fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@tauri-apps/plugin-dialog	2.6.0 → 2.7.1			dependencies	minor
@tauri-apps/plugin-store	2.4.2 → 2.4.3			dependencies	patch
@tauri-apps/plugin-updater	2.10.0 → 2.10.1			dependencies	patch
@types/node (source)	24.11.0 → 24.12.4			devDependencies	minor
@types/sanitize-html (source)	2.16.0 → 2.16.1			devDependencies	patch
@vitejs/plugin-react (source)	5.1.4 → 5.2.0			devDependencies	minor
agent-client-protocol	0.10 → 0.11			dependencies	minor
ajv (source)	8.18.0 → 8.20.0			overrides	minor
clap	4.6.0 → 4.6.1			dependencies	patch
dialoguer	0.11 → 0.12			dependencies	minor
github.com/fsnotify/fsnotify	v1.9.0 → v1.10.1			require	minor
github.com/modelcontextprotocol/go-sdk	v1.4.1 → v1.6.0			require	minor
jsdom	29.0.2 → 29.1.1			devDependencies	minor
libc	0.2.185 → 0.2.186			dependencies	patch
marked (source)	17.0.3 → 17.0.6			dependencies	patch
mermaid	11.12.3 → 11.15.0			dependencies	minor
nanoid	0.4 → 0.5			dependencies	minor
nix	0.31.2 → 0.31.3			dependencies	patch
pnpm (source)	10.33.0 → 10.33.4			packageManager	patch
postcss (source)	8.5.6 → 8.5.14			devDependencies	patch
prettier (source)	3.8.1 → 3.8.3			devDependencies	patch
prettier-plugin-svelte	3.5.0 → 3.5.2			devDependencies	patch
rand (source)	0.9 → 0.10			dependencies	minor
reqwest	0.13.2 → 0.13.3			dependencies	patch
rustls	0.23.38 → 0.23.40			dependencies	patch
sanitize-html (source)	2.17.1 → 2.17.4			dependencies	patch
svelte (source)	5.53.6 → 5.55.5			devDependencies	minor	5.55.7 (+1)
svelte-check	4.4.4 → 4.4.8			devDependencies	patch
tauri-plugin-dialog	2.7.0 → 2.7.1			dependencies	patch
tauri-plugin-opener	2.5.3 → 2.5.4			dependencies	patch
tauri-plugin-store	2.4.2 → 2.4.3			dependencies	patch
tokio (source)	1.51.1 → 1.52.3			dependencies	minor
tower-http	0.6.8 → 0.6.10			dependencies	patch
uuid	1.23.0 → 1.23.1			dependencies	patch
vite (source)	7.3.1 → 7.3.3			devDependencies	patch

---

Release Notes

tauri-apps/plugins-workspace (@​tauri-apps/plugin-dialog)

v2.7.1

Compare Source

v2.7.0

Compare Source

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.2.0

Compare Source

agentclientprotocol/rust-sdk (agent-client-protocol)

v0.11.1: agent-client-protocol-v0.11.1

Compare Source

Fixed

• (acp) remove boxfnonce dependency in favor of Box<dyn FnOnce> (#​137)

v0.11.0

Compare Source

Added

• Migrate to new SDK design (#​117)
• Migration Guide here: https://agentclientprotocol.github.io/rust-sdk/migration_v0.11.x.html

Fixed

• (rpc) log errors when sending response to peer fails (#​101)
• (rpc) handle write failures in handle_io loop (#​99)
• (rpc) use RawValue::NULL constant instead of from_string().unwrap() (#​96)

Other

• Cleanup docs still referencing sacp (#​129)
• Add mdbook build (#​120)
• Add migration guide for next release (#​111)
• remove debug code from rpc_tests (#​100)
• (test) add conditional compilation (#​98)

Full Changelog: agentclientprotocol/rust-sdk@v0.10.4...v0.11.0

ajv-validator/ajv (ajv)

v8.20.0

Compare Source

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in #​2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in #​2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

clap-rs/clap (clap)

v4.6.1

Compare Source

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

console-rs/dialoguer (dialoguer)

v0.12.0: 0.12.0

Compare Source

What's Changed

• Fix prompt in select.rs example by @​jwodder in #​289
• Document crate feature guarded items on docs.rs by @​robjtede in #​293
• Add conversion between error types by @​jacobtread in #​300
• Accept items by iterator instead of slice by @​jacobtread in #​299
• refactor: replace thiserror with a manual impl by @​CosmicHorrorDev in #​327
• Update console to 0.16 by @​musicinmybrain in #​329

fsnotify/fsnotify (github.com/fsnotify/fsnotify)

v1.10.1

Compare Source

Changes and fixes

• inotify: don't remove sibling watches sharing a path prefix (#​754)

• inotify, windows: don't rename sibling watches sharing a path prefix
  (#​755)

v1.10.0

Compare Source

This version of fsnotify needs Go 1.23.

Changes and fixes

• inotify: improve initialization error message (#​731)

• inotify: send Rename event if recursive watch is renamed (#​696)

• inotify: avoid copying event buffers when reading names (#​741)

• kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a bad entry no longer aborts Watcher.Add for the whole directory (#​748)

• kqueue: drop watches directly in Close() to fix a file descriptor leak when recycling watchers (#​740)

• windows: fix nil pointer dereference in remWatch (#​736)

• windows: lock watch field updates against concurrent WatchList to fix a race introduced in v1.9.0 (#​709, #​749)

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.6.0

Compare Source

v1.5.0

Compare Source

This release is equivalent to v1.5.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce important enhancements to the client-side OAuth flows. We also introduce several smaller fixes and improvements.

Stabilization of client-side OAuth APIs

As previously communicated, we're stabilizing the client-side OAuth APIs in v1.5.0. This means that the mcp_go_client_oauth build tag will no longer be required to compile the functionality and standard backward compatibility guarantees apply from now on.

Compared to the experimental support published in v1.4.0, we made some backwards incompatible changes:

• auth.AuthorizationCodeHandlerConfig.AuthorizationCodeFetcher's type was changed from func(context.Context, *auth.AuthorizationArgs) (*auth.AuthorizationResult, error) to auth.AuthorizationCodeFetcher which is a reusable definition carrying the same underlying function type.
• auth.AuthorizationCodeHandlerConfig.PreregisteredClientConfig was removed and replaced with auth.AuthorizationCodeHandlerConfig.PreregisteredClient which uses a newly introduced oauthex.ClientCredentials type. The type used previously (auth.PreregisteredClientConfig) has been removed.
• Deprecated functionality has been removed from both auth and oauthex packages.

• all: stabilize client OAuth support by @​maciej-kisiel in #​861

Enterprise Managed Authorization support added

Support for Enterprise Managed Authorization has been added to auth/extauth package. Huge thanks to @​radar07 for the implementation!

• Enterprise managed authorization by @​radar07 in #​770

Note: this support is part of an official MCP extension and is not part of the core protocol. The support of this functionality is not covered by the principles defined in SDK tiers.

Other changes to the SDK

• examples: fix OAuth client example after latest changes. by @​maciej-kisiel in #​820
• build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.0 by @​dependabot[bot] in #​824
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @​dependabot[bot] in #​825
• build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​827
• build(deps): bump actions/checkout from 4.2.2 to 6.0.2 by @​dependabot[bot] in #​826
• mcp: simplify and unify unit tests introduced for sampling with tools. by @​maciej-kisiel in #​799
• auth: fix 2025-03-26 backcompat by @​maciej-kisiel in #​821
• chore: update deps after v1.4.0 release by @​maciej-kisiel in #​829
• build(deps): bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​823
• mcp: update latestProtocolVersion to 2025-11-25 by @​findleyr in #​724
• mcp: protect ioConn.protocolVersion with a mutex by @​maciej-kisiel in #​832
• examples: add an example that display header forwarding. by @​maciej-kisiel in #​836
• internal: fix Unicode zero character handling by @​maciej-kisiel in #​841
• auth: allow passing custom http.Client to AuthorizationCodeHandler by @​maciej-kisiel in #​840
• mcp: verify 'Origin' and 'Content-Type' headers by @​maciej-kisiel in #​842
• auth: return scope in WWW-Authenticate header. by @​maciej-kisiel in #​834
• mcp: fix setProgressToken when Meta is nil by @​StevenRChen in #​846
• all: clean up Go 1.24 specific code. by @​maciej-kisiel in #​850
• mcp: re-enable race test after fixing data races by @​maciej-kisiel in #​851
• mcp: handle empty chunks in MemoryEventStore by @​jba in #​862
• oauthex: use internal JSON library for decoding. by @​maciej-kisiel in #​866
• all: fix typos by @​alexandear in #​869
• mcp: return input validation errors as tool results, not JSON-RPC errors by @​ravyg in #​863
• all: modernize code by @​alexandear in #​868
• mcp: accept parameterized Accept media types by @​kalvinnchau in #​853
• mcp: use http.ResponseController to ensure writes are flushed by @​toofishes in #​870

New Contributors

• @​StevenRChen made their first contribution in #​846
• @​radar07 made their first contribution in #​770
• @​alexandear made their first contribution in #​869
• @​ravyg made their first contribution in #​863
• @​kalvinnchau made their first contribution in #​853
• @​toofishes made their first contribution in #​870

Full Changelog: modelcontextprotocol/go-sdk@v1.4.1...v1.5.0

jsdom/jsdom (jsdom)

v29.1.1

Compare Source

v29.1.0

Compare Source

rust-lang/libc (libc)

v0.2.186

Compare Source

Added

• Apple: Add KEVENT_FLAG_* constants (#​5070)
• Linux: Add PR_SET_MEMORY_MERGE and PR_GET_MEMORY_MERGE (#​5060)

Changed

• CI: Migrate FreeBSD CI from Cirrus CI to GitHub Actions (#​5058)

markedjs/marked (marked)

v17.0.6

Compare Source

Bug Fixes

• avoid race condition in async parallel parse/parseInline with hooks (#​3924) (6e96fa7)
• cli: honor positional input file (#​3922) (a1c2617)
• cli: use file URL for config import (#​3923) (73e1f3f)

v17.0.5

Compare Source

Bug Fixes

• Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#​3918) (4625980)
• prevent quadratic complexity in emStrongLDelim regex (#​3906) (c732dd2)
• prevent single-tilde strikethrough false positives (#​3910) (5e03369)
• re-assign tokenizer.lexer and renderer.parser at start of each parse call (#​3907) (f3a3ec0)
• trim trailing whitespace from lheading text (#​3920) (3ea7e88)

v17.0.4

Compare Source

Bug Fixes

• prevent ReDoS in inline link regex title group (#​3902) (46fb9b8)

mermaid-js/mermaid (mermaid)

v11.15.0

Compare Source

Minor Changes

• #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

  config:
    class:
      hierarchicalNamespaces: false

• #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

• #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

• #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

• #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

• #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

• #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

• #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

• #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

• #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

• #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

• #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

• #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

  Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

• #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

• #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

• #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907,
  but this allows users to silence any npm audit alerts on it.

• #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

• #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

• #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

  Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

  Fixes #​7120.

• #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

• #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

• #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

  Switch to using two %% if you want to write a comment.

• Updated dependencies [7a8fb85, 675a64c]:

  • @​mermaid-js/parser@​1.1.1

v11.14.0

Compare Source

Thanks to our awesome mermaid community that contributed to this release: @​ashishjain0512, @​tractorjuice, @​autofix-ci[bot], @​aloisklink, @​knsv, @​kibanana, @​chandershekhar22, @​khalil, @​ytatsuno, @​sidharthv96, @​github-actions[bot], @​dripcoding, @​knsv-bot, @​jeroensmink98, @​Alex9583, @​GhassenS, @​omkarht, @​darshanr0107, @​leentaylor, @​lee-treehouse, @​veeceey, @​turntrout, @​Mermaid-Chart, @​BambioGaming, Claude

Releases

@​mermaid-js/examples@​1.2.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

mermaid@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 [`efe2

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: apps/penpal/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/google/jsonschema-go	v0.4.2 -> v0.4.3
golang.org/x/oauth2	v0.34.0 -> v0.35.0
golang.org/x/sys	v0.40.0 -> v0.41.0