Skip to content

⬆️ deps: Update dependencies (non-major)#51

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/dependencies-(non-major)
Jul 13, 2026
Merged

⬆️ deps: Update dependencies (non-major)#51
renovate[bot] merged 1 commit into
mainfrom
renovate/dependencies-(non-major)

Conversation

@renovate

@renovate renovate Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@lucide/astro (source) 1.23.01.24.0 age confidence
caniuse-lite 1.0.300018001.0.30001805 age confidence
oxlint (source) 1.72.01.73.0 age confidence
pnpm (source) 11.10.011.12.0 age confidence
preact (source) 10.29.410.29.7 age confidence
vite (source) 0.2.20.2.4 age confidence
vite-plus (source) 0.2.20.2.4 age confidence
wrangler (source) 4.107.04.110.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

lucide-icons/lucide (@​lucide/astro)

v1.24.0: Version 1.24.0

Compare Source

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.23.0...1.24.0

browserslist/caniuse-lite (caniuse-lite)

v1.0.30001805

Compare Source

v1.0.30001803

Compare Source

v1.0.30001802

Compare Source

oxc-project/oxc (oxlint)

v1.73.0

Compare Source

🚀 Features
  • a2c97f3 linter/unicorn: Implement explicit-timer-delay rule (#​23612) (Mikhail Baev)
  • 85735cb linter/unicorn: Implement no-confusing-array-with rule (#​23638) (Shekhu☺️)
  • cb4fbb9 linter/eslint: Implement no-unreachable-loop rule (#​23975) (Todor Andonov)
  • dc32112 linter/eslint/no-constant-binary-expression: Check relational comparisons (#​24088) (camc314)
  • d963967 linter/unicorn/no-array-sort: Add allowAfterSpread option (#​24043) (Boshen)
  • 0a75682 linter: Add per-rule timings for type-aware linting (#​22488) (camchenry)
  • 743e222 linter/react: Add disallowedValues option for forbid-dom-props rule (#​23970) (Mikhail Baev)
🐛 Bug Fixes
  • bdb51c7 linter/jest/prefer-ending-with-an-expect: Validate config patterns (#​24122) (camc314)
  • 45d607d linter/react/forbid-component-props: Make allow/disallow lists optional in schema (#​24024) (Boshen)
pnpm/pnpm (pnpm)

v11.12.0

Compare Source

Minor Changes
  • a897ef7: Custom fetchers exported from a pnpmfile can now delegate by returning a { delegate: <resolution> } envelope: pnpm rewrites the package's resolution to the delegated shape and runs the built-in fetcher on it. This is the portable delegation form that also works in pacquet, where cafs and fetchers cannot be passed to the hook. Related to pnpm/pnpm#11685.
Patch Changes
  • 2b02764: The changed-packages filter (--filter "...[<since>]") no longer allows an option-like <since> value (such as --output=<path>) to be interpreted as a git option — git now rejects it as a bad revision. The repository root is also resolved to the nearest .git entry, so the filter works in a git worktree checked out inside another repository's tree.

  • 43711ce: pnpm outdated no longer checks the registry for dependencies that are resolved from local link:, file:, or workspace: references in the lockfile #​12827.

  • 3c6718b: Fixed a deadlock in peer dependency resolution: pnpm install hung forever when a peer dependency cycle spanned a project's own dependencies and auto-installed peer providers, for example when installing electron-builder@26.15.3 #​12921.

  • 252f15e: Fixed peer dependency auto-install picking a version the peer range rejects. In a workspace with several projects, a package declaring a peer dependency with a semver range (for example ^1.0.0) could get the highest version found anywhere in the workspace (for example a 2.0.0 resolved for another project) instead of a version that satisfies the range. Peers are now deduplicated onto the highest preferred version that satisfies the declared range, and when none does, the range is resolved from the registry.

    Also fixed re-resolving with an existing lockfile hoisting a different peer version than a fresh install of the same manifest: root dependencies reused from the lockfile were invisible to peer hoisting, so a peer that a root dependency provides could be bound to another version.

  • a38adda: pnpm self-update <version> now installs the requested pnpm version when it matches the currently running version but is missing from the global self-update directory.

  • 6a85968: pnpm stage list now stops paginating after a fail-safe cap of 1000 pages, so a misbehaving registry cannot keep the command looping forever.

  • eee7c9a: verify-deps-before-run no longer spawns a pnpm install when pnpm is executed in a directory that has no package.json. A mistyped command run outside a project (for example pnpm witch 10 login) used to crash with a confusing error from the spawned install; now it fails with the regular "no package.json found" error.

v11.11.0

Compare Source

Minor Changes
  • 508b8c2: Added the pnpm access command for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.
Patch Changes
  • c70e33e: Allow allowBuilds entries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.
  • 3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. with minimumReleaseAge or trustPolicy enabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.
  • 51300fd: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at formatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
  • f8058eb: Reject symlinked pnpm-lock.yaml files when reading or writing the env lockfile document.
  • 9318a11: Allow registries and namedRegistries to be configured in the global config.yaml file.
  • 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 14332f0: Fail instead of silently removing an optional dependency's locked entries from pnpm-lock.yaml when the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet), pnpm install and pnpm dedupe silently dropped the optional dependency's entries — emptying maps such as the platform binaries of @napi-rs/canvas — so the lockfile differed between machines and frozen installs on other hosts had nothing to link #​12853.
  • fecfe83: Fixed peer dependency resolution with autoInstallPeers when a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #​4993.
  • 5a4daec: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry, namedRegistries, and pnprServer.
  • d1da02e: pnpm publish no longer prints credentials when the target registry is configured with inline user:pass@ credentials (e.g. registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.
  • dcfc611: pnpm self-update now honors trustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.
  • a8ad82d: Register the pn alias in generated shell completion scripts.
  • 25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.
  • 23996e9: pnpm runtime set <name> <version> now validates its arguments: the name must be node, deno, or bun, and the version must not contain a comma. Previously these were interpolated straight into a pnpm add selector, where an unsupported name or a comma (e.g. node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.
preactjs/preact (preact)

v10.29.7

Compare Source

Maintenance

v10.29.6

Compare Source

We had to revert #​5055 due to an incompatibility with useSignalEffect

v10.29.5

Compare Source

Fixes

voidzero-dev/vite-plus (vite)

v0.2.4: vite-plus v0.2.4: Vitest security hotfix

Compare Source

This hotfix updates the bundled Vitest Browser Mode packages to 4.1.10, which includes the fix for GHSA-p63j-vcc4-9vmv. The advisory is critical and affects @vitest/browser <=4.1.9.

Highlights
  • Critical Vitest Browser Mode advisory fixed: bundled vitest and @vitest/browser* move from 4.1.9 to 4.1.10, addressing GHSA-p63j-vcc4-9vmv, where provider commands could bypass the file access permission gate (#​2089), by @​voidzero-guard[bot]
Chore
  • Add the standard release-manager skill for vite-plus release operations (#​2019), by @​fengmk2
Bundled Versions
Tool Version Source
vite 8.1.3 578ffb8
rolldown 1.1.4 6cbd233
tsdown 0.22.3 npm
vitest 4.1.10 npm
oxlint 1.72.0 npm
oxlint-tsgolint 0.24.0 npm
oxfmt 0.57.0 npm
Upgrade
vp upgrade
New Contributors

No new contributors in this release.

Full Changelog: voidzero-dev/vite-plus@v0.2.3...v0.2.4

Published Packages
  • @voidzero-dev/vite-plus-core@0.2.4
  • vite-plus@0.2.4
Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Docker:

docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.4 vp build

Run any vp command without installing it; see the Docker guide for more.

v0.2.3: vite-plus v0.2.3: config extraction, create, and vp run reliability fixes

Compare Source

A patch release that fixes static config extraction for vite.config.ts files whose defineConfig comes from a preset or custom wrapper (no longer misread as Vite+'s own), fixes vp create for org templates on registries that strip custom package fields, cleans up terminal output after Ctrl-C during vp run, and updates bundled Vite to 8.1.3.

Highlights
  • Custom VP_HOME is honored on every run: the global vp now respects a user-set VP_HOME for its home directory instead of falling back to ~/.vite-plus, and persists it in the generated env files, so a custom install location no longer produces multiple instances or unusable packages (#​2029), by @​liangmiQwQ
Features
  • Upgrade bundled Vite from 8.1.2 to 8.1.3 (inlined CSS after the shebang line, CSS preload for nested dynamic imports, SSR stacktrace column fix) (#​2042), by @​voidzero-guard[bot]
Fixes & Enhancements
  • vp run no longer misreads a vite.config.ts when its defineConfig comes from a preset or a custom wrapper instead of vite-plus or vite. Such configs are now evaluated at runtime rather than assumed to be Vite+'s own, so projects that use them no longer wrongly report Task "build" not found (#​2060, #​2075), by @​liangmiQwQ and @​fengmk2
  • Killing a vp run task with Ctrl-C no longer leaves odd OSC escape sequences in the terminal; vp defers its own Ctrl-C handling until the child process exits (#​2079), by @​forehalo
  • vp migrate: rewriting a package.json prettier script now emits a single --check, so scripts that combined --check with --list-different / -l / -c no longer produce a duplicated vp fmt --check --check (#​2044), by @​shulaoda
  • vp create @&#8203;org:name: read the org template catalog (createConfig) from the published tarball when the registry (e.g. GitHub Packages) strips custom fields from packument metadata (#​2063), by @​hiro-daikin
  • vp run: missing env vars requested through @voidzero-dev/vite-task-client now return undefined instead of null, preserving Vite production NODE_ENV semantics when builds run through vp run (vite-task#508, via #​2076), by @​wan9chi
Refactor
  • static_config: drop the unreachable vite.config.json branch (#​2045), and remove unused exported CLI helpers (#​2046), by @​shulaoda
Docs
Chore
Bundled Versions
Tool Version Source
vite 8.1.3 578ffb8
rolldown 1.1.4 6cbd233
tsdown 0.22.3 npm
vitest 4.1.9 npm
oxlint 1.72.0 npm
oxlint-tsgolint 0.24.0 npm
oxfmt 0.57.0 npm
Upgrade
vp upgrade
New Contributors

@​wan-kong and @​hiro-daikin made their first contributions.

Full Changelog: voidzero-dev/vite-plus@v0.2.2...v0.2.3

Published Packages
  • @voidzero-dev/vite-plus-core@0.2.3
  • vite-plus@0.2.3
Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Docker:

docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.3 vp build

Run any vp command without installing it; see the Docker guide for more.

cloudflare/workers-sdk (wrangler)

v4.110.0

Compare Source

Minor Changes
  • #​14591 0283a1f Thanks @​dario-piotrowicz! - Send npm package dependency metadata with worker uploads

    Wrangler now collects npm package dependency information from the project's package.json at deploy and version upload time, and includes it in the upload metadata sent to the Cloudflare API. This enables dependency analytics and future features like vulnerability alerting.

    The collected data includes the package name, the version constraint from package.json, and the exact installed version from node_modules. Both dependencies and devDependencies are included, while workspace packages, local packages, and unresolvable packages are excluded. The list is capped at 200 entries per upload.

    To opt out, set dependencies_instrumentation.enabled to false in your Wrangler configuration file:

    {
      "dependencies_instrumentation": {
        "enabled": false
      }
    }
  • #​14535 1b965c5 Thanks @​Naapperas! - Support dynamic retry delays for Workflow steps in local dev

    A step's retries.delay can now be a function that computes the delay per failed attempt, in addition to a static duration. The function receives { ctx, error } and returns a delay (a number of milliseconds or a duration string like "30 seconds"), and its result is fed into the configured backoff.

    await step.do(
      "call flaky API",
      {
        retries: {
          limit: 5,
          backoff: "constant",
          delay: ({ ctx }) => ctx.attempt * 1000,
        },
      },
      async () => {
        /* ... */
      }
    );

    The function is invoked once per failed attempt with a 5 second timeout. If it throws, times out, or returns an invalid value, the step fails without further retries.

Patch Changes
  • #​14589 7b28392 Thanks @​jamesopstad! - Fix runtime type caching when wrangler dev auto-regenerates types

    When dev.generate_types (or wrangler dev --types) regenerated an out-of-date worker-configuration.d.ts, the written file omitted the // Begin runtime types marker (and the /* eslint-disable */ header) that wrangler types writes. As a result, later runs could not detect the cached runtime types and always regenerated them. The auto-regenerated file now matches wrangler types output, restoring the cache.

  • Updated dependencies [1b965c5]:

    • miniflare@​4.20260708.1

v4.109.0

Compare Source

Minor Changes
  • #​14489 e3f0cd6 Thanks @​edmundhung! - Add listDurableObjectIds() to createTestHarness Worker handles

    Tests using createTestHarness can now list persisted Durable Object instance IDs for a Durable Object binding. This helps integration tests discover objects created by app behavior without adding test-only endpoints.

  • #​14465 2fedb1f Thanks @​vaishnav-mk! - Add rollback support when terminating Workflow instances

    WorkflowInstance.terminate({ rollback: true }) now runs registered rollback handlers before marking a local Workflow instance as terminated. Wrangler also supports this via wrangler workflows instances terminate --rollback, including local mode.

    The rollback option is only sent for terminate operations and is rejected by the Local Explorer API for pause, resume, and restart actions.

  • #​14511 17d2fc1 Thanks @​juleslemee! - Add wrangler turnstile widget commands for managing Turnstile widgets

    You can now create, list, inspect, update, and delete Turnstile widgets from the CLI:

    wrangler turnstile widget create <name> --domain example.com --mode managed
    wrangler turnstile widget list
    wrangler turnstile widget get <sitekey>
    wrangler turnstile widget update <sitekey> --name "Renamed"
    wrangler turnstile widget delete <sitekey>
    

    All five subcommands accept --json for machine-readable output (get prints a formatted view by default; the rest print a short human summary). --domain accepts comma-separated values, e.g. --domain a.com,b.com. delete --json requires --skip-confirmation/-y to keep output pipeable.

    create prints the sitekey, the secret, and the canonical challenges.cloudflare.com/turnstile/v0/siteverify endpoint for backend verification. The hint is backend-agnostic; it doesn't assume Workers. The secret is redacted from list and update output but remains available via get for retrieval later. delete prompts for confirmation; pass --skip-confirmation/-y to bypass.

    The OAuth flow now requests the challenge-widgets.write scope (the existing Bach-derived scope for Turnstile widget CRUD). Existing OAuth sessions need to run wrangler login again to pick it up. API token users need a token with the Account.Turnstile:Edit permission.

Patch Changes
  • #​14596 8511ddf Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260706.1 1.20260708.1
    @​cloudflare/workers-types ^5.20260706.1 ^5.20260708.1
  • #​14604 9f74a5f Thanks @​vaishnav-mk! - Improve the deploy error for cron-triggered Workflows on free plans

    Wrangler now explains that Workflow schedules require a paid Workers plan instead of showing only the generic Workflows API request failure.

  • #​14616 c782e2a Thanks @​penalosa! - Fix wrangler deploy aborting in CI for autoconfigured projects

    A recent change guarded non-interactive deploys against overwriting a same-named Worker whenever there was no config file naming it. This was too broad: a plain wrangler deploy run in CI without a config file (for example an autoconfigured project whose generated config PR has not been merged) would fail with "A Worker named ... already exists in your account", even though re-deploying to that Worker is the intended behaviour.

    The guard is now limited to the Pages-to-Workers delegation, where the target name is a Pages project name that must not clobber an unrelated Worker. Plain deploys once again deploy normally.

  • Updated dependencies [e3f0cd6, 8511ddf, 2fedb1f]:

    • miniflare@​4.20260708.0

v4.108.0

Compare Source

Minor Changes
  • #​14312 54f74b8 Thanks @​MattieTK! - Delegate agent-driven static Pages deploys to Workers

    When wrangler pages deploy or wrangler pages project create is run by an AI coding agent against a brand-new, purely static project, Wrangler now delegates it to Workers static assets (using autoconfig) instead of Cloudflare Pages. Accounts that already have Cloudflare Pages projects, non-agent (human) sessions, and projects using Pages features that can't be carried across to Workers (Pages Functions, a _worker.js, or a _routes.json file) are unaffected and continue to use Pages. Passing --force to either command opts out of the delegation and deploys to Pages directly. Once the Workers deploy starts it is not silently swapped back to Pages: if it fails, the error is surfaced and the --force opt-out is suggested.

Patch Changes
  • #​14567 0852346 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler", "create-cloudflare"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260702.1 1.20260706.1
    @​cloudflare/workers-types 4.20260702.1 5.20260706.1
  • #​14312 54f74b8 Thanks @​MattieTK! - Avoid silently overwriting an existing Worker during non-interactive deploys that cannot prove they own the name

    A non-interactive deploy (an agent, CI, or the agent-delegated wrangler pages deploy) has no way to prompt before overwriting a Worker, so it now stops if the target name is already taken and this run cannot show it owns that Worker. This applies when there is no Wrangler configuration file naming the Worker and either the name was generated automatically or the deploy is the Pages-to-Workers delegation (where the name carried across is a Pages project name, not proof of Worker ownership). The check reuses the service metadata the deploy already fetches, so it adds no extra API calls.

    Deploys are unaffected when a configuration file names the Worker (so repeat deployments continue to update it), and interactive deploys keep their existing confirmation flow. To update an existing Worker in one of the guarded cases, add a Wrangler configuration file naming it, or deploy under a different name.

  • Updated dependencies [0852346]:

    • miniflare@​4.20260706.0

v4.107.1

Compare Source

Patch Changes
  • #​14514 d88555e Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260701.1 1.20260702.1
  • #​14564 5fd8bee Thanks @​jibin7jose! - Fix an issue where wrangler dev would not override config vars with values from .dev.vars during local development when the secrets field was defined in the configuration file.

  • #​14332 5d9990e Thanks @​Divkix! - Fix misleading error guidance when deploying a new Worker with secrets.required

    When a Worker declares secrets.required and has never been deployed before, the previous error message suggested running wrangler secret put <NAME>, which doesn't work because the Worker doesn't exist yet.

    The one path that does work — wrangler deploy --secrets-file <path> — was not mentioned anywhere in the error output.

    The pre-deploy error now explains that wrangler secret put cannot be used for a new Worker, and directs users to the --secrets-file flag instead. The post-deploy error for existing Workers now also mentions --secrets-file alongside wrangler secret put.

  • #​14507 bf49a41 Thanks @​joey727! - Fix a potential crash when displaying certain CLI output

    Previously, some CLI output with no content lines could cause a crash. This is now handled correctly.

  • #​14492 1ac96a1 Thanks @​penalosa! - Replace the CommonJS xdg-app-paths dependency with a vendored pure-ESM implementation

    xdg-app-paths (and its xdg-portable/os-paths dependencies) are CommonJS only, which caused "Dynamic require of 'path' is not supported" errors when the surrounding code was bundled to ESM. The global config/cache directory resolution is now provided by a small, dependency-free pure-ESM module in @cloudflare/workers-utils that reproduces the previous path resolution exactly (verified against the real package in unit tests), so existing config and credential locations are unchanged. This also drops the transitive fsevents optional dependency that xdg-app-paths pulled in.

    Miniflare and create-cloudflare now consume the shared helpers from @cloudflare/workers-utils instead of maintaining their own copies, importing node-only leaf entry points (@cloudflare/workers-utils/fs-helpers, @cloudflare/workers-utils/global-wrangler-config-path) where ESM bundling is required.

  • #​14572 f416dd9 Thanks @​petebacondarwin! - Key local rate limit counters by namespace_id instead of binding name

    wrangler dev and Miniflare previously tracked each rate limit binding's counter by its binding name, so two bindings that referenced the same namespace_id were treated as separate limiters. Counters are now keyed by namespace_id, matching production: bindings that share a namespace_id share a limit, while distinct namespaces stay isolated. This also re-enables rate limit bindings in multiworker wrangler dev sessions, where they were previously stripped from secondary Workers to avoid a startup crash.

  • #​14570 1ca8d8f Thanks @​penalosa! - Upgrade signal-exit from v3 to v4

    The bundled signal-exit dependency was CJS-only. Upgrading to v4 (which ships a dual ESM/CJS build) unblocks ESM output. Exit-cleanup behaviour is unchanged, though v4 no longer registers handlers for a few signals that are no longer supported by the OS (SIGUNUSED on Linux; SIGABRT/SIGALRM on Windows).

  • #​14561 b973ed3 Thanks @​martijnwalraven! - Emit an error event for watch-mode rebuild failures in unstable_startWorker

    Initial build failures already dispatch an error event (surfaced as buildFailed on the DevEnv bus), but watch-mode rebuild failures were only logged from inside the esbuild plugin, so programmatic consumers had no way to observe them while dev kept serving the previous bundle. Rebuild failures now route through the same error path as initial-build failures: terminal output is unchanged and buildFailed fires symmetrically.

  • Updated dependencies [e7e5780, d88555e, 1ac96a1, f416dd9, 16fbf81]:

    • miniflare@​4.20260702.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: medium. Cursor Bugbot was not present on this PR; skipping that signal. This Renovate bump touches vite-plus, pnpm, wrangler, and a large lockfile diff, which exceeds the low-risk approval threshold. Human review is needed; assigned zrr1999.

Open in Web View Automation 

Sent by Cursor Approval Agent: Pull Request Approver

@cursor cursor Bot requested a review from zrr1999 July 13, 2026 02:25
@renovate renovate Bot merged commit e1befde into main Jul 13, 2026
3 checks passed
@renovate renovate Bot deleted the renovate/dependencies-(non-major) branch July 13, 2026 02:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants