fix(deps): update all minor dependency bump#288
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/all-minor
branch
8 times, most recently
from
f4f53ff to
21c51d7
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
7 times, most recently
from
387386c to
d414b91
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
6 times, most recently
from
eb62c0c to
7bd6b63
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
4 times, most recently
from
1a927e7 to
7cb4303
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
4 times, most recently
from
b062db6 to
6b92299
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
from
6b92299 to
76e880e
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
3 times, most recently
from
a39f72c to
9c84de4
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
4 times, most recently
from
6890e77 to
8e7d90d
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
3 times, most recently
from
d634a69 to
29fceeb
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
3 times, most recently
from
b822bc1 to
cd6044d
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
9 times, most recently
from
9016bcc to
f94a0b0
Compare
renovate
Bot
force-pushed
the
renovate/all-minor
branch
7 times, most recently
from
e4acd2d to
91243e7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.66.0→1.84.01.38.0→1.46.011.0.7→11.2.424.10.13→24.13.2^0.3.0→^0.4.07.6.6→7.8.017.0.0→17.7.04.17.23→4.18.124.14.1→24.17.010.30.3→10.34.410.30.3→10.34.43.6.2→3.8.41.93.3→1.101.05.2.0→5.7.020.2.0→20.3.07.2.7→7.3.511.3.3→11.4.11.1.0→1.3.011.1.12→11.4.63.2.7→3.3.5Release Notes
FRSOURCE/toolkit (@frsource/eslint-config)
v1.84.0Compare Source
Bug Fixes
v1.83.0Compare Source
v1.82.0Compare Source
Bug Fixes
v1.81.0Compare Source
Bug Fixes
v1.80.0Compare Source
Bug Fixes
v1.79.0Compare Source
v1.78.0Compare Source
Bug Fixes
v1.77.0Compare Source
Bug Fixes
v1.76.0Compare Source
Bug Fixes
v1.75.0Compare Source
Bug Fixes
v1.74.0Compare Source
Bug Fixes
v1.73.0Compare Source
Bug Fixes
v1.72.0Compare Source
v1.71.0Compare Source
v1.70.0Compare Source
Bug Fixes
v1.69.0Compare Source
Bug Fixes
v1.68.0Compare Source
Bug Fixes
69519bc, closes #229v1.67.0Compare Source
Bug Fixes
69519bc, closes #229FRSOURCE/toolkit (@frsource/prettier-config)
v1.46.0Compare Source
v1.45.0Compare Source
Bug Fixes
v1.44.0Compare Source
v1.43.0Compare Source
Bug Fixes
v1.42.0Compare Source
Bug Fixes
v1.41.0Compare Source
Bug Fixes
v1.40.0Compare Source
v1.39.0Compare Source
Bug Fixes
intlify/bundle-tools (@intlify/unplugin-vue-i18n)
v11.2.4Compare Source
What's Changed
🐛 Bug Fixes
Full Changelog: intlify/bundle-tools@v11.2.3...v11.2.4
v11.2.3Compare Source
What's Changed
👕 Refactoring
Full Changelog: intlify/bundle-tools@v11.2.2...v11.2.3
v11.2.2Compare Source
What's Changed
🔒 Security Fixes
Full Changelog: intlify/bundle-tools@v11.2.1...v11.2.2
v11.2.1Compare Source
What's Changed
🐛 Bug Fixes
Full Changelog: intlify/bundle-tools@v11.2.0...v11.2.1
v11.2.0Compare Source
What's Changed
💥 Breaking Changes
👕 Refactoring
Full Changelog: intlify/bundle-tools@v11.1.2...v11.2.0
v11.1.2Compare Source
What's Changed
🐛 Bug Fixes
vite:jsonObjectHook shape for Vite 8 compatibility by @kazupon in #554Full Changelog: intlify/bundle-tools@v11.1.1...v11.1.2
v11.1.1Compare Source
What's Changed
🐛 Bug Fixes
Full Changelog: intlify/bundle-tools@v11.1.0...v11.1.1
v11.1.0Compare Source
What's Changed
🌟 Features
Full Changelog: intlify/bundle-tools@v11.0.7...v11.1.0
danielroe/beasties (beasties)
v0.4.2Compare Source
🐞 Bug Fixes
View changes on GitHub
v0.4.1Compare Source
🐞 Bug Fixes
publicPathis an absolute URL - by @alan-agius4 in #247 (4bff3)View changes on GitHub
v0.4.0Compare Source
🚨 Breaking Changes
postcss-safe-parser- by @joshfester in #225 (7dc49)🚀 Features
remoteoption to download stylesheets - by @joshfester in #223 (e0cae)🐞 Bug Fixes
as=styleforswap-highpreload strategy - by @danielroe (32d96)@mediaand@supportsblocks - by @danielroe (cb36d)View changes on GitHub
focus-trap/focus-trap (focus-trap)
v7.8.0Compare Source
Minor Changes
c214581: Adds aria-hidden support to isolateSubtrees config optionPatch Changes
bb36e15: Fix undefined method_setSubtreeIsolationcrash when usingtrapStackin DOM with older versions of Focus-trap (#1729)v7.7.1Compare Source
Patch Changes
a386578: Bump tabbable dependency for improved inert handlingv7.7.0Compare Source
Minor Changes
14b9155: Adds a new feature "isolateSubtrees", allowing focus-trap to prevent screen readers from reading content outside the trap. (#1575)sindresorhus/globals (globals)
v17.7.0Compare Source
v17.6.0Compare Source
00a4dd9v17.5.0Compare Source
5d84602v17.4.0Compare Source
d43a051v17.3.0Compare Source
295fba9v17.2.0Compare Source
jasmine: AddthrowUnlessandthrowUnlessAsyncglobals (#335)97f23a7v17.1.0Compare Source
webpackandrspackglobals (#333)65cae73lodash/lodash (lodash-es)
v4.18.1Compare Source
Bugs
Fixes a
ReferenceErrorissue inlodashlodash-eslodash-amdandlodash.templatewhen using thetemplateandfromPairsfunctions from the modular builds. See #6167 (comment)These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.
There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:
lodash: lodash/lodash@4.18.0-npm...4.18.1-npmlodash-es: lodash/lodash@4.18.0-es...4.18.1-eslodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amdlodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packagesv4.18.0Compare Source
v4.18.0
Full Changelog: lodash/lodash@4.17.23...4.18.0
Security
_.unset/_.omit: Fixed prototype pollution viaconstructor/prototypepath traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Nowconstructorandprototypeare blocked unconditionally as non-terminal path keys, matchingbaseSet. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched._.template: Fixed code injection viaimportskeys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. Thevariableoption was validated againstreForbiddenIdentifierCharsbutimportsKeyswas left unguarded, allowing code injection via the sameFunction()constructor sink.importskeys containing forbidden identifier characters now throw"Invalid imports option passed into _.template".Docs
_.templatein threat model and API docs (#6099)lower > upperbehavior in_.random(#6115)_.compactjsdoc (#6090)lodash.*modular packagesDiff
We have also regenerated and published a select number of the
lodash.*modular packages.These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:
nodejs/node (node)
v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95Compare Source
This is a security release.
Notable Changes
Commits
9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #6289166e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #638203a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #63703138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#8559224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#85431beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#8578e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95Compare Source
Notable Changes
b267f6bca3] - (SEMVER-MINOR) crypto: implementrandomUUIDv7()(nabeel378) #62553ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes tonode inspect(Joyee Cheung) #627139705f628d9] - (SEMVER-MINOR) fs: add signal option tofs.stat()(Mert Can Altin) #5777540ccfdecf9] - (SEMVER-MINOR) fs: exposefrsizefield instatfs(Jinho Jang) #62277d7188af5c9] - (SEMVER-MINOR) http: hardenClientRequestoptions merge (Matteo Collina) #63082aa1d8a9afc] - (SEMVER-MINOR) http: addreq.signaltoIncomingMessage(Akshat) #625416f37f7e240] - (SEMVER-MINOR) stream: propagate destruction induplexPair(Ahmed Elhor) #61098d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #6282001a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support forAbortSignal.timeout(DeveloperViraj) #6075100705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556Commits
dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #628881b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #626678752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #6297428a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #6286316e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #628759dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #625537597d204c1] - crypto: add support forEd25519context parameter (Filip Skokan) #624744bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes tonode inspect(Joyee Cheung) #6271383e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #63375ec8c6b939a] - deps: V8: cherry-pick657d8de(Guy Bedford) #62784722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #611875304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #592491d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #592498b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #6309062fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #6281014a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #629623e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #6289801dfe5961c] - deps: cherry-pick libuv/libuv@439a54b(skooch) #628816cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #62699f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #62698b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #626292faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #62594fa46c90c5d] - deps: update googletest tod72f9c8(Node.js GitHub Bot) #62593099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #625927ce95afe96] - deps: libuv: cherry-pickaabb765(Santiago Gimeno) #6256157ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #62324493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #61829b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #63011cb67a925e9] - deps: use npm undici@seven tag inupdate-undici.sh(Matteo Collina) #62739aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #62828f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #62917b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #61596233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #630935d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #629952a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #62884ef413b5358] - doc: fix typo in test.md (Rich Trott) #6296076f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #62738ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #6291746c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #629171a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #62882169b5ea2ed](https://redirectConfiguration
📅 Schedule: (in timezone Europe/Warsaw)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.