Skip to content

chore(deps): update all non-major dependencies#46

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#46
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Mar 26, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@vitest/coverage-v8 (source) 4.1.14.1.10 age confidence
@vue/test-utils 2.4.62.4.11 age confidence
pnpm (source) 10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c864931910.34.4 age confidence
typescript (source) 6.0.26.0.3 age confidence
vitest (source) 4.1.14.1.10 age confidence

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

   🐞 Bug Fixes
    View changes on GitHub

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes
    View changes on GitHub
vuejs/test-utils (@​vue/test-utils)

v2.4.11

Compare Source

compare changes

🩹 Fixes
  • Drop legacy Mutation Event listener entries (#​2844)
  • Handle setData() correctly for components using both setup() and data() (#​2846)
  • Export GlobalMountOptions type (#​2851)
  • Set spec-compliant event.code on keydown/keyup (#​2850)
❤️ Contributors

v2.4.10

Compare Source

v2.4.9

Compare Source

compare changes

🩹 Fixes
  • Tolerate duplicate attachTo cleanup (#​2830)
📖 Documentation
🏡 Chore
  • Migrate renovate config (5d37934)
🤖 CI
  • Pin github actions to commit hashes (75dcef3)
❤️ Contributors

v2.4.8

Compare Source

compare changes

🩹 Fixes
  • Correct declaration entrypoint (#​2826)
🤖 CI
❤️ Contributors

v2.4.7

Compare Source

compare changes

🚀 Enhancements
  • Add Chinese docs translation (#​2552)
  • SetData()/shallowMount with initialData for components using the Composition API / <script setup> (#​2655)
🩹 Fixes
  • Preserve code from keyboard events (#​2434)
  • Switch browser and require exports definitions (#​2501)
  • Re-add peer dependencies but with wider range (#​2511)
  • Resolve warnings in docs:dev (30b7491)
  • Resolve TypeScript type errors in .vitepress/config (#​2549)
  • Accept FunctionalComponent as selector (0bb947f)
  • Text() misses content for array functional component (#​2579)
  • Use await in test (c5482b4)
  • deps: Update dependency vue-component-type-helpers to v3 (#​2683)
  • Remove wrapper div when unmount (#​2700)
  • Make mount options slots compatible with noUncheckedIndexedAccess true (#​2713)
  • Add missing peerDependency @​vue/compiler-dom (75801ba)
  • docs: Declare css module for vitepress typecheck (ddaca97)
💅 Refactors
  • Enforce consistent usage of type imports (#​2734)
📖 Documentation
  • Clarify findComponent vs getComponent (#​2435)
  • Update fr docs (67064ef)
  • Add note about partial transition stub support (#​2431)
  • Fix missing data at passing data section essentials guide (dda205e)
  • Fix missing data at passing data section essentials guide fr (ae2c72c)
  • Fix plugin TS declaration example (#​2466)
  • Fixed incorrect checkbox value check (#​2495)
  • Capital letter in sentence fix (#​2499)
  • Import missing DOMWrapper on Implementation of the plugin section (#​2519)
  • Add migration step for deprecated ref syntax in findAllComponents (#​2498)
  • Correct anchor hash links and fix typo (#​2551)
  • Center logo on home (#​2559)
  • zh-cn: Review a-crash-course (#​2563)
  • Use code-group for install commands (#​2571)
  • zh-cn: Review event-handing.md (#​2572)
  • zh-cn: Enhance conditional-rendering.md (#​2562)
  • zh-cn: Review easy-to-test (#​2567)
  • zh-cn: Review passing-data.md (#​2575)
  • zh-cn: Review async-suspense.md (#​2576)
  • zh: 优化 API 文档格式和内容 (#​2569)
  • zh: 更新 Vitest 模拟日期和计时器的说明 (#​2578)
  • zh-cn: Review http-requests.md (#​2580)
  • zh-cn: Review forms (#​2582)
  • zh-cn: Guide/advanced/slots.md (#​2565)
  • zh: Review extending-vtu (#​2583)
  • zh: Review index (#​2584)
  • Fix modelValue test example (85bfdf4)
  • Removes broken link from plugins.md (69bc1ce)
  • zh: Review transitions, component-instance, and reusability-composition (#​2616)
  • zh: Review v-model and vuex (#​2617)
  • zh: Review all the rest advanced guide (#​2619)
  • zh: Review migration (#​2623)
  • Fix a typo in transitions.md (#​2635)
  • Update crash-course to script setup (c81aa79)
  • Update Essentials section to setup (composition api) (#​2647)
  • Typos in examples (#​2678)
  • Typo in easy-to-test.md (#​2710)
  • Add note about mocking requestAnimationFrame for transitions (2324c65)
  • Updated example TodoApp to script setup (#​2727)
  • Remove "Using data" section from "Conditional Rendering" guide and fix passing data test example (#​2743)
  • Follow-up fixes for the conditional rendering guide (#​2744)
  • Mention shallowMount stub name changes in migration guide (80e051a)
  • Update conditional rendering documentation to clarify isVisible() usage with attachTo (#​2799)
  • Restore Options API component for data() mounting example (#​2804)
  • Promote Vitest as recommended test runner (#​2805)
  • api: Note that setValue does not accept objects on <select> (#​2819)
🏡 Chore
  • Add api/index.md to docs:translation:compare (6b8681c)
  • Remove unnecessary generic arguments (cfd70c6)
  • Ignore TS error in config object (9d0a618)
  • Simplify eslint packages (c1d0ffd)
  • Use eslint v9 with flat config (2f19fdf)
  • Expose Stubs type publicly (#​2492)
  • Update documentation file path (9c96594)
  • Use pnpm v10 (e4c2cb3)
  • Pnpm approve build (81c54e9)
  • Use github issue forms (#​2673)
  • Exclude class components from test type-checking (0899008)
  • Add explicit coverage include for vitest v4 (51672b9)
  • Update to prettier v3.7 (fed9e7c)
  • Migrate to oxfmt (81c1de9)
  • Migrate to oxlint (a361908)
  • Prepare TypeScript 6 migration settings (55e1262)
  • Adjust tsd config for TypeScript 6 (7d23eb5)
  • Avoid TypeScript 6 target deprecation warning (81d063c)
🤖 CI
  • Remove node v22 build (7ebf58d)
  • Add node v22 build (57540ee)
  • Use "pool: threads" instead of vmThreads (d0cbb54)
  • Remove node v18 and add v24 (fd9cf95)
  • Add trusted publishing release workflow (#​2825)
❤️ Contributors
pnpm/pnpm (pnpm)

v10.34.4: pnpm 10.34.4

Compare Source

Patch Changes
  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.

Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.3: pnpm 10.34.3

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

  • the project/workspace .npmrcregistry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
  • registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

  • Improved the warning printed when a project .npmrc uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running pnpm config set "<key>" <value> to store it in the global config, or by keeping the ${...} line in the user-level ~/.npmrc — with a link to https://pnpm.io/npmrc.
  • A repository-controlled project or workspace .npmrc can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set userconfig, globalconfig, or prefix to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set tokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace .npmrc files are read. Fixed by upgrading @pnpm/npm-conf to 3.0.3.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.2: pnpm 10.34.2

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

  • the project/workspace .npmrcregistry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
  • registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

  • Package-manager bootstrap traffic is now resolved through trusted registries and trusted network config. When pnpm downloads the pnpm version requested by a repository's packageManager field, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global .npmrc — defaulting to the public npm registry, instead of the repository's project/workspace settings.
  • pnpm now verifies the npm registry signature of a package-manager binary before spawning it. When the packageManager field (or pnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exact name@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip.
  • Environment variable expansion

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov

codecov Bot commented Mar 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8c6afd7) to head (e9f6724).

Additional details and impacted files
@@             Coverage Diff             @@
##             main       #46      +/-   ##
===========================================
+ Coverage   99.08%   100.00%   +0.91%     
===========================================
  Files           3         3              
  Lines         109       109              
  Branches       30        30              
===========================================
+ Hits          108       109       +1     
+ Misses          1         0       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 16084fe to 7e96df5 Compare April 1, 2026 17:43
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.2 chore(deps): update all non-major dependencies to v4.1.3 Apr 7, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 8539e24 to cf20229 Compare April 8, 2026 20:52
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.3 chore(deps): update all non-major dependencies to v4.1.4 Apr 9, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from cf20229 to 7b7a5af Compare April 9, 2026 09:19
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 7b7a5af to e8a9742 Compare April 17, 2026 00:13
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies to v4.1.4 chore(deps): update all non-major dependencies Apr 17, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 8c574bd to 9544fc8 Compare April 27, 2026 11:29
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 030e569 to 52d8a3f Compare May 5, 2026 02:28
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 40cb925 to a13d478 Compare May 12, 2026 16:59
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 8ba7bb5 to 917400e Compare May 20, 2026 11:34
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 6426198 to fd6465a Compare June 1, 2026 19:40
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from dfb766e to 5d18259 Compare June 10, 2026 18:04
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 7ec70ea to 98fb34e Compare June 15, 2026 11:40
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 98fb34e to f1fbd3c Compare June 18, 2026 23:39
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from f1fbd3c to e9f6724 Compare July 6, 2026 07:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants