chore(deps): update all non-major dependencies (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@nuxt/scripts (source)	1.0.6 → 1.1.0			devDependencies	minor
@oxc-project/types (source)	0.130.0 → 0.131.0			devDependencies	minor
@rspack/core (source)	2.0.2 → 2.0.3			devDependencies	patch
@rspack/core (source)	^2.0.2 → ^2.0.3			dependencies	patch
@types/node (source)	24.12.3 → 24.12.4			devDependencies	patch
@vitejs/plugin-vue (source)	^6.0.6 → ^6.0.7			dependencies	patch
@vitejs/plugin-vue (source)	6.0.6 → 6.0.7			devDependencies	patch
@vue/language-core (source)	3.2.8 → 3.2.9			devDependencies	patch
devalue	^5.8.0 → ^5.8.1			dependencies	patch
devalue	5.8.0 → 5.8.1			devDependencies	patch
github/codeql-action	v4.35.4 → v4.35.5			action	patch
html-validate (source)	11.1.0 → 11.2.0			devDependencies	minor
htmlnano	3.2.1 → 3.3.1			devDependencies	minor
knip (source)	6.12.2 → 6.14.1			devDependencies	minor
lru-cache	^11.3.6 → ^11.4.0			dependencies	minor
oxc-transform (source)	0.130.0 → 0.131.0			devDependencies	minor
pkg-pr-new (source)	0.0.71 → 0.0.74			devDependencies	patch
pnpm (source)	11.1.0 → 11.1.2			packageManager	patch
pnpm/action-setup	v6.0.7 → v6.0.8			action	patch
rollup (source)	4.60.3 → 4.60.4			devDependencies	patch
ts-blank-space (source)	0.8.0 → 0.9.0			devDependencies	minor
unimport	6.2.0 → 6.3.0			devDependencies	minor
unimport	^6.2.0 → ^6.3.0			dependencies	minor
vite (source)	8.0.12 → 8.0.13			pnpm-workspace.overrides	patch
vite (source)	^8.0.12 → ^8.0.13			dependencies	patch
vite (source)	8.0.12 → 8.0.13			devDependencies	patch
vue-router (source)	5.0.6 → 5.0.7			devDependencies	patch
vue-router (source)	^5.0.6 → ^5.0.7			dependencies	patch
vue-tsc (source)	3.2.8 → 3.2.9			devDependencies	patch

---

Release Notes

nuxt/scripts (@​nuxt/scripts)

v1.1.0

Compare Source

   🚀 Features

• LinkedIn Insight Tag  -  by @​zizzfizzix in #​741 (fb922)
• Ahrefs Web Analytics  -  by @​harlan-zw in #​751 (ceb4b)
• Usercentrics CMP  -  by @​harlan-zw in #​749 (d2114)
• Calendly  -  by @​harlan-zw in #​750 (e8524)
• Build-time debug flag with script-lifecycle tracing  -  by @​harlan-zw in #​760 (f6c25)
• Warn on misconfigured NUXT_PUBLIC_SCRIPTS_* env vars  -  by @​harlan-zw in #​778 (05d32)
• Env-var overrides for scripts.globals (single-build, multi-deploy)  -  by @​harlan-zw in #​780 (88869)
• gtm,ga: Consent.default() + strict GCMv2 validation  -  by @​harlan-zw in #​772 (6f74a)
• tiktokPixel: Production hardening - region, CAPI dedup, advanced matching  -  by @​harlan-zw in #​776 (c5b69)

   🐞 Bug Fixes

• Add --pnpm flag to pkg-pr-new publish command in nightly workflow  -  by @​DamianGlowala and Damian Głowala in #​755 (53810)
• Validate required registry fields after runtime merge  -  by @​tsukiyama-3 and @​harlan-zw in #​762 (61293)
• assets:
  • Set js content-type on dev bundled asset handler  -  by @​harlan-zw in #​748 (6ddc9)
• google-maps:
  • Avoid recentering on inline options  -  by @​harlan-zw in #​747 (65c3b)
• googleTagManager:
  • Push consent as arguments to dataLayer  -  by @​buffalom and motion-work in #​771 (fc398)
• plausible:
  • Honor scriptInput.src in bundle.resolve for self-hosted  -  by @​harlan-zw in #​775 (fb50b)
• proxy:
  • Allow region1.google-analytics.com  -  by @​captnCC in #​753 (58f81)
  • Surface upstream error cause and distinguish timeouts  -  by @​harlan-zw in #​757 (0cb62)
• tiktokPixel:
  • Missing types  -  by @​harlan-zw in #​773 (f73a0)

    View changes on GitHub

web-infra-dev/rspack (@​rspack/core)

v2.0.3

Compare Source

What's Changed

Performance Improvements ⚡

• perf: reduce normal module creation and rule matching overhead by @​LingyuCoder in #​13926
• perf: disable perfetto tracing in release binding by @​hardfist in #​13932
• perf: reduce parser dependency bookkeeping overhead by @​LingyuCoder in #​13936
• perf: reduce code splitter allocation and lookup overhead by @​LingyuCoder in #​13968

New Features 🎉

• feat: expose dependency import attributes by @​hardfist in #​13947
• feat(rsc): support configurable CSS link props by @​SyMind in #​13945
• feat(externals): add modern-module externals type by @​JSerFeng in #​13861
• feat: support import.meta.rspackRsc by @​SyMind in #​13840
• feat: drop inactive branch dependencies for inlined booleans by @​JSerFeng in #​13863
• feat(sourcemap): support relative paths in inline source maps by @​SyMind in #​13974

Bug Fixes 🐞

• fix(cli): use rspack-merge for config extends by @​intellild in #​13869
• fix(deps): revert mimalloc update by @​hardfist in #​13942
• fix(hash): fix base64 digest and hash salt by @​intellild in #​13977
• fix: align sync module rule resource matching by @​LingyuCoder in #​13981
• fix(ci): avoid browser e2e watcher by @​hardfist in #​13987

Refactor 🔨

• refactor(rstest): expose injectDynamicImportOrigin.functionName and resolve callee once by @​fi3ework in #​13930
• refactor: use rspack util base64 by @​intellild in #​13978
• refactor(core): remove unused exports final name metadata by @​LingyuCoder in #​14003

Document Updates 📖

• docs: replace webpack-merge references with rspack-merge by @​intellild in #​13933
• docs: correct terminology spelling by @​chenjiahan in #​13964
• docs: update HTML plugin guide by @​chenjiahan in #​13970
• docs(externals): add modern-module externals example by @​JSerFeng in #​13979
• docs: update NestJS guide by @​intellild in #​13976
• docs: invite @​intellild to Rspack core team by @​chenjiahan in #​13986
• docs: add Node app guide by @​intellild in #​13995

Other Changes

• chore: release v2.0.2 by @​SyMind in #​13922
• chore(benchmark): remove swc loader from threejs case by @​hardfist in #​13881
• ci: upload codspeed valgrind temp files by @​hardfist in #​13879
• chore: bump rslint to 0.5.2 by @​fansenze in #​13931
• chore: enable Rslint for more packages and fix lint issues by @​chenjiahan in #​13934
• chore: enable Rslint JS recommended rules by @​chenjiahan in #​13938
• chore: disable renovate updates for mimalloc by @​hardfist in #​13949
• ci: remove unused team label workflow by @​chenjiahan in #​13950
• test: configure rayon for codspeed benchmarks by @​hardfist in #​13954
• chore(deps): update patch npm dependencies by @​renovate[bot] in #​13959
• chore(deps): update rust crate tokio to 1.52.3 by @​renovate[bot] in #​13961
• chore(deps): update pnpm to v10.33.4 by @​renovate[bot] in #​13960
• chore: enable tsgo for dts generation by @​chenjiahan in #​13952
• test(benchmark): disable spawn blocking for codspeed by @​hardfist in #​13958
• chore: use mimalloc for codspeed benchmark allocator by @​hardfist in #​13966
• test: split compilation stage benchmarks by @​hardfist in #​13969
• test: split benchmark case entrypoints by @​hardfist in #​13971
• test: print benchmark compilation errors by @​hardfist in #​13984
• chore: bump swc from 65.0.1 to 65.0.4 by @​CPunisher in #​13985
• chore(deps): update dependency mermaid to v11.15.0 [security] by @​renovate[bot] in #​13997
• chore(deps): tighten pnpm install safeguards by @​chenjiahan in #​14005
• security(release): drop .npmrc NPM_TOKEN write, rely on npm trusted publishing by @​stormslowly in #​14011
• chore(ci): pin actions/{download,upload}-artifact to immutable SHAs by @​stormslowly in #​14001

Full Changelog: web-infra-dev/rspack@v2.0.2...v2.0.3

vitejs/vite-plugin-vue (@​vitejs/plugin-vue)

v6.0.7

Features

• use carets for @rolldown/pluginutils version (#​776) (941b651)

Bug Fixes

• deps: update all non-major dependencies (#​762) (9e825b8)
• deps: update all non-major dependencies (#​774) (77dc8bc)

vuejs/language-tools (@​vue/language-core)

v3.2.9

Compare Source

language-core

• fix: do not process inline markdown syntax in semantic-aware segments (#​6038) - Thanks to @​KazariEX!
• perf: rewrite a subset of template node transforms (#​5769) - Thanks to @​KazariEX!

vscode

• fix: trigger file rename edits when moving folders with Vue files (#​6046) - Thanks to @​KazariEX!

workspace

• chore: bump volar services to 0.0.71 (#​6043) - Thanks to @​TRIS-H!

sveltejs/devalue (devalue)

v5.8.1

Compare Source

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

github/codeql-action (github/codeql-action)

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

html-validate/html-validate (html-validate)

v11.2.0

Compare Source

Features

• deps: update dependency @​sidvind/better-ajv-errors to v7 (a6f4242)
• vitest: add toMatchCodeframe() and toMatchInlineCodeframe() matchers (5153c12)

maltsev/htmlnano (htmlnano)

v3.3.1

Compare Source

Fixed

• Fixed cssnano version in peerDependencies [#​432].

v3.3.0

Compare Source

Changed

• Upgraded to cssnano@8.

webpro-nl/knip (knip)

v6.14.1: Release 6.14.1

Compare Source

• Detect dynamic imports in Svelte compiler (#​1747) (e1c1b17) - thanks @​jinhyuk9714!
• Detect dynamic import attributes; share import matcher with Astro-MDX (9dae641)
• Work the docs (close #​1746) (919cba2)

v6.14.0: Release 6.14.0

Compare Source

• Resolve imports satisfied via transitive peerDeps (d654ec7)
• Don't flag undeclared sibling workspace imports as unlisted (#​1742) (e7122a1)
• Update github-actions reporter snapshots (2308b5a)
• Cache syncGlob() results like defaultGlob() does (6c34287)
• Trim redundant statSync calls in FileEntryCache (eee3b89)
• Cache parsed .gitignore patterns across --cache runs (7ffdc2f)
• Tighten cache module callsites (64e5072)
• Extract shared disk-cache helper used by glob and gitignore caches (0987421)
• Simplify CacheConsultant: replace trampoline with default arrow methods (bebe750)
• Pin pnpm minimumReleaseAge and trustPolicy (77efb32)
• Eliminate rescanFrontier polling in walkAndAnalyze (38d91b6)
• Reduce findWorkspaceByFilePath per-call overhead (9149437)
• Memoize DependencyDeputy.getDependencies (a661a21)
• Tighten module-graph map helpers (drop double-lookup + optional chains) (c11d62f)
• Add --duration flag for zero-overhead duration measurement (d4b59d8)
• Cover analysis pipeline with --performance timerify (694dbf4)
• Align --help text (6f12997)
• Add cli arg shorthands: -p, -s, -w, -D, -f, -F, -u (f21a587)
• Format (8db5346)
• This one's okay (662ceaf)

v6.13.1: Release 6.13.1

Compare Source

• Add jest.config.{cts,mts} (#​1743) (44738d6) - thanks @​joshkel!
• Update ecosystem tests (74420a6)
• Fix export * as re-exported namespace case (5923af4)
• Add .mts and .cts config files to some plugins (69d1e83)
• Docusaurus: ignore @generated/*, handle local plugin paths (ce5f767)
• Nx: expand {projectRoot} / {workspaceRoot} token variables (8715312)

v6.13.0: Release 6.13.0

Compare Source

• Add mercurial (hg) to command constants (#​1737) (abb08b0) - thanks @​unrevised6419!
• Expand wildcards in Jest projects (#​1710) (7cb2d37) - thanks @​joshkel!
• Add knex visitor to scan source files for config (resolve #​1736) (4c96fd2)
• Refactor to a better split of ast helpers (6e726a2)
• Handle package.json exports for outDir="." (resolve #​1738) (42497c2)
• Fix star re-exported namespace case (resolve #​1739) (e566c4b)
• Strip comments in scripts in compilers (resolve #​1740) (a123d5c)
• Update rolldown snapshot (edfee2b)
• Source-map subpath imports + collect pairs from referenced tsconfigs (7c5acc4)
• Tighten source-mapping utilities (0b68b81)
• Update dependencies (8788c1a)
• Remove obsolete internal jsdoc tag (0fed975)
• Add @​serhalp and @​stevennevins to sponsors (thank you!) (999a5e3)
• Fix astro config after bump (f63537a)

isaacs/node-lru-cache (lru-cache)

v11.4.0

Compare Source

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.74

Compare Source

v0.0.73

Compare Source

v0.0.72

Compare Source

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes

• Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
• Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@​teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@​teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
• Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

rollup/rollup (rollup)

v4.60.4

Compare Source

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#​6362)

Pull Requests

• #​6362: fix: stabilize chunk assignment across parallel file reads (@​sonukapoor, @​Sonu Kapoor, @​TrickyPi, @​lukastaegert)
• #​6370: fix(deps): update minor/patch updates (@​renovate[bot])
• #​6371: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #​6372: chore(deps): update react monorepo to v19 (major) (@​renovate[bot])
• #​6373: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #​6375: Resolve vulnerabilities (@​lukastaegert)

bloomberg/ts-blank-space (ts-blank-space)

v0.9.0

Compare Source

What's Changed

• fix: Problematic type assertions by @​acutmore in #​63. Fixes #​62 (reported by @​qnighy).

Full Changelog: bloomberg/ts-blank-space@v0.8.0...v0.9.0

unjs/unimport (unimport)

v6.3.0

Compare Source

   🚀 Features

• Support using rolldown/utils for parsing  -  by @​danielroe and danielroe in #​537 (53a96)

   🏎 Performance

• Precompile picomatch matchers once per scan  -  by @​danielroe in #​535 (2890d)

    View changes on GitHub

vitejs/vite (vite)

v8.0.13

Compare Source

Features

• bundled-dev: add lazy bundling support (#​21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#​22357) (47071ce)
• update rolldown to 1.0.1 (#​22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#​22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #​22274) (#​22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#​22439) (8e59c97)
• make isBundled per environment (#​22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#​22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#​22430) (6ea3838)
• update changelog (#​22413) (fcdc87c)

vuejs/router (vue-router)

v5.0.7

Compare Source

   🚀 Features

• Upgrade to babel 8  -  by @​posva (8d3e6)
• Make defineParamParser() more intuitive  -  by @​posva (8715b)
• Upgrade @vue/devtools-api  -  by @​posva (87c3a)
• matcher: Hint at params: {} workaround in discarded params warning  -  by @​posva and shanliuling in #​2689 (c2b13)
• param-parsers: Add include/exclude options  -  by @​posva (91cde)

   🐞 Bug Fixes

• matcher:
  • Finalize param token before processing escaped colon  -  by @​babu-ch and @​posva in #​2654 (20521)
• query:
  • Use Object.create(null) to prevent prototype pollution  -  by @​wdskuki, wdsmini and @​posva in #​2661 (be88c)
• resolve:
  • Omit empty optional params from resolved params  -  by @​babu-ch and @​posva in #​2434 (1ef09)
• types:
  • Wire RouteNamedMap via generated routes.d.ts  -  by @​posva in #​2700 (aef99)
• unplugin:
  • Avoid generating empty routes  -  by @​FrontEndDog and @​posva in #​2642 (10a8b)
  • Apply definePage path-param parser overrides  -  by @​posva in #​2699 (c8074)
• volar:
  • Drop runtime @vue/language-core import  -  by @​danielroe in #​2710 (8af50)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​oxc-project/​types@​0.131.0
	@​nuxt/​scripts@​1.1.0
	@​rspack/​core@​2.0.3
	@​types/​node@​24.12.4
	@​vitejs/​plugin-vue@​6.0.7
	devalue@​5.8.1
	@​vue/​language-core@​3.2.9

View full report

[pkg-pr-new]

Open in StackBlitz

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@35095

@nuxt/nitro-server

npm i https://pkg.pr.new/@nuxt/nitro-server@35095

nuxt

npm i https://pkg.pr.new/nuxt@35095

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@35095

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@35095

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@35095

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@35095

commit: 1510db6

[codspeed-hq]

Merging this PR will degrade performance by 10.54%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

❌ 1 regressed benchmark
✅ 19 untouched benchmarks
⏩ 3 skipped benchmarks¹

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
❌	loadNuxt in the basic test fixture	428 ms	478.4 ms	-10.54%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing renovate/main-all-minor-patch (1510db6) with main (2312ce3)}

Footnotes

1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.