⬆️ deps: Update dependencies (non-major)#51
Merged
Conversation
There was a problem hiding this comment.
Risk: medium. Cursor Bugbot was not present on this PR; skipping that signal. This Renovate bump touches vite-plus, pnpm, wrangler, and a large lockfile diff, which exceeds the low-risk approval threshold. Human review is needed; assigned zrr1999.
Sent by Cursor Approval Agent: Pull Request Approver
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


This PR contains the following updates:
1.23.0→1.24.01.0.30001800→1.0.300018051.72.0→1.73.011.10.0→11.12.010.29.4→10.29.70.2.2→0.2.40.2.2→0.2.44.107.0→4.110.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
lucide-icons/lucide (@lucide/astro)
v1.24.0: Version 1.24.0Compare Source
What's Changed
toBeRemovedInVersionmetadata and make it optional in schema by @ericfennis with @Copilot in #4513optionicon by @jamiemlaw in #4326doticon by @cnlancehu in #4492circle-euro-signicon by @Guido3000 in #4353server-plusicon by @Turboman3000 in #4232New Contributors
Full Changelog: lucide-icons/lucide@1.23.0...1.24.0
browserslist/caniuse-lite (caniuse-lite)
v1.0.30001805Compare Source
v1.0.30001803Compare Source
v1.0.30001802Compare Source
oxc-project/oxc (oxlint)
v1.73.0Compare Source
🚀 Features
a2c97f3linter/unicorn: Implementexplicit-timer-delayrule (#23612) (Mikhail Baev)85735cblinter/unicorn: Implementno-confusing-array-withrule (#23638) (Shekhucb4fbb9linter/eslint: Implement no-unreachable-loop rule (#23975) (Todor Andonov)dc32112linter/eslint/no-constant-binary-expression: Check relational comparisons (#24088) (camc314)d963967linter/unicorn/no-array-sort: AddallowAfterSpreadoption (#24043) (Boshen)0a75682linter: Add per-rule timings for type-aware linting (#22488) (camchenry)743e222linter/react: AdddisallowedValuesoption forforbid-dom-propsrule (#23970) (Mikhail Baev)🐛 Bug Fixes
bdb51c7linter/jest/prefer-ending-with-an-expect: Validate config patterns (#24122) (camc314)45d607dlinter/react/forbid-component-props: Make allow/disallow lists optional in schema (#24024) (Boshen)pnpm/pnpm (pnpm)
v11.12.0Compare Source
Minor Changes
a897ef7: Custom fetchers exported from a pnpmfile can now delegate by returning a{ delegate: <resolution> }envelope: pnpm rewrites the package's resolution to the delegated shape and runs the built-in fetcher on it. This is the portable delegation form that also works in pacquet, wherecafsandfetcherscannot be passed to the hook. Related to pnpm/pnpm#11685.Patch Changes
2b02764: The changed-packages filter (--filter "...[<since>]") no longer allows an option-like<since>value (such as--output=<path>) to be interpreted as a git option — git now rejects it as a bad revision. The repository root is also resolved to the nearest.gitentry, so the filter works in a git worktree checked out inside another repository's tree.43711ce:pnpm outdatedno longer checks the registry for dependencies that are resolved from locallink:,file:, orworkspace:references in the lockfile #12827.3c6718b: Fixed a deadlock in peer dependency resolution:pnpm installhung forever when a peer dependency cycle spanned a project's own dependencies and auto-installed peer providers, for example when installingelectron-builder@26.15.3#12921.252f15e: Fixed peer dependency auto-install picking a version the peer range rejects. In a workspace with several projects, a package declaring a peer dependency with a semver range (for example^1.0.0) could get the highest version found anywhere in the workspace (for example a2.0.0resolved for another project) instead of a version that satisfies the range. Peers are now deduplicated onto the highest preferred version that satisfies the declared range, and when none does, the range is resolved from the registry.Also fixed re-resolving with an existing lockfile hoisting a different peer version than a fresh install of the same manifest: root dependencies reused from the lockfile were invisible to peer hoisting, so a peer that a root dependency provides could be bound to another version.
a38adda:pnpm self-update <version>now installs the requested pnpm version when it matches the currently running version but is missing from the global self-update directory.6a85968:pnpm stage listnow stops paginating after a fail-safe cap of 1000 pages, so a misbehaving registry cannot keep the command looping forever.eee7c9a:verify-deps-before-runno longer spawns apnpm installwhen pnpm is executed in a directory that has nopackage.json. A mistyped command run outside a project (for examplepnpm witch 10 login) used to crash with a confusing error from the spawned install; now it fails with the regular "no package.json found" error.v11.11.0Compare Source
Minor Changes
508b8c2: Added thepnpm accesscommand for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.Patch Changes
c70e33e: AllowallowBuildsentries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. withminimumReleaseAgeortrustPolicyenabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.51300fd: Prevent a craftedpnpm-lock.yamlfrom writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g.../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshotversion: "../../x") is now rejected atformatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.f8058eb: Reject symlinkedpnpm-lock.yamlfiles when reading or writing the env lockfile document.9318a11: AllowregistriesandnamedRegistriesto be configured in the globalconfig.yamlfile.51300fd: Fixed a path traversal vulnerability where a dependency whose manifestnamewas a scoped path traversal (e.g.@x/../../../<path>) could be written outsidenode_modulesto an attacker-controlled location duringpnpm install, even with--ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.14332f0: Fail instead of silently removing an optional dependency's locked entries frompnpm-lock.yamlwhen the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet),pnpm installandpnpm dedupesilently dropped the optional dependency's entries — emptying maps such as the platform binaries of@napi-rs/canvas— so the lockfile differed between machines and frozen installs on other hosts had nothing to link #12853.fecfe83: Fixed peer dependency resolution withautoInstallPeerswhen a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #4993.5a4daec:${...}environment-variable placeholders in thehttpProxy,httpsProxy,noProxy,proxy, andnoproxysettings are no longer expanded when these settings come from a project'spnpm-workspace.yaml. They now receive the same protection already applied toregistry,namedRegistries, andpnprServer.d1da02e:pnpm publishno longer prints credentials when the target registry is configured with inlineuser:pass@credentials (e.g.registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.dcfc611:pnpm self-updatenow honorstrustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.a8ad82d: Register thepnalias in generated shell completion scripts.25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.23996e9:pnpm runtime set <name> <version>now validates its arguments: the name must benode,deno, orbun, and the version must not contain a comma. Previously these were interpolated straight into apnpm addselector, where an unsupported name or a comma (e.g.node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.preactjs/preact (preact)
v10.29.7Compare Source
Maintenance
v10.29.6Compare Source
We had to revert #5055 due to an incompatibility with
useSignalEffectv10.29.5Compare Source
Fixes
voidzero-dev/vite-plus (vite)
v0.2.4: vite-plus v0.2.4: Vitest security hotfixCompare Source
This hotfix updates the bundled Vitest Browser Mode packages to
4.1.10, which includes the fix for GHSA-p63j-vcc4-9vmv. The advisory is critical and affects@vitest/browser <=4.1.9.Highlights
vitestand@vitest/browser*move from4.1.9to4.1.10, addressing GHSA-p63j-vcc4-9vmv, where provider commands could bypass the file access permission gate (#2089), by @voidzero-guard[bot]Chore
Bundled Versions
8.1.3578ffb81.1.46cbd2330.22.34.1.101.72.00.24.00.57.0Upgrade
New Contributors
No new contributors in this release.
Full Changelog: voidzero-dev/vite-plus@v0.2.3...v0.2.4
Published Packages
@voidzero-dev/vite-plus-core@0.2.4vite-plus@0.2.4Installation
macOS/Linux:
curl -fsSL https://vite.plus | bashWindows:
Or download and run
vp-setup.exefrom the assets below.Docker:
docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.4 vp buildRun any
vpcommand without installing it; see the Docker guide for more.v0.2.3: vite-plus v0.2.3: config extraction, create, and vp run reliability fixesCompare Source
A patch release that fixes static config extraction for
vite.config.tsfiles whosedefineConfigcomes from a preset or custom wrapper (no longer misread as Vite+'s own), fixesvp createfor org templates on registries that strip custom package fields, cleans up terminal output after Ctrl-C duringvp run, and updates bundled Vite to 8.1.3.Highlights
VP_HOMEis honored on every run: the globalvpnow respects a user-setVP_HOMEfor its home directory instead of falling back to~/.vite-plus, and persists it in the generated env files, so a custom install location no longer produces multiple instances or unusable packages (#2029), by @liangmiQwQFeatures
8.1.2to8.1.3(inlined CSS after the shebang line, CSS preload for nested dynamic imports, SSR stacktrace column fix) (#2042), by @voidzero-guard[bot]Fixes & Enhancements
vp runno longer misreads avite.config.tswhen itsdefineConfigcomes from a preset or a custom wrapper instead ofvite-plusorvite. Such configs are now evaluated at runtime rather than assumed to be Vite+'s own, so projects that use them no longer wrongly reportTask "build" not found(#2060, #2075), by @liangmiQwQ and @fengmk2vp runtask with Ctrl-C no longer leaves odd OSC escape sequences in the terminal;vpdefers its own Ctrl-C handling until the child process exits (#2079), by @forehalovp migrate: rewriting apackage.jsonprettier script now emits a single--check, so scripts that combined--checkwith--list-different/-l/-cno longer produce a duplicatedvp fmt --check --check(#2044), by @shulaodavp create @​org:name: read the org template catalog (createConfig) from the published tarball when the registry (e.g. GitHub Packages) strips custom fields from packument metadata (#2063), by @hiro-daikinvp run: missing env vars requested through@voidzero-dev/vite-task-clientnow returnundefinedinstead ofnull, preserving Vite productionNODE_ENVsemantics when builds run throughvp run(vite-task#508, via #2076), by @wan9chiRefactor
static_config: drop the unreachablevite.config.jsonbranch (#2045), and remove unused exported CLI helpers (#2046), by @shulaodaDocs
Dockerfile.alpinecomment (#2068), by @fengmk2pnpm-workspace.yamlto the docs Dockerfile (#2059), by @wan-kongChore
vp runoutput for docs builds (#2006), by @wan9chiBundled Versions
8.1.3578ffb81.1.46cbd2330.22.34.1.91.72.00.24.00.57.0Upgrade
New Contributors
@wan-kong and @hiro-daikin made their first contributions.
Full Changelog: voidzero-dev/vite-plus@v0.2.2...v0.2.3
Published Packages
@voidzero-dev/vite-plus-core@0.2.3vite-plus@0.2.3Installation
macOS/Linux:
curl -fsSL https://vite.plus | bashWindows:
Or download and run
vp-setup.exefrom the assets below.Docker:
docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.3 vp buildRun any
vpcommand without installing it; see the Docker guide for more.cloudflare/workers-sdk (wrangler)
v4.110.0Compare Source
Minor Changes
#14591
0283a1fThanks @dario-piotrowicz! - Send npm package dependency metadata with worker uploadsWrangler now collects npm package dependency information from the project's
package.jsonat deploy and version upload time, and includes it in the upload metadata sent to the Cloudflare API. This enables dependency analytics and future features like vulnerability alerting.The collected data includes the package name, the version constraint from
package.json, and the exact installed version fromnode_modules. BothdependenciesanddevDependenciesare included, while workspace packages, local packages, and unresolvable packages are excluded. The list is capped at 200 entries per upload.To opt out, set
dependencies_instrumentation.enabledtofalsein your Wrangler configuration file:{ "dependencies_instrumentation": { "enabled": false } }#14535
1b965c5Thanks @Naapperas! - Support dynamic retry delays for Workflow steps in local devA step's
retries.delaycan now be a function that computes the delay per failed attempt, in addition to a static duration. The function receives{ ctx, error }and returns a delay (a number of milliseconds or a duration string like"30 seconds"), and its result is fed into the configuredbackoff.The function is invoked once per failed attempt with a 5 second timeout. If it throws, times out, or returns an invalid value, the step fails without further retries.
Patch Changes
#14589
7b28392Thanks @jamesopstad! - Fix runtime type caching whenwrangler devauto-regenerates typesWhen
dev.generate_types(orwrangler dev --types) regenerated an out-of-dateworker-configuration.d.ts, the written file omitted the// Begin runtime typesmarker (and the/* eslint-disable */header) thatwrangler typeswrites. As a result, later runs could not detect the cached runtime types and always regenerated them. The auto-regenerated file now matcheswrangler typesoutput, restoring the cache.Updated dependencies [
1b965c5]:v4.109.0Compare Source
Minor Changes
#14489
e3f0cd6Thanks @edmundhung! - AddlistDurableObjectIds()tocreateTestHarnessWorker handlesTests using
createTestHarnesscan now list persisted Durable Object instance IDs for a Durable Object binding. This helps integration tests discover objects created by app behavior without adding test-only endpoints.#14465
2fedb1fThanks @vaishnav-mk! - Add rollback support when terminating Workflow instancesWorkflowInstance.terminate({ rollback: true })now runs registered rollback handlers before marking a local Workflow instance as terminated. Wrangler also supports this viawrangler workflows instances terminate --rollback, including local mode.The rollback option is only sent for terminate operations and is rejected by the Local Explorer API for pause, resume, and restart actions.
#14511
17d2fc1Thanks @juleslemee! - Addwrangler turnstile widgetcommands for managing Turnstile widgetsYou can now create, list, inspect, update, and delete Turnstile widgets from the CLI:
All five subcommands accept
--jsonfor machine-readable output (getprints a formatted view by default; the rest print a short human summary).--domainaccepts comma-separated values, e.g.--domain a.com,b.com.delete --jsonrequires--skip-confirmation/-yto keep output pipeable.createprints the sitekey, the secret, and the canonicalchallenges.cloudflare.com/turnstile/v0/siteverifyendpoint for backend verification. The hint is backend-agnostic; it doesn't assume Workers. The secret is redacted fromlistandupdateoutput but remains available viagetfor retrieval later.deleteprompts for confirmation; pass--skip-confirmation/-yto bypass.The OAuth flow now requests the
challenge-widgets.writescope (the existing Bach-derived scope for Turnstile widget CRUD). Existing OAuth sessions need to runwrangler loginagain to pick it up. API token users need a token with theAccount.Turnstile:Editpermission.Patch Changes
#14596
8511ddfThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14604
9f74a5fThanks @vaishnav-mk! - Improve the deploy error for cron-triggered Workflows on free plansWrangler now explains that Workflow schedules require a paid Workers plan instead of showing only the generic Workflows API request failure.
#14616
c782e2aThanks @penalosa! - Fixwrangler deployaborting in CI for autoconfigured projectsA recent change guarded non-interactive deploys against overwriting a same-named Worker whenever there was no config file naming it. This was too broad: a plain
wrangler deployrun in CI without a config file (for example an autoconfigured project whose generated config PR has not been merged) would fail with "A Worker named ... already exists in your account", even though re-deploying to that Worker is the intended behaviour.The guard is now limited to the Pages-to-Workers delegation, where the target name is a Pages project name that must not clobber an unrelated Worker. Plain deploys once again deploy normally.
Updated dependencies [
e3f0cd6,8511ddf,2fedb1f]:v4.108.0Compare Source
Minor Changes
#14312
54f74b8Thanks @MattieTK! - Delegate agent-driven static Pages deploys to WorkersWhen
wrangler pages deployorwrangler pages project createis run by an AI coding agent against a brand-new, purely static project, Wrangler now delegates it to Workers static assets (using autoconfig) instead of Cloudflare Pages. Accounts that already have Cloudflare Pages projects, non-agent (human) sessions, and projects using Pages features that can't be carried across to Workers (Pages Functions, a_worker.js, or a_routes.jsonfile) are unaffected and continue to use Pages. Passing--forceto either command opts out of the delegation and deploys to Pages directly. Once the Workers deploy starts it is not silently swapped back to Pages: if it fails, the error is surfaced and the--forceopt-out is suggested.Patch Changes
#14567
0852346Thanks @dependabot! - Update dependencies of "miniflare", "wrangler", "create-cloudflare"The following dependency versions have been updated:
#14312
54f74b8Thanks @MattieTK! - Avoid silently overwriting an existing Worker during non-interactive deploys that cannot prove they own the nameA non-interactive deploy (an agent, CI, or the agent-delegated
wrangler pages deploy) has no way to prompt before overwriting a Worker, so it now stops if the target name is already taken and this run cannot show it owns that Worker. This applies when there is no Wrangler configuration file naming the Worker and either the name was generated automatically or the deploy is the Pages-to-Workers delegation (where the name carried across is a Pages project name, not proof of Worker ownership). The check reuses the service metadata the deploy already fetches, so it adds no extra API calls.Deploys are unaffected when a configuration file names the Worker (so repeat deployments continue to update it), and interactive deploys keep their existing confirmation flow. To update an existing Worker in one of the guarded cases, add a Wrangler configuration file naming it, or deploy under a different name.
Updated dependencies [
0852346]:v4.107.1Compare Source
Patch Changes
#14514
d88555eThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14564
5fd8beeThanks @jibin7jose! - Fix an issue wherewrangler devwould not override configvarswith values from.dev.varsduring local development when thesecretsfield was defined in the configuration file.#14332
5d9990eThanks @Divkix! - Fix misleading error guidance when deploying a new Worker withsecrets.requiredWhen a Worker declares
secrets.requiredand has never been deployed before, the previous error message suggested runningwrangler secret put <NAME>, which doesn't work because the Worker doesn't exist yet.The one path that does work —
wrangler deploy --secrets-file <path>— was not mentioned anywhere in the error output.The pre-deploy error now explains that
wrangler secret putcannot be used for a new Worker, and directs users to the--secrets-fileflag instead. The post-deploy error for existing Workers now also mentions--secrets-filealongsidewrangler secret put.#14507
bf49a41Thanks @joey727! - Fix a potential crash when displaying certain CLI outputPreviously, some CLI output with no content lines could cause a crash. This is now handled correctly.
#14492
1ac96a1Thanks @penalosa! - Replace the CommonJSxdg-app-pathsdependency with a vendored pure-ESM implementationxdg-app-paths(and itsxdg-portable/os-pathsdependencies) are CommonJS only, which caused "Dynamic require of 'path' is not supported" errors when the surrounding code was bundled to ESM. The global config/cache directory resolution is now provided by a small, dependency-free pure-ESM module in@cloudflare/workers-utilsthat reproduces the previous path resolution exactly (verified against the real package in unit tests), so existing config and credential locations are unchanged. This also drops the transitivefseventsoptional dependency thatxdg-app-pathspulled in.Miniflare and create-cloudflare now consume the shared helpers from
@cloudflare/workers-utilsinstead of maintaining their own copies, importing node-only leaf entry points (@cloudflare/workers-utils/fs-helpers,@cloudflare/workers-utils/global-wrangler-config-path) where ESM bundling is required.#14572
f416dd9Thanks @petebacondarwin! - Key local rate limit counters bynamespace_idinstead of binding namewrangler devand Miniflare previously tracked each rate limit binding's counter by its binding name, so two bindings that referenced the samenamespace_idwere treated as separate limiters. Counters are now keyed bynamespace_id, matching production: bindings that share anamespace_idshare a limit, while distinct namespaces stay isolated. This also re-enables rate limit bindings in multiworkerwrangler devsessions, where they were previously stripped from secondary Workers to avoid a startup crash.#14570
1ca8d8fThanks @penalosa! - Upgradesignal-exitfrom v3 to v4The bundled
signal-exitdependency was CJS-only. Upgrading to v4 (which ships a dual ESM/CJS build) unblocks ESM output. Exit-cleanup behaviour is unchanged, though v4 no longer registers handlers for a few signals that are no longer supported by the OS (SIGUNUSEDon Linux;SIGABRT/SIGALRMon Windows).#14561
b973ed3Thanks @martijnwalraven! - Emit an error event for watch-mode rebuild failures inunstable_startWorkerInitial build failures already dispatch an error event (surfaced as
buildFailedon the DevEnv bus), but watch-mode rebuild failures were only logged from inside the esbuild plugin, so programmatic consumers had no way to observe them while dev kept serving the previous bundle. Rebuild failures now route through the same error path as initial-build failures: terminal output is unchanged andbuildFailedfires symmetrically.Updated dependencies [
e7e5780,d88555e,1ac96a1,f416dd9,16fbf81]:Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.