chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@commitlint/cli (source)	^20.4.0 → ^20.5.3
@commitlint/config-conventional (source)	^20.4.0 → ^20.5.3
@dotenvx/dotenvx	^1.52.0 → ^1.75.1
@inquirer/prompts (source)	^8.2.0 → ^8.5.2
@types/node (source)	^25.2.0 → ^25.9.4
@vitest/coverage-v8 (source)	^4.0.18 → ^4.1.9
citty	^0.2.0 → ^0.2.2
date-fns	^4.1.0 → ^4.4.0
eslint (source)	^9.39.2 → ^9.39.4
jiti	^2.6.1 → ^2.7.0
ora	^9.1.0 → ^9.4.1
prettier (source)	^3.8.1 → ^3.8.4
string-width	^8.1.1 → ^8.2.1
vitest (source)	^4.0.18 → ^4.1.9

---

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v20.5.3

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.5.2

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.5.0

Compare Source

Bug Fixes

• cli: validate that --cwd directory exists before execution (#​4658) (cf80f75), closes #​4595

20.4.4 (2026-03-12)

Note: Version bump only for package @​commitlint/cli

20.4.3 (2026-03-03)

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @​commitlint/cli

20.4.1 (2026-02-02)

Note: Version bump only for package @​commitlint/cli

v20.4.4

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.4.3

Compare Source

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.4.1

Compare Source

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v20.5.3

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.5.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

20.4.4 (2026-03-12)

Note: Version bump only for package @​commitlint/config-conventional

20.4.3 (2026-03-03)

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @​commitlint/config-conventional

20.4.1 (2026-02-02)

Note: Version bump only for package @​commitlint/config-conventional

v20.4.4

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.3

Compare Source

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

dotenvx/dotenvx (@​dotenvx/dotenvx)

v1.75.1

Compare Source

Changed

• Publish as named binaries (#​851)

Removed

• Remove references to dotenvx-vlt (now dotenvx-armor) (#​849)

v1.75.0

Compare Source

Changed

• Swap in @dotenvx/primitives (#​848)
• ext commands become first-class(#​847)

v1.74.3

Compare Source

Changed

• Bundle dotenvx with @dotenvx/next-env for user convenience (#​845)

v1.74.2

Compare Source

Changed

• Fix provenance for @dotenvx/next-env (#​844)

v1.74.1

Compare Source

Added

• Add README for @dotenvx/next-env (#​843)

v1.73.1

Compare Source

Changed

• Give update available notification only for armor commands (#​840)

v1.73.0

Compare Source

Added

• Add dotenvx armor commands directly inside dotenvx (#​839)

dotenvx remains local-first: armor commands are optional under professional security section

v1.72.0

Compare Source

Added

• Move armor login command to first class dotenvx login command. (#​836)
• dotenvx remains local-first: login is optional and only needed when you want Armor features like moving keys off-device, team sharing, and audit access.
• Patch 2 high severity dependencies (#​837)

v1.71.3

Compare Source

Changed

• Forward command to Dotenvx Armor Key Guard approvals (#​835)

v1.71.2

Compare Source

Changed

• touch up get, set, and decrypt when armor installed (#​834)

v1.71.1

Compare Source

Changed

• stderr changed to inherit for dotenvx-armor integration (#​833)

v1.71.0

Compare Source

Added

• Add optional automation --token support for Armor ⛨ users (#​831)

v1.70.0

Compare Source

Changed

• Dotenvx Ops/Vlt is now Dotenvx Armor ⛨ (#​830)

v1.69.2

Compare Source

Changed

• Minor messaging improvements, especially if using armored keys (#​825)

v1.69.1

Compare Source

Changed

• Internally rename ops to vlt (#​823)

v1.69.0

Compare Source

Changed

• Remove fully-deprecated opsOff option in favor of noOps (#​822)

v1.68.1

Compare Source

Changed

• Pass -f to ops (#​821)

v1.68.0

Compare Source

Changed

• Support ignore option on parse (#​820)

v1.67.0

Compare Source

Added

• Add prompt for local storage vs armored storage (#​819)

v1.66.0

Compare Source

Added

• Add dotenvx doctor (#​815)

v1.65.3

Compare Source

Changed

• Improve spinner message blinking with simpler --no-spinner flag passed to ops (#​814)

v1.65.2

Compare Source

Changed

• Improve spinner message coordination between dotenvx and dotenvx-ops (#​813)

v1.65.1

Compare Source

Changed

• Prompts from ops should bubble up (#​812)

v1.65.0

Compare Source

Added

• Add support for replaceing duplicate keys with different values (#​806)

v1.64.0

Compare Source

Added

• Add optional dotenvx armor command.
  • armor up armor private key
  • armor down dearmor private key
  • armor push push armored key (from .env.keys)
  • armor pull pull armored key (into .env.keys)

Move private keys off device and under access control with Dotenvx Ops ⛨. Learn more

v1.63.0

Compare Source

Added

• Add support for encrypted values passed to --env flag (#​804)
• Add support for --format=colon in order to support cloudflare's wrangler --var flag format (#​804)

v1.62.0

Compare Source

Added

• Add support for config({ envs }). unlocks simpler cloudflare worker integration (#​803)

$ dotenvx encrypt -f .env.txt

// src/index.js
import envSrc from '../.env.txt'
import dotenvx from '@​dotenvx/dotenvx'

const config = dotenvx.config({ envs: [{ type: 'env', value: envSrc, privateKeyName: 'DOTENV_PRIVATE_KEY' }] })
const envx = config.parsed

export default {
  async fetch(request, env, ctx) {
    return new Response(`Hello ${envx.HELLO}`)
  }
}

"scripts": {
  "deploy": "wrangler deploy",
  "dev": "wrangler dev --var $(dotenvx keypair -f .env.txt --format=colon)",
  "start": "wrangler dev --var $(dotenvx keypair -f .env.txt --format=colon)",
  "test": "vitest"
},

v1.61.6

Compare Source

Changed

• Guard against command substitution following encrypted: (#​802)

v1.61.5

Compare Source

Changed

• Support --hostname flag to dotenvx-ops.login (#​801)

v1.61.4

Compare Source

Changed

• Respect SIGINT handler completion (#​798)

v1.61.3

Compare Source

Changed

• Tighten up ext precommit --install message (#​797)

v1.61.2

Compare Source

Changed

• For Ops ⛨ users surface stderr (#​796)

v1.61.1

Compare Source

Changed

• Faster coldstarts! (#​781)
• Patch dotenvx precommit|prebuild shorthand (#​793)

v1.61.0

Compare Source

Added

• Add login and logout method that proxy to dotenvx-ops login/logout (#​780)
• Note: dotenvx continues to make zero outgoing HTTP requests and includes no telemetry. Outgoing requests occur only if you explicitly install the dotenvx-ops SDK or CLI.

v1.60.2

Compare Source

Changed

• Communicate local key and armored key (for Ops stored keys) (#​778)

v1.60.1

Compare Source

Added

• Added missing + key ⛨ for Ops stored keys (#​777)

v1.60.0

Compare Source

Added

• Add spinner with loading messages
  • injecting (run)
  • encrypting (encrypt, set)
  • decrypting (decrypt, get)
  • rotating (rotate)
  • retrieving (keypair)

v1.59.1

Compare Source

Added

• add HELLO key to the kit sample to match most of our examples in the README

v1.59.0

Compare Source

Changed

• encrypt and set now create a .env file if one does not exist (#​771)
• pass --no-create to prevent file creation

v1.58.0

Compare Source

Changed

• Changed runtime injection message to format ⟐ injecting env (N) from FILE · dotenvx@VERSION (#​770)

v1.57.5

Compare Source

Changes

• Improve already installed message (#​768)

v1.57.4

Compare Source

Changes

• Use curl example for install dotenvx.com/ops (#​767)

v1.57.3

Compare Source

Changes

• Simplify installed success message (#​766)

v1.57.2

Compare Source

Changes

• Ran npm audit to update package-lock.json (#​763)

v1.57.1

Compare Source

Changes

• improved error logs and compacted most to a single line (#​755)

• introduced leading log glyphs as a visual status language:

  • ⟐ success action (injected)
  • ◈ success action (encrypted)
  • ◇ success action (set plain value, decrypted)
  • ⟳ success action (rotated)
  • ○ informational no-op (no changes)
  • ▣ success action for generated/updated support files
  • ⚠ warning
  • ☠ error

v1.57.0

Compare Source

Changed

• color and formatting changes to outputs (#​754)

v1.56.0

Compare Source

Changed

• ops off flag — now respected by get, keypair, rotate, and encrypt (#​750)
• --pp alias — added as shorthand for --pretty-print; toward sunsetting -pp (#​750)

Removed

• Remove support for .env.vault files (#​750)

v1.55.1

Compare Source

Added

• Respect dotenvx-ops status (on|off) (#​749)

v1.55.0

Compare Source

Added

• Add '⛨ ARMORED KEYS: Harden your private keys.' security feature when dotenvx-ops installed (#​746)

Removed

• Remove ProKeypair logic

v1.54.1

Compare Source

Changed

• Fix npm publish

v1.53.0

Compare Source

Removed

• Remove radar. It has been a year since replaced by ops. (#​743)

SBoudrias/Inquirer.js (@​inquirer/prompts)

v8.5.2

Compare Source

• Fix security warnings in external-editor

v8.5.1

Compare Source

• Rolled back mute-stream dependency from v4 to v3 to undo breaking compatible engines.
• Added tooling to prevent regression of the above in the future. This surfaced our min engines already enforced a higher limit, so adjusted the explicit limits to match the current state.

v8.5.0

Compare Source

• Feat: Read env variable INQUIRER_KEYBINDINGS to enable vim or emacs keybindings; making this a user preference instead of a library author preference. One caveat is doing so disable the search feature in the select prompt. Syntax: INQUIRER_KEYBINDINGS=vim,emacs.
• Fix: Line wraps would sometime cause the cursor to be mispositioned relative to the input.
• Chore: Bump dependencies.

v8.4.3

Compare Source

• Fix: Windows rendering bug
• Fix: Preserve exact literal types in choices array (Typescript only)
• Fix: Allow input default value to be of type undefined (Typescript only)
• Bump dependencies

v8.4.2

Compare Source

• Fix: some Windows terminals would freeze and not react to keypresses.

v8.4.1

Compare Source

• Improve expand prompt type inferrence.

v8.4.0

Compare Source

• Feat: Added a loading message while validating editor prompt input.
• Type improvement: Better type inference with checkbox, search and expand prompts.
• Fix: editor prompt not always properly handling editor path on windows.

v8.3.2

Compare Source

• Fix broken 8.3.1 release process.

v8.3.1

Compare Source

• Bump dependencies

v8.3.0

Compare Source

• Fix: Keypresses happening before a prompt is rendered are now ignored.
• Fix (checkbox): Element who're both checked and disabled are now always included in the returned array.
• Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing.
• Feat: various new theme options to make all prompts content localizable.

Finally, see our new @inquirer/i18n package!

v8.2.1

Compare Source

• chore: Switch wrap-ansi with fast-wrap-ansi

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.9

Compare Source

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)

View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in [#​9940](https://redirect.github.com/vitest-

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 1am and before 5am"
• Automerge
  • "after 2am and before 5am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.