Skip to content

chore(deps): update all non-major dependencies#150

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#150
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@iconify-json/lucide ^1.2.114^1.2.117 age confidence dependencies patch
@iconify-json/simple-icons ^1.2.87^1.2.90 age confidence dependencies patch
@iconify-json/vscode-icons ^1.2.59^1.2.67 age confidence devDependencies patch
@nuxt/content (source) ^3.14.0^3.15.0 age confidence dependencies minor
@nuxt/scripts (source) 1.2.11.3.1 age confidence dependencies minor
@nuxt/ui (source) ^4.9.0^4.10.0 age confidence dependencies minor
@shikijs/engine-javascript (source) ^4.2.0^4.3.1 age confidence dependencies minor
eslint (source) ^10.5.0^10.7.0 age confidence devDependencies minor
github/gh-aw-actions v0.80.9v0.82.11 age confidence action minor v0.82.12
pnpm (source) 10.34.410.34.5 age confidence packageManager patch
posthog-js (source) ^1.393.0^1.404.0 age confidence dependencies minor 1.404.1
tailwindcss (source) ^4.3.1^4.3.3 age confidence dependencies patch
vue-tsc (source) ^3.3.5^3.3.7 age confidence devDependencies patch

Release Notes

nuxt/content (@​nuxt/content)

v3.15.0

Compare Source

Features
Bug Fixes
  • content: support validator detection with pnpm enableGlobalVirtualStore (#​3791) (6b2720b)
  • hmr: update all matching collections when a file changes (#​3802) (06f8edb)
  • search: softer heading-level boost curve and tuned defaults (#​3801) (00d25a5)
  • vercel: use tmp directory to clone contents (#​3810) (793d59a)
nuxt/scripts (@​nuxt/scripts)

v1.3.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.3.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
nuxt/ui (@​nuxt/ui)

v4.10.0

Compare Source

Features
Bug Fixes
  • AuthForm: track password visibility per field (#​6638) (0faeb92)
  • BlogPost/ChangelogVersion: format date in UTC to prevent hydration mismatch (#​6722) (fe5bb23)
  • Button: allow inline event handlers with non-void return types (#​6668) (269080a)
  • Carousel: prevent reset when plugin props use inline objects (f41d11e), closes #​6221
  • ChatMessages: re-evaluate streaming indicator on each render (#​6673) (5c986dd)
  • components: forward $attrs to root element when to prop is absent (#​6628) (d3b5f1d)
  • components: forward data-slot to component root (#​6643) (c9c5232)
  • components: respect prefers-reduced-motion in animations (#​6723) (f951529)
  • ContentNavigation: key items by identity to prevent leading icon flash (#​6640) (09fb52b)
  • defineShortcuts: add missing arrowdown to shiftable keys (#​6702) (2128414)
  • defineShortcuts: defer standalone shortcuts that prefix a chain (#​6703) (76ee176)
  • Editor: prevent suggestion menu blinking on keystroke (#​6712) (7e6d8b0)
  • FileUpload: add aria-disabled attribute when disabled (#​6653) (c3b2996)
  • inertia: make useRoute().fullPath reactive across navigations (#​6696) (c256997)
  • Link: apply rel prop to internal links (#​6677) (276302e)
  • Link: fall back to original path when localePath fails (#​6637) (906e8fd)
  • LocaleSelect: add missing keys in emoji mapping (#​6629) (fab73ab)
  • module: avoid unhead v2-only hookOnce in colors plugin (#​6658) (e4ca579)
  • SelectMenu/InputMenu: only re-highlight first item with create-item (#​6689) (a71dece)
  • Separator: forward fall-through attributes to root (#​6641) (88baabc)
  • theme: use logical properties for RTL (#​6724) (3179012)
  • types: type prose components in app config (#​6711) (d56e39a)
  • useComponentProps: let app config defaultVariants override withDefaults (#​6686) (f5e58fb)
  • useFileUpload: keep dropzone type filter reactive to accept (#​6699) (000aba4)
  • useResizable: recover from corrupted persisted storage (#​6704) (4c60745)
  • useResizable: share resize logic between mouse and touch (#​6705) (730a54c)
  • useScrollspy: unobserve previous headings on update (#​6700) (5944067)
  • useToast: dedupe duplicate ids and handle max of 0 (#​6698) (71c623b)
Performance Improvements
  • components: drop the redundant inner in component extend (#​6647) (3bf1a92)
  • module: declare sideEffects for barrel tree-shaking (#​6729) (2cc2849)
  • types: decouple useComponentProps from the component-types barrel (#​6648) (6576fb8)
  • types: import cross-component types from source, not the barrel (#​6646) (7eab4bc)
  • vue: skip rewriting unchanged templates (#​6730) (14b6001)
shikijs/shiki (@​shikijs/engine-javascript)

v4.3.1

Compare Source

   🚀 Features
    View changes on GitHub

v4.3.0

Compare Source

   🚀 Features
    View changes on GitHub
eslint/eslint (eslint)

v10.7.0

Compare Source

Features

  • cf2a9bf feat: add errorClassNames option to preserve-caught-error rule (#​21032) (sethamus)
  • f8b873a feat: max-nested-callbacks option for constructor callbacks (#​21063) (fnx)
  • 557fde8 feat: support computed Number.parseInt member access in radix rule (#​21041) (Pixel)
  • 0b4a73b feat: add suggestions to no-compare-neg-zero (#​21034) (den$)
  • 96cdd42 feat: report invalid signed numeric radix values in radix rule (#​21030) (Pixel)

Bug Fixes

  • 3e7bf15 fix: apply ignoreClassesWithImplements to class expressions (#​21069) (Pixel)
  • 0d7d70c fix: insert cause outside wrapping parens in preserve-caught-error (#​21062) (Mahin Anowar)
  • 75ec753 fix: handle static template literals in eqeqeq rule (#​21058) (Pixel)
  • b717a22 fix: prevent eqeqeq null option from reporting non-equality operators (#​21057) (Pixel)
  • e35b05f fix: avoid no-invalid-regexp false positive for shadowed RegExp (#​21051) (Pixel)
  • a3172b6 fix: avoid no-control-regex false positive for shadowed RegExp (#​21050) (Pixel)
  • d1f637e fix: parenthesize sequence expression operands in no-implicit-coercion (#​21045) (spokodev)
  • 8859baf fix: avoid prefer-numeric-literals false positive for shadowed globals (#​21047) (한국)
  • a9e5961 fix: use-isnan false positive on shadowed NaN/Number (#​20958) (sethamus)
  • 8a240a7 fix: avoid false positives in radix rule for spread arguments (#​21044) (Pixel)

Documentation

  • c30d808 docs: Update README (GitHub Actions Bot)
  • 5139800 docs: document ESLint migration codemods in v9 and v10 guides (#​20980) (Alex Bit)
  • 04174cb docs: Update README (GitHub Actions Bot)
  • 026e130 docs: update semver policy for bug fixes (#​21048) (Milos Djermanovic)
  • 9d42fef docs: Update README (GitHub Actions Bot)
  • b230159 docs: Update README (GitHub Actions Bot)
  • 0129972 docs: correct **/.js glob to **/*.js in config files guide (#​21036) (EduardF1)

Chores

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

github/gh-aw-actions (github/gh-aw-actions)

v0.82.11

Compare Source

Sync of actions from gh-aw at v0.82.11.

v0.82.10

Compare Source

Sync of actions from gh-aw at v0.82.10.

v0.82.9

Compare Source

Sync of actions from gh-aw at v0.82.9.

v0.82.8

Compare Source

Sync of actions from gh-aw at v0.82.8.

v0.82.7

Compare Source

Sync of actions from gh-aw at v0.82.7.

v0.82.6

Compare Source

Sync of actions from gh-aw at v0.82.6.

v0.82.5

Compare Source

Sync of actions from gh-aw at v0.82.5.

v0.82.4

Compare Source

Sync of actions from gh-aw at v0.82.4.

v0.82.3

Compare Source

Sync of actions from gh-aw at v0.82.3.

v0.82.2

Compare Source

Sync of actions from gh-aw at v0.82.2.

v0.82.1

Compare Source

Sync of actions from gh-aw at v0.82.1.

v0.82.0

Compare Source

Sync of actions from gh-aw at v0.82.0.

v0.81.6

Compare Source

Sync of actions from gh-aw at v0.81.6.

v0.81.5

Compare Source

Sync of actions from gh-aw at v0.81.5.

v0.81.4

Compare Source

Sync of actions from gh-aw at v0.81.4.

v0.81.3

Compare Source

Sync of actions from gh-aw at v0.81.3.

v0.81.2

Compare Source

Sync of actions from gh-aw at v0.81.2.

v0.81.1

Compare Source

Sync of actions from gh-aw at v0.81.1.

v0.81.0

Compare Source

Sync of actions from gh-aw at v0.81.0.

pnpm/pnpm (pnpm)

v10.34.5: pnpm 10.34.5

Compare Source

Patch Changes

  • 78e29fe: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at iterateHashedGraphNodes, the single point every global-virtual-store slot path funnels through.
  • 78e29fe: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 47ef6f0: Fixed switching to and self-updating to pnpm v12. pnpm v12 (the Rust port) ships as the pnpm and @pnpm/exe npm packages whose bins are placeholders replaced at install time by the host's native binary from a @pnpm/exe.<platform>-<arch>[-musl] optional dependency. Because pnpm installs its own engine with --ignore-scripts, that relinking never ran, leaving a non-executable placeholder. pnpm now relinks the native binary itself for v12 (recognizing the new platform-package naming scheme and the native pnpm package), and verifies the native binary's npm registry signature before running it.
  • 36928be: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
PostHog/posthog-js (posthog-js)

v1.404.0

Compare Source

1.404.0

Minor Changes
  • #​4149 607bf54 Thanks @​pauldambra! - Add dead swipe detection to dead clicks autocapture. When dead clicks autocapture is enabled, touch swipe gestures that produce no observable screen change (no scroll, mutation, selection or visibility change) are now captured as $dead_swipe events, surfacing failed navigations on touch devices. Configurable via capture_dead_swipes (default true) and swipe_threshold_px (default 30) on the capture_dead_clicks config. Swipes over surfaces whose response cannot be observed (canvas, video and other media elements under the finger) are skipped, and captures are limited per page load via max_dead_swipes_per_page_load (default 10).
    (2026-07-16)
Patch Changes
  • #​4171 df17ddc Thanks @​posthog! - Catch synchronous throws from a monkey-patched window.fetch so they no longer escape as unhandled exceptions. A synchronous throw is now routed through the same handling as an async rejection, so the request queue retries instead of the error leaking into error tracking.
    (2026-07-16)
  • Updated dependencies [607bf54]:

v1.403.0

Compare Source

1.403.0

Minor Changes
  • #​4159 fad6d9a Thanks @​haacked! - add $feature_flag_has_experiment to $feature_flag_called events

    $feature_flag_called events now carry a $feature_flag_has_experiment boolean sourced from the server's has_experiment flag metadata (the /flags?v=2 response for remote evaluation, the /api/feature_flag/local_evaluation definitions for posthog-node local evaluation). The property is only sent when the server explicitly reports has_experiment; it is omitted entirely when the value is unknown (older servers, missing metadata, bootstrapped or locally injected flags). (2026-07-16)

Patch Changes

v1.402.3

Compare Source

1.402.3

Patch Changes
  • #​4157 4a2ecf5 Thanks @​posthog! - Session recording no longer emits an uncaught NotAllowedError ("Sharing constructed stylesheets in multiple documents is not allowed") when a page assigns a CSSStyleSheet constructed in a different document to adoptedStyleSheets. That assignment is the host page's own invalid operation, but the recorder's patched setter sat on the call stack, so the exception was attributed to rrweb and churned fingerprints in error tracking. The recorder now contains this specific rejection (matched by its standardized NotAllowedError name, so it works even when the setter throws from an iframe realm) and skips recording those sheets, while still re-throwing any other native-setter error so host-page behaviour is preserved.
    (2026-07-15)

  • #​4158 0dc389e Thanks @​posthog! - fix(replay): session recording no longer throws TypeError: Converting circular structure to JSON when replay event data contains a circular reference. The circular-reference guard now also detects cycles that pass through an array, and affected events are captured with [Circular] markers instead of surfacing an unhandled error and being dropped.
    (2026-07-15)

  • Updated dependencies [fc2cb2e]:

v1.402.2

Compare Source

1.402.2

Patch Changes
  • #​4151 81adbfd Thanks @​posthog! - Session recording no longer emits an uncaught TypeError: Illegal invocation when a programmatic input-value change happens on an object that is not a genuine native input element (for example a proxy on the element prototype chain). The recorder drops that one replay update instead of throwing.
    (2026-07-15)

v1.402.1

[Compare Source](https:

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from ca1aa21 to 2ef8077 Compare July 6, 2026 09:12
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from c51113b to 8e88122 Compare July 9, 2026 05:53
Copilot AI requested a review from TechWatching July 9, 2026 08:19
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from f20e9fe to f12fb65 Compare July 12, 2026 11:47
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from a7fe5d8 to c32eb3c Compare July 17, 2026 22:32
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from c32eb3c to bbc6118 Compare July 18, 2026 01:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants