chore(deps): update all non-major dependencies#24

Open

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/all-minor-patch

renovate Bot commented Feb 25, 2026 •

edited

Loading

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@antfu/eslint-config	`^7.4.3` → `^7.7.3`			pnpm.catalog.dev	minor
@commitlint/cli (source)	`^20.4.2` → `^20.5.3`			pnpm.catalog.dev	minor
@commitlint/config-conventional (source)	`^20.4.2` → `^20.5.3`			pnpm.catalog.dev	minor
@types/node (source)	`^25.3.0` → `^25.9.3`			pnpm.catalog.types	minor
@vitest/browser-playwright (source)	`^4.0.18` → `^4.1.9`			pnpm.catalog.test	minor
@vitest/coverage-v8 (source)	`^4.0.18` → `^4.1.9`			pnpm.catalog.test	minor
eslint (source)	`^9.39.3` → `^9.39.4`			pnpm.catalog.dev	patch
lint-staged	`^16.2.7` → `^16.4.0`			pnpm.catalog.dev	minor
node (source)	`>=24.13.1` → `>=24.16.0`			engines	minor
playwright (source)	`^1.58.2` → `^1.61.0`			pnpm.catalog.test	minor
pnpm (source)	`10.30.1` → `10.34.3`			packageManager	minor
pnpm (source)	`>=10.30.1` → `>=10.34.3`			engines	minor
vitest (source)	`^4.0.18` → `^4.1.9`			pnpm.catalog.test	minor

Release Notes

antfu/eslint-config (@antfu/eslint-config)

`v7.7.3`

🐞 Bug Fixes

Disable some e18e rules - by @antfu (7edec)

View changes on GitHub

`v7.7.2`

🐞 Bug Fixes

Exclude the zed terminal from editor detection - by @mattmess1221 in #834 (9484a)
Enable typescript when tsgo installed - by @9romise in #833 (4665e)
e18e: moduleReplacements should only enable in lib - by @antfu (61658)

View changes on GitHub

`v7.7.0`

🚀 Features

Zed support - by @hyoban in #827 (30fcb)
Integrate @e18e/eslint-plugin - by @9romise in #830 (ebd46)

🐞 Bug Fixes

markdown: Disable 'markdown/fenced-code-language' rule - by @jinghaihan in #831 (0c44d)

View changes on GitHub

`v7.6.1`

🐞 Bug Fixes

Separate node plugins setup and rules, fix #817 - by @antfu in #817 (fa3b0)

View changes on GitHub

`v7.6.0`

🚀 Features

jsonc: Use jsonc/x language - by @hyoban in #824 (a9b7a)

🐞 Bug Fixes

jsdoc: Separate setup - by @hyoban in #825 (6742d)

View changes on GitHub

`v7.5.0`

🚀 Features

markdown: Use markdown language - by @hyoban and @antfu in #818 (93063)

View changes on GitHub

conventional-changelog/commitlint (@commitlint/cli)

`v20.5.3`

Note: Version bump only for package @commitlint/cli

`v20.5.2`

Note: Version bump only for package @commitlint/cli

`v20.5.0`

Bug Fixes

cli: validate that --cwd directory exists before execution (#4658) (cf80f75), closes #4595

20.4.4 (2026-03-12)

Note: Version bump only for package @commitlint/cli

20.4.3 (2026-03-03)

Bug Fixes

footer parser does not escape special chars for regex #4560 (#4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @commitlint/cli

20.4.1 (2026-02-02)

Note: Version bump only for package @commitlint/cli

`v20.4.4`

Note: Version bump only for package @commitlint/cli

`v20.4.3`

Bug Fixes

footer parser does not escape special chars for regex #4560 (#4634) (8ff7c7f)

conventional-changelog/commitlint (@commitlint/config-conventional)

`v20.5.3`

Note: Version bump only for package @commitlint/config-conventional

`v20.5.0`

Note: Version bump only for package @commitlint/config-conventional

20.4.4 (2026-03-12)

Note: Version bump only for package @commitlint/config-conventional

20.4.3 (2026-03-03)

Bug Fixes

footer parser does not escape special chars for regex #4560 (#4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @commitlint/config-conventional

20.4.1 (2026-02-02)

Note: Version bump only for package @commitlint/config-conventional

`v20.4.4`

Note: Version bump only for package @commitlint/config-conventional

`v20.4.3`

Bug Fixes

footer parser does not escape special chars for regex #4560 (#4634) (8ff7c7f)

vitest-dev/vitest (@vitest/browser-playwright)

`v4.1.9`

🐞 Bug Fixes

Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)
browser:
- Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #10555 (7fb29)
- Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #10497 and #10556 (fbc62)
mocker:
- Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #10548 (2c955)
pool:
- Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #10543 and #10564 (934b0)

View changes on GitHub

`v4.1.8`

🐞 Bug Fixes

browser:
- Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)
- Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in #10474 (675b4)

View changes on GitHub

`v4.1.7`

🐞 Bug Fixes

runner: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in #10384 (4f0f2)

View changes on GitHub

`v4.1.6`

🐞 Bug Fixes

browser: Provide project reference in ToMatchScreenshotResolvePath - by @macarie and @sheremet-va in #10138 (31882)
Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in #10196 (2847d)
browser: Simplify orchestrator otel carrier - by @hi-ogawa in #10285 (18af9)

🏎 Performance

Stringify diff objects only once - by @sheremet-va in #10276 (9f7b1)

View changes on GitHub

`v4.1.5`

🚀 Experimental Features

coverage: Istanbul to support instrumenter option - by @BartWaardenburg and @AriPerkkio in #10119 (0e0ff)

🐞 Bug Fixes

--project negation excludes browser instances - by @felamaslen in #10131 (9423d)
Project color label on html reporter - by @hi-ogawa in #10142 (596f7)
Fix vi.defineHelper called as object method - by @hi-ogawa in #10163 (122c2)
Alias agent reporter to minimal - by @sheremet-va in #10157 (663b9)
Respect diff config options in soft assertions - by @Copilot, sheremet-va and @sheremet-va in #8696 (9787d)
Respect diff config options in soft assertions " - by @sheremet-va in #8696 (7dc6d)
ast-collect: Recognize _vi_import prefix in static test discovery - by @Yejneshwar in #10129 (32546)
coverage: Descriptive error message when reports directory is removed during test run - by @DaveT1991 and @AriPerkkio in #10117 (14133)
snapshot: Increase default snapshot max output length - by @hi-ogawa and Codex in #10150 (21e66)
ui: Fix jsx/tsx syntax highlight - by @hi-ogawa in #10152 (f1b1f)
web-worker: Support MessagePort objects referenced inside postMessage data - by @whitphx and Claude Opus 4.6 (1M context) in #9927 and #10124 (7ad7d)
api: Make test-specification options writable - by @sheremet-va in #10154 (6abd5)

View changes on GitHub

`v4.1.4`

🚀 Experimental Features

coverage:
- Default to text reporter skipFull if agent detected - by @hi-ogawa in #10018 (53757)
experimental:
- Expose assertion as a public field - by @sheremet-va in #10095 (a120e)
- Support aria snapshot - by @hi-ogawa, Claude Opus 4.6 (1M context), @AriPerkkio, Codex and @sheremet-va in #9668 (d4fbb)
reporter:
- Add filterMeta option to json reporter - by @nami8824 and @sheremet-va in #10078 (b77de)

🐞 Bug Fixes

Use "black" foreground for labeled terminal message to ensure contrast - by @hi-ogawa in #10076 (203f0)
Make expect(..., message) consistent as error message prefix - by @hi-ogawa and Codex in #10068 (a1b5f)
Do not hoist imports whose names match class properties . - by @SunsetFi in #10093 and #10094 (0fc4b)
browser: Spread user server options into browser Vite server in project - by @GoldStrikeArch in #10049 (65c9d)

View changes on GitHub

`v4.1.3`

🚀 Experimental Features

Add experimental.preParse flag - by @sheremet-va in #10070 (78273)
Support browser.locators.exact option - by @sheremet-va in #10013 (48799)
Add TestAttachment.bodyEncoding - by @hi-ogawa in #9969 (89ca0)
Support custom snapshot matcher - by @hi-ogawa, Claude Sonnet 4.6 and Codex in #9973 (59b0e)

🐞 Bug Fixes

Advance fake timers with expect.poll interval - by @hi-ogawa and Claude Sonnet 4.6 in #10022 (3f5bf)
Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency - by @alan-agius4 in #10025 (146d4)
Fix defineHelper for webkit async stack trace + update playwright 1.59.0 - by @hi-ogawa in #10036 (5a5fa)
Fix suite hook throwing errors for unused auto test-scoped fixture - by @hi-ogawa and Claude Sonnet 4.6 in #10035 (39865)
expect:
- Remove JestExtendError.context from verbose error reporting - by @hi-ogawa in #9983 (66751)
- Don't leak "runner" types - by @sheremet-va in #10004 (ec204)
snapshot:
- Fix flagging obsolete snapshots for snapshot properties mismatch - by @hi-ogawa and Claude Sonnet 4.6 in #9986 (6b869)
- Export custom snapshot matcher helper from vitest - by @hi-ogawa and Codex in #10042 (691d3)
ui:
- Don't leak vite types - by @sheremet-va in #10005 (fdff1)
vm:
- Fix external module resolve error with deps optimizer query - by @hi-ogawa and Claude Sonnet 4.6 in #10024 (9dbf4)

View changes on GitHub

`v4.1.2`

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#9975).

🐞 Bug Fixes

Don't resolve setupFiles from parent directory - by @hi-ogawa in #9960 (7aa93)
Ensure sequential mock/unmock resolution - by @hi-ogawa and Claude Opus 4.6 in #9830 (7c065)
browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot - by @macarie in #9847 (faace)
coverage: Correct coverageConfigDefaults values and types - by @Arthie in #9940 (b3c99)
pretty-format: Fix output limit over counting - by @hi-ogawa in #9965 (d3b7a)
Disable colors if agent is detected - by @sheremet-va and @AriPerkkio in #9851 (6f97b)

View changes on GitHub

`v4.1.1`

🚀 Features

experimental:
- Expose matchesTags to test if the current filter matches tags - by @sheremet-va in #9913 (eec53)
- Introduce experimental.vcsProvider - by @sheremet-va in #9928 (56115)

🐞 Bug Fixes

Mark TestProject.testFilesList internal properly - by @sapphi-red in #9867 (54f26)
Detect fixture that returns without calling use - by @oilater in #9831 and #9861 (633ae)
Drop vite 8.beta support - by @AriPerkkio in #9862 (b78f5)
Type regression in vi.mocked() static class methods - by @purepear and @hi-ogawa in #9857 (90926)
Properly re-evaluate actual modules of mocked external - by @hi-ogawa in #9898 (ae5ec)
Preserve coverage report when html reporter overlaps - by @hi-ogawa in #9889 (2d81a)
Provide vi.advanceTimers to the preview provider - by @sheremet-va in #9891 (1bc3e)
Don't leak event listener in playwright provider - by @sheremet-va in #9910 (d9355)
Open browser in --standalone mode without running tests - by @sheremet-va in #9911 (e78ad)
Guard disposable and optional body - by @sheremet-va in #9912 (6fdb2)
Resolve retry.condition RegExp serialization issue - by @nstepien and @hi-ogawa in #9942 (7b605)
collect:
- Don't treat extra props on test return as tests - by @sheremet-va in #9871 (141e7)
coverage:
- Simplify provider types - by @AriPerkkio in #9931 (aaf9f)
- Load built-in provider without module runner - by @AriPerkkio in #9939 (bf892)
expect:
- Soft assertions continue after .resolves/.rejects promise errors - by @mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @hi-ogawa in #9843 (6d74b)
- Fix sinon-chai style API - by @hi-ogawa in #9943 (0f08d)
pretty-format:
- Limit output for large object - by @hi-ogawa and Claude Opus 4.6 (1M context) in #9949 (0d5f9)

View changes on GitHub

`v4.1.0`

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in #9332 (e3e65)
Added chai style assertions - by @ronnakamoto and @sheremet-va in #8842 (841df)
Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in #8726 (4b480)
Expose matcher types - by @sheremet-va in #9448 (3e4b9)
Add toTestSpecification to reported tasks - by @sheremet-va in #9464 (1a470)
Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in #9387 (5db54)
Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in #9476 (77d75)
Support tags - by @sheremet-va in #9478 (de7c8)
Implement aroundEach and aroundAll hooks - by @sheremet-va in #9450 (2a8cb)
Stabilize experimental features - by @sheremet-va in #9529 (b5fd2)
Accept new or all in --update flag - by @sheremet-va in #9543 (a5acf)
Support meta in test options - by @sheremet-va in #9535 (7d622)
Support type inference with a new test.extend syntax - by @sheremet-va in #9550 (e5385)
Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in #9587 (99028)
Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in #9594 (eeb0a)
Store failure screenshots using artifacts API - by @macarie in #9588 (24603)
Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in #9630 (7a8e7)
Add --detect-async-leaks - by @AriPerkkio in #9528 (c594d)
Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in #9512 (61917)
Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in #9700 (05f18)
Support playwright launchOptions with connectOptions - by @hi-ogawa in #9702 (f0ff1)
Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in #9652 (d0ee5)
api:
- Support tests starting or ending with test in experimental_parseSpecification - by @jgillick and Jeremy Gillick in #9235 (2f367)
- Add filters to createSpecification - by @sheremet-va in #9336 (c8e6c)
- Expose runTestFiles as alternative to runTestSpecifications - by @sheremet-va in #9443 (43d76)
- Add allowWrite and allowExec options to api - by @sheremet-va in #9350 (20e00)
- Allow passing down test cases to toTestSpecification - by @sheremet-va in #9627 (6f17d)
browser:
- Add userEvent.wheel API - by @macarie in #9188 (66080)
- Add filterNode option to prettyDOM for filtering browser assertion error output - by @Copilot, sheremet-va and @sheremet-va in #9475 (d3220)
- Support playwright persistent context - by @hi-ogawa, Claude Opus 4.6 and @sheremet-va in #9229 (f865d)
- Added detailsPanelPosition option and button - by @shairez in #9525 (c8a31)
- Use BlazeDiff instead of pixelmatch - by @macarie in #9514 (30936)
- Add findElement and enable strict mode in webdriverio and preview - by @sheremet-va in #9677 (c3f37)
cli:
- Add @bomb.sh/tab completions - by @AmirSa12 and @sheremet-va in #8639 (200f3)
coverage:
- Support ignore start/stop ignore hints - by @AriPerkkio in #9204 (e59c9)
- Add coverage.changed option to report only changed files - by @kykim00 and @AriPerkkio in #9521 (1d939)
experimental:
- Add onModuleRunner hook to worker.init - by @sheremet-va in #9286 (e977f)
- Option to disable the module runner - by @sheremet-va and @AriPerkkio in #9210 (9be61)
- Add importDurations: { limit, print } options - by @hi-ogawa, Claude Opus 4.6 and @sheremet-va in #9401 (7e10f)
- Add print and fail thresholds for importDurations - by @hi-ogawa and Claude Opus 4.6 in #9533 (3f7a5)
fixtures:
- Pass down file context to beforeAll/afterAll - by @sheremet-va in #9572 (c8339)
reporters:
- Add agent reporter to reduce ai agent token usage - by @cpojer in #9779 (3e9e0)
runner:
- Enhance retry options - by @MazenSamehR, Matan Shavit, @AriPerkkio and [@sheremet-va](https://redirect.githu

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- "after 2am and before 3am"
Automerge
- "after 1am and before 2am"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added the dependencies label

renovate Bot requested a review from hmbanan666 as a code owner

February 25, 2026 02:45

renovate Bot added the dependencies label

cubic-dev-ai Bot reviewed

View reviewed changes

cubic-dev-ai Bot left a comment

No issues found across 3 files

renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from 613f8d0 to 3affd4a Compare

March 3, 2026 18:36

renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from a912f7c to 0380248 Compare

March 12, 2026 12:43

renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from d302317 to 8207bd1 Compare

March 17, 2026 04:51

renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from d1de61d to 5903fce Compare

March 24, 2026 22:02

renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 63d4ea9 to d064ab5 Compare

April 22, 2026 15:47

renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 3ae4d37 to b56aa49 Compare

April 30, 2026 11:57

renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from c485017 to 2893fe3 Compare

May 11, 2026 17:58

renovate Bot force-pushed the renovate/all-minor-patch branch from 2893fe3 to 50e53e7 Compare

May 11, 2026 22:33

socket-security Bot commented May 11, 2026 •

edited

Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@typescript-eslint/eslint-plugin` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → `npm/@antfu/eslint-config@7.7.3` → `npm/@typescript-eslint/eslint-plugin@8.61.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `eslint-plugin-jsdoc` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → `npm/@antfu/eslint-config@7.7.3` → `npm/eslint-plugin-jsdoc@62.9.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/eslint-plugin-jsdoc@62.9.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `js-yaml` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → `npm/eslint@9.39.4` → `npm/js-yaml@4.2.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/js-yaml@4.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 63e23e2 to 80ba2fb Compare

May 18, 2026 20:54

renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 2814f99 to d1e5238 Compare

May 21, 2026 14:38

renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 0532ec1 to 007945a Compare

June 1, 2026 22:57

renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from b50445b to fa54f40 Compare

June 12, 2026 00:55


          chore(deps): update all non-major dependencies

cdb8755

renovate Bot force-pushed the renovate/all-minor-patch branch from fa54f40 to cdb8755 Compare

June 15, 2026 12:43

socket-security Bot commented Jun 15, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@commitlint/cli@20.5.3
	@vitest/coverage-v8@4.1.9
	@types/node@25.9.3
	@vitest/browser-playwright@4.1.9
	@antfu/eslint-config@7.7.3
	@commitlint/config-conventional@20.5.3
	lint-staged@16.4.0
	eslint@9.39.4
	playwright@1.61.0
	vitest@4.1.9

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels