chore(deps): update all non-major dependencies (v1)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^25.5.0 → ^25.6.0
@vitest/coverage-v8 (source)	^4.1.2 → ^4.1.4
crossws (source)	^0.3.5 → ^0.4.5
defu	^6.1.6 → ^6.1.7
eslint (source)	^10.1.0 → ^10.2.0
h3 (source)	^1.15.10 → ^1.15.11
listhen	^1.9.0 → ^1.9.1
pnpm (source)	10.28.0 → 10.33.0
pnpm (source)	10.7.0 → 10.33.0
prettier (source)	^3.8.1 → ^3.8.2
react (source)	^19.2.4 → ^19.2.5
react-dom (source)	^19.2.4 → ^19.2.5
undici (source)	^7.24.7 → ^7.25.0
undocs	^0.2.30 → ^0.4.16
vitest (source)	^4.1.2 → ^4.1.4

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

h3js/crossws (crossws)

v0.4.5

Compare Source

compare changes

🚀 Enhancements

• Add createWebSocketProxy util (#​184)
• New bunny adapter (#​179)
• Add fromNodeUpgradeHandler util + socket.io example (#​185)

🩹 Fixes

• node: Do not url-encode upgrade response headers (ffbed40)

📦 Build

• Export ServerWithWSOptions and WSOptions types (#​180)

🏡 Chore

• Update deps (ae08ca9)
• Update deps (3d83ed0)
• Update undici in tests (6291e7c)
• Migrate to oxlint and oxfmt (6a1a257)
• Update docs (02427f9)

✅ Tests

• node: Add regression test for EADDRINUSE handling (#​183)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Neko (@​nekomeowww)
• Sandro Circi (@​sandros94)

v0.4.4

Compare Source

compare changes

🩹 Fixes

• Use AbortController for StubRequest.signal (#​175)

🏡 Chore

• Update deps (9f32424)

❤️ Contributors

• Alessandro De Blasis (@​deblasis)
• Pooya Parsa (@​pi0)

v0.4.3

Compare Source

compare changes

📦 Build

• Migrate to obuild (rolldown) (efdd087)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.2

Compare Source

compare changes

🩹 Fixes

• node server: Properly pass request to NodeRequest (28e5d64)
• cloudflare: Send close frame (#​177)

📖 Documentation

• Add new logo with cube style (#​171)
• Mention publish not broadcasting to sender (#​173)

🏡 Chore

• playground: Add start command (7ab898c)
• release: V0.4.1 (3a537a0)
• Update undocs (4f1e94b)
• Update undocs (8646f89)
• docs: Add missing backtick (#​169)
• Update undocs (440a088)
• Update srvx version & usage (#​178)
• Update dependencies (8761d2e)
• Lint (df7062b)
• Fix type issues (68841e6)
• Update uWebSockets.js (9ce4ce5)
• Fix lint issues (4b1b779)

❤️ Contributors

• Joseph Lee (@​jclab-joseph)
• Pooya Parsa (@​pi0)
• Nick Perez (@​nperez0111)
• Rijk Van Zanten (@​rijkvanzanten)
• Sébastien Chopin seb@nuxt.com
• Abeer0 (@​iiio2)

v0.4.1

Compare Source

compare changes

🩹 Fixes

• node server: Properly pass request to NodeRequest (28e5d64)

🏡 Chore

• playground: Add start command (7ab898c)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.0

Compare Source

compare changes

🚀 Enhancements

• Stub full request interface (#​156)
• Universal server for deno, node and bun using srvx (experimental) (#​158)
• Create PeerContext interface for type augmentation (#​159)
• ⚠️ Namespaced pub/sub peers (#​162)
• ⚠️ Support returning context from upgrade hook (#​163)
• cloudflare: Support global publish via rpc (#​166)
• Add cloudflare and default (sse) server entries (#​167)

🩹 Fixes

• ⚠️ Do not automatically accept first sec-webSocket-protocol (#​142)

💅 Refactors

• Remove uncrypto dependency (#​153)
• ⚠️ Always pass Request as first param to resolve (#​160)
• Simplify inspect values (aa49668)
• Throw error when running deno, bun and node adapters in an incompatible environment (b5fcf2a)
• Narrow down upgrade return type (d843cd0)
• ⚠️ Always terminate upgrade if Response is returned (#​164)
• ⚠️ Merge cloudflare and cloudflare-durable adapters (#​165)
• cloudflare: Show warning when pub/sub is not supported (#​144)

📖 Documentation

• Change to h3js from unjs (#​155)
• Add docs for augmenting PeerContext type (#​161)
• Prepare for v0.4 (#​168)

📦 Build

• Simplify and fix exports (0d2ceb0)
• Remove extra .d.ts files (1f389d6)

🏡 Chore

• Update deps (37889b0)
• Update deps (c6f6bd8)

⚠️ Breaking Changes

• ⚠️ Namespaced pub/sub peers (#​162)
• ⚠️ Support returning context from upgrade hook (#​163)
• ⚠️ Do not automatically accept first sec-webSocket-protocol (#​142)
• ⚠️ Always pass Request as first param to resolve (#​160)
• ⚠️ Always terminate upgrade if Response is returned (#​164)
• ⚠️ Merge cloudflare and cloudflare-durable adapters (#​165)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Tee Ming (@​eltigerchino)
• Luke Nelson luke@nelson.zone
• @​beer (@​iiio2)

unjs/defu (defu)

v6.1.7

Compare Source

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#​157)

📦 Build

• Correct the types export entry (#​160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

Compare Source

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

Compare Source

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#​156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

• Bump node (9237d9c)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

eslint/eslint (eslint)

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

v10.1.0

Compare Source

Features

• ff4382b feat: apply fix for no-var in TSModuleBlock (#​20638) (Tanuj Kanti)
• 0916995 feat: Implement api support for bulk-suppressions (#​20565) (Blake Sager)

Bug Fixes

• 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#​20464) (Amaresh S M)
• e58b4bf fix: update eslint (#​20597) (renovate[bot])

Documentation

• b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#​20641) (mkemna-clb)
• 58e4cfc docs: add deprecation notice partial (#​20639) (Milos Djermanovic)
• 7143dbf docs: update v9 migration guide for @eslint/js usage (#​20540) (fnx)
• 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#​20630) (Milos Djermanovic)
• e972c88 docs: merge ESLint option descriptions into type definitions (#​20608) (Francesco Trotta)
• 7f10d84 docs: Update README (GitHub Actions Bot)
• aeed007 docs: open playground link in new tab (#​20602) (Tanuj Kanti)
• a0d1a37 docs: Add AI Usage Policy (#​20510) (Nicholas C. Zakas)

Chores

• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#​20584) (Milos Djermanovic)
• 1f42bd7 chore: update prettier to 3.8.1 (#​20651) (루밀LuMir)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#​20652) (renovate[bot])
• cc43f79 chore: update dependency c8 to v11 (#​20650) (renovate[bot])
• 2ce4635 chore: update dependency @​eslint/json to v1 (#​20649) (renovate[bot])
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#​20646) (renovate[bot])
• dbb4c95 chore: remove trunk (#​20478) (sethamus)
• c672a2a test: fix CLI test for empty output file (#​20640) (kuldeep kumar)
• c7ada24 ci: bump pnpm/action-setup from 4.3.0 to 4.4.0 (#​20636) (dependabot[bot])
• 07c4b8b test: fix RuleTester test without test runners (#​20631) (Francesco Trotta)
• 079bba7 test: Add tests for isValidWithUnicodeFlag (#​20601) (Manish chaudhary)
• 5885ae6 ci: unpin Node.js 25.x in CI (#​20615) (Copilot)
• f65e5d3 chore: update pnpm/action-setup digest to b906aff (#​20610) (renovate[bot])

h3js/h3 (h3)

v1.15.11

Compare Source

compare changes

🏡 Chore

• Update defu to 6.1.6 (6125485)
• Update deps (4998dd8)
• Update cookie-es (d166186)

v1.15.10

Compare Source

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#​1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v1.15.9

Compare Source

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

Compare Source

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

unjs/listhen (listhen)

v1.9.1

Compare Source

compare changes

🔥 Performance

• Do not call Array.push multiple times (6526551)
• Migrate to copy-paste from clipboardy (#​211)
• Migrate to tinyclip from copy-paste (#​217)

📖 Documentation

• Add jsdocs for exported functions and types (#​171)

🏡 Chore

• cli: Fix typo (#​184)
• Apply automated updates (c4114b4)
• Update deps (44f076b)
• Apply automated updates (9c11bb4)

❤️ Contributors

• Florian Lefebvre (@​florian-lefebvre)
• Pooya Parsa (@​pi0)
• Max maximogarciamtnez@gmail.com
• Daniel Roe (@​danielroe)
• Bobbie Goede bobbiegoede@gmail.com

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

		Configuration 📅 Schedule: (UTC) Branch creation "after 2am and before 3am" Automerge "after 1am and before 2am" 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.