chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@vitest/coverage-v8 (source)	4.1.1 → 4.1.8
@vue/test-utils	2.4.6 → 2.4.11
pnpm (source)	10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319 → 10.34.1
typescript (source)	6.0.2 → 6.0.3
vitest (source)	4.1.1 → 4.1.8

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

vuejs/test-utils (@​vue/test-utils)

v2.4.11

Compare Source

compare changes

🩹 Fixes

• Drop legacy Mutation Event listener entries (#​2844)
• Handle setData() correctly for components using both setup() and data() (#​2846)
• Export GlobalMountOptions type (#​2851)
• Set spec-compliant event.code on keydown/keyup (#​2850)

❤️ Contributors

• Cédric Exbrayat (@​cexbrayat)
• Renato de Leão (@​renatodeleao)
• Matt Van Horn (@​mvanhorn)
• Carsten Brachem (@​cbrachem)
• Ahmad Hanan (@​AhmadHannan037)
• Paul Cochrane (@​paultcochrane)
• Arpit Jain (@​arpitjain099)

v2.4.10

Compare Source

v2.4.9

Compare Source

compare changes

🩹 Fixes

• Tolerate duplicate attachTo cleanup (#​2830)

📖 Documentation

• Document release process (#​2834)

🏡 Chore

• Migrate renovate config (5d37934)

🤖 CI

• Pin github actions to commit hashes (75dcef3)

❤️ Contributors

• Cédric Exbrayat (@​cexbrayat)
• Daniel Roe (@​danielroe)

v2.4.8

Compare Source

compare changes

🩹 Fixes

• Correct declaration entrypoint (#​2826)

🤖 CI

• Enable pkg.pr.new (#​2827)

❤️ Contributors

• Cédric Exbrayat (@​cexbrayat)
• Daniel Roe (@​danielroe)

v2.4.7

Compare Source

compare changes

🚀 Enhancements

• Add Chinese docs translation (#​2552)
• SetData()/shallowMount with initialData for components using the Composition API / <script setup> (#​2655)

🩹 Fixes

• Preserve code from keyboard events (#​2434)
• Switch browser and require exports definitions (#​2501)
• Re-add peer dependencies but with wider range (#​2511)
• Resolve warnings in docs:dev (30b7491)
• Resolve TypeScript type errors in .vitepress/config (#​2549)
• Accept FunctionalComponent as selector (0bb947f)
• Text() misses content for array functional component (#​2579)
• Use await in test (c5482b4)
• deps: Update dependency vue-component-type-helpers to v3 (#​2683)
• Remove wrapper div when unmount (#​2700)
• Make mount options slots compatible with noUncheckedIndexedAccess true (#​2713)
• Add missing peerDependency @​vue/compiler-dom (75801ba)
• docs: Declare css module for vitepress typecheck (ddaca97)

💅 Refactors

• Enforce consistent usage of type imports (#​2734)

📖 Documentation

• Clarify findComponent vs getComponent (#​2435)
• Update fr docs (67064ef)
• Add note about partial transition stub support (#​2431)
• Fix missing data at passing data section essentials guide (dda205e)
• Fix missing data at passing data section essentials guide fr (ae2c72c)
• Fix plugin TS declaration example (#​2466)
• Fixed incorrect checkbox value check (#​2495)
• Capital letter in sentence fix (#​2499)
• Import missing DOMWrapper on Implementation of the plugin section (#​2519)
• Add migration step for deprecated ref syntax in findAllComponents (#​2498)
• Correct anchor hash links and fix typo (#​2551)
• Center logo on home (#​2559)
• zh-cn: Review a-crash-course (#​2563)
• Use code-group for install commands (#​2571)
• zh-cn: Review event-handing.md (#​2572)
• zh-cn: Enhance conditional-rendering.md (#​2562)
• zh-cn: Review easy-to-test (#​2567)
• zh-cn: Review passing-data.md (#​2575)
• zh-cn: Review async-suspense.md (#​2576)
• zh: 优化 API 文档格式和内容 (#​2569)
• zh: 更新 Vitest 模拟日期和计时器的说明 (#​2578)
• zh-cn: Review http-requests.md (#​2580)
• zh-cn: Review forms (#​2582)
• zh-cn: Guide/advanced/slots.md (#​2565)
• zh: Review extending-vtu (#​2583)
• zh: Review index (#​2584)
• Fix modelValue test example (85bfdf4)
• Removes broken link from plugins.md (69bc1ce)
• zh: Review transitions, component-instance, and reusability-composition (#​2616)
• zh: Review v-model and vuex (#​2617)
• zh: Review all the rest advanced guide (#​2619)
• zh: Review migration (#​2623)
• Fix a typo in transitions.md (#​2635)
• Update crash-course to script setup (c81aa79)
• Update Essentials section to setup (composition api) (#​2647)
• Typos in examples (#​2678)
• Typo in easy-to-test.md (#​2710)
• Add note about mocking requestAnimationFrame for transitions (2324c65)
• Updated example TodoApp to script setup (#​2727)
• Remove "Using data" section from "Conditional Rendering" guide and fix passing data test example (#​2743)
• Follow-up fixes for the conditional rendering guide (#​2744)
• Mention shallowMount stub name changes in migration guide (80e051a)
• Update conditional rendering documentation to clarify isVisible() usage with attachTo (#​2799)
• Restore Options API component for data() mounting example (#​2804)
• Promote Vitest as recommended test runner (#​2805)
• api: Note that setValue does not accept objects on <select> (#​2819)

🏡 Chore

• Add api/index.md to docs:translation:compare (6b8681c)
• Remove unnecessary generic arguments (cfd70c6)
• Ignore TS error in config object (9d0a618)
• Simplify eslint packages (c1d0ffd)
• Use eslint v9 with flat config (2f19fdf)
• Expose Stubs type publicly (#​2492)
• Update documentation file path (9c96594)
• Use pnpm v10 (e4c2cb3)
• Pnpm approve build (81c54e9)
• Use github issue forms (#​2673)
• Exclude class components from test type-checking (0899008)
• Add explicit coverage include for vitest v4 (51672b9)
• Update to prettier v3.7 (fed9e7c)
• Migrate to oxfmt (81c1de9)
• Migrate to oxlint (a361908)
• Prepare TypeScript 6 migration settings (55e1262)
• Adjust tsd config for TypeScript 6 (7d23eb5)
• Avoid TypeScript 6 target deprecation warning (81d063c)

🤖 CI

• Remove node v22 build (7ebf58d)
• Add node v22 build (57540ee)
• Use "pool: threads" instead of vmThreads (d0cbb54)
• Remove node v18 and add v24 (fd9cf95)
• Add trusted publishing release workflow (#​2825)

❤️ Contributors

• Lachlan Miller (@​lmiller1990)
• cexbrayat (@​cexbrayat)
• Nicolas Bonamy (@​nbonamy)
• KatWorkGit (@​KatWorkGit)
• Wouter Kroes (@​wouterkroes)
• Rama Muhammad Murshal (@​ramammurshal)
• Evan You (@​yyx990803)
• Vlad Starkovsky (@​starkovsky)
• Joe (@​joaoprp)
• Priyadarshi Kumar (@​Psingh132)
• Sébastien Ronveaux (@​sronveaux)
• Gilliam (@​Gi11i4m)
• Baranov Dmytro (@​dimas7001)
• BrendonHenrique (@​BrendonHenrique)
• Lorenz van Herwaarden (@​lorenzvanherwaarden)
• wuzhiqing (@​DDDDD12138)
• 阿菜 Cai (@​RSS1102)
• Jinjiang (@​Jinjiang)
• Kylin (@​lxKylin)
• Qianhe Chen (@​chenqianhe)
• 时瑶 (@​KiritaniAyaka)
• h7ml (@​h7ml)
• Nicander (@​Nicander93)
• Take-John (@​takejohn)
• ilyasherstoboev (@​ilyasherstoboev)
• aimerie (@​aimerie)
• Miguel Rincon (@​miguelrincon)
• bcastlel (@​bcastlel)
• Claudiu (@​sofuxro)
• Artem Dragunov (@​dragunovartem99)
• Robin (@​OrbisK)
• Koen Mertens (@​KCMertens)
• meomking (@​CaptainWang98)
• Pepijn Olivier (@​pepijnolivier)
• Tomina (@​Thomaash)
• Gareth Jones (@​G-Rath)
• Jerry Hogan (@​hdJerry)
• Marco Pasqualetti (@​marcalexiei)
• guoxk (@​guoxk-me)
• kimulaco (@​kimulaco)
• Erwan IQUEL (@​Olympus5)
• Matt Van Horn (@​mvanhorn)
• Daniel Roe (@​danielroe)

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

• Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
• Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
• Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Gold Sponsors

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with `packageManager: pnpm@11.0.0-rc

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8c6afd7) to head (dfb766e).

Additional details and impacted files

@@             Coverage Diff             @@
##             main       #46      +/-   ##
===========================================
+ Coverage   99.08%   100.00%   +0.91%     
===========================================
  Files           3         3              
  Lines         109       109              
  Branches       30        30              
===========================================
+ Hits          108       109       +1     
+ Misses          1         0       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.