)
  • feat(core): Add extendIntegration method (#​21759)
  • feat(core): Add isTracingSuppressed to the async context strategy (#​21785)
  • feat(core): Pass normalizedRequest to the sampling context for root spans (#​21833)
  • feat(node): Add lru-memoizer diagnostics-channel integration to experimentalUseDiagnosticsChannelInjection (#​21786)
  • feat(node): Expose channel-based, streamlined fastifyIntegration (#​21706)
  • fix(browser): Defer sending session envelope until browser is idle (#​21844)
  • fix(core): Improve waiting for tracing channel bindings (#​21815)
  • fix(core): Serialize streamed span status message to sentry.status.message attribute (#​21811)
  • fix(nextjs): Don't inject trace meta tags when Cache Components is enabled (#​21141)
  • fix(opentelemetry): Strip leading ? and # from inferred http.query and http.fragment (#​21848)
  • fix(tanstackstart-react): Drop server transactions for tunnel route requests (#​21769)
Internal Changes
  • chore: Add external contributor to CHANGELOG.md (#​21832)
  • chore: Hoist transitive imports for bundles (#​21858)
  • chore: Mark http.query/http.fragment stripping for v11 url.query migration (#​21852)
  • docs: Use Cloudflare nodejs_compat flag (#​21659)
  • feat(server-utils): Add lru-memoizer diagnostics-channel integration (#​21786)
  • feat(server-utils): Expose channel-based, streamlined fastifyIntegration (#​21706)
  • feat(server-utils): Restore caller context for callback tracing channels (#​21863)
  • ref(core): Move spanStreamingIntegration setup into ServerRuntimeClient (#​21814)
  • ref(node): Infer orchestrion integration names (#​21834)
  • ref(node): Move node-fetch instrumentation away from InstrumentBase (#​21778)
  • ref(node): Streamline Prisma instrumentation (v6 and v7) (#​21819)
  • ref(node): Streamline vendored mysql instrumentation (#​21568)
  • ref(server-utils): Ensure ts3.8 has diagnostics channel shim (#​21845)
  • ref(server-utils): Move mysql orchestrion integration onto bindTracingChannelToSpan (#​21865)
  • ref(server-utils): Set error attributes on span and simplify error info extraction (#​21822)
  • test: Introduce .unordered in node-integration-tests (#​21697)
  • test(cloudflare): Align CF types and compat flags (#​21835)
  • test(e2e/hono): Isolate request-data extraction tests onto a dedicated route (#​21869)
  • test(node-integration): Harden knex mysql2 healthcheck to fix flaky test (#​21868)
  • test(node-integration-tests): Fix flaky postgresjs basic transaction/error ordering (#​21870)
  • test(node-integration-tests): Retry transient docker compose up failures (#​21860)
  • test(nuxt): Test mysql instrumentation with orchestrion bundler plugin (#​21782)

Work in this release was contributed by @​suzunn. Thank you for your contribution!

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
HugoRCD/evlog (evlog)

v2.20.0

Compare Source

What's Changed

Features 🚀
Bug Fixes 🐞

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.19.2...evlog@2.20.0

oxc-project/oxc (oxfmt)

v0.58.0

Compare Source

v0.57.0

Compare Source

oxc-project/oxc (oxlint)

v1.73.0

Compare Source

🚀 Features
  • a2c97f3 linter/unicorn: Implement explicit-timer-delay rule (#​23612) (Mikhail Baev)
  • 85735cb linter/unicorn: Implement no-confusing-array-with rule (#​23638) (Shekhu☺️)
  • cb4fbb9 linter/eslint: Implement no-unreachable-loop rule (#​23975) (Todor Andonov)
  • dc32112 linter/eslint/no-constant-binary-expression: Check relational comparisons (#​24088) (camc314)
  • d963967 linter/unicorn/no-array-sort: Add allowAfterSpread option (#​24043) (Boshen)
  • 0a75682 linter: Add per-rule timings for type-aware linting (#​22488) (camchenry)
  • 743e222 linter/react: Add disallowedValues option for forbid-dom-props rule (#​23970) (Mikhail Baev)
🐛 Bug Fixes
  • bdb51c7 linter/jest/prefer-ending-with-an-expect: Validate config patterns (#​24122) (camc314)
  • 45d607d linter/react/forbid-component-props: Make allow/disallow lists optional in schema (#​24024) (Boshen)

v1.72.0

Compare Source

🚀 Features
  • 1c8f50c linter: Add schema for eslint/no-restricted-import (#​23642) (Sysix)
🐛 Bug Fixes
  • 742be36 refactor/node/handle-callback-err: Reject invalid regex config (#​23740) (camc314)
pnpm/pnpm (pnpm)

v11.10.0

Compare Source

Minor Changes
  • e2e3c81: Added the issues command as an alias of bugs, so pnpm issues opens the package's bug tracker URL in the browser.

  • 8491f8e: Added the prefix command which prints the current package prefix directory (or global prefix directory if -g / --global is used).

  • 3425e80: Added an _auth setting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existing pnpm_config_//host/:_authToken=… form (env var names containing /, :, or . are silently dropped). Closes #​12314.

    The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use http or https and must not include credentials, query strings, or fragments:

    export pnpm_config__auth='{"https://registry.npmjs.org":{"@​":{"authToken":"npm-token"},"@​org":{"authToken":"org-token"}}}'

    The equivalent in the global config.yaml:

    _auth:
      https://registry.npmjs.org:
        "@​":
          authToken: npm-token
        "@​org":
          authToken: org-token

    Within each registry URL, @ means registry-wide/default credentials and package scopes like @org bind credentials to that scope on the same host. The only supported credential field is authToken (maps to _authToken / bearer auth); the deprecated basicAuth / username + password forms are intentionally not accepted here.

    Each entry also infers a trusted registry route: @ routes the default registry (and pnpm add <pkg> resolves there), and @org routes that scope. Because the credential and destination host arrive in one trusted value, repo-controlled pnpm-workspace.yaml or project .npmrc cannot redirect the token to a different host. _auth is honored only from the env var and the global config — it is ignored in a project pnpm-workspace.yaml / .npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry, --@&#8203;scope:registry) > pnpm_config__auth > global config.yaml _auth > pnpm-workspace.yaml.

    Both pnpm_config__auth (lowercase, documented form) and PNPM_CONFIG__AUTH (all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the global config.yaml _auth on a conflicting key. tokenHelper is not supported in _auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.

    Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI: authToken.

  • a33eeec: pnpm self-update and packageManager version-switching can now install and link pnpm v12 (the Rust port), published with equal content under both the pnpm and @pnpm/exe names on the next-12 dist-tag. Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like @pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscoped pnpm package (the Rust exe) — even when updating from the SEA @pnpm/exe build.

  • 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the Authorization header identifying the caller to pnpr is sent. The pnpr server now selects upstream credentials from its own route policy (operator-configured upstream credential aliases), so private dependencies resolve through a pnpr-managed alias the caller is authorized to use, rather than by sending the client's registry tokens to the server.

  • 1e81761: Expose web authentication authUrl and doneUrl in JSON error output when OTP is required in a non-interactive terminal #​12724.

Patch Changes
  • 2f389d6: Added the Node.js release team's new signing key (Stewart X Addison, 655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD) to the embedded Node.js release keys, so runtimes whose SHASUMS256.txt is signed by the new releaser verify successfully.

  • acbdb94: Fixed shell tab completion not suggesting workspaces after the -F alias for --filter option.

  • dcabb78: Fixed pnpm up -r <pkg> bumping unrelated packages that have open semver ranges. Previously, any update mutation nullified the lockfile-derived preferredVersions globally, so packages with ^x.y.z ranges could re-resolve to newer compatible versions even though the user only asked to update a specific package. The install layer now always seeds preferredVersions from the lockfile, and caller-supplied preferred versions (such as the vulnerability penalties of pnpm audit --fix) layer on top of the seed instead of replacing it. The targeted package still bumps: the per-resolve updateRequested flag makes the resolver ignore the target's own lockfile pins.

    Closes #​10662.

  • d539172: Fixed pnpm pack and pnpm publish failing when prepack generates files that are included in the package and postpack cleans them up.

  • be6505a: Hardened global package management:

    • On Windows, removing or updating a global package now also cleans up the node.exe flavor of a bin, so a stale node.exe no longer survives on PATH after uninstall, and a new global install no longer silently overwrites an existing node.exe.
    • pnpm add -g pnpm@<version> (and @pnpm/exe@<version>) is now rejected like the bare pnpm form, pointing to pnpm self-update.
    • Dependency aliases read from a global package's manifest are validated before being joined onto node_modules paths, preventing a tampered manifest from escaping the install directory.
    • Each global install group is created in its own freshly-made directory (no longer reusing a colliding or pre-existing path).
    • Removing or updating a global package no longer unlinks a bin that belongs to a different globally installed package.
  • 25c7388: pnpm now rejects jsr: specifiers whose package name is not a valid npm package name — an empty scope or name (e.g. jsr:@&#8203;scope/), path separators inside the name, or any other shape validate-npm-package-name rejects — with ERR_PNPM_INVALID_JSR_PACKAGE_NAME instead of silently converting them into a malformed @jsr/... npm package name.

  • 25c7388: pnpm now rejects named-registry specifiers (e.g. gh:) whose package name is not a valid npm package name — an empty scope (e.g. gh:@&#8203;/bar), path separators inside the name (e.g. gh:@&#8203;scope/../name), or any other shape validate-npm-package-name rejects — with ERR_PNPM_INVALID_NAMED_REGISTRY_PACKAGE_NAME instead of passing the name through to registry URLs and metadata cache file paths.

  • 96da7c5: node-gyp's gyp_main.py and gyp entrypoints are now packed with the executable bit in the pnpm and @pnpm/exe tarballs. Without it, building native addons from source could fail with a permission error.

  • 99982b9: Sped up resolution and reduced memory use against registries that ignore npm's abbreviated metadata format and always return the full package document (for example, Azure DevOps Artifacts). pnpm now strips such documents down to the abbreviated field set before caching them. Resolution output is unchanged, and registries that honor the abbreviated format (such as the npm registry) pay no extra cost.

  • 11a7fdd: Sped up offline and --prefer-offline resolution on large workspaces (e.g. pnpm dedupe --offline, pnpm install --offline). Package metadata loaded from the local cache is now kept in memory, so each package's metadata is parsed once per command instead of once per dependent that references it.

  • 2c7369d: pnpm pack-app now rejects --entry / pnpm.app.entry and --output-dir / pnpm.app.outputDir values that are absolute paths or escape the project directory via .. (or a symlink that resolves outside it), and refuses to write the produced executable when its target path already exists as a symlink (or other non-regular file). This prevents a repository-controlled package.json from embedding host files (such as an SSH key) into the produced executable, writing build artifacts outside the project, or overwriting an arbitrary file through a committed symlink. The new error codes are ERR_PNPM_PACK_APP_ENTRY_OUTSIDE_PROJECT, ERR_PNPM_PACK_APP_OUTPUT_DIR_OUTSIDE_PROJECT, and ERR_PNPM_PACK_APP_OUTPUT_FILE_NOT_REGULAR.

    When ad-hoc signing macOS targets, pnpm pack-app now runs the system codesign by absolute path and resolves ldid to a location outside the project, so a repository-controlled node_modules/.bin on PATH cannot hijack the signer.

  • ce5d5a5: Relative paths in patchedDependencies are now resolved against the lockfile directory when computing patch file hashes, so running pnpm install from a subdirectory no longer fails with ENOENT looking for the patch file in the wrong location #​12762.

  • ebb4096: pnpm peers no longer reports a conflict for a missing peer dependency that is ignored via pnpm.peerDependencyRules.ignoreMissing.

  • dcabb78: Fixed a prototype-pollution hazard when seeding preferred versions: a dependency named __proto__ in a manifest or in pnpm-lock.yaml could write through Object.prototype (or crash the install) while the preferred-versions map was being built. The maps are now null-prototype objects, so crafted package names land as plain keys.

  • f38e696: Hardened pnpm deploy --force so it refuses unsafe deploy targets such as workspace roots, parent directories, out-of-workspace paths, and symlinked target parents.

  • 806c3ec: pnpm no longer warns about ignored project-level auth settings when PNPM_CONFIG_NPMRC_AUTH_FILE points at the project .npmrc — setting it to that file is an explicit opt-in to trusting it, so auth env variables in it are expanded pnpm/pnpm#12480.

  • 991405e: Restore differential rendering (ansi-diff) to fix duplicated output lines introduced by #​12351.

  • c121235: Fixed the topological order of --filtered commands (pnpm run, pnpm exec, pnpm publish, pnpm pack, pnpm rebuild) when the selected projects depend on each other only transitively through projects that were not selected. Previously such selected projects could run concurrently or in the wrong order; now a project always runs after the selected projects it transitively depends on, while projects without a real dependency relationship still run concurrently. This now also holds for prod-only filters (--filter-prod), which resolve order through the production dependency graph so transitive production dependencies are respected without pulling back the dev dependencies the filter drops, and for selections that mix --filter with --filter-prod #​8335.

  • d539172: pnpm pack and pnpm publish no longer follow a symlinked workspace LICENSE file when injecting it into a package that has no license of its own. Following the symlink could pack bytes from outside the workspace into the published tarball.

  • dcabb78: Fixed pnpm up <pkg> producing a different result than a fresh install of the same manifests would. The resolver now distinguishes updateRequested (true only for packages that match the user's update target) from the broader update flag, and for the targeted package ignores only its own lockfile-derived preferred-version pins — so the target re-resolves exactly as if its lockfile entries were deleted and pnpm install ran. Preferred versions a fresh install applies (manifest pins, versions propagated down the dependency chain, and the vulnerability-avoidance penalties of pnpm audit --fix) stay in effect, so an update never installs duplicate versions that a reinstall from scratch would not reproduce. When a preferred version holds the update target below the newest version its range admits, pnpm now prints a warning explaining that reaching the newer version everywhere requires an override.

  • dcabb78: pnpm update <dep>@&#8203;<version> now prints a warning when <dep> is only present as a transitive dependency: the requested version cannot be applied there (updates resolve the target the way a fresh install would), and the warning recommends adding the version to pnpm.overrides instead, which is the mechanism that does pin transitive dependencies. Closes #​12744.

  • a6c4d5f: When a dependency cannot be found in the registry (404) or the registry has no matching version, and a workspace project with the same name exists only at non-matching versions, the error now reports the available workspace versions (ERR_PNPM_NO_MATCHING_VERSION_INSIDE_WORKSPACE) instead of the raw registry failure pnpm/pnpm#1379. Other registry failures (authorization, network, server errors) still propagate unchanged. The pacquet (Rust) resolver applies the same behavior.

prettier/prettier (prettier)

v3.9.4

Compare Source

v3.9.3

Compare Source

v3.9.2

Compare Source

v3.9.1

Compare Source

v3.9.0

Compare Source

diff

🔗 Release Notes

v3.8.5

Compare Source

rolldown/tsdown (tsdown)

v0.22.4

Compare Source

   🚀 Features
   🐞 Bug Fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 12pm on Sunday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@renovate renovate Bot added the dependencies label Jul 5, 2026
@renovate
renovate Bot requested a review from RedStar071 as a code owner July 5, 2026 02:08
@renovate renovate Bot added the dependencies label Jul 5, 2026
@github-project-automation github-project-automation Bot moved this to Todo in Wolfstar Jul 5, 2026
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from d7d274d to a68b758 Compare July 6, 2026 09:00
@renovate

renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
? Verifying lockfile against supply-chain policies (890 entries)...
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 20, reused 0, downloaded 0, added 0
Progress: resolved 31, reused 0, downloaded 0, added 0
Progress: resolved 45, reused 0, downloaded 0, added 0
Progress: resolved 55, reused 0, downloaded 0, added 0
Progress: resolved 60, reused 0, downloaded 0, added 0
Progress: resolved 63, reused 0, downloaded 0, added 0
Progress: resolved 64, reused 0, downloaded 0, added 0
Progress: resolved 65, reused 0, downloaded 0, added 0
Progress: resolved 66, reused 0, downloaded 0, added 0
[WARN] Request took 11756ms: https://registry.npmjs.org/typescript
Progress: resolved 67, reused 0, downloaded 0, added 0
[WARN] Request took 10767ms: https://registry.npmjs.org/@prisma%2Fengines
Progress: resolved 68, reused 0, downloaded 0, added 0
[WARN] Request took 12715ms: https://registry.npmjs.org/@prisma%2Fdebug
[WARN] Request took 13516ms: https://registry.npmjs.org/@prisma%2Fget-platform
[WARN] Request took 13853ms: https://registry.npmjs.org/@prisma%2Fgenerator-helper
[WARN] Request took 14502ms: https://registry.npmjs.org/@prisma%2Ffetch-engine
[WARN] Request took 17322ms: https://registry.npmjs.org/prisma
Progress: resolved 69, reused 0, downloaded 0, added 0
[WARN] Request took 18761ms: https://registry.npmjs.org/@prisma%2Fclient
Progress: resolved 71, reused 0, downloaded 0, added 0
Progress: resolved 253, reused 0, downloaded 0, added 0
[WARN] Request took 18999ms: https://registry.npmjs.org/@prisma%2Fclient
✓ Lockfile passes supply-chain policies (890 entries in 21.7s)
Progress: resolved 273, reused 0, downloaded 0, added 0
Progress: resolved 477, reused 0, downloaded 0, added 0
Progress: resolved 504, reused 0, downloaded 0, added 0
Progress: resolved 514, reused 0, downloaded 0, added 0
Progress: resolved 582, reused 0, downloaded 0, added 0
Progress: resolved 848, reused 0, downloaded 0, added 0
Progress: resolved 854, reused 0, downloaded 0, added 0
Progress: resolved 906, reused 0, downloaded 0, added 0
[ERR_PNPM_NO_MATURE_MATCHING_VERSION] 3 versions do not meet the minimumReleaseAge constraint:
  @commitlint/cli@21.2.1 was published at 2026-07-08T07:48:07.331Z, within the minimumReleaseAge cutoff (2026-07-07T10:56:46.771Z)
  @commitlint/read@21.2.1 was published at 2026-07-08T07:48:05.596Z, within the minimumReleaseAge cutoff (2026-07-07T10:56:46.771Z)
  tsdown@0.22.4 was published at 2026-07-08T07:31:34.336Z, within the minimumReleaseAge cutoff (2026-07-07T10:56:46.771Z)

@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from f133774 to 9ef068a Compare July 7, 2026 16:58
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 9ef068a to b03eed9 Compare July 8, 2026 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

0 participants