chore(deps): update all non-major dependencies #446

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch

@renovate renovate Bot commented Apr 5, 2025

This PR contains the following updates:

| Package | Change | Type | Update | Pending |
|---|---|---|---|---|
| @nuxt/ui (source) | ^4.8.1 → ^4.8.2 | pnpm.catalog.default | patch | |
| @paypal/paypal-js (source) | ^9.7.0 → ^9.8.0 | pnpm.catalog.default | minor | |
| @shikijs/langs (source) | ^4.1.0 → ^4.2.0 | pnpm.catalog.default | minor | |
| @shikijs/themes (source) | ^4.1.0 → ^4.2.0 | pnpm.catalog.default | minor | |
| @types/google.maps (source) | ^3.58.1 → ^3.65.0 | peerDependencies | minor | 3.65.1 |
| @types/youtube (source) | ^0.1.0 → ^0.2.0 | peerDependencies | minor | 0.3.0 |
| @vue/test-utils | ^2.4.10 → ^2.4.11 | pnpm.catalog.default | patch | |
| Hebilicious/reproduire | v0.0.9-mp → v0.0.9 | action | patch | |
| actions/checkout | v6.0.1 → v6.0.3 | action | patch | |
| actions/stale | v10.0.0 → v10.3.0 | action | minor | |
| happy-dom | ^20.9.0 → ^20.10.1 | pnpm.catalog.default | minor | |
| pnpm (source) | 11.5.0 → 11.5.1 | packageManager | patch | 11.5.2 |
| posthog-js (source) | ^1.378.1 → ^1.380.1 | pnpm.catalog.default | minor | 1.381.0 |
| posthog-js (source) | ^1.0.0 → ^1.380.1 | peerDependencies | minor | 1.381.0 |
| rollup (source) | ^4.60.4 → ^4.61.1 | pnpm.catalog.default | minor | |
| shiki (source) | ^4.1.0 → ^4.2.0 | pnpm.catalog.default | minor | |
| unhead-v3-fixture>@unhead/vue (source) | ^3.0.0 → ^3.1.1 | pnpm-workspace.overrides | minor | 3.1.3 (+1) |
| vitest (source) | ^4.1.7 → ^4.1.8 | pnpm.catalog.default | patch | |

Release Notes

nuxt/ui (@​nuxt/ui)

v4.8.2

Compare Source

Bug Fixes
  • Form: support setting the name attribute (#​6539) (f8186e2)
  • InputMenu/SelectMenu: re-highlight first item when items change (#​6538) (0414dd0)
  • InputNumber/InputDate/InputTime/Calendar: restore locale prop (#​6546) (ed2f955)
  • module: merge custom variants into AppConfig type (#​6531) (f0571c3)
paypal/paypal-js (@​paypal/paypal-js)

v9.8.0

Compare Source

Minor Changes
  • 0ff45b7: Consolidating the shared GooglePay types to paypal-js package.
Patch Changes
  • 9007a82: Add optional submit options to CardFields submit() method, including billingAddress and name fields for 3DS authentication support
  • 6e1de75: Fix a typescript bug that was making .start options required.
  • 164d373: Update paypal one time payment session start options to be optional.
shikijs/shiki (@​shikijs/langs)

v4.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
vuejs/test-utils (@​vue/test-utils)

v2.4.11

Compare Source

compare changes

🩹 Fixes
  • Drop legacy Mutation Event listener entries (#​2844)
  • Handle setData() correctly for components using both setup() and data() (#​2846)
  • Export GlobalMountOptions type (#​2851)
  • Set spec-compliant event.code on keydown/keyup (#​2850)
❤️ Contributors
Hebilicious/reproduire (Hebilicious/reproduire)

v0.0.9

Compare Source

compare changes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

v6.0.2

Compare Source

actions/stale (actions/stale)

v10.3.0

Compare Source

What's Changed

Bug Fix
Dependency Updates

New Contributors

Full Changelog: actions/stale@v10...v10.3.0

v10.2.0

Compare Source

v10.1.1

Compare Source

What's Changed

Bug Fix
Improvement
Dependency Upgrades

New Contributors

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: actions/stale@v10...v10.1.0

capricorn86/happy-dom (happy-dom)

v20.10.1

Compare Source

v20.10.0

Compare Source

pnpm/pnpm (pnpm)

v11.5.1

Compare Source

Patch Changes
  • Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
  • Avoid crashing when the workspace state cache is partially written or malformed.
  • Set npm_config_user_agent for root lifecycle scripts during headless installs.
  • Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
  • Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
  • Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
  • Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.
PostHog/posthog-js (posthog-js)

v1.380.1

Compare Source

1.380.1
Patch Changes
  • #​3743 ced0039 Thanks @​robbie-c! - fix(surveys): stop the survey CSS from using :has(.survey-question:empty), which crashes some WebKit builds during text-node style invalidation while a survey renders. The empty-header margin tweak now keys off a JS-set question-header--empty class and a sibling selector instead.
    (2026-06-05)
  • Updated dependencies []:

v1.380.0

Compare Source

1.380.0

Minor Changes
  • #​3715 2387084 Thanks @​dustinbyrne! - Promote browser tracing header configuration to the public tracing_headers option while keeping addTracingHeaders and __add_tracing_headers as deprecated aliases.
    (2026-06-04)
Patch Changes

v1.379.3

Compare Source

1.379.3

Patch Changes
  • #​3741 32de5d2 Thanks @​clr182! - logs: the console-log integration now respects opt_out_capturing() — it checks is_capturing() before emitting, so log events stop on opt-out (and resume on opt-in).
    (2026-06-04)
  • Updated dependencies []:

v1.379.2

Compare Source

1.379.2

Patch Changes
  • #​3736 374962a Thanks @​arnohillen! - replay: re-apply scroll positions after fast-forward/seek. Scrolls applied mid-catch-up could clamp to 0 when the target wasn't scrollable yet (e.g. scroll-revealed sheets/modals whose content sits below the fold), leaving the content scrolled out of view on replay. The last scroll per node is now re-applied in the flush stage once layout has settled. posthog-js is bumped too so the rebuilt bundle containing the fix is published.
    (2026-06-03)
  • Updated dependencies []:

v1.379.1

Compare Source

1.379.1

Patch Changes
  • #​3570 4a27ced Thanks @​gruessi! - fix(record): release iframe documents and observers on iframe removal — same-origin iframes mounted and unmounted while session recording is active no longer leak their Document, every node serialized into the mirror, or one MutationObserver per mount. Closes eight retainer chains: load-listener disposers, named pagehide handlers, the recordCrossOriginIframes cleanup gate (now applied to same-origin too), captured Document / Window sets that survive iframe.src swap-to-about:blank before removal, and the global mutationBuffers[] / handlers[] arrays which previously accumulated forever. Validated end-to-end: a host page that mounts/unmounts 5 blob-URL iframes every 2s for 110s went from +118 MB / +390 leaked HTMLDocuments to ~0 MB / 0.
    (2026-06-03)

  • #​3717 1688b38 Thanks @​turnipdabeets! - Move the OpenTelemetry logs dependencies to devDependencies. They are only used to build the CDN-served logs extension chunk, which inlines them, so consumers no longer install the transitive protobufjs (whose eval("require") tripped unsafe-eval Content Security Policies).

    If you imported @opentelemetry/* directly while relying on it being hoisted from posthog-js, add it to your own dependencies. (2026-06-03)

  • Updated dependencies []:

v1.379.0

Compare Source

1.379.0

Minor Changes
Patch Changes
rollup/rollup (rollup)

v4.61.1

Compare Source

2026-06-04

Bug Fixes
  • Avoid extraneous newlines when adding headers via plugins (#​6403)
  • Fix a rare issue where starting Rollup would hang on Windows (#​6404)
Pull Requests

v4.61.0

Compare Source

2026-06-01

Features
  • Sort entry modules to make chunk hashes deterministic (#​6391)
Pull Requests
unjs/unhead (unhead-v3-fixture>@​unhead/vue)

v3.1.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.0

Compare Source

🛠️ Unhead CLI

To assist with migrations and overall DX a CLI has been introduced: @unhead/cli.

```bash
npx -y @unhead/cli
```

It lets you do the following:

```
          audit    Lint your codebase for unhead misuse, type-narrowing issues, and SEO/perf foot-guns.
        migrate    Apply autofixes for v2-to-v3 migration: rewrite deprecated props and wrap tag literals in defineX helpers.
  validate-html    Run the runtime ValidatePlugin over prerendered HTML files (e.g. dist/, .output/, build/).
   validate-url    Fetch a rendered URL and run unhead's SEO/perf validation rules over its <head>.
```

For example, try running audit on your own project for hints on how to improve your SEO.

✔️ Unhead ESLint

Knowing that your useHead() and useSeoMeta() code is right while you're coding is important. While type-narrowing solves many broken cases, we introduce an ESLint plugin to help catch anything that the typechecker can't catch.

These rules are shared from the runtime ValidatePlugin

```bash
# flat-config ESLint plugin with v2→v3 migration autofixes
npm i -D @unhead/eslint-plugin
```

```ts [eslint.config.ts]
import { configs } from '@unhead/eslint-plugin'

export default [
  configs.recommended,
]
```

🌊 Streaming SSR non-Vite support

The streaming plugin lived only at unhead/stream/vite previously, leaving non-Vite users with no way to wire the bootstrap. The plugin is now a bundler-agnostic unplugin factory with first-class webpack and Vite entries, and the framework packages compose it behind Unhead({ streaming: true }).

```ts
// vite.config.ts
import vue from '@vitejs/plugin-vue' // provides the vue() plugin used below
import { Unhead } from '@unhead/vue/vite'
export default { plugins: [vue(), Unhead({ streaming: true })] }
```

```ts
// webpack.config.ts
import { Unhead } from '@unhead/vue/bundler'
export default { plugins: [...Unhead({ streaming: true }).webpack()] }
```

Streaming also gains a nonce option (forwarded on every injected <script> for CSP support), a fixed async mode for production Vite builds (the IIFE is now emitted via this.emitFile() so the script src references a real hashed asset), a dev-mode warning when the client IIFE runs against an empty server queue, and a shared StreamingGlobal type so the server bootstrap, client, and injected IIFE agree on the shape of window.__unhead__. Default mode changed from async to inline for smaller TTFB.

Changelog

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.0.5

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.0.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.0.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.0.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.0.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
vitest-dev/vitest (vitest)

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


vercel Bot commented Apr 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| scripts-docs | Error | | Jun 6, 2026 3:08am |
| scripts-playground | Ready | Preview, Comment | Jun 6, 2026 3:08am |

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 9c4e39b to 5bfebea Compare April 5, 2025 00:30
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 5bfebea to 7804f68 Compare April 6, 2025 09:08
@renovate renovate Bot changed the title chore(deps): update resolutions typescript to v5.8.3 chore(deps): update all non-major dependencies Apr 6, 2025
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 7804f68 to 2d975ff Compare April 7, 2025 04:48
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 2d975ff to 0104ff1 Compare April 7, 2025 08:22
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 0104ff1 to 8120e32 Compare April 7, 2025 15:15
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 8120e32 to 5ec9f5e Compare April 7, 2025 18:22
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 5ec9f5e to efcb3b7 Compare April 8, 2025 08:39
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from efcb3b7 to 1a61aec Compare April 10, 2025 00:28
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 1a61aec to cf8e7f8 Compare April 10, 2025 09:47
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from cf8e7f8 to 2b13cf8 Compare April 11, 2025 01:12
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 6132302 to 360e116 Compare April 16, 2025 14:05
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 360e116 to aa97a8b Compare April 17, 2025 00:59
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from aa97a8b to 714cf9d Compare April 17, 2025 08:46
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 714cf9d to bdbb60c Compare April 17, 2025 18:14
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from bdbb60c to 9343bf3 Compare April 18, 2025 20:28
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 9343bf3 to fb7fea7 Compare April 21, 2025 12:46
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from fb7fea7 to 556aaae Compare April 21, 2025 16:40

pkg-pr-new Bot commented Jul 16, 2025

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: 6b537ff

Comment thread pnpm-lock.yaml Outdated
Comment thread docs/package.json Outdated
"@nuxt/image": "^1.11.0",
"@nuxt/scripts": "workspace:*",
"@nuxt/ui": "4.0.0",
"@nuxt/ui": "4.2.1",

Suggested change
"@nuxt/ui": "4.2.1",
"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

View Details

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

  • "@nuxt/content": "^3.8.2"
  • "@nuxt/fonts": "^0.12.1"
  • "@nuxthq/studio": "^2.2.1"
  • All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

Comment thread package.json Outdated
"posthog-js": "^1.0.0"
"@types/youtube": "^0.1.2",
"@unhead/vue": "^2.1.2",
"posthog-js": "^1.321.2"

Suggested change
"posthog-js": "^1.321.2"
"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

View Details

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

  • Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
  • The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
  • Peer dependencies should be permissive to maximize compatibility
  • Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.
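
The range arithmetic behind the review comment above, as an added example that is not part of the PR or of any bot's output: it compares `peerDependencies` before and after an update and reports ranges that stopped accepting previously valid versions. It handles only plain `^X.Y.Z` ranges, and the function names are illustrative.

```javascript
// Added example: caret-range arithmetic for reviewing peerDependencies bumps.
// Handles plain "^X.Y.Z" ranges only, the form used in this PR.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ^1.2.3 => [1.2.3, 2.0.0)   ^0.2.3 => [0.2.3, 0.3.0)   ^0.0.3 => [0.0.3, 0.0.4)
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const first = lo.findIndex((n) => n !== 0);
  const k = first === -1 ? 2 : first; // part that is bumped for the upper bound
  const hi = lo.map((n, j) => (j < k ? n : j === k ? n + 1 : 0));
  return { lo, hi };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = caretBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Report peer ranges that no longer accept versions the old range accepted.
function narrowedPeers(before, after) {
  const findings = [];
  for (const [name, oldRange] of Object.entries(before)) {
    const newRange = after[name];
    if (newRange === undefined || newRange === oldRange) continue;
    const o = caretBounds(oldRange);
    const n = caretBounds(newRange);
    if (compare(n.lo, o.lo) > 0 || compare(n.hi, o.hi) < 0) {
      // disjoint: no version satisfies both the old and the new range
      const disjoint = compare(n.lo, o.hi) >= 0 || compare(n.hi, o.lo) <= 0;
      findings.push({ name, oldRange, newRange, disjoint });
    }
  }
  return findings;
}

// Ranges quoted on this page; 1.200.0 is the installed version the review uses.
const before = { 'posthog-js': '^1.0.0', '@types/youtube': '^0.1.0' };
const after = { 'posthog-js': '^1.321.2', '@types/youtube': '^0.2.0' };
const report = narrowedPeers(before, after);
console.log(report);
console.log('1.200.0 still accepted:', satisfies('1.200.0', after['posthog-js']));
```

For a 0.x package the caret only spans one minor line, so the `@types/youtube` change from `^0.1.0` to `^0.2.0` leaves no version that satisfies both ranges.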


socket-security Bot commented Apr 29, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report


socket-security Bot commented Jun 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | ufo@1.6.4 | 100 | 100 | 100 | 84 | 100 |

View full report
