mirror of
https://github.com/go-gitea/gitea
synced 2026-06-11 05:03:08 +00:00
main
100
Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
   
|
5fe77ad309 |
fix(deps): update go dependencies (#37967)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |  |  | | [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |  |  | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |  |  | | [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |  |  | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |  |  | | [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6) #### Changelog - fix(deps): update module github.com/opencontainers/selinux to v1.15.0 ([#​990](https://redirect.github.com/gitea/runner/issues/990)) - chore: pin Docker base images to explicit versions ([#​992](https://redirect.github.com/gitea/runner/issues/992)) - chore(deps): update actions/setup-node action to v6 ([#​991](https://redirect.github.com/gitea/runner/issues/991)) - test: make TestRunEvent integration suite runnable locally ([#​987](https://redirect.github.com/gitea/runner/issues/987)) - ci: add PR title linting against Conventional Commits ([#​988](https://redirect.github.com/gitea/runner/issues/988)) - fix: clean up job network and container when container start fails ([#​986](https://redirect.github.com/gitea/runner/issues/986)) </details> <details> <summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0) #### What's Changed - feat(openapi3): batch-convert long-tail RequiredFieldError sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170) - feat(openapi3): typed validation error clusters (combined: [#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179)) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180) - openapi3gen: skip component export for anonymous types by [@​0-don](https://redirect.github.com/0-don) in [#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163) - feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181) - openapi3: typed context errors for Validate() wrapper chain by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183) - openapi3: track Origin on the document root (T) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184) - openapi3: tests flakiness corrected by [@​fenollp](https://redirect.github.com/fenollp) in [#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159) - openapi3: aggregate independent validation errors via EnableMultiError by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185) - openapi3: fix validation of duplicated path templates by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189) - openapi3: type the remaining bare-error validation sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0> </details> <details> <summary>go-chi/chi (github.com/go-chi/chi/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0) #### What's Changed - Use strings.ReplaceAll where applicable by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1046](https://redirect.github.com/go-chi/chi/pull/1046) - Propagate inline middlewares across mounted subrouters by [@​LukasJenicek](https://redirect.github.com/LukasJenicek) in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - add go 1.26 to ci by [@​pkieltyka](https://redirect.github.com/pkieltyka) in [#​1052](https://redirect.github.com/go-chi/chi/pull/1052) - Remove last uses of io/ioutil by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1054](https://redirect.github.com/go-chi/chi/pull/1054) - Simplify chi.walk with slices.Concat by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1053](https://redirect.github.com/go-chi/chi/pull/1053) - Apply the stringscutprefix modernizer by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1051](https://redirect.github.com/go-chi/chi/pull/1051) - Bump minimum Go to 1.23, always use request.Pattern by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1048](https://redirect.github.com/go-chi/chi/pull/1048) - middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - Fix typo in Route doc comment by [@​gouwazi](https://redirect.github.com/gouwazi) in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - fix: set Request.Pattern from RoutePattern() by [@​leno23](https://redirect.github.com/leno23) in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) - feat: middleware.ClientIP, a replacement for middleware.RealIP by [@​VojtechVitek](https://redirect.github.com/VojtechVitek) in [#​967](https://redirect.github.com/go-chi/chi/pull/967) #### New Contributors - [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made their first contribution in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - [@​alliasgher](https://redirect.github.com/alliasgher) made their first contribution in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - [@​gouwazi](https://redirect.github.com/gouwazi) made their first contribution in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - [@​leno23](https://redirect.github.com/leno23) made their first contribution in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) #### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP [@​VojtechVitek](https://redirect.github.com/VojtechVitek) submitted PR [#​967](https://redirect.github.com/go-chi/chi/issues/967), which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories: - [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto) - [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss) - [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3) It also addresses issues outlined at: - [#​708](https://redirect.github.com/go-chi/chi/issues/708) - <https://adam-p.ca/blog/2022/03/x-forwarded-for/> - [#​711](https://redirect.github.com/go-chi/chi/issues/711) - [#​453](https://redirect.github.com/go-chi/chi/issues/453) - [#​908](https://redirect.github.com/go-chi/chi/pull/908) `middleware.RealIP` is deprecated in this PR with pointers to the new API. The deprecation only adds a `// Deprecated:` doc comment; the function keeps working for backward compatibility. ##### Why a new middleware (not "fix RealIP in place") `RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per [adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly. ##### The new API Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors: ```go // One of the four. There is no safe default — pick exactly one. func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler func ClientIPFromRemoteAddr(h http.Handler) http.Handler // Read the result. func GetClientIP(ctx context.Context) string // for logs, rate-limit keys func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work ``` #### Example usage: ```go // Pick a single ClientIP middleware based on your deployment // Cloudflare. r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) // Nginx with ngx_http_realip_module. r.Use(middleware.ClientIPFromHeader("X-Real-IP")) // Apache with mod_remoteip. r.Use(middleware.ClientIPFromHeader("X-Client-IP")) // AWS CloudFront, or any proxy fleet with known CIDRs. r.Use(middleware.ClientIPFromXFF( "13.32.0.0/15", // CloudFront IPv4 "52.46.0.0/18", // CloudFront IPv4 "2600:9000::/28", // CloudFront IPv6 )) // Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools, // ephemeral containers, dynamic CDN edges). r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) // Server directly on the public internet, no proxy in front. r.Use(middleware.ClientIPFromRemoteAddr) ``` And in your handler or downstream middleware: ```go clientIP := middleware.GetClientIP(r.Context()) // log it, use it as a rate-limit key, etc. ``` *** Thanks to [@​adam-p](https://redirect.github.com/adam-p), [@​c2h5oh](https://redirect.github.com/c2h5oh), [@​rezmoss](https://redirect.github.com/rezmoss), [@​Saku0512](https://redirect.github.com/Saku0512), [@​convto](https://redirect.github.com/convto), [@​Dirbaio](https://redirect.github.com/Dirbaio), [@​jawnsy](https://redirect.github.com/jawnsy), [@​lrstanley](https://redirect.github.com/lrstanley), [@​mfridman](https://redirect.github.com/mfridman), [@​n33pm](https://redirect.github.com/n33pm), [@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR. **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4) ##### Dependency Updates This release just contains updates to dependencies. </details> <details> <summary>minio/minio-go (github.com/minio/minio-go/v7)</summary> ### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0) #### What's Changed - Use go tool for ci-lint check by [@​klauspost](https://redirect.github.com/klauspost) in [#​2229](https://redirect.github.com/minio/minio-go/pull/2229) - Rename github.com/go-ini/ini to gopkg.in/ini.v1 by [@​ramondeklein](https://redirect.github.com/ramondeklein) in [#​2232](https://redirect.github.com/minio/minio-go/pull/2232) - Add RDMA / NVIDIA GPU Direct Storage support by [@​harshavardhana](https://redirect.github.com/harshavardhana) in [#​2233](https://redirect.github.com/minio/minio-go/pull/2233) **Full Changelog**: <https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) #### 2.34.0 ##### 🚀 Features - Extend DeploymentDeployablePipeline with web_url ([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902)) by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.1 ([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27) ### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) #### 2.33.0 ##### 🚀 Features - feat(work-items): add ListWorkItemTypes to WorkItemsService ([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.2 ([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27) ##### Features * **work-items:** add ListWorkItemTypes to WorkItemsService ([e71cb99](https://gitlab.com/gitlab-org/api/client-go/commit/e71cb994482aa882eb8eb9fc4140ca1e4aac25ab)) ### [`v2.32.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.32.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) #### 2.32.0 ##### 🚀 Features - feat(ci-job-cancel): force cancel ([!2872](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2872)) by [Filip Aleksic](https://gitlab.com/faleksic) ### [2.32.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) (2026-05-23) ##### Features * **ci-job-cancel:** force cancel ([aa46bd1](https://gitlab.com/gitlab-org/api/client-go/commit/aa46bd18428834eebdb42622f2523c64686021e8)) ### [`v2.31.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.31.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) #### 2.31.0 ##### 🚀 Features - Adds project service accounts API ([!2899](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2899)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) - feat(gitlaboauth2): support ephemeral ports in CallbackServer ([!2877](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2877)) by [Raphael Rösch](https://gitlab.com/raphael.roesch) ### [2.31.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) (2026-05-22) ##### Features * **gitlaboauth2:** support ephemeral ports in CallbackServer ([c8c388d](https://gitlab.com/gitlab-org/api/client-go/commit/c8c388d56663a8f2e27b4c74f1323d3671a6bbaf)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
GiteabotandGitHub
|
a91c88428b |
chore(deps): update dependency happy-dom to v20.10.1 (#38043)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.9.0` → `20.10.1`](https://renovatebot.com/diffs/npm/happy-dom/20.9.0/20.10.1) |  |  | --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.1`](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) ### [`v20.10.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.9.0...v20.10.0) ##### 🎨 Features - Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting [canvasAdapter](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds new package [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) is a pluggable canvas adapter for Happy DOM using [node-canvas](https://redirect.github.com/Automattic/node-canvas). - Adds support for loading image files when enabling the browser setting [enableImageFileLoading](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for loading image data URLs - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageData](https://developer.mozilla.org/en-US/docs/Web/API/ImageData) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageBitmap](https://developer.mozilla.org/en-US/docs/Web/API/ImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [Window.createImageBitmap()](https://developer.mozilla.org/en-US/docs/Web/API/Window/createImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
60abea17a2 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.33.2` → `v0.34.0` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0) go-swagger release 0.34.0 *** Released on 2026 May 29 ##### [0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0) - 2026-05-28 Major refactoring. Focus on improving runtime (e.g.generated client) and codescan (e.g. generated spec). **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0> 42 commits in this release. *** ##### <!-- 00 -->Implemented enhancements - feat(client): added method to configure client-side custom producers/consumers by [@​fredbi](https://redirect.github.com/fredbi) in [#​3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4068f65b0403f90092e78269f89ef7cb26d6eb2f) ##### <!-- 01 -->Fixed bugs - fix(client): moved internal fields in generated Params (timeout, Context) to their own struct. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3349](https://redirect.github.com/go-swagger/go-swagger/pull/3349) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a81068f5d52d4b560654f8e17748b6a79ec1425e) - fix(client): added operation with context to client interface. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3348](https://redirect.github.com/go-swagger/go-swagger/pull/3348) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d5e5d3020b83f4a9b895ae31a93cb121f989e4a6) - fix(codescan): upgraded codescan for swagger generate spec. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3347](https://redirect.github.com/go-swagger/go-swagger/pull/3347) [...](https://redirect.github.com/go-swagger/go-swagger/commit/971f2aa56ad48d927ab9d21de794edf1c43d22b7) - fix(client): generated client uses more idiomatic SubmitContext by [@​fredbi](https://redirect.github.com/fredbi) in [#​3342](https://redirect.github.com/go-swagger/go-swagger/pull/3342) [...](https://redirect.github.com/go-swagger/go-swagger/commit/01d8f1358f8ab94c4b7c3a1caf50e1d0b11b26c6) - fix: adapted to runtime v0.32.x by [@​fredbi](https://redirect.github.com/fredbi) in [#​3341](https://redirect.github.com/go-swagger/go-swagger/pull/3341) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba25bfa2cc0822973d9f48f5976721ffc8c499fc) - fix: handle operator characters in enum constants (fixes [#​1047](https://redirect.github.com/go-swagger/go-swagger/issues/1047)) by [@​Abzaek](https://redirect.github.com/Abzaek) in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4856feb230eba01352d2bb310f03b26827d34a5e) ##### <!-- 02 -->Refactor - refact(codegen): more concise server binding of form parameters. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3339](https://redirect.github.com/go-swagger/go-swagger/pull/3339) [...](https://redirect.github.com/go-swagger/go-swagger/commit/036e31515a687b8a237bcf2d938a7ae36dc55fd1) - refact(generator): split template repository, funcmaps and langage by [@​fredbi](https://redirect.github.com/fredbi) in [#​3316](https://redirect.github.com/go-swagger/go-swagger/pull/3316) [...](https://redirect.github.com/go-swagger/go-swagger/commit/4d659c0b5e0724cb78b413a564619792fe4dd23e) ##### <!-- 03 -->Documentation - doc: announcements before cutting v0.34.0 by [@​fredbi](https://redirect.github.com/fredbi) in [#​3352](https://redirect.github.com/go-swagger/go-swagger/pull/3352) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9b15dfe858b6b20747fb24b672707ee817481f11) - doc(faq): added explanations about why mixin can't support yaml anchors by [@​fredbi](https://redirect.github.com/fredbi) in [#​3340](https://redirect.github.com/go-swagger/go-swagger/pull/3340) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0dd20f7852a35f3ebf4ea552cef66ae7296801a2) - codegen(cli): fixed missing dependencies in CLI doc template by [@​fredbi](https://redirect.github.com/fredbi) in [#​3309](https://redirect.github.com/go-swagger/go-swagger/pull/3309) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b1cc87b266a8351b4fc4534d5116c11a1daadbc1) ##### <!-- 05 -->Code quality - chore: move generated code to use the new swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3336](https://redirect.github.com/go-swagger/go-swagger/pull/3336) [...](https://redirect.github.com/go-swagger/go-swagger/commit/ba47cff06d55b38579a1f2e34a2e4e8691dd90b0) - chore(generator): migrated to the new go-openapi/swag api. by [@​fredbi](https://redirect.github.com/fredbi) in [#​3335](https://redirect.github.com/go-swagger/go-swagger/pull/3335) [...](https://redirect.github.com/go-swagger/go-swagger/commit/83bced44f9c028141dd698838da0e5409d0ed49b) - chore(lint): relint code base (pass 1) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3331](https://redirect.github.com/go-swagger/go-swagger/pull/3331) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8a020f05985758bcb2535e36984ab03c62109fed) - ci: reenact linting (was temporarily disabled to swallow large diffs) by [@​fredbi](https://redirect.github.com/fredbi) in [#​3304](https://redirect.github.com/go-swagger/go-swagger/pull/3304) [...](https://redirect.github.com/go-swagger/go-swagger/commit/8cd187ba00b80a021c0493e55906b6835a985458) - doc: post-release by [@​fredbi](https://redirect.github.com/fredbi) in [#​3302](https://redirect.github.com/go-swagger/go-swagger/pull/3302) [...](https://redirect.github.com/go-swagger/go-swagger/commit/746308f71fe2d5e722b151a0ede49f84ecfaa3ea) ##### <!-- 07 -->Miscellaneous tasks - test: fix fake flaky test reporting by [@​fredbi](https://redirect.github.com/fredbi) in [#​3350](https://redirect.github.com/go-swagger/go-swagger/pull/3350) [...](https://redirect.github.com/go-swagger/go-swagger/commit/747db03403e881e53baecd5c2f40a074e15697bf) - ci: drop peter-evans sign-commits to avoid per-file API uploads by [@​fredbi](https://redirect.github.com/fredbi) in [#​3346](https://redirect.github.com/go-swagger/go-swagger/pull/3346) [...](https://redirect.github.com/go-swagger/go-swagger/commit/480a0bdbf54484562cef642132b929a9e5c03d4a) - ci: checkout examples before configuring bot credentials by [@​fredbi](https://redirect.github.com/fredbi) in [#​3345](https://redirect.github.com/go-swagger/go-swagger/pull/3345) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6dda1280feee830fadbed93e6c896000fe92acdf) - ci: fix cross-workflow artifact download permission by [@​fredbi](https://redirect.github.com/fredbi) in [#​3344](https://redirect.github.com/go-swagger/go-swagger/pull/3344) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5981d75858c489b8f82974c47f7fa7089deb66d2) - ci: fix examples regeneration auto-PR by [@​fredbi](https://redirect.github.com/fredbi) in [#​3343](https://redirect.github.com/go-swagger/go-swagger/pull/3343) [...](https://redirect.github.com/go-swagger/go-swagger/commit/f50d895b3a304b8a0657a4e8612fc53e6ff370dc) - chore(diff): moved cmd/swagger/commands/diff to its own package by [@​fredbi](https://redirect.github.com/fredbi) in [#​3308](https://redirect.github.com/go-swagger/go-swagger/pull/3308) [...](https://redirect.github.com/go-swagger/go-swagger/commit/6e059188a45c84e64591b7cb915f4205d6f7a8a1) - chore(codescan): moved the codescan package in a separate repo by [@​fredbi](https://redirect.github.com/fredbi) in [#​3307](https://redirect.github.com/go-swagger/go-swagger/pull/3307) [...](https://redirect.github.com/go-swagger/go-swagger/commit/eeca5fc9ff118d7be5d76d52855a082b04f13d91) - ci: added workflow to regen examples and push the changes to the exam… by [@​fredbi](https://redirect.github.com/fredbi) in [#​3305](https://redirect.github.com/go-swagger/go-swagger/pull/3305) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9203e37e731b131c5d89a78209d549960b7c0a1c) ##### <!-- 08 -->Security - docs: add comprehensive documentation for API Browser (issue [#​2401](https://redirect.github.com/go-swagger/go-swagger/issues/2401)) by [@​dashitongzhi](https://redirect.github.com/dashitongzhi) in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) [...](https://redirect.github.com/go-swagger/go-swagger/commit/b594d144ef999cb830cc9cb32d1c3617d5d93a36) - ci: enhanced regen examples workflow by [@​fredbi](https://redirect.github.com/fredbi) in [#​3306](https://redirect.github.com/go-swagger/go-swagger/pull/3306) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e1c611ed9e0739d0395b8e08922ddfb48a6e257d) - doc: move examples by [@​fredbi](https://redirect.github.com/fredbi) in [#​3303](https://redirect.github.com/go-swagger/go-swagger/pull/3303) [...](https://redirect.github.com/go-swagger/go-swagger/commit/c32e2d574a1272c97c18aaddbeed294f62fdca31) ##### <!-- 0A -->Updates - chore(deps): bump the development-dependencies group with 10 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3337](https://redirect.github.com/go-swagger/go-swagger/pull/3337) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9f68bcccf8a6ab943fa954764e749bd8e3b67684) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3329](https://redirect.github.com/go-swagger/go-swagger/pull/3329) [...](https://redirect.github.com/go-swagger/go-swagger/commit/9286ac262e487f54fbeea64798790b463f27a7cc) - chore(deps): bump golang from `f853308` to `91eda97` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3328](https://redirect.github.com/go-swagger/go-swagger/pull/3328) [...](https://redirect.github.com/go-swagger/go-swagger/commit/a4f355cfded251a4d9fc4a3f06b0aed72314c2a4) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3327](https://redirect.github.com/go-swagger/go-swagger/pull/3327) [...](https://redirect.github.com/go-swagger/go-swagger/commit/1078819e42db2fdf56b7fd724f911b5b32f0ed42) - chore(deps): bump the development-dependencies group with 3 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3326](https://redirect.github.com/go-swagger/go-swagger/pull/3326) [...](https://redirect.github.com/go-swagger/go-swagger/commit/e4b5c8fe1fe5869e2da495e9e363032cfee9b85f) - chore(deps): bump the development-dependencies group with 5 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3325](https://redirect.github.com/go-swagger/go-swagger/pull/3325) [...](https://redirect.github.com/go-swagger/go-swagger/commit/30da59f48a8baf6a04a667191355c5aacbb1f6f1) - chore(deps): bump golang from `27f8293` to `f853308` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3324](https://redirect.github.com/go-swagger/go-swagger/pull/3324) [...](https://redirect.github.com/go-swagger/go-swagger/commit/faffaccee8fc0843fa35ce757b19643b15b20551) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3323](https://redirect.github.com/go-swagger/go-swagger/pull/3323) [...](https://redirect.github.com/go-swagger/go-swagger/commit/5bbf90b257203d40a28d40d68f38411b0b0ab06e) - chore(deps): bump golang from `c2a1f7b` to `27f8293` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3322](https://redirect.github.com/go-swagger/go-swagger/pull/3322) [...](https://redirect.github.com/go-swagger/go-swagger/commit/d25d6f2da06f02c38565d2bed1a4c45c41b4b539) - chore(deps): bump the development-dependencies group with 2 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3321](https://redirect.github.com/go-swagger/go-swagger/pull/3321) [...](https://redirect.github.com/go-swagger/go-swagger/commit/cedb38213dc4bfeb6c6f2fccb0211e596c777faf) - chore(deps): bump golang from `2389ebf` to `c2a1f7b` in the development-dependencies group across 1 directory by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3320](https://redirect.github.com/go-swagger/go-swagger/pull/3320) [...](https://redirect.github.com/go-swagger/go-swagger/commit/3815953bf63523fd72c9f9dad337f3d7990fd7bd) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3318](https://redirect.github.com/go-swagger/go-swagger/pull/3318) [...](https://redirect.github.com/go-swagger/go-swagger/commit/126ceeb6180966caba0429435d94b0fb1a1e8c14) - chore(deps): bump the development-dependencies group with 6 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3317](https://redirect.github.com/go-swagger/go-swagger/pull/3317) [...](https://redirect.github.com/go-swagger/go-swagger/commit/af43211eec84e29e817f3e990cf8084fb45ebec0) - chore(deps): bump the development-dependencies group with 4 updates by [@​dependabot\[bot\]](https://redirect.github.com/dependabot\[bot]) in [#​3315](https://redirect.github.com/go-swagger/go-swagger/pull/3315) [...](https://redirect.github.com/go-swagger/go-swagger/commit/0f32c03e4982ed564cfd9d9593a4cfa1c1304d40) *** ##### People who contributed to this release - [@​Abzaek](https://redirect.github.com/Abzaek) - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) - [@​fredbi](https://redirect.github.com/fredbi) *** ##### New Contributors - [@​dashitongzhi](https://redirect.github.com/dashitongzhi) made their first contribution in [#​3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338) - [@​Abzaek](https://redirect.github.com/Abzaek) made their first contribution in [#​3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330) *** **[go-swagger](https://redirect.github.com/go-swagger/go-swagger) license terms** [![License][license-badge]][license-url] [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg [license-url]: https://redirect.github.com/go-swagger/go-swagger/?tab=Apache-2.0-1-ov-file#readme *** Released by [GoReleaser](https://redirect.github.com/goreleaser/goreleaser). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
GiteabotandGitHub
|
ee9f31e9c9 |
chore(deps): update dependency @eslint/json to v2 (#38030)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@eslint/json](https://redirect.github.com/eslint/json) | [`1.2.0` →
`2.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjson/1.2.0/2.0.0) |
|
|
---
### Release Notes
<details>
<summary>eslint/json (@​eslint/json)</summary>
###
[`v2.0.0`](https://redirect.github.com/eslint/json/blob/HEAD/CHANGELOG.md#200-2026-05-28)
[Compare
Source](https://redirect.github.com/eslint/json/compare/72eb947ec708d1326047977c165670582ce58a26...804ffc4911bf489cea025a829f65ee98c975b7ee)
##### ⚠ BREAKING CHANGES
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
##### Features
- add `meta.languages` to JSON rules
([#​238](https://redirect.github.com/eslint/json/issues/238))
([
|
||
|
GiteabotandGitHub
|
e01af366e2 |
fix(deps): update npm dependencies (#38035)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/autocomplete | [`6.20.2` → `6.20.3`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.2/6.20.3) |  |  | | [eslint-plugin-vue](https://eslint.vuejs.org) ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) | [`10.9.1` → `10.9.2`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.1/10.9.2) |  |  | --- ### Release Notes <details> <summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary> ### [`v10.9.2`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1092) [Compare Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.1...v10.9.2) ##### Patch Changes - Fixed [`vue/custom-event-name-casing`](https://eslint.vuejs.org/rules/custom-event-name-casing.html) to check segments of colon-separated event names like `update:foo-bar` ([#​3079](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3079)) - Fixed [`vue/one-component-per-file`](https://eslint.vuejs.org/rules/one-component-per-file.html) to not report functions not imported from Vue ([#​3063](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3063)) - Fixed [`vue/prefer-import-from-vue`](https://eslint.vuejs.org/rules/prefer-import-from-vue.html) to not report imports/exports of names that are not re-exported by `vue` ([#​3081](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3081)) - Fixed [`vue/return-in-computed-property`](https://eslint.vuejs.org/rules/return-in-computed-property.html) and [`vue/require-render-return`](https://eslint.vuejs.org/rules/require-render-return.html) to not report exhaustive switch statements when TypeScript type information is available ([#​3067](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3067)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
2a84831400 |
chore(deps): update astral-sh/setup-uv action to v8.2.0 (#38036)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | minor | `v8.1.0` → `v8.2.0` | --- ### Release Notes <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v8.2.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.2.0): 🌈 New inputs `quiet` and `download-from-astral-mirror` [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0) #### Changes This release brings two new inputs and a few bug fixes. ##### New inputs Lets talk about the new inputs first. ##### quiet Pretty simple. It turns of all `info` loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise" > \[!NOTE]\ > Warnings and errors are always logged. ##### download-from-astral-mirror In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that. ##### Bugfixes When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults. We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down. #### 🐛 Bug fixes - fix: report unexpected cache save failures [@​eifinger](https://redirect.github.com/eifinger) ([#​896](https://redirect.github.com/astral-sh/setup-uv/issues/896)) - fix: report unexpected setup failures [@​eifinger](https://redirect.github.com/eifinger) ([#​895](https://redirect.github.com/astral-sh/setup-uv/issues/895)) - fix: add timeout to fetch to prevent silent hangs [@​eifinger-bot](https://redirect.github.com/eifinger-bot) ([#​883](https://redirect.github.com/astral-sh/setup-uv/issues/883)) - Limit GitHub tokens to github.com download URLs [@​zsol](https://redirect.github.com/zsol) ([#​878](https://redirect.github.com/astral-sh/setup-uv/issues/878)) - increase libuv-workaround timeout to 100ms [@​eifinger](https://redirect.github.com/eifinger) ([#​880](https://redirect.github.com/astral-sh/setup-uv/issues/880)) #### 🚀 Enhancements - Add quiet input to suppress info-level log output [@​eifinger](https://redirect.github.com/eifinger) ([#​898](https://redirect.github.com/astral-sh/setup-uv/issues/898)) - feat: add `download-from-astral-mirror` input [@​eifinger](https://redirect.github.com/eifinger) ([#​897](https://redirect.github.com/astral-sh/setup-uv/issues/897)) #### 🧰 Maintenance - docs: update dependabot rollup biome guidance [@​eifinger](https://redirect.github.com/eifinger) ([#​902](https://redirect.github.com/astral-sh/setup-uv/issues/902)) - chore: update known checksums for 0.11.18 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​899](https://redirect.github.com/astral-sh/setup-uv/issues/899)) - chore: update known checksums for 0.11.17 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​892](https://redirect.github.com/astral-sh/setup-uv/issues/892)) - chore: update known checksums for 0.11.16 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​889](https://redirect.github.com/astral-sh/setup-uv/issues/889)) - chore: update known checksums for 0.11.15 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​885](https://redirect.github.com/astral-sh/setup-uv/issues/885)) - chore: update known checksums for 0.11.14 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​879](https://redirect.github.com/astral-sh/setup-uv/issues/879)) - chore: update known checksums for 0.11.13 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​877](https://redirect.github.com/astral-sh/setup-uv/issues/877)) - chore: update known checksums for 0.11.12 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​876](https://redirect.github.com/astral-sh/setup-uv/issues/876)) - chore: update known checksums for 0.11.11 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​873](https://redirect.github.com/astral-sh/setup-uv/issues/873)) - chore: update known checksums for 0.11.9/0.11.10 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​871](https://redirect.github.com/astral-sh/setup-uv/issues/871)) - chore: update known checksums for 0.11.8 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​867](https://redirect.github.com/astral-sh/setup-uv/issues/867)) - Bump setup-uv references to v8.1.0 SHA in docs [@​eifinger](https://redirect.github.com/eifinger) ([#​862](https://redirect.github.com/astral-sh/setup-uv/issues/862)) - Add update-docs.yml workflow [@​eifinger](https://redirect.github.com/eifinger) ([#​861](https://redirect.github.com/astral-sh/setup-uv/issues/861)) #### ⬆️ Dependency updates - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​903](https://redirect.github.com/astral-sh/setup-uv/issues/903)) - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​901](https://redirect.github.com/astral-sh/setup-uv/issues/901)) - chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​900](https://redirect.github.com/astral-sh/setup-uv/issues/900)) - chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​842](https://redirect.github.com/astral-sh/setup-uv/issues/842)) - chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​893](https://redirect.github.com/astral-sh/setup-uv/issues/893)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​891](https://redirect.github.com/astral-sh/setup-uv/issues/891)) - chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​884](https://redirect.github.com/astral-sh/setup-uv/issues/884)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​888](https://redirect.github.com/astral-sh/setup-uv/issues/888)) - chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​881](https://redirect.github.com/astral-sh/setup-uv/issues/881)) - chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​875](https://redirect.github.com/astral-sh/setup-uv/issues/875)) - chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​866](https://redirect.github.com/astral-sh/setup-uv/issues/866)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​864](https://redirect.github.com/astral-sh/setup-uv/issues/864)) - chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​863](https://redirect.github.com/astral-sh/setup-uv/issues/863)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
1e9ea9c8f5 |
fix(deps): update npm dependencies (#38029)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.27.0` → `19.28.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.27.0/19.28.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.0/8.60.1) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.18` → `1.6.19`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.18/1.6.19) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` → `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |  |  | | [eslint-import-resolver-typescript](https://redirect.github.com/import-js/eslint-import-resolver-typescript) | [`4.4.4` → `4.4.5`](https://renovatebot.com/diffs/npm/eslint-import-resolver-typescript/4.4.4/4.4.5) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.1.0` → `3.1.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1) |  |  | | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` → `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.4.0` → `11.5.1`](https://renovatebot.com/diffs/npm/pnpm/11.4.0/11.5.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.8` → `3.0.9`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.8/3.0.9) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.2` → `17.17.3`](https://renovatebot.com/diffs/npm/updates/17.17.2/17.17.3) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.14` → `8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.7` → `4.1.8`](https://renovatebot.com/diffs/npm/vitest/4.1.7/4.1.8) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.2` → `3.3.3`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.2/3.3.3) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19280) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.27.0...v19.28.0) ##### Minor Changes - [#​1208](https://redirect.github.com/primer/octicons/pull/1208) [`eddab3ff`](https://redirect.github.com/primer/octicons/commit/eddab3ff19f1450eb1d60c78b1d20c2c4bc3fd15) Thanks [@​dylanatsmith](https://redirect.github.com/dylanatsmith)! - Fix vscode icon: update 16px, add 24px, remove 32px and 48px </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary> ### [`v1.6.19`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.19) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1) #### Bug Fixes - [`e557467`](https://redirect.github.com/eslint/eslint/commit/e557467db7496220eebcbe2ac5ea6d38c12bb1ec) fix: update `@eslint/plugin-kit` version to 0.7.2 ([#​20930](https://redirect.github.com/eslint/eslint/issues/20930)) (Francesco Trotta) - [`d4ce898`](https://redirect.github.com/eslint/eslint/commit/d4ce898796ca22c3b96aa70d3014cb85f4bac1cd) fix: propagate failures from delegated commands ([#​20917](https://redirect.github.com/eslint/eslint/issues/20917)) (Minh Vu) - [`f4f3507`](https://redirect.github.com/eslint/eslint/commit/f4f3507460bc016b5be979c05d2969793f570cbf) fix: prefer-arrow-callback invalid autofix with newline after `async` ([#​20916](https://redirect.github.com/eslint/eslint/issues/20916)) (kuldeep kumar) - [`c5bc78b`](https://redirect.github.com/eslint/eslint/commit/c5bc78b37e08b9054a11f0cc2d81808bb24acb85) fix: false positive for reference in `finally` block ([#​20655](https://redirect.github.com/eslint/eslint/issues/20655)) (Tanuj Kanti) - [`27538c0`](https://redirect.github.com/eslint/eslint/commit/27538c01f5df4e9306f6f4ba867b2dd6307fae59) fix: add missing CodePath and CodePathSegment types ([#​20853](https://redirect.github.com/eslint/eslint/issues/20853)) (Pixel998) #### Documentation - [`61b0add`](https://redirect.github.com/eslint/eslint/commit/61b0add61ffc52665562be7bb96f526690a78b30) docs: remove deprecated rule from related rules of `max-params` ([#​20921](https://redirect.github.com/eslint/eslint/issues/20921)) (Tanuj Kanti) - [`305d5b9`](https://redirect.github.com/eslint/eslint/commit/305d5b91aeac24d36fde42f75625a8f183d4ce43) docs: remove deprecated rules from related rules section ([#​20911](https://redirect.github.com/eslint/eslint/issues/20911)) (Tanuj Kanti) - [`49b0202`](https://redirect.github.com/eslint/eslint/commit/49b0202d01918b8061720d586dffd7c68047090c) docs: fix `display: none` of ad ([#​20901](https://redirect.github.com/eslint/eslint/issues/20901)) (Tanuj Kanti) - [`9067f94`](https://redirect.github.com/eslint/eslint/commit/9067f9492ec998afc5b4f057a477ecf6ebd45e44) docs: switch build to Node.js 24 ([#​20893](https://redirect.github.com/eslint/eslint/issues/20893)) (Milos Djermanovic) - [`c91b041`](https://redirect.github.com/eslint/eslint/commit/c91b0417e3420c76807ce1fa2aea76e2de87ab86) docs: Update README (GitHub Actions Bot) - [`e349265`](https://redirect.github.com/eslint/eslint/commit/e349265cb37f3ebc837e178e48a725bb782bd870) docs: clarify semver strings in rule deprecation objects ([#​20885](https://redirect.github.com/eslint/eslint/issues/20885)) (Milos Djermanovic) #### Chores - [`b0e466b`](https://redirect.github.com/eslint/eslint/commit/b0e466b6ab47bfc7de43d8de0c315d8ee83aa584) test: add `data` property to invalid tests cases for rules ([#​20924](https://redirect.github.com/eslint/eslint/issues/20924)) (Tanuj Kanti) - [`f78838b`](https://redirect.github.com/eslint/eslint/commit/f78838bc4c86d487e1bcc7cede260c4467721c46) test: add CodePath type coverage ([#​20904](https://redirect.github.com/eslint/eslint/issues/20904)) (Pixel998) - [`1daa4bd`](https://redirect.github.com/eslint/eslint/commit/1daa4bd734b79a62e317d0394394a6b38cff49f9) chore: update `eslint-plugin-eslint-comments` test data to latest commit ([#​20922](https://redirect.github.com/eslint/eslint/issues/20922)) (Francesco Trotta) - [`002942c`](https://redirect.github.com/eslint/eslint/commit/002942ce988ea28b78e0a2f3b074081e638b552c) ci: declare contents:read on update-readme workflow ([#​20919](https://redirect.github.com/eslint/eslint/issues/20919)) (Arpit Jain) - [`64bca24`](https://redirect.github.com/eslint/eslint/commit/64bca24e7bed35bc3c864fc625cb2d89eca87d5b) chore: update ecosystem plugins ([#​20912](https://redirect.github.com/eslint/eslint/issues/20912)) (ESLint Bot) - [`6d7c832`](https://redirect.github.com/eslint/eslint/commit/6d7c832950d5e92499d88e504080661f888f8f56) chore: ignore fflate updates in renovate ([#​20908](https://redirect.github.com/eslint/eslint/issues/20908)) (Pixel998) - [`b2c8638`](https://redirect.github.com/eslint/eslint/commit/b2c86382164d87c6203b78d52068cd6a2a6ffe30) ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 ([#​20889](https://redirect.github.com/eslint/eslint/issues/20889)) (dependabot\[bot]) - [`a9b8d7f`](https://redirect.github.com/eslint/eslint/commit/a9b8d7f74c50211701cfc49710fa541fd91b2aa5) chore: increase maxBuffer for ecosystem tests ([#​20881](https://redirect.github.com/eslint/eslint/issues/20881)) (sethamus) - [`b702ead`](https://redirect.github.com/eslint/eslint/commit/b702ead5e1ed7cb9f28238a454797662efb37396) chore: update ecosystem update PR settings ([#​20884](https://redirect.github.com/eslint/eslint/issues/20884)) (Pixel998) - [`507f60e`](https://redirect.github.com/eslint/eslint/commit/507f60e9a78c9a902bc8759f066ae17a1ea6cd81) chore: update ecosystem plugins ([#​20882](https://redirect.github.com/eslint/eslint/issues/20882)) (ESLint Bot) - [`92f5c5b`](https://redirect.github.com/eslint/eslint/commit/92f5c5bb6bf3a5d167c8ee53a430833410295c6d) test: add unit test for message-count ([#​20878](https://redirect.github.com/eslint/eslint/issues/20878)) (kuldeep kumar) - [`df32108`](https://redirect.github.com/eslint/eslint/commit/df321080af5758b1fa25e4b9a40e26135642dd6e) chore: add [@​eslint/markdown](https://redirect.github.com/eslint/markdown) and typescript-eslint ecosystem tests ([#​20837](https://redirect.github.com/eslint/eslint/issues/20837)) (sethamus) - [`327f91d`](https://redirect.github.com/eslint/eslint/commit/327f91d36aa49f2a50ded931d841a16374fd875f) chore: use includeIgnoreFile internally ([#​20876](https://redirect.github.com/eslint/eslint/issues/20876)) (Kirk Waiblinger) - [`f0dc4bd`](https://redirect.github.com/eslint/eslint/commit/f0dc4bd893fb3a9f44e4ddc3ad7063ffb0beacd3) chore: pin fflate\@​0.8.2 ([#​20877](https://redirect.github.com/eslint/eslint/issues/20877)) (Milos Djermanovic) - [`0f4bd25`](https://redirect.github.com/eslint/eslint/commit/0f4bd257a67a082b756de746d9e0c4842ab764ca) ci: run Discord alert for ecosystem test failures ([#​20873](https://redirect.github.com/eslint/eslint/issues/20873)) (Copilot) </details> <details> <summary>import-js/eslint-import-resolver-typescript (eslint-import-resolver-typescript)</summary> ### [`v4.4.5`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/blob/HEAD/CHANGELOG.md#445) [Compare Source](https://redirect.github.com/import-js/eslint-import-resolver-typescript/compare/v4.4.4...v4.4.5) ##### Patch Changes - [#​473](https://redirect.github.com/import-js/eslint-import-resolver-typescript/pull/473) [`32c61ab`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/commit/32c61abccf26bd2a2267f2e0e67d82e6f88d149a) Thanks [@​leey0818](https://redirect.github.com/leey0818)! - fix: check tsconfig matching before using resolver </details> <details> <summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary> ### [`v3.1.1`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#311) [Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.1.0...v3.1.1) ##### Patch Changes - Fix false positives in `vue-scoped-css/require-selector-used-inside` for selectors that start with ignored pseudo-classes such as `:has(...)`. ([#​496](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/496)) </details> <details> <summary>nodeca/js-yaml (js-yaml)</summary> ### [`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9) ##### Added - Added `docs/safety.md` with notes about processing untrusted YAML. - Added `maxDepth` (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow. - Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix, but an additional restriction for safety. - Added sourcemaps to `dist/` builds. ##### Changed - Stop resolving numbers with underscores as numeric scalars, [#​627](https://redirect.github.com/nodeca/js-yaml/issues/627). - Switched dev toolchains to Vite / neostandard. - Updated demo. - Reorganized tests. - `dist/` files are no longer kept in the repository. ##### Fixed - Fix parsing of properties on the first implicit block mapping key, [#​62](https://redirect.github.com/nodeca/js-yaml/issues/62). - Fix trailing whitespace handling when folding flow scalar lines, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Reject top-level block scalars without content indentation, [#​280](https://redirect.github.com/nodeca/js-yaml/issues/280). - Ensure numbers survive round-trip, [#​737](https://redirect.github.com/nodeca/js-yaml/issues/737). - Fix test coverage for issue [#​221](https://redirect.github.com/nodeca/js-yaml/issues/221). - Fix flow scalar trailing whitespace folding, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Fix digits in YAML named tag handles. ##### Security - Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K). </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.5.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1151) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.0...v11.5.1) ##### Patch Changes - Improve `pnpm audit` performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap. - Avoid crashing when the workspace state cache is partially written or malformed. - Set `npm_config_user_agent` for root lifecycle scripts during headless installs. - Preserve the `integrity` field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via `pnpm update`, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` [#​12067](https://redirect.github.com/pnpm/pnpm/issues/12067). - Normalize a string `repository` field into the `{ type, url }` object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string `repository` with a 500 Internal Server Error during `pnpm publish` [#​12099](https://redirect.github.com/pnpm/pnpm/issues/12099). - Preserve compatible optional peer versions already present in the lockfile when resolving dependencies. - Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example `@typescript-eslint/eslint-plugin` peer-depends on both `@typescript-eslint/parser` and `typescript`, and `@typescript-eslint/parser` peer-depends on `typescript`), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version [#​12079](https://redirect.github.com/pnpm/pnpm/issues/12079). ### [`v11.5.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1150) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.4.0...v11.5.0) ##### Minor Changes - Added a new `hoistingLimits` setting for `nodeLinker: hoisted` installs, mirroring yarn's `nmHoistingLimits`. It accepts `none` (the default — hoist as far as possible), `workspaces` (hoist only as far as each workspace package), or `dependencies` (hoist only up to each workspace package's direct dependencies). Originally proposed in [#​6468](https://redirect.github.com/pnpm/pnpm/pull/6468), closing [#​6457](https://redirect.github.com/pnpm/pnpm/issues/6457). - Replaced `enquirer` with `@inquirer/prompts` for all interactive prompts. Fixes the `update -i` scrolling overflow bug where long choice lists were clipped in the terminal [#​6643](https://redirect.github.com/pnpm/pnpm/issues/6643). **User-facing changes:** - `pnpm update -i` / `pnpm update -i --latest`: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via `usePagination` - `pnpm audit --fix -i`: Same scrolling fix for vulnerability selection - `pnpm approve-builds`: Interactive build approval prompts updated - `pnpm patch`: Version selection and "apply to all" prompts updated - `pnpm patch-remove`: Patch removal selection updated - `pnpm publish`: Branch confirmation prompt updated - `pnpm login`: Credential prompts updated - `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`): Confirmation prompt updated Vim-style `j`/`k` keys still work for up/down navigation in all interactive prompts. **Internal:** The `OtpEnquirer` and `LoginEnquirer` DI interfaces changed from `{ prompt }` to `{ input }` / `{ input, password }` respectively. Plugins or custom builds that inject their own enquirer mock will need to update. - Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an `approver` field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level [#​11887](https://redirect.github.com/pnpm/pnpm/issues/11887). ##### Patch Changes - Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`). Cycles whose members hit the `findHit` cache instead of running their own `calculateDepPath` are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. [#​11999](https://redirect.github.com/pnpm/pnpm/issues/11999). - Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org failing without `--otp` with `[ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA."`. pnpm now sends `npm-auth-type: web` on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same `withOtpHandling` helper used by `pnpm publish`), so the browser opens, the user authenticates, and the dist-tag is set on retry. `--otp=<code>` continues to work via the classic flow. - Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during `publishedBy` metadata selection and cache-mtime shortcuts. - Fix the `integrity` field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent `--frozen-lockfile` installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. [#​12001](https://redirect.github.com/pnpm/pnpm/issues/12001). - Skip dependency re-resolution when `pnpm-lock.yaml` is missing but `node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest. `pnpm install` now reuses the materialized snapshot to regenerate `pnpm-lock.yaml` instead of walking the registry to rebuild it from scratch, turning the cache+node\_modules variation into a near-no-op for users who deleted the lockfile but kept the install [#​11993](https://redirect.github.com/pnpm/pnpm/issues/11993). `--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI. </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.9`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.9) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.8...3.0.9) - update deps (silverwind) - make: collapse patch/minor/major into one rule (silverwind) - simplify generateBundle: pair dir+raw, rename shadow, inline single-use const (silverwind) - make update a combination target, split out update-js (silverwind) - add update-actions make target (silverwind) - remove authorship attribution rule from AGENTS.md (silverwind) - docs: use defineConfig in README usage example (silverwind) </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.17.3`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.3) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.17.2...17.17.3) - fix prerelease drop in updateVersionRange and scope regex (silverwind) - fix 1.2.x ranges, docker tag corruption, and per-file cooldown (silverwind) - fix go +incompatible, cargo inline-table, and prerelease selection (silverwind) - fix --pin range parsing, url tag deps, and -s flag docs (silverwind) - make update a combination target, split out update-js (silverwind) - add update-actions make target (silverwind) - remove authorship attribution rule from AGENTS.md (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.16`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.15...v8.0.16) ##### Bug Fixes - **deps:** reject UNC paths for launch-editor-middleware ([#​22571](https://redirect.github.com/vitejs/vite/issues/22571)) ([50b9512](https://redirect.github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9)) - reject windows alternate paths ([#​22572](https://redirect.github.com/vitejs/vite/issues/22572)) ([dc245c7](https://redirect.github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546)) ### [`v8.0.15`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.14...v8.0.15) ##### Features - send 408 on request timeout ([#​22476](https://redirect.github.com/vitejs/vite/issues/22476)) ([c85c9ee](https://redirect.github.com/vitejs/vite/commit/c85c9eeb9aaf41f477b48b057146887bd5620797)) - update rolldown to 1.0.3 ([#​22538](https://redirect.github.com/vitejs/vite/issues/22538)) ([646dbed](https://redirect.github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575)) ##### Bug Fixes - capitalize error messages and remove spurious space in parse error ([#​22488](https://redirect.github.com/vitejs/vite/issues/22488)) ([85a0eff](https://redirect.github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3)) - **deps:** update all non-major dependencies ([#​22511](https://redirect.github.com/vitejs/vite/issues/22511)) ([2686d7d](https://redirect.github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa)) - **dev:** fix html-proxy cache key mismatch for /@​fs/ HTML paths ([#​21762](https://redirect.github.com/vitejs/vite/issues/21762)) ([47c4213](https://redirect.github.com/vitejs/vite/commit/47c4213f134f562c41ed7c031e4788510cf7e31e)) - **glob:** error on relative glob in virtual module when no files match ([#​22497](https://redirect.github.com/vitejs/vite/issues/22497)) ([5c8e98f](https://redirect.github.com/vitejs/vite/commit/5c8e98f8b584ac5d42f0f9b8580c49792213b13c)) - **optimizer:** close the rolldown bundle when write() rejects ([#​22528](https://redirect.github.com/vitejs/vite/issues/22528)) ([e3cfb9d](https://redirect.github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815)) - **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#​22509](https://redirect.github.com/vitejs/vite/issues/22509)) ([40985f1](https://redirect.github.com/vitejs/vite/commit/40985f1c09b7696e594e6c5695fbc315d2da2c83)) ##### Miscellaneous Chores - **deps:** update rolldown-related dependencies ([#​22566](https://redirect.github.com/vitejs/vite/issues/22566)) ([3052a67](https://redirect.github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd)) ##### Code Refactoring - correct logic in `collectAllModules` function ([#​22562](https://redirect.github.com/vitejs/vite/issues/22562)) ([6978a9c](https://redirect.github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.8`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.8) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) ##### 🐞 Bug Fixes - **browser**: - Disable client `cdp` API when `allowWrite/allowExec: false` \[backport to v4] - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa) and **Codex** in [#​10450](https://redirect.github.com/vitest-dev/vitest/issues/10450) [<samp>(e4067)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e4067b3b1) - Remove orphaned Playwright route when same module is mocked via multiple ids \[backport to v4] - by [@​toxik](https://redirect.github.com/toxik) and [@​Zelys-DFKH](https://redirect.github.com/Zelys-DFKH) in [#​10474](https://redirect.github.com/vitest-dev/vitest/issues/10474) [<samp>(675b4)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/675b4343f) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.3`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#333-2026-05-30) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.2...v3.3.3) ##### vscode - **fix:** prevent grammar scopes leakage in capitalized tags ([#​6073](https://redirect.github.com/vuejs/language-tools/issues/6073)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** preserve TS auto imports behavior in Vue files ([#​6072](https://redirect.github.com/vuejs/language-tools/issues/6072)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### workspace - **fix:** read PR title from env in `auto-version` workflow to prevent injection ([#​6074](https://redirect.github.com/vuejs/language-tools/issues/6074)) - Thanks to [@​arpitjain099](https://redirect.github.com/arpitjain099)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
|
GiteabotandGitHub
|
6dcae57b54 | chore(deps): update action dependencies (#38027) | ||
|
GiteaBot
|
7a26d5a2ae | [skip ci] Updated translations via Crowdin | ||
|
|
9619d93e3b |
chore(deps): update action dependencies (#37964)
This PR contains the following updates: | Package | Type | Update | Change | Pending | |---|---|---|---|---| | [aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials) | action | patch | `v6.1.1` → `v6.1.2` | `v6.1.3` | | [docker/build-push-action](https://redirect.github.com/docker/build-push-action) | action | minor | `v7.1.0` → `v7.2.0` | | | [docker/login-action](https://redirect.github.com/docker/login-action) | action | minor | `v4.1.0` → `v4.2.0` | | | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | minor | `v6.0.0` → `v6.1.0` | | | [docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action) | action | minor | `v4.0.0` → `v4.1.0` | | | [docker/setup-qemu-action](https://redirect.github.com/docker/setup-qemu-action) | action | minor | `v4.0.0` → `v4.1.0` | | | redis | service | digest | `48e78eb` → `e74c9b9` | | --- ### Release Notes <details> <summary>aws-actions/configure-aws-credentials (aws-actions/configure-aws-credentials)</summary> ### [`v6.1.2`](https://redirect.github.com/aws-actions/configure-aws-credentials/releases/tag/v6.1.2) [Compare Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2) ##### Bug Fixes - additional filesystem checks ([#​1799](https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799)) ([c39f282](https://redirect.github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c)) </details> <details> <summary>docker/build-push-action (docker/build-push-action)</summary> ### [`v7.2.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/docker/build-push-action/compare/v7.1.0...v7.2.0) - Bump [@​actions/core](https://redirect.github.com/actions/core) from 3.0.0 to 3.0.1 in [#​1525](https://redirect.github.com/docker/build-push-action/pull/1525) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.87.0 to 0.90.0 in [#​1517](https://redirect.github.com/docker/build-push-action/pull/1517) - Bump brace-expansion from 2.0.2 to 5.0.6 in [#​1534](https://redirect.github.com/docker/build-push-action/pull/1534) - Bump fast-xml-builder from 1.1.4 to 1.2.0 in [#​1529](https://redirect.github.com/docker/build-push-action/pull/1529) - Bump fast-xml-parser from 5.5.7 to 5.8.0 in [#​1521](https://redirect.github.com/docker/build-push-action/pull/1521) - Bump postcss from 8.5.6 to 8.5.10 in [#​1526](https://redirect.github.com/docker/build-push-action/pull/1526) - Bump tar from 6.2.1 to 7.5.15 in [#​1533](https://redirect.github.com/docker/build-push-action/pull/1533) **Full Changelog**: <https://github.com/docker/build-push-action/compare/v7.1.0...v7.2.0> </details> <details> <summary>docker/login-action (docker/login-action)</summary> ### [`v4.2.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.2.0) [Compare Source](https://redirect.github.com/docker/login-action/compare/v4.1.0...v4.2.0) - Bump [@​actions/core](https://redirect.github.com/actions/core) from 3.0.0 to 3.0.1 in [#​976](https://redirect.github.com/docker/login-action/pull/976) - Bump [@​aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr) and [@​aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public) to 3.1050.0 in [#​960](https://redirect.github.com/docker/login-action/pull/960) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.86.0 to 0.90.0 in [#​970](https://redirect.github.com/docker/login-action/pull/970) - Bump brace-expansion from 2.0.1 to 5.0.6 in [#​993](https://redirect.github.com/docker/login-action/pull/993) - Bump fast-xml-builder from 1.1.4 to 1.2.0 in [#​985](https://redirect.github.com/docker/login-action/pull/985) - Bump fast-xml-parser from 5.3.6 to 5.8.0 in [#​963](https://redirect.github.com/docker/login-action/pull/963) - Bump http-proxy-agent and https-proxy-agent to 9.0.0 in [#​961](https://redirect.github.com/docker/login-action/pull/961) - Bump postcss from 8.5.6 to 8.5.10 in [#​979](https://redirect.github.com/docker/login-action/pull/979) - Bump tar from 6.2.1 to 7.5.15 in [#​991](https://redirect.github.com/docker/login-action/pull/991) - Bump vite from 7.3.1 to 7.3.3 in [#​986](https://redirect.github.com/docker/login-action/pull/986) **Full Changelog**: <https://github.com/docker/login-action/compare/v4.1.0...v4.2.0> </details> <details> <summary>docker/metadata-action (docker/metadata-action)</summary> ### [`v6.1.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.1.0) [Compare Source](https://redirect.github.com/docker/metadata-action/compare/v6...v6.1.0) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.79.0 to 0.90.0 in [#​613](https://redirect.github.com/docker/metadata-action/pull/613) - Bump brace-expansion from 1.1.12 to 5.0.6 in [#​658](https://redirect.github.com/docker/metadata-action/pull/658) [#​630](https://redirect.github.com/docker/metadata-action/pull/630) - Bump csv-parse from 6.1.0 to 6.2.1 in [#​617](https://redirect.github.com/docker/metadata-action/pull/617) - Bump fast-xml-parser from 5.4.2 to 5.8.0 in [#​620](https://redirect.github.com/docker/metadata-action/pull/620) - Bump flatted from 3.3.3 to 3.4.2 in [#​623](https://redirect.github.com/docker/metadata-action/pull/623) - Bump glob from 10.3.15 to 10.5.0 in [#​621](https://redirect.github.com/docker/metadata-action/pull/621) - Bump handlebars from 4.7.8 to 4.7.9 in [#​629](https://redirect.github.com/docker/metadata-action/pull/629) - Bump lodash from 4.17.23 to 4.18.1 in [#​639](https://redirect.github.com/docker/metadata-action/pull/639) - Bump moment-timezone from 0.6.0 to 0.6.1 in [#​619](https://redirect.github.com/docker/metadata-action/pull/619) - Bump picomatch from 4.0.3 to 4.0.4 in [#​626](https://redirect.github.com/docker/metadata-action/pull/626) - Bump postcss from 8.5.6 to 8.5.10 in [#​649](https://redirect.github.com/docker/metadata-action/pull/649) - Bump tar from 6.2.1 to 7.5.15 in [#​657](https://redirect.github.com/docker/metadata-action/pull/657) - Bump undici from 6.23.0 to 6.25.0 in [#​614](https://redirect.github.com/docker/metadata-action/pull/614) - Bump vite from 7.3.1 to 7.3.2 in [#​637](https://redirect.github.com/docker/metadata-action/pull/637) **Full Changelog**: <https://github.com/docker/metadata-action/compare/v6.0.0...v6.1.0> </details> <details> <summary>docker/setup-buildx-action (docker/setup-buildx-action)</summary> ### [`v4.1.0`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v4.1.0) [Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v4...v4.1.0) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.79.0 to 0.90.0 in [#​489](https://redirect.github.com/docker/setup-buildx-action/pull/489) - Bump brace-expansion from 1.1.12 to 5.0.6 in [#​547](https://redirect.github.com/docker/setup-buildx-action/pull/547) [#​508](https://redirect.github.com/docker/setup-buildx-action/pull/508) - Bump fast-xml-builder from 1.0.0 to 1.2.0 in [#​540](https://redirect.github.com/docker/setup-buildx-action/pull/540) - Bump fast-xml-parser from 5.4.2 to 5.8.0 in [#​496](https://redirect.github.com/docker/setup-buildx-action/pull/496) - Bump flatted from 3.3.3 to 3.4.2 in [#​499](https://redirect.github.com/docker/setup-buildx-action/pull/499) - Bump glob from 10.3.12 to 13.0.6 in [#​495](https://redirect.github.com/docker/setup-buildx-action/pull/495) - Bump handlebars from 4.7.8 to 4.7.9 in [#​504](https://redirect.github.com/docker/setup-buildx-action/pull/504) - Bump lodash from 4.17.23 to 4.18.1 in [#​523](https://redirect.github.com/docker/setup-buildx-action/pull/523) - Bump picomatch from 4.0.3 to 4.0.4 in [#​503](https://redirect.github.com/docker/setup-buildx-action/pull/503) - Bump postcss from 8.5.6 to 8.5.10 in [#​537](https://redirect.github.com/docker/setup-buildx-action/pull/537) - Bump tar from 6.2.1 to 7.5.15 in [#​545](https://redirect.github.com/docker/setup-buildx-action/pull/545) - Bump undici from 6.23.0 to 6.25.0 in [#​492](https://redirect.github.com/docker/setup-buildx-action/pull/492) - Bump vite from 7.3.1 to 7.3.2 in [#​520](https://redirect.github.com/docker/setup-buildx-action/pull/520) **Full Changelog**: <https://github.com/docker/setup-buildx-action/compare/v4.0.0...v4.1.0> </details> <details> <summary>docker/setup-qemu-action (docker/setup-qemu-action)</summary> ### [`v4.1.0`](https://redirect.github.com/docker/setup-qemu-action/releases/tag/v4.1.0) [Compare Source](https://redirect.github.com/docker/setup-qemu-action/compare/v4...v4.1.0) - Add `reset` input to uninstall current emulators by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​21](https://redirect.github.com/docker/setup-qemu-action/pull/21) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.77.0 to 0.91.0 in [#​250](https://redirect.github.com/docker/setup-qemu-action/pull/250) [#​247](https://redirect.github.com/docker/setup-qemu-action/pull/247) - Bump brace-expansion from 1.1.12 to 1.1.15 in [#​265](https://redirect.github.com/docker/setup-qemu-action/pull/265) - Bump fast-xml-builder from 1.0.0 to 1.2.0 in [#​286](https://redirect.github.com/docker/setup-qemu-action/pull/286) - Bump fast-xml-parser from 5.4.2 to 5.8.0 in [#​255](https://redirect.github.com/docker/setup-qemu-action/pull/255) - Bump flatted from 3.3.3 to 3.4.2 in [#​257](https://redirect.github.com/docker/setup-qemu-action/pull/257) - Bump glob from 10.3.15 to 10.5.0 in [#​254](https://redirect.github.com/docker/setup-qemu-action/pull/254) - Bump handlebars from 4.7.8 to 4.7.9 in [#​262](https://redirect.github.com/docker/setup-qemu-action/pull/262) - Bump lodash from 4.17.23 to 4.18.1 in [#​273](https://redirect.github.com/docker/setup-qemu-action/pull/273) - Bump postcss from 8.5.6 to 8.5.10 in [#​285](https://redirect.github.com/docker/setup-qemu-action/pull/285) - Bump tar from 6.2.1 to 7.5.15 in [#​287](https://redirect.github.com/docker/setup-qemu-action/pull/287) - Bump tmp from 0.2.5 to 0.2.6 in [#​291](https://redirect.github.com/docker/setup-qemu-action/pull/291) - Bump undici from 6.23.0 to 6.26.0 in [#​251](https://redirect.github.com/docker/setup-qemu-action/pull/251) - Bump vite from 7.3.1 to 7.3.2 in [#​271](https://redirect.github.com/docker/setup-qemu-action/pull/271) **Full Changelog**: <https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
798578115b |
fix(deps): update npm dependencies, remove nolyfill (#37968)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@eslint-community/eslint-plugin-eslint-comments](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments)
| [`4.7.1` →
`4.7.2`](https://renovatebot.com/diffs/npm/@eslint-community%2feslint-plugin-eslint-comments/4.7.1/4.7.2)
|
|
|
| [@primer/octicons](https://primer.style/octicons)
([source](https://redirect.github.com/primer/octicons)) | [`19.26.0` →
`19.27.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.26.0/19.27.0)
|
|
|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser))
| [`8.59.4` →
`8.60.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.4/8.60.0)
|
|
|
|
[@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest)
| [`1.6.17` →
`1.6.18`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.17/1.6.18)
|
|
|
| [dayjs](https://day.js.org)
([source](https://redirect.github.com/iamkun/dayjs)) | [`1.11.20` →
`1.11.21`](https://renovatebot.com/diffs/npm/dayjs/1.11.20/1.11.21) |
|
|
| [katex](https://katex.org)
([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.47` →
`0.17.0`](https://renovatebot.com/diffs/npm/katex/0.16.47/0.17.0) |
|
|
|
[material-icon-theme](https://redirect.github.com/material-extensions/vscode-material-icon-theme/blob/main/README.md)
([source](https://redirect.github.com/material-extensions/vscode-material-icon-theme))
| [`5.34.0` →
`5.35.0`](https://renovatebot.com/diffs/npm/material-icon-theme/5.34.0/5.35.0)
|
|
|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`11.2.1` →
`11.4.0`](https://renovatebot.com/diffs/npm/pnpm/11.2.1/11.4.0) |
|
|
|
[rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin)
| [`3.0.7` →
`3.0.8`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.7/3.0.8)
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
| [`8.59.4` →
`8.60.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.4/8.60.0)
|
|
|
| [updates](https://redirect.github.com/silverwind/updates) |
[`17.16.13` →
`17.17.2`](https://renovatebot.com/diffs/npm/updates/17.16.13/17.17.2) |
|
|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`8.0.13` →
`8.0.14`](https://renovatebot.com/diffs/npm/vite/8.0.13/8.0.14) |
|
|
| [vue](https://vuejs.org/)
([source](https://redirect.github.com/vuejs/core)) | [`3.5.34` →
`3.5.35`](https://renovatebot.com/diffs/npm/vue/3.5.34/3.5.35) |
|
|
| [vue-tsc](https://redirect.github.com/vuejs/language-tools)
([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc))
| [`3.3.1` →
`3.3.2`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.1/3.3.2) |
|
|
---
### Release Notes
<details>
<summary>eslint-community/eslint-plugin-eslint-comments
(@​eslint-community/eslint-plugin-eslint-comments)</summary>
###
[`v4.7.2`](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/releases/tag/v4.7.2)
[Compare
Source](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/compare/v4.7.1...v4.7.2)
##### Bug Fixes
- **deps:** pin `modern-monaco` version to 0.4.0
([#​320](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/issues/320))
([62a2c3a](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/commit/62a2c3a4ee304a8383f170369c9999198d9bdac8))
- **docs:** use `modern-monaco` instead of `monaco-editor`
([#​311](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/issues/311))
([42919d0](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/commit/42919d06d8a221e061de3ec98e35bf508ea2b5d2))
</details>
<details>
<summary>primer/octicons (@​primer/octicons)</summary>
###
[`v19.27.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19270)
[Compare
Source](https://redirect.github.com/primer/octicons/compare/v19.26.0...v19.27.0)
##### Minor Changes
- [#​1203](https://redirect.github.com/primer/octicons/pull/1203)
[`a69618e4`](https://redirect.github.com/primer/octicons/commit/a69618e4b64988784c9c0a06bbf809a3fa343642)
Thanks [@​ericwbailey](https://redirect.github.com/ericwbailey)! -
Add flag icon
##### Patch Changes
- [#​1212](https://redirect.github.com/primer/octicons/pull/1212)
[`02bd1ef8`](https://redirect.github.com/primer/octicons/commit/02bd1ef8d15abffaa45be8e00c5fbc896e276c54)
Thanks [@​ericwbailey](https://redirect.github.com/ericwbailey)! -
remove hardcoded fill from flag icon
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.60.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8600-2026-05-25)
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.4...v8.60.0)
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.0)
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning) and
[releases](https://typescript-eslint.io/users/releases) on our website.
</details>
<details>
<summary>vitest-dev/eslint-plugin-vitest
(@​vitest/eslint-plugin)</summary>
###
[`v1.6.18`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.18)
[Compare
Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.17...v1.6.18)
##### 🐞 Bug Fixes
- Correct `requiresTypeChecking` metadata for four rules - by
[@​inglec-arista](https://redirect.github.com/inglec-arista) in
[#​905](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/905)
[<samp>(e06a3)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/e06a3dc)
##### [View changes on
GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.17...v1.6.18)
</details>
<details>
<summary>iamkun/dayjs (dayjs)</summary>
###
[`v1.11.21`](https://redirect.github.com/iamkun/dayjs/blob/HEAD/CHANGELOG.md#11121-2026-05-26)
[Compare
Source](https://redirect.github.com/iamkun/dayjs/compare/v1.11.20...v1.11.21)
##### Bug Fixes
- preserve unsupported year tokens in format
([#​3015](https://redirect.github.com/iamkun/dayjs/issues/3015))
([#​3016](https://redirect.github.com/iamkun/dayjs/issues/3016))
([8fda602](https://redirect.github.com/iamkun/dayjs/commit/8fda602beac5abbc64230ddc49085aa532320f26))
</details>
<details>
<summary>KaTeX/KaTeX (katex)</summary>
###
[`v0.17.0`](https://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#0170-2026-05-22)
[Compare
Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.47...v0.17.0)
##### Performance Improvements
- simplify `defineFunction` to avoid destructuring, improve typing
([#​4222](https://redirect.github.com/KaTeX/KaTeX/issues/4222))
([fb604e6](https://redirect.github.com/KaTeX/KaTeX/commit/fb604e6ba63e99809e242d37f9c8359209d55431))
##### BREAKING CHANGES
- The internal API for `__defineFunction` changed: you should no longer
wrap properties in `props`.
####
[0.16.47](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.46...v0.16.47)
(2026-05-16)
##### Bug Fixes
- correct size of `[` big delimiter
([#​4217](https://redirect.github.com/KaTeX/KaTeX/issues/4217))
([7ba0027](https://redirect.github.com/KaTeX/KaTeX/commit/7ba0027d2f04abddd3b215362f867ab8260b09d7)),
closes
[#​4215](https://redirect.github.com/KaTeX/KaTeX/issues/4215)
####
[0.16.46](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.45...v0.16.46)
(2026-05-13)
##### Bug Fixes
- preserve math font in some styling commands
([#​4214](https://redirect.github.com/KaTeX/KaTeX/issues/4214))
([e9ee046](https://redirect.github.com/KaTeX/KaTeX/commit/e9ee0464ddb31da9bf9649eeb70e52236e7a974a)),
closes
[#​4213](https://redirect.github.com/KaTeX/KaTeX/issues/4213)
####
[0.16.45](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.44...v0.16.45)
(2026-04-05)
##### Bug Fixes
- wrap vcenter mpadded in mrow for valid MathML
([#​4193](https://redirect.github.com/KaTeX/KaTeX/issues/4193))
([ee66b78](https://redirect.github.com/KaTeX/KaTeX/commit/ee66b78d24340edbbd05b08a4a429ce9ed158b25)),
closes
[#​4078](https://redirect.github.com/KaTeX/KaTeX/issues/4078)
####
[0.16.44](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.43...v0.16.44)
(2026-03-27)
##### Bug Fixes
- remove extra \jot space at bottom of align/gather/etc.
([#​4184](https://redirect.github.com/KaTeX/KaTeX/issues/4184))
([3870ee9](https://redirect.github.com/KaTeX/KaTeX/commit/3870ee913e27fdde7bce244e4c6c5d63e2b28a62))
####
[0.16.43](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.42...v0.16.43)
(2026-03-26)
##### Bug Fixes
- use makeEm() consistently to truncate long CSS decimals
([#​4181](https://redirect.github.com/KaTeX/KaTeX/issues/4181))
([0967dcc](https://redirect.github.com/KaTeX/KaTeX/commit/0967dcc0278f20d4501a93f01c7343c70abb3fcd))
####
[0.16.42](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.41...v0.16.42)
(2026-03-24)
##### Features
- \underbracket and \overbracket
([#​4147](https://redirect.github.com/KaTeX/KaTeX/issues/4147))
([5be9abb](https://redirect.github.com/KaTeX/KaTeX/commit/5be9abb0b4d687a2a196b8adf9b5b9deeb60f7bc))
####
[0.16.41](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.40...v0.16.41)
(2026-03-24)
##### Bug Fixes
- \sout in text mode
([#​4173](https://redirect.github.com/KaTeX/KaTeX/issues/4173))
([e748578](https://redirect.github.com/KaTeX/KaTeX/commit/e748578b63e07ad30d5e404e60b04e5e794c0a5a))
####
[0.16.40](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.39...v0.16.40)
(2026-03-20)
##### Bug Fixes
- **css:** specify position: relative for .katex
([#​4170](https://redirect.github.com/KaTeX/KaTeX/issues/4170))
([020f0d8](https://redirect.github.com/KaTeX/KaTeX/commit/020f0d89567d59229bac5fc8d8f5832a9508a85f))
####
[0.16.39](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.38...v0.16.39)
(2026-03-19)
##### Bug Fixes
- middle dot in text mode
([#​4169](https://redirect.github.com/KaTeX/KaTeX/issues/4169))
([edb45b0](https://redirect.github.com/KaTeX/KaTeX/commit/edb45b0b17c7b33349ce5142fe39156da05cb4d8)),
closes
[#​3641](https://redirect.github.com/KaTeX/KaTeX/issues/3641)
####
[0.16.38](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.37...v0.16.38)
(2026-03-08)
##### Bug Fixes
- accent skew mixed with font specifiers
([#​4159](https://redirect.github.com/KaTeX/KaTeX/issues/4159))
([aea3375](https://redirect.github.com/KaTeX/KaTeX/commit/aea33758d6c98896017007d0244885301773856a)),
closes
[#​4121](https://redirect.github.com/KaTeX/KaTeX/issues/4121)
####
[0.16.37](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.36...v0.16.37)
(2026-03-06)
##### Bug Fixes
- negative-width `\hphantom` and symmetric `\smash`
([#​4153](https://redirect.github.com/KaTeX/KaTeX/issues/4153))
([d4799ca](https://redirect.github.com/KaTeX/KaTeX/commit/d4799cae585d909e2a4e3dedbebdc2f142998ca9))
####
[0.16.36](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.35...v0.16.36)
(2026-03-06)
##### Bug Fixes
- contrib esm bloat
([#​4157](https://redirect.github.com/KaTeX/KaTeX/issues/4157))
([2bde1ad](https://redirect.github.com/KaTeX/KaTeX/commit/2bde1adab2a23f61519145923329c915b04d4778))
####
[0.16.35](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.34...v0.16.35)
(2026-03-05)
##### Bug Fixes
- version number regression
([#​4155](https://redirect.github.com/KaTeX/KaTeX/issues/4155))
([db26b73](https://redirect.github.com/KaTeX/KaTeX/commit/db26b733805f2d0d71e82596475b313c8706557e))
####
[0.16.34](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.34)
(2026-03-05)
##### Bug Fixes
- emoji with variation selector
([#​4151](https://redirect.github.com/KaTeX/KaTeX/issues/4151))
([c2606e5](https://redirect.github.com/KaTeX/KaTeX/commit/c2606e5db91ae199ee1ff0c8c2f7f9f70fcf589b))
####
[0.16.33](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.32...v0.16.33)
(2026-02-23)
##### Bug Fixes
- **scss:** forward variables to fonts module
([#​4146](https://redirect.github.com/KaTeX/KaTeX/issues/4146))
([9349a64](https://redirect.github.com/KaTeX/KaTeX/commit/9349a64a051ca408da713baf061e32ade80ed22a))
####
[0.16.32](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.31...v0.16.32)
(2026-02-22)
##### Bug Fixes
- italic separation in \mathnormal
([#​4143](https://redirect.github.com/KaTeX/KaTeX/issues/4143))
([71305a0](https://redirect.github.com/KaTeX/KaTeX/commit/71305a05140ca6203092bfdc14f689168b26ab8c))
####
[0.16.31](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.30...v0.16.31)
(2026-02-22)
##### Bug Fixes
- `\*frac` sizing
([#​4137](https://redirect.github.com/KaTeX/KaTeX/issues/4137))
([ef51f18](https://redirect.github.com/KaTeX/KaTeX/commit/ef51f18ded4ab9ba54ba750f2866241c4676c41c))
####
[0.16.30](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.29...v0.16.30)
(2026-02-22)
##### Bug Fixes
- no line breaks after `\not`
([#​4140](https://redirect.github.com/KaTeX/KaTeX/issues/4140))
([2d1ba86](https://redirect.github.com/KaTeX/KaTeX/commit/2d1ba86143bd45540d5a773cfa456081318f3f33))
####
[0.16.29](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.28...v0.16.29)
(2026-02-22)
##### Bug Fixes
- `\imath` and other `\html@mathml` macros in arguments
([#​4139](https://redirect.github.com/KaTeX/KaTeX/issues/4139))
([a850cce](https://redirect.github.com/KaTeX/KaTeX/commit/a850cce7ccbf95a0b187313d1e54d8d40dfc7273))
####
[0.16.28](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.27...v0.16.28)
(2026-01-25)
##### Bug Fixes
- **type:** add missing types definition path to package.json
([#​4125](https://redirect.github.com/KaTeX/KaTeX/issues/4125))
([0ef8921](https://redirect.github.com/KaTeX/KaTeX/commit/0ef8921d189346b0ff8f84a77f7f552349b76893))
####
[0.16.27](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.26...v0.16.27)
(2025-12-07)
##### Features
- support equals sign and surrounding whitespace in \htmlData attribute
values
([#​4112](https://redirect.github.com/KaTeX/KaTeX/issues/4112))
([c77aaec](https://redirect.github.com/KaTeX/KaTeX/commit/c77aaec00c766f5bb02e332a1dc416b82a65fe8f))
####
[0.16.26](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.25...v0.16.26)
(2025-12-07)
##### Bug Fixes
- \mathop followed by integral symbol
([6fbad18](https://redirect.github.com/KaTeX/KaTeX/commit/6fbad18857351e4d2a88ed3e3348bd76caad9be3))
####
[0.16.25](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.24...v0.16.25)
(2025-10-13)
##### Features
- **css:** provide `katex-swap.css` that uses `font-display: swap`
([#​3940](https://redirect.github.com/KaTeX/KaTeX/issues/3940))
([b3f9ce6](https://redirect.github.com/KaTeX/KaTeX/commit/b3f9ce691e89a52dea7ec8f10cc6ed4ddc8fc161)),
closes
[#​2242](https://redirect.github.com/KaTeX/KaTeX/issues/2242)
####
[0.16.24](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.23...v0.16.24)
(2025-10-12)
##### Features
- support hex colors with alpha
([#​4090](https://redirect.github.com/KaTeX/KaTeX/issues/4090))
([8c9b306](https://redirect.github.com/KaTeX/KaTeX/commit/8c9b3063965acc0d6e6a0b6df4d051169de9e1a9)),
closes
[#​4067](https://redirect.github.com/KaTeX/KaTeX/issues/4067)
[#fA6](https://redirect.github.com/KaTeX/KaTeX/issues/fA6)
[#fA6f1](https://redirect.github.com/KaTeX/KaTeX/issues/fA6f1)
####
[0.16.23](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.22...v0.16.23)
(2025-10-03)
##### Bug Fixes
- Support `\def` with arguments via `macros` option
([#​4087](https://redirect.github.com/KaTeX/KaTeX/issues/4087))
([80a8158](https://redirect.github.com/KaTeX/KaTeX/commit/80a815856a8c26d78b3669e9c05fff00efe82247))
####
[0.16.22](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.21...v0.16.22)
(2025-04-09)
##### Bug Fixes
- \relax in base or exponent of super/subscript
([#​4045](https://redirect.github.com/KaTeX/KaTeX/issues/4045))
([1f43c84](https://redirect.github.com/KaTeX/KaTeX/commit/1f43c84a175fb689f8c8d1d72b1e8b896a8b43d1))
####
[0.16.21](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21)
(2025-01-17)
##### Bug Fixes
- escape \htmlData attribute name
([57914ad](https://redirect.github.com/KaTeX/KaTeX/commit/57914ad91eff401357f44bf364b136d37eba04f8))
####
[0.16.20](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.19...v0.16.20)
(2025-01-12)
##### Bug Fixes
- \providecommand does not overwrite existing macro
([#​4000](https://redirect.github.com/KaTeX/KaTeX/issues/4000))
([6d30fe4](https://redirect.github.com/KaTeX/KaTeX/commit/6d30fe47b06f9da9b836fe518d5cbbecf6a6a3a1)),
closes
[#​3928](https://redirect.github.com/KaTeX/KaTeX/issues/3928)
####
[0.16.19](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.18...v0.16.19)
(2024-12-29)
##### Bug Fixes
- **types:** improve `strict` function type
([#​4009](https://redirect.github.com/KaTeX/KaTeX/issues/4009))
([4228b4e](https://redirect.github.com/KaTeX/KaTeX/commit/4228b4eb529b8e35def66cc6e4fa467383b98c86))
####
[0.16.18](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.17...v0.16.18)
(2024-12-18)
##### Bug Fixes
- Actually publish TypeScript type definitions
([#​4008](https://redirect.github.com/KaTeX/KaTeX/issues/4008))
([629b873](https://redirect.github.com/KaTeX/KaTeX/commit/629b87354fdfc04a3769f09b69f6bbadebcb9ae8))
####
[0.16.17](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.16...v0.16.17)
(2024-12-17)
##### Bug Fixes
- MathML combines multidigit numbers with sup/subscript, comma
separators, and multicharacter text when outputting to DOM
([#​3999](https://redirect.github.com/KaTeX/KaTeX/issues/3999))
([7d79e22](https://redirect.github.com/KaTeX/KaTeX/commit/7d79e220f465c42d4334dc95f1c41e333667e168)),
closes
[#​3995](https://redirect.github.com/KaTeX/KaTeX/issues/3995)
####
[0.16.16](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.15...v0.16.16)
(2024-12-17)
##### Features
- ESM exports, TypeScript types
([#​3992](https://redirect.github.com/KaTeX/KaTeX/issues/3992))
([ea9c173](https://redirect.github.com/KaTeX/KaTeX/commit/ea9c173a0de953b49b2ce5d131e88b785f5dffa1))
####
[0.16.15](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.14...v0.16.15)
(2024-12-09)
##### Features
- italic sans-serif in math mode via `\mathsfit` command
([#​3998](https://redirect.github.com/KaTeX/KaTeX/issues/3998))
([2218901](https://redirect.github.com/KaTeX/KaTeX/commit/22189018b63c9312ec4ad126804514a7390d60b5))
####
[0.16.14](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.13...v0.16.14)
(2024-12-08)
##### Features
- \dddot and \ddddot support
([#​3834](https://redirect.github.com/KaTeX/KaTeX/issues/3834))
([bda35cd](https://redirect.github.com/KaTeX/KaTeX/commit/bda35cdb0a6bbbc52dd27c79e4d984688be3b745)),
closes
[#​2744](https://redirect.github.com/KaTeX/KaTeX/issues/2744)
####
[0.16.13](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.12...v0.16.13)
(2024-12-08)
##### Bug Fixes
- `\vdots` and `\rule` support in text mode
([#​3997](https://redirect.github.com/KaTeX/KaTeX/issues/3997))
([0e08352](https://redirect.github.com/KaTeX/KaTeX/commit/0e0835262345d991df61a435800a16b069a4d5c7)),
closes
[#​3990](https://redirect.github.com/KaTeX/KaTeX/issues/3990)
####
[0.16.12](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.11...v0.16.12)
(2024-12-08)
##### Features
- **css:** configurable margin for display math
([#​3638](https://redirect.github.com/KaTeX/KaTeX/issues/3638))
([3405001](https://redirect.github.com/KaTeX/KaTeX/commit/3405001225b8ee0cf8b35b2e3a6c1fa2191e5fef))
####
[0.16.11](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.10...v0.16.11)
(2024-07-02)
##### Features
- add \emph
([#​3963](https://redirect.github.com/KaTeX/KaTeX/issues/3963))
([9f34da4](https://redirect.github.com/KaTeX/KaTeX/commit/9f34da4b3cf228a7af8134c394394d780a089f2b)),
closes
[#​3566](https://redirect.github.com/KaTeX/KaTeX/issues/3566)
####
[0.16.10](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.9...v0.16.10)
(2024-03-24)
##### Bug Fixes
- \edef bypassing maxExpand via exponential blowup
([e88b4c3](https://redirect.github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34))
- escape \includegraphics src and alt
([c5897fc](https://redirect.github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770))
- force protocol to be lowercase for better protocol filtering
([fc5af64](https://redirect.github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de)),
closes
[/datatracker.ietf.org/doc/html/rfc3986#section-3](https://redirect.github.com//datatracker.ietf.org/doc/html/rfc3986/issues/section-3)
- maxExpand limit with Unicode sub/superscripts
([085e21b](https://redirect.github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2))
####
[0.16.9](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.8...v0.16.9)
(2023-10-02)
##### Features
- Support bold Fraktur
([#​3777](https://redirect.github.com/KaTeX/KaTeX/issues/3777))
([
|
||
|
GiteabotandGitHub
|
ab2a72fe04 |
fix(deps): update module github.com/google/go-github/v87 to v88 (#37971)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/google/go-github/v87](https://redirect.github.com/google/go-github) | `v87.0.0` → `v88.0.0` |  |  | --- ### Release Notes <details> <summary>google/go-github (github.com/google/go-github/v87)</summary> ### [`v88.0.0`](https://redirect.github.com/google/go-github/releases/tag/v88.0.0) [Compare Source](https://redirect.github.com/google/go-github/compare/v87.0.0...v88.0.0) This release contains the following breaking API changes: - refactor!: Change app installation `Find*` methods to `Get*` ([#​4243](https://redirect.github.com/google/go-github/issues/4243)) BREAKING CHANGE: App installation methods are renamed from `Find*` to `Get*`. ...and the following additional changes: - chore: Bump version of go-github to v88.0.0 ([#​4245](https://redirect.github.com/google/go-github/issues/4245)) - chore: Update `openapi_operations.yaml` ([#​4242](https://redirect.github.com/google/go-github/issues/4242)) - feat: Add support for setting client URLs ([#​4240](https://redirect.github.com/google/go-github/issues/4240)) - refactor: Add constants for API versions ([#​4236](https://redirect.github.com/google/go-github/issues/4236)) - docs: Formatting and punctuation changes ([#​4235](https://redirect.github.com/google/go-github/issues/4235)) - feat: Add `GetParentIssue` for sub-issues ([#​4232](https://redirect.github.com/google/go-github/issues/4232)) - chore: Bump go-github from v86 to v87 in /scrape ([#​4234](https://redirect.github.com/google/go-github/issues/4234)) </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
9aa4e897e7 |
chore(deps): update tool dependencies (#37965)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/air-verse/air](https://redirect.github.com/air-verse/air) | `v1.65.2` → `v1.65.3` |  |  | | [github.com/editorconfig-checker/editorconfig-checker/v3](https://redirect.github.com/editorconfig-checker/editorconfig-checker) | `v3.6.1` → `v3.7.0` |  |  | --- ### Release Notes <details> <summary>air-verse/air (github.com/air-verse/air)</summary> ### [`v1.65.3`](https://redirect.github.com/air-verse/air/releases/tag/v1.65.3) [Compare Source](https://redirect.github.com/air-verse/air/compare/v1.65.2...v1.65.3) ##### What's Changed - Extend stale workflow timeout by [@​xiantang](https://redirect.github.com/xiantang) in [#​903](https://redirect.github.com/air-verse/air/pull/903) - Increase stale workflow operation limit by [@​xiantang](https://redirect.github.com/xiantang) in [#​904](https://redirect.github.com/air-verse/air/pull/904) - Add review guidelines for coding agents by [@​xiantang](https://redirect.github.com/xiantang) in [#​905](https://redirect.github.com/air-verse/air/pull/905) - Add configurable color output mode by [@​xiantang](https://redirect.github.com/xiantang) in [#​907](https://redirect.github.com/air-verse/air/pull/907) - fix: rewatch files after atomic saves by [@​xiantang](https://redirect.github.com/xiantang) in [#​908](https://redirect.github.com/air-verse/air/pull/908) - follow-up: fix watcher recovery after atomic saves by [@​xiantang](https://redirect.github.com/xiantang) in [#​909](https://redirect.github.com/air-verse/air/pull/909) - Accept .config/air.toml by [@​bersace](https://redirect.github.com/bersace) in [#​716](https://redirect.github.com/air-verse/air/pull/716) - fix: keep built binary after app shutdown by [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) in [#​911](https://redirect.github.com/air-verse/air/pull/911) ##### New Contributors - [@​bersace](https://redirect.github.com/bersace) made their first contribution in [#​716](https://redirect.github.com/air-verse/air/pull/716) **Full Changelog**: <https://github.com/air-verse/air/compare/v1.65.2...v1.65.3> </details> <details> <summary>editorconfig-checker/editorconfig-checker (github.com/editorconfig-checker/editorconfig-checker/v3)</summary> ### [`v3.7.0`](https://redirect.github.com/editorconfig-checker/editorconfig-checker/releases/tag/v3.7.0) [Compare Source](https://redirect.github.com/editorconfig-checker/editorconfig-checker/compare/v3.6.1...v3.7.0) ##### Features - **files:** expand glob patterns in passed-file args ([#​190](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/190)) ([#​558](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/558)) ([4c0f326](https://redirect.github.com/editorconfig-checker/editorconfig-checker/commit/4c0f326cfa71fb0dd80c0c71b1844b2550ed799e)) ##### Bug Fixes - **cli:** auto-enable no-color when output format is github-actions ([#​557](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/557)) ([9f4014c](https://redirect.github.com/editorconfig-checker/editorconfig-checker/commit/9f4014ce0944f601472e5cbfaec31f711890c780)) - detect binary files before decoding to prevent false text ([#​550](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/550)) ([f47b30c](https://redirect.github.com/editorconfig-checker/editorconfig-checker/commit/f47b30c96713107bc4fe0b7a05e79a293c4874dd)) </details> --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
GiteaBot
|
5c084c883c | [skip ci] Updated translations via Crowdin | ||
|
GiteabotandGitHub
|
d07a42e777 |
fix(deps): update module golang.org/x/image to v0.41.0 [security] (#37904)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.40.0` → `v0.41.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.40.0...refs/tags/v0.41.0) |  |  | --- ### Panic when reading out of bound palette index in golang.org/x/image/bmp [CVE-2026-42500](https://nvd.nist.gov/vuln/detail/CVE-2026-42500) / [GO-2026-5031](https://pkg.go.dev/vuln/GO-2026-5031) <details> <summary>More information</summary> #### Details Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. #### Severity Unknown #### References - [https://go.dev/issue/79576](https://go.dev/issue/79576) - [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI) - [https://go.dev/cl/781500](https://go.dev/cl/781500) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5031) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff [CVE-2026-46599](https://nvd.nist.gov/vuln/detail/CVE-2026-46599) / [GO-2026-5032](https://pkg.go.dev/vuln/GO-2026-5032) <details> <summary>More information</summary> #### Details The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. #### Severity Unknown #### References - [https://go.dev/issue/79577](https://go.dev/issue/79577) - [https://go.dev/cl/759960](https://go.dev/cl/759960) - [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5032) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteaBot
|
e5ce5bfae5 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
9e7fadb089 | [skip ci] Updated translations via Crowdin | ||
|
GiteabotandGitHub
|
5badd1bdee |
fix(deps): update go dependencies (#37851)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [connectrpc.com/connect](https://redirect.github.com/connectrpc/connect-go) | `v1.19.2` → `v1.20.0` |  |  | | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.4` → `v1.0.5` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.29.0` → `v2.30.0` |  |  | --- ### Release Notes <details> <summary>connectrpc/connect-go (connectrpc.com/connect)</summary> ### [`v1.20.0`](https://redirect.github.com/connectrpc/connect-go/releases/tag/v1.20.0) [Compare Source](https://redirect.github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0) #### What's Changed ##### Other changes - Bump minimum supported Go version to 1.25 by [@​jonbodner-buf](https://redirect.github.com/jonbodner-buf) in [#​922](https://redirect.github.com/connectrpc/connect-go/issues/922) - Update Unary-Get query parameter order to match spec recommendation by [@​oliversun9](https://redirect.github.com/oliversun9) in [#​926](https://redirect.github.com/connectrpc/connect-go/issues/926) #### New Contributors - [@​jonbodner-buf](https://redirect.github.com/jonbodner-buf) made their first contribution in [#​922](https://redirect.github.com/connectrpc/connect-go/issues/922) **Full Changelog**: <https://github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0> </details> <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.5`](https://gitea.com/gitea/runner/releases/tag/v1.0.5) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.4...v1.0.5) #### Changelog - fix(deps): update module connectrpc.com/connect to v1.20.0 ([#​985](https://redirect.github.com/gitea/runner/issues/985)) - update docker cli to v29.5.2 ([#​984](https://redirect.github.com/gitea/runner/issues/984)) - feat: add cache.offline\_mode to reuse cached actions ([#​966](https://redirect.github.com/gitea/runner/issues/966)) - Remove stale Gitea 1.20 compatibility shims ([#​978](https://redirect.github.com/gitea/runner/issues/978)) - fix(deps): update module github.com/docker/cli to v29.5.1+incompatible ([#​979](https://redirect.github.com/gitea/runner/issues/979)) - fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 ([#​980](https://redirect.github.com/gitea/runner/issues/980)) </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.30.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.30.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0) #### 2.30.0 ##### 🚀 Features - feat(orbit): add GetDsl for /api/v4/orbit/schema/dsl ([!2901](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2901)) by [Michael Angelo Rivera](https://gitlab.com/michaelangeloio) ### [2.30.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0) (2026-05-20) ##### Features * **orbit:** add GetDsl for /api/v4/orbit/schema/dsl ([530031c](https://gitlab.com/gitlab-org/api/client-go/commit/530031c2854b05d05f69815ea3a7ca8fb65341a5)) </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
326db5c932 |
chore(deps): update dependency @stylistic/stylelint-plugin to v5.2.0 (#37852)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@stylistic/stylelint-plugin](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic) | [`5.1.0` → `5.2.0`](https://renovatebot.com/diffs/npm/@stylistic%2fstylelint-plugin/5.1.0/5.2.0) |  |  | --- ### Release Notes <details> <summary>stylelint-stylistic/stylelint-stylistic (@​stylistic/stylelint-plugin)</summary> ### [`v5.2.0`](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/blob/HEAD/CHANGELOG.md#520--20260520) [Compare Source](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/compare/v5.1.0...v5.2.0) ##### Added - The `declaration-block-semicolon-newline-before` rule is now autofixable. ##### Fixed - An exception for an empty custom property value has been added to the `declaration-block-semicolon-newline-before` and `declaration-colon-space-after` rules: the `--custom-prop: ;` and `--custom-prop:;` variants are now considered valid (see [#​50](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/issues/50)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
1c130d2eb6 |
chore(deps): update npm dependencies (#37848)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.3` → `11.2.1`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.2.1) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.1` → `17.12.0`](https://renovatebot.com/diffs/npm/stylelint/17.11.1/17.12.0) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1) ##### Patch Changes - Mark optional subdependency snapshots of config dependencies with `optional: true` in the env lockfile, matching how optional dependencies are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's `optionalDependencies` were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required. - Fix `pickRegistryForPackage` returning the wrong registry for an unscoped `npm:` alias under a scoped local name. A manifest entry like `"@​private/foo": "npm:lodash@^1"` was routing the `lodash` fetch through `registries["@​private"]`, even though `lodash` is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or `null` for an unscoped target, falling through to `registries.default`) instead of leaking into the local key's scope. - Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed. ### [`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0) ##### Minor Changes - **Experimental:** Adding [`@pnpm/pacquet`](https://npmx.dev/package/@​pnpm/pacquet) (the Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now delegates the materialization phase of `pnpm install` to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine [#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723). To configure pacquet in a project, run: ``` pnpm add @​pnpm/pacquet --config ``` You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create. - `configDependencies` now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os`/`cpu`/`libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly. The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version — ranges and tags are rejected to keep installs reproducible. - Implement the documented `pnpm login --scope <scope>` flag. The scope is normalized (a leading `@` is added if missing; blank values are ignored) and an `@<scope>:registry=<registry>` mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of `@<scope>/*` packages then route to the chosen registry. Previously `pnpm login --scope foo` errored with `Unknown option: 'scope'` despite the flag being listed in the online documentation [#​11716](https://redirect.github.com/pnpm/pnpm/issues/11716). - `pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes installed as project dependencies (`runtime:` specifiers). Previously these were silently skipped. ##### Patch Changes - Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir <project> install` from a CI wrapper or monorepo script). The path is now resolved against the directory of the `.npmrc` that declared it, not `process.cwd()`. Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path [#​11624](https://redirect.github.com/pnpm/pnpm/issues/11624). - Fix `config.registry` getting a trailing slash appended when `registry` is set in `.npmrc` and no `registries.default` is provided by `pnpm-workspace.yaml`. The sync from `registries.default` to `config.registry` introduced in [#​11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now only fires when the workspace manifest actually contributes a different default. - Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error. - Fix two crashes with `injectWorkspacePackages: true` when the lockfile has been pruned (e.g. by `turbo prune --docker`): - `Cannot use 'in' operator to search for 'directory' in undefined`: a peer-dependency-variant injected snapshot inherits its `resolution` from the base `packages:` entry; when a pruner drops that base entry the readers crash. `convertToLockfileObject` now reconstructs the directory resolution from the `file:` depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot. - `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after `prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported each injected workspace package; the `scanDir`-into-`filesMap` workaround fed target-internal paths to the importer, which the `makeEmptyDir` fast path ([#​11088](https://redirect.github.com/pnpm/pnpm/issues/11088)) then wiped. Drop the workaround and pass `keepModulesDir: true` so the importer preserves the target's existing `node_modules` (bin links + transitive deps) and source files keep their hardlinks. - Fixed `pnpm login` and `pnpm logout` ignoring `registries.default` from `pnpm-workspace.yaml` [#​10099](https://redirect.github.com/pnpm/pnpm/issues/10099). - Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose `modified` field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full metadata wasn't permitted). Since `modified` is an upper bound on every version's publish time, `modified == publishedBy` already implies every version passes the per-version `<=` filter in `filterPkgMetadataByPublishDate`, so the shortcut now accepts the boundary case directly. Strictly `>` (was `>=`) at the rejection branch. - Honor `publishConfig.access` when publishing packages. </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.12.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17120---2026-05-20) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.1...17.12.0) It fixes 3 bugs, including a false negative one. - Fixed: `block-no-empty` reported range when using comments ([#​9294](https://redirect.github.com/stylelint/stylelint/pull/9294)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `declaration-property-value-no-unknown` false negatives for custom properties defined in reference files ([#​9292](https://redirect.github.com/stylelint/stylelint/pull/9292)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `value-keyword-layout-mappings` false positives for `caption-side` ([#​9293](https://redirect.github.com/stylelint/stylelint/pull/9293)) ([@​romainmenke](https://redirect.github.com/romainmenke)). </details> --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
821d3c4672 | fix(deps): update module github.com/google/go-github/v86 to v87 (#37845) | ||
|
GiteabotandGitHub
|
2775158024 |
chore(deps): update module github.com/air-verse/air to v1.65.2 (#37840)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/air-verse/air](https://redirect.github.com/air-verse/air) | `v1.65.1` → `v1.65.2` |  |  | --- ### Release Notes <details> <summary>air-verse/air (github.com/air-verse/air)</summary> ### [`v1.65.2`](https://redirect.github.com/air-verse/air/releases/tag/v1.65.2) [Compare Source](https://redirect.github.com/air-verse/air/compare/v1.65.1...v1.65.2) ##### What's Changed - docs: clarify Go install binary path by [@​xiantang](https://redirect.github.com/xiantang) in [#​900](https://redirect.github.com/air-verse/air/pull/900) - fix: keep app running until rebuild succeeds by [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) in [#​897](https://redirect.github.com/air-verse/air/pull/897) - docs: add Scoop install instructions by [@​xiantang](https://redirect.github.com/xiantang) in [#​901](https://redirect.github.com/air-verse/air/pull/901) - Resolve root directory if symlinked by [@​caleb-fringer](https://redirect.github.com/caleb-fringer) in [#​742](https://redirect.github.com/air-verse/air/pull/742) - Add stale issue workflow by [@​xiantang](https://redirect.github.com/xiantang) in [#​902](https://redirect.github.com/air-verse/air/pull/902) ##### New Contributors - [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) made their first contribution in [#​897](https://redirect.github.com/air-verse/air/pull/897) - [@​caleb-fringer](https://redirect.github.com/caleb-fringer) made their first contribution in [#​742](https://redirect.github.com/air-verse/air/pull/742) **Full Changelog**: <https://github.com/air-verse/air/compare/v1.65.1...v1.65.2> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
7daab82344 |
chore(deps): update redis:latest docker digest to 48e78eb (#37838)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | redis | service | digest | `94ea4f5` → `48e78eb` | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
1b1113b509 |
fix(deps): update go dependencies (#37841)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.3` → `v1.0.4` |  |  | | [github.com/SaveTheRbtz/zstd-seekable-format-go/pkg](https://redirect.github.com/SaveTheRbtz/zstd-seekable-format-go) | `v0.8.0` → `v0.8.3` |  |  | | [github.com/jhillyerd/enmime/v2](https://redirect.github.com/jhillyerd/enmime) | `v2.3.0` → `v2.4.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.26.0` → `v2.29.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.4`](https://gitea.com/gitea/runner/releases/tag/v1.0.4) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.3...v1.0.4) #### Changelog - Fix token use with schemaless Gitea instance ([#​977](https://redirect.github.com/gitea/runner/issues/977)) - Add OCI `source` and `version` labels to images ([#​975](https://redirect.github.com/gitea/runner/issues/975)) - fix(parse\_env\_file): support env-file lines larger than 64 KiB ([#​974](https://redirect.github.com/gitea/runner/issues/974)) - Fix host cleanup, volume allowlist, cache upload, and action host edge cases ([#​970](https://redirect.github.com/gitea/runner/issues/970)) - Remove dead code from `act/` ([#​971](https://redirect.github.com/gitea/runner/issues/971)) - fix: Return if executors length is zero in ParallelExecutor ([#​960](https://redirect.github.com/gitea/runner/issues/960)) - feat: make pseudo-TTY allocation opt-in ([#​961](https://redirect.github.com/gitea/runner/issues/961)) - fix(deps): update module github.com/docker/cli to v29.5.0+incompatible ([#​969](https://redirect.github.com/gitea/runner/issues/969)) - Simplify kubernetes dind example allowing for default docker config in workflows ([#​709](https://redirect.github.com/gitea/runner/issues/709)) - chore(deps): bump `retry-go`, `golangci-lint`, `govulncheck` ([#​965](https://redirect.github.com/gitea/runner/issues/965)) - fix(deps): bump `docker` deps, switch to `moby/moby` ([#​943](https://redirect.github.com/gitea/runner/issues/943)) - fix: respect proxy env vars in runner client ([#​962](https://redirect.github.com/gitea/runner/issues/962)) </details> <details> <summary>jhillyerd/enmime (github.com/jhillyerd/enmime/v2)</summary> ### [`v2.4.0`](https://redirect.github.com/jhillyerd/enmime/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0) #### What's Changed - feat!: Refactor EnvelopeFromPart()'s scope by [@​bgedney](https://redirect.github.com/bgedney) in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - chore: rm unused func by [@​aleksandr4842](https://redirect.github.com/aleksandr4842) in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) - chore: bump Go (1.25.x) & deps by [@​jhillyerd](https://redirect.github.com/jhillyerd) in [#​394](https://redirect.github.com/jhillyerd/enmime/pull/394) #### New Contributors - [@​bgedney](https://redirect.github.com/bgedney) made their first contribution in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - [@​aleksandr4842](https://redirect.github.com/aleksandr4842) made their first contribution in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) **Full Changelog**: <https://github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.29.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.29.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) #### 2.29.0 ##### 🚀 Features - Add support for project setting `protect_merge_request_pipelines` ([!2896](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2896)) by [Gatla Vishweshwar Reddy](https://gitlab.com/gatlavishweshwarreddy26) ##### 🐛 Bug Fixes - fix(orbit): add QueryRaw for streaming llm/GOON response body verbatim ([!2897](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2897)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) ### [2.29.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) (2026-05-19) ##### Bug Fixes * **orbit:** add QueryRaw for streaming llm/GOON response body verbatim ([a849302](https://gitlab.com/gitlab-org/api/client-go/commit/a8493022225b928aaa340df86fc4d09c2d22c1f4)) ### [`v2.28.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.28.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.1...v2.28.0) #### 2.28.0 ##### 🚀 Features - Add signing_token and related fields to group_hook and project_hook ([!2891](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2891)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ##### 🔄 Other Changes - WithPath already escapes, escaping again causes bad requests ([!2898](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2898)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ### [2.28.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.1...v2.28.0) (2026-05-18) ### [`v2.27.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.27.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.0...v2.27.1) #### 2.27.1 ##### 🐛 Bug Fixes - fix: handle string-encoded and null durations in webhooks that happen when Sidekiq runs in compress mode with large payloads ([!2862](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2862)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module buf.build/go/protoyaml to v0.7.0 ([!2894](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2894)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) #### [2.27.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.27.0...v2.27.1) (2026-05-18) ##### Bug Fixes * handle string-encoded and null durations in webhooks that happen when Sidekiq runs in compress mode with large payloads ([8bfe7d3](https://gitlab.com/gitlab-org/api/client-go/commit/8bfe7d3effc77dc370ceee9939b13d81c6d383d0)) ### [`v2.27.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.27.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.1...v2.27.0) #### 2.27.0 ##### 🚀 Features - feat(users): add SCIMIdentities field to User type ([!2888](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2888)) by [dragonrider.](https://gitlab.com/junevm) ##### 🔄 Other Changes - chore(deps): update node docker tag to v26 ([!2890](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2890)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update docker docker tag to v29.4.3 ([!2892](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2892)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.27.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.1...v2.27.0) (2026-05-18) ##### Features * **users:** add SCIMIdentities field to User type ([ccb318d](https://gitlab.com/gitlab-org/api/client-go/commit/ccb318dc531df3a2d3bf641bb273eb1a777555a4)) ### [`v2.26.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.26.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.0...v2.26.1) #### 2.26.1 ##### 🐛 Bug Fixes - Use a sentinel ErrorResponse for 404 errors, so both `Is()` and `HasStatusCode` work properly ([!2884](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2884)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) #### [2.26.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.26.0...v2.26.1) (2026-05-15) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
953090fda4 |
fix(deps): update npm dependencies (#37844)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/legacy-modes | [`6.5.2` → `6.5.3`](https://renovatebot.com/diffs/npm/@codemirror%2flegacy-modes/6.5.2/6.5.3) |  |  | | @​codemirror/view | [`6.42.1` → `6.43.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.1/6.43.0) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.25.0` → `19.26.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.25.0/19.26.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.7.0` → `25.9.1`](https://renovatebot.com/diffs/npm/@types%2fnode/25.7.0/25.9.1) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.3/8.59.4) |  |  | | [@vitejs/plugin-vue](https://redirect.github.com/vitejs/vite-plugin-vue/tree/main/packages/plugin-vue#readme) ([source](https://redirect.github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue)) | [`6.0.6` → `6.0.7`](https://renovatebot.com/diffs/npm/@vitejs%2fplugin-vue/6.0.6/6.0.7) |  |  | | [clippie](https://redirect.github.com/silverwind/clippie) | [`4.1.15` → `4.2.0`](https://renovatebot.com/diffs/npm/clippie/4.1.15/4.2.0) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` → `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | | [eslint-plugin-playwright](https://redirect.github.com/mskelton/eslint-plugin-playwright) | [`2.10.2` → `2.10.4`](https://renovatebot.com/diffs/npm/eslint-plugin-playwright/2.10.2/2.10.4) |  |  | | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.46` → `0.16.47`](https://renovatebot.com/diffs/npm/katex/0.16.46/0.16.47) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.1` → `11.1.3`](https://renovatebot.com/diffs/npm/pnpm/11.1.1/11.1.3) |  |  | | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.14` → `8.5.15`](https://renovatebot.com/diffs/npm/postcss/8.5.14/8.5.15) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.5/3.0.7) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.0` → `17.11.1`](https://renovatebot.com/diffs/npm/stylelint/17.11.0/17.11.1) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.3/8.59.4) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.11` → `17.16.13`](https://renovatebot.com/diffs/npm/updates/17.16.11/17.16.13) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.12` → `8.0.13`](https://renovatebot.com/diffs/npm/vite/8.0.12/8.0.13) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.6` → `4.1.7`](https://renovatebot.com/diffs/npm/vitest/4.1.6/4.1.7) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.9` → `3.3.1`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.9/3.3.1) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.26.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19260) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.25.0...v19.26.0) ##### Minor Changes - [#​1197](https://redirect.github.com/primer/octicons/pull/1197) [`b45f1d35`](https://redirect.github.com/primer/octicons/commit/b45f1d35477402da4df64ae3a38dae8e95477dc4) Thanks [@​lukasoppermann](https://redirect.github.com/lukasoppermann)! - Add repo-forked-locked icon ##### Patch Changes - [#​1209](https://redirect.github.com/primer/octicons/pull/1209) [`9a7e2146`](https://redirect.github.com/primer/octicons/commit/9a7e2146907d2b0bf06d2dd65d2d17d4c3959108) Thanks [@​siddharthkp](https://redirect.github.com/siddharthkp)! - fix: remove hardcoded fill from sandbox icon </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitejs/vite-plugin-vue (@​vitejs/plugin-vue)</summary> ### [`v6.0.7`](https://redirect.github.com/vitejs/vite-plugin-vue/blob/HEAD/packages/plugin-vue/CHANGELOG.md#small-607-2026-05-15-small) ##### Features - use carets for `@rolldown/pluginutils` version ([#​776](https://redirect.github.com/vitejs/vite-plugin-vue/issues/776)) ([941b651](https://redirect.github.com/vitejs/vite-plugin-vue/commit/941b651d8329559fce9231aad4e178f54cccb013)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#​762](https://redirect.github.com/vitejs/vite-plugin-vue/issues/762)) ([9e825b8](https://redirect.github.com/vitejs/vite-plugin-vue/commit/9e825b85ebe9b6006dc5927aaa8aabc0bcc7eceb)) - **deps:** update all non-major dependencies ([#​774](https://redirect.github.com/vitejs/vite-plugin-vue/issues/774)) ([77dc8bc](https://redirect.github.com/vitejs/vite-plugin-vue/commit/77dc8bc935216bb7ed13f1c2653a80ffdc99fd45)) </details> <details> <summary>silverwind/clippie (clippie)</summary> ### [`v4.2.0`](https://redirect.github.com/silverwind/clippie/releases/tag/4.2.0) [Compare Source](https://redirect.github.com/silverwind/clippie/compare/4.1.15...4.2.0) - tests: make fallback block concurrent-safe (silverwind) - add ClippieCopyable type (silverwind) - fallback: use el.value.length for setSelectionRange end (silverwind) - update deps, replace describe.sequential with concurrent: false (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) - simplify and fix minor issues (silverwind) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.0`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.0) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.3.0...v10.4.0) #### Features - [`1a45ec5`](https://redirect.github.com/eslint/eslint/commit/1a45ec596af1dd5f880e6874cb8f24dafb6a7ecf) feat: check sequence expressions in `for-direction` ([#​20701](https://redirect.github.com/eslint/eslint/issues/20701)) (kuldeep kumar) - [`450040b`](https://redirect.github.com/eslint/eslint/commit/450040bd89b989b3531824c6be45feb5fe3d936b) feat: add `includeIgnoreFile()` to `eslint/config` ([#​20735](https://redirect.github.com/eslint/eslint/issues/20735)) (Kirk Waiblinger) #### Bug Fixes - [`544c0c3`](https://redirect.github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be) fix: escape code path DOT labels in debug output ([#​20866](https://redirect.github.com/eslint/eslint/issues/20866)) (Pixel998) - [`6799431`](https://redirect.github.com/eslint/eslint/commit/6799431203f2579632d0870f98ba132067f4040c) fix: update dependency [@​eslint/config-helpers](https://redirect.github.com/eslint/config-helpers) to ^0.6.0 ([#​20850](https://redirect.github.com/eslint/eslint/issues/20850)) (renovate\[bot]) - [`f078fef`](https://redirect.github.com/eslint/eslint/commit/f078fef5005dceb14fc162aab7c7200e027688dd) fix: handle non-array deprecated rule replacements ([#​20825](https://redirect.github.com/eslint/eslint/issues/20825)) (xbinaryx) #### Documentation - [`7e52a71`](https://redirect.github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f) docs: add mention of `@eslint-react/eslint-plugin` ([#​20869](https://redirect.github.com/eslint/eslint/issues/20869)) (Pavel) - [`db3468b`](https://redirect.github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08) docs: tweak wording around ambiguous CJS-vs-ESM config ([#​20865](https://redirect.github.com/eslint/eslint/issues/20865)) (Kirk Waiblinger) - [`9084664`](https://redirect.github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a) docs: Update README (GitHub Actions Bot) - [`9cc7387`](https://redirect.github.com/eslint/eslint/commit/9cc73875046e3c4b8313644cbb1e99e26b36bd3f) docs: Update README (GitHub Actions Bot) - [`3d7b548`](https://redirect.github.com/eslint/eslint/commit/3d7b5484407403817aa9071a394d336d8ea96eb5) docs: Update README (GitHub Actions Bot) - [`191ec3c`](https://redirect.github.com/eslint/eslint/commit/191ec3c0a3f94ce0f110df761f0b2b8949011ccb) docs: Update README (GitHub Actions Bot) #### Chores - [`6616856`](https://redirect.github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf) chore: upgrade knip to v6 ([#​20875](https://redirect.github.com/eslint/eslint/issues/20875)) (Pixel998) - [`d13b084`](https://redirect.github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554) ci: ensure auto-created PRs run CI ([#​20860](https://redirect.github.com/eslint/eslint/issues/20860)) (lumir) - [`e71c7af`](https://redirect.github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594) ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 ([#​20862](https://redirect.github.com/eslint/eslint/issues/20862)) (dependabot\[bot]) - [`d84393d`](https://redirect.github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99) test: add unit tests for SuppressionsService.applySuppressions() ([#​20863](https://redirect.github.com/eslint/eslint/issues/20863)) (kuldeep kumar) - [`24db8cb`](https://redirect.github.com/eslint/eslint/commit/24db8cb8e6f07fba667121777a15b1785486be94) test: add tests for SuppressionsService.save() ([#​20802](https://redirect.github.com/eslint/eslint/issues/20802)) (kuldeep kumar) - [`2ef0549`](https://redirect.github.com/eslint/eslint/commit/2ef0549cac4a9537e4c3a26b9f3edd4c99476bf6) chore: update ecosystem plugins ([#​20857](https://redirect.github.com/eslint/eslint/issues/20857)) (github-actions\[bot]) - [`a429791`](https://redirect.github.com/eslint/eslint/commit/a4297918d264d229a06cd96051ef9b91c7b86732) ci: remove `eslint-webpack-plugin` types integration test ([#​20668](https://redirect.github.com/eslint/eslint/issues/20668)) (Milos Djermanovic) - [`9e37386`](https://redirect.github.com/eslint/eslint/commit/9e37386aa7f2ce220b2ef74a6afbac5f6b3527c5) chore: replace `recast` with range approach in code-sample-minimizer ([#​20682](https://redirect.github.com/eslint/eslint/issues/20682)) (Copilot) - [`0dd1f9f`](https://redirect.github.com/eslint/eslint/commit/0dd1f9ffc9a07704d46e2a4c8d4ccc0d0908b0c0) test: disable warning for `vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` ([#​20845](https://redirect.github.com/eslint/eslint/issues/20845)) (Francesco Trotta) - [`9da3c7b`](https://redirect.github.com/eslint/eslint/commit/9da3c7bc92d9579f8db19ecb56e718538d09db2b) refactor: remove deprecated `meta.language` and migrate `meta.dialects` ([#​20716](https://redirect.github.com/eslint/eslint/issues/20716)) (Pixel998) - [`2099ed1`](https://redirect.github.com/eslint/eslint/commit/2099ed12a0a74c3d7f0808514362af2499b4fe2b) refactor: add `meta.defaultOptions` to more rules, enable linting ([#​20800](https://redirect.github.com/eslint/eslint/issues/20800)) (xbinaryx) - [`f1dfbc9`](https://redirect.github.com/eslint/eslint/commit/f1dfbc9ca57196de7092e1888cc99427bd6fe06e) chore: update ecosystem plugins ([#​20836](https://redirect.github.com/eslint/eslint/issues/20836)) (github-actions\[bot]) - [`c759413`](https://redirect.github.com/eslint/eslint/commit/c75941390c14728806cd4baef4f6072f6de78318) ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 ([#​20843](https://redirect.github.com/eslint/eslint/issues/20843)) (dependabot\[bot]) - [`5b817d6`](https://redirect.github.com/eslint/eslint/commit/5b817d6fdc9ae2c35b528dc662b2eca8f40f64aa) test: add unit tests for lib/shared/ast-utils ([#​20838](https://redirect.github.com/eslint/eslint/issues/20838)) (kuldeep kumar) - [`1c13ae3`](https://redirect.github.com/eslint/eslint/commit/1c13ae3934c198c494e5958fa3a68b33244ff06a) test: add unit tests for lib/shared/severity ([#​20835](https://redirect.github.com/eslint/eslint/issues/20835)) (kuldeep kumar) </details> <details> <summary>mskelton/eslint-plugin-playwright (eslint-plugin-playwright)</summary> ### [`v2.10.4`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.4) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.3...v2.10.4) ##### Bug Fixes - **valid-title:** Skip title checks for anonymous describe blocks ([894c0ec](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/894c0ec261763bb1e073b276c70bbf88b4ebad39)) ### [`v2.10.3`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.3) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.2...v2.10.3) ##### Bug Fixes - **missing-playwright-await:** Fix false positive when not assigning awaited variable ([#​464](https://redirect.github.com/mskelton/eslint-plugin-playwright/issues/464)) ([801f01a](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/801f01aa8a5e279b65939e06d63f7e0d2b638f93)) </details> <details> <summary>KaTeX/KaTeX (katex)</summary> ### [`v0.16.47`](https://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01647-2026-05-16) [Compare Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.46...v0.16.47) ##### Bug Fixes - correct size of `[` big delimiter ([#​4217](https://redirect.github.com/KaTeX/KaTeX/issues/4217)) ([7ba0027](https://redirect.github.com/KaTeX/KaTeX/commit/7ba0027d2f04abddd3b215362f867ab8260b09d7)), closes [#​4215](https://redirect.github.com/KaTeX/KaTeX/issues/4215) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1113) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.2...v11.1.3) ##### Patch Changes - `pnpm install` now re-validates `pnpm-lock.yaml` entries against the active `minimumReleaseAge` and `trustPolicy: 'no-downgrade'` policies before any tarball is fetched. Lockfiles resolved elsewhere (committed to the repo, restored from a CI cache, produced by an older pnpm) under a weaker or absent policy can no longer install a freshly-published or trust-downgraded version silently. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`, `ERR_PNPM_TRUST_DOWNGRADE`, or the generic `ERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATION` when both policies trip in the same batch; `minimumReleaseAgeExclude` and `trustPolicyExclude` are honored. Verification results are cached so repeat installs against an unchanged lockfile take a fast path, and pnpm shows a transient progress line while the registry round-trip runs. When fresh resolution picks an immature version, the behavior depends on `minimumReleaseAgeStrict`: - **Loose mode** — the default, in effect whenever `minimumReleaseAge` keeps its built-in 24-hour value — auto-adds the immature picks to `minimumReleaseAgeExclude` in `pnpm-workspace.yaml` and lets the install proceed. A single info message lists what was persisted. - **Strict mode** in an interactive terminal collects every immature direct AND transitive pick in one pass and prompts once with the full list. Approving adds them to `minimumReleaseAgeExclude` and the install continues; declining aborts before the lockfile, `package.json`, or `node_modules` is touched. - **Strict mode** in CI (or any non-TTY context) aborts with `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing every offending entry, instead of failing on the first one the resolver hit. `minimumReleaseAgeStrict` auto-enables whenever the user explicitly sets `minimumReleaseAge` (CLI flag, env var, global `config.yaml`, or `pnpm-workspace.yaml`); set `minimumReleaseAgeStrict: false` to keep loose-mode auto-collect even with an explicit `minimumReleaseAge` value. Closes [#​10438](https://redirect.github.com/pnpm/pnpm/issues/10438), [#​10488](https://redirect.github.com/pnpm/pnpm/issues/10488), [#​11687](https://redirect.github.com/pnpm/pnpm/issues/11687). - Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error. - Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. - Global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#​9249](https://redirect.github.com/pnpm/pnpm/issues/9249). The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them. This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that: 1. Workspace manifest `allowBuilds` takes precedence (if present) 2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists) 3. Empty `{}` is only applied as a last resort when no policy is configured anywhere - Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#​11636](https://redirect.github.com/pnpm/pnpm/issues/11636). - Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#​11612](https://redirect.github.com/pnpm/pnpm/issues/11612). - Anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. Three changes: - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. On upgrade, two one-time GVS slot churns are possible: - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. In both cases the old slots become prune-eligible. - Resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value. Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:<version>'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `<pkgDir>/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `<platform>;<arch>;node<major>` triple disagreed with the Node the build actually ran on. Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis: - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings). - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node. Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present. On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#​11690](https://redirect.github.com/pnpm/pnpm/issues/11690). - Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#​11513](https://redirect.github.com/pnpm/pnpm/issues/11513). - Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#​11676](https://redirect.github.com/pnpm/pnpm/issues/11676). The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win. - Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry. Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#​11674](https://redirect.github.com/pnpm/pnpm/issues/11674). - Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#​11677](https://redirect.github.com/pnpm/pnpm/issues/11677). ### [`v11.1.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1112) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.1...v11.1.2) ##### Patch Changes - `convertEnginesRuntimeToDependencies`: switch the runtime-dependency write to `Object.defineProperty` so the CodeQL `js/prototype-polluting-assignment` rule treats the assignment as safe regardless of the property name (follow-up to [#​11609](https://redirect.github.com/pnpm/pnpm/pull/11609)). - Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (`__proto__`, `constructor`, `prototype`), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser. - Strip `sec-fetch-*` headers from outgoing HTTP requests. These headers are automatically added by undici's `fetch()` implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests [#​11572](https://redirect.github.com/pnpm/pnpm/issues/11572). - Fix `minimumReleaseAge` handling for cached abbreviated metadata. The version-spec cache fast path no longer rethrows `ERR_PNPM_MISSING_TIME` under `strictPublishedByCheck`; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block. When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version `time`), pnpm now re-fetches with `fullMetadata: true` if `minimumReleaseAge` is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning. Closes [#​11619](https://redirect.github.com/pnpm/pnpm/issues/11619). - Fix `pnpm upgrade --interactive --latest -r` not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. `"catalog:foo"`) would incorrectly rewrite `package.json` to `"catalog:"` and place the updated version in the default catalog instead of the named one [#​10115](https://redirect.github.com/pnpm/pnpm/issues/10115). - Fixed `optimisticRepeatInstall` skipping `pnpm-lock.yaml` merge conflict resolution when the existing `node_modules` state appears up to date. - Fix `minimumReleaseAge` / `resolutionMode: time-based` installs failing on lockfiles whose `time:` block is missing entries. The npm-resolver's peek-from-store fast path now surfaces `publishedAt` from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand. </details> <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.15`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8515) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.14...8.5.15) - Fixed declaration parsing performance (by [@​homanp](https://redirect.github.com/homanp)). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.7`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.7) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.6...3.0.7) - update deps (silverwind) - skip readdir when package has a "LICENSE" file (silverwind) - clarify dedup comment: package.json reads are not deduped, only readdir/readFile (silverwind) - skip readdir/readFile for duplicate package paths (silverwind) ### [`v3.0.6`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.6) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.5...3.0.6) - update deps (silverwind) - skip duplicate license reads, preserve wrap indentation (silverwind) - batch generateBundle IO into two phases for \~11% speedup (silverwind) </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.11.1`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17111---2026-05-14) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.0...17.11.1) It fixes 2 bugs. - Fixed: `node_modules` ignore for `codeFilename` paths containing a dot-prefixed directory ([#​9282](https://redirect.github.com/stylelint/stylelint/pull/9282)) ([@​tuhtah](https://redirect.github.com/tuhtah)). - Fixed: `declaration-block-no-redundant-longhand-properties` range for contiguous redundant longhand properties ([#​9273](https://redirect.github.com/stylelint/stylelint/pull/9273)) ([@​pamelalozano16](https://redirect.github.com/pamelalozano16)). </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) ##### 🩹 Fixes - **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#​12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340)) ##### ❤️ Thank You - Kirk Waiblinger [@​kirkwaiblinger](https://redirect.github.com/kirkwaiblinger) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.13`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.13) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.12...17.16.13) - Speed up findVersion hot loop (silverwind) - Minor simplifications (silverwind) - Fix Go pseudo-version write corruption and selectTag tag ordering (silverwind) - Fix parser/replace edge cases across modes (silverwind) ### [`v17.16.12`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.12) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.11...17.16.12) - Fix several parser/URL edge cases across modes (silverwind) - bump vitest-config-silverwind to 11.3.5 (silverwind) - speed up tests (silverwind) - perf: reduce redundant work in hot paths (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.13`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8013-2026-05-14-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.12...v8.0.13) ##### Features - **bundled-dev:** add lazy bundling support ([#​21406](https://redirect.github.com/vitejs/vite/issues/21406)) ([4f0949f](https://redirect.github.com/vitejs/vite/commit/4f0949f3f13e4b2b34d32bf7b2b4de5f26bea192)) - **optimizer:** improve the esbuild plugin converter to pass some properties of build result to `onEnd` ([#​22357](https://redirect.github.com/vitejs/vite/issues/22357)) ([47071ce](https://redirect.github.com/vitejs/vite/commit/47071ce53f21726cf39e999c4407c4828ecbe957)) - update rolldown to 1.0.1 ([#​22444](https://redirect.github.com/vitejs/vite/issues/22444)) ([8c766a6](https://redirect.github.com/vitejs/vite/commit/8c766a6c5ee014969c4e32f29cc265e8e2c96e18)) ##### Bug Fixes - **build:** copy public directory after building same environment with `write=false` ([#​22328](https://redirect.github.com/vitejs/vite/issues/22328)) ([158e8ae](https://redirect.github.com/vitejs/vite/commit/158e8ae8efdf7075ab295727e36b5ff68da3243e)) - **css:** await sass/less/styl worker disposal on teardown (fix [#​22274](https://redirect.github.com/vitejs/vite/issues/22274)) ([#​22275](https://redirect.github.com/vitejs/vite/issues/22275)) ([b7edcb7](https://redirect.github.com/vitejs/vite/commit/b7edcb7d0dd17ddfeef4ace78d610c099216dade)) - **css:** keep deprecated `name`/`originalFileName` in synthetic `assetFileNames` call ([#​22439](https://redirect.github.com/vitejs/vite/issues/22439)) ([8e59c97](https://redirect.github.com/vitejs/vite/commit/8e59c97a44d923c4c06f67287a793c9aa5a4ebaa)) - make `isBundled` per environment ([#​22257](https://redirect.github.com/vitejs/vite/issues/22257)) ([a576326](https://redirect.github.com/vitejs/vite/commit/a5763266170f8606836da5c6f987b4b2fd6ddc55)) - **ssr:** avoid rewriting labels that collide with imports ([#​22451](https://redirect.github.com/vitejs/vite/issues/22451)) ([d9b18e0](https://redirect.github.com/vitejs/vite/commit/d9b18e0387a253628d3d834288e79c5f7e85d566)) ##### Miscellaneous Chores - remove irrelevant commits from changelog ([#​22430](https://redirect.github.com/vitejs/vite/issues/22430)) ([6ea3838](https://redirect.github.com/vitejs/vite/commit/6ea383859aaf0ef8e673b458f164e84aeb6ff51d)) - update changelog ([#​22413](https://redirect.github.com/vitejs/vite/issues/22413)) ([fcdc87c](https://redirect.github.com/vitejs/vite/commit/fcdc87cc6799857e2bab0f44f333a681694fff74)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.7`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.7) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) ##### 🐞 Bug Fixes - **runner**: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa) in [#​10384](https://redirect.github.com/vitest-dev/vitest/issues/10384) [<samp>(4f0f2)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/4f0f2a1ee) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.1`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#331-2026-05-19) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.0...v3.3.1) ##### language-core - **fix:** avoid extraneous children error for conditional slots ([#​6056](https://redirect.github.com/vuejs/language-tools/issues/6056)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **refactor:** replace scanner-based missing props hints detection with AST traversal - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **fix:** get component prop details from symbols - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** skip unchecked JS identifiers in component props ([#​6055](https://redirect.github.com/vuejs/language-tools/issues/6055)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### vscode - **fix:** resolve typescript plugin path from resolved server path ([#​6058](https://redirect.github.com/vuejs/language-tools/issues/6058)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ### [`v3.3.0`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#330-2026-05-18) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.2.9...v3.3.0) ##### language-core - **feat:** check required fallthrough attributes ([#​6049](https://redirect.github.com/vuejs/language-tools/issues/6049)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** penetrate `v-if` branch fragments when collecting single root nodes - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **refactor:** rename `Sfc` APIs to `IR` - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **fix:** reuse ASTs for define assignment suggestions - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** re-support `html.customData` ([#​5910](https://redirect.github.com/vuejs/language-tools/issues/5910)) - Thanks to [@​Bomberus](https://redirect.github.com/Bomberus)! - **fix:** strip `=""` only for plain boolean props completion edits - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** reset to default data provider after running with vue data provider - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **feat:** refine props completion logic to follow TS behavior ([#​5709](https://redirect.github.com/vuejs/language-tools/issues/5709)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! ##### vscode - **fix:** include `extraFileExtensions` in tsserver `configure` request payload ([#​6048](https://redirect.github.com/vuejs/language-tools/issues/6048)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** write typescript plugins at build time ([#​6050](https://redirect.github.com/vuejs/language-tools/issues/6050)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! - **fix:** avoid infinite diagnostics on Vue files when project diagnostics is enabled ([#​6051](https://redirect.github.com/vuejs/language-tools/issues/6051)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
420a6eb5ab |
chore(deps): update dependency zizmor to v1.25.2 (#37839)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [zizmor](https://docs.zizmor.sh) ([source](https://redirect.github.com/zizmorcore/zizmor)) | `==1.25.1` → `==1.25.2` |  |  | --- ### Release Notes <details> <summary>zizmorcore/zizmor (zizmor)</summary> ### [`v1.25.2`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.25.2) [Compare Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.25.1...v1.25.2) #### Bug Fixes 🐛[🔗](https://docs.zizmor.sh/release-notes/#bug-fixes) - Fixed a bug where the [unpinned-tools](https://docs.zizmor.sh/audits/#unpinned-tools) audit would incorrectly flag the [aquasecurity/trivy-action](https://redirect.github.com/aquasecurity/trivy-action) action as installing an unpinned tool version, rather than [aquasecurity/setup-trivy](https://redirect.github.com/aquasecurity/setup-trivy) ([#​2018](https://redirect.github.com/zizmorcore/zizmor/issues/2018)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteaBot
|
748d4a8040 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d8a45db3dd | [skip ci] Updated translations via Crowdin | ||
|
GiteabotandGitHub
|
4c37f4dacb | fix(deps): update module golang.org/x/net to v0.55.0 [security] (#37813) | ||
|
GiteabotandGitHub
|
9d737a6400 |
fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (#37806)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.51.0` → `v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0) |  |  | --- ### Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent [CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833) / [GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005) <details> <summary>More information</summary> #### Details The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. #### Severity Unknown #### References - [https://go.dev/issue/79436](https://go.dev/issue/79436) - [https://go.dev/cl/778640](https://go.dev/cl/778640) - [https://go.dev/cl/778641](https://go.dev/cl/778641) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5005) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent [CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832) / [GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006) <details> <summary>More information</summary> #### Details When adding a key to a remote agent constraint extensions such as restrict-destination-v00@​openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. #### Severity Unknown #### References - [https://go.dev/issue/79435](https://go.dev/issue/79435) - [https://go.dev/cl/778642](https://go.dev/cl/778642) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5006) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh [CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597) / [GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013) <details> <summary>More information</summary> #### Details An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. #### Severity Unknown #### References - [https://go.dev/issue/79561](https://go.dev/issue/79561) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781620](https://go.dev/cl/781620) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5013) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh [CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828) / [GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014) <details> <summary>More information</summary> #### Details When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error. #### Severity Unknown #### References - [https://go.dev/issue/79562](https://go.dev/issue/79562) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781621](https://go.dev/cl/781621) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5014) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh [CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835) / [GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015) <details> <summary>More information</summary> #### Details SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. #### Severity Unknown #### References - [https://go.dev/issue/79563](https://go.dev/issue/79563) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781660](https://go.dev/cl/781660) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5015) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh [CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827) / [GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016) <details> <summary>More information</summary> #### Details An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection. #### Severity Unknown #### References - [https://go.dev/issue/35127](https://go.dev/issue/35127) - [https://go.dev/cl/781320](https://go.dev/cl/781320) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5016) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh [CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830) / [GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017) <details> <summary>More information</summary> #### Details A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. #### Severity Unknown #### References - [https://go.dev/issue/79564](https://go.dev/issue/79564) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781640](https://go.dev/cl/781640) - [https://go.dev/cl/781664](https://go.dev/cl/781664) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5017) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh [CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829) / [GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018) <details> <summary>More information</summary> #### Details The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2. #### Severity Unknown #### References - [https://go.dev/issue/79565](https://go.dev/issue/79565) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781641](https://go.dev/cl/781641) - [https://go.dev/cl/781661](https://go.dev/cl/781661) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5018) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh [CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831) / [GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019) <details> <summary>More information</summary> #### Details The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@​openssh.com, sk-ssh-ed25519@​openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. #### Severity Unknown #### References - [https://go.dev/issue/79566](https://go.dev/issue/79566) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781662](https://go.dev/cl/781662) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5019) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh [CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834) / [GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020) <details> <summary>More information</summary> #### Details When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. #### Severity Unknown #### References - [https://go.dev/issue/79567](https://go.dev/issue/79567) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781663](https://go.dev/cl/781663) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5020) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking auth bypass via unenforced @​revoked status in golang.org/x/crypto/ssh/knownhosts [CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508) / [GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021) <details> <summary>More information</summary> #### Details Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @​revoked. #### Severity Unknown #### References - [https://go.dev/issue/79568](https://go.dev/issue/79568) - [https://go.dev/cl/781220](https://go.dev/cl/781220) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5021) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh [CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595) / [GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023) <details> <summary>More information</summary> #### Details Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. #### Severity Unknown #### References - [https://go.dev/issue/79570](https://go.dev/issue/79570) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) - [https://go.dev/cl/781642](https://go.dev/cl/781642) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5023) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent [CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598) / [GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033) <details> <summary>More information</summary> #### Details For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. #### Severity Unknown #### References - [https://go.dev/issue/79596](https://go.dev/issue/79596) - [https://go.dev/cl/781360](https://go.dev/cl/781360) - [https://groups.google.com/g/golang-announce/c/a082jnz-LvI](https://groups.google.com/g/golang-announce/c/a082jnz-LvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5033) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
42e167b054 |
fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (#37786)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` |  |  | --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
343eaa8940 |
fix(deps): update npm dependencies (#37768)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.45` → `0.16.46`](https://renovatebot.com/diffs/npm/katex/0.16.45/0.16.46) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.8` → `3.2.9`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.8/3.2.9) |  |  | |
||
|
GiteabotandGitHub
|
0b7fc8a579 |
fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 (#37771)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.25.0` → `v2.26.0` |  |  | |
||
|
GiteaBot
|
78d744aa01 | [skip ci] Updated translations via Crowdin | ||
|
GiteabotandGitHub
|
81b544c279 |
fix(deps): update module google.golang.org/grpc to v1.81.1 (#37762)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.81.0` → `v1.81.1` |  |  | --- ### Release Notes <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.81.1`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.81.1): Release 1.81.1 [Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1) ### Security - xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per [gRFC A41](https://redirect.github.com/grpc/proposal/blob/master/A41-xds-rbac.md). ([#​9111](https://redirect.github.com/grpc/grpc-go/issues/9111)) - Special Thanks: [@​al4an444](https://redirect.github.com/al4an444) ### Bug Fixes - otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. ([#​9081](https://redirect.github.com/grpc/grpc-go/issues/9081)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
e60ca35d52 |
fix(deps): update go dependencies (#37752)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending | |---|---|---|---|---|---|---| | code.gitea.io/sdk/gitea | `v0.25.0` → `v0.25.1` |  |  | require | patch | | | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.0` → `v1.0.3` |  |  | require | patch | `v1.0.4` | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.137.0` → `v0.138.0` |  |  | require | minor | | | [github.com/go-co-op/gocron/v2](https://redirect.github.com/go-co-op/gocron) | `v2.21.1` → `v2.21.2` |  |  | require | patch | | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.2` → `v0.17.3` |  |  | require | patch | | | [github.com/google/pprof](https://redirect.github.com/google/pprof) | `545e8a4` → `92041b7` |  |  | require | digest | | | [github.com/wneessen/go-mail](https://redirect.github.com/wneessen/go-mail) | `v0.7.2` → `v0.7.3` |  |  | require | patch | | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.24.1` → `v2.25.0` |  |  | require | minor | `v2.27.0` (+2) | | [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.50.0` → `v0.51.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.50.0...refs/tags/v0.51.0) |  |  | require | minor | | | [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.39.0` → `v0.40.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.39.0...refs/tags/v0.40.0) |  |  | require | minor | | | [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.53.0` → `v0.54.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.53.0...refs/tags/v0.54.0) |  |  | require | minor | | | [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) | [`v0.36.0` → `v0.37.0`](https://cs.opensource.google/go/x/text/+/refs/tags/v0.36.0...refs/tags/v0.37.0) |  |  | require | minor | | | [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.50.0` → `v1.50.1` |  |  | require | patch | | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.3`](https://gitea.com/gitea/runner/releases/tag/v1.0.3) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.2...v1.0.3) #### Changelog - fix: isolate per-task runner envs ([#​959](https://redirect.github.com/gitea/runner/issues/959)) - fix(deps): update module github.com/opencontainers/selinux to v1.14.1 ([#​955](https://redirect.github.com/gitea/runner/issues/955)) - fix(deps): update mergo to v1.0.2 (now `dario.cat/mergo`) ([#​954](https://redirect.github.com/gitea/runner/issues/954)) - fix: ensure `dbfs_data` is cleaned up after task completion ([#​952](https://redirect.github.com/gitea/runner/issues/952)) - fix(artifactcache): preserve cache key case to stop redundant uploads ([#​947](https://redirect.github.com/gitea/runner/issues/947)) - fix(deps): update module golang.org/x/term to v0.43.0 ([#​948](https://redirect.github.com/gitea/runner/issues/948)) ### [`v1.0.2`](https://gitea.com/gitea/runner/releases/tag/v1.0.2) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.1...v1.0.2) #### Changelog - fix: overwrite read-only files when copying action directories ([#​942](https://redirect.github.com/gitea/runner/issues/942)) - docs: add apparmor=rootlesskit in security\_opt ([#​937](https://redirect.github.com/gitea/runner/issues/937)) - fix: serialize action-cache reads to prevent worktree race ([#​938](https://redirect.github.com/gitea/runner/issues/938)) - feat: remove emojis from runner logging, add `Starting job container` group ([#​940](https://redirect.github.com/gitea/runner/issues/940)) ### [`v1.0.1`](https://gitea.com/gitea/runner/releases/tag/v1.0.1) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.0...v1.0.1) #### Changelog - [`dff63b3`](https://redirect.github.com/gitea/runner/commit/dff63b3ecc4320d340d3b5511f91a65eb2e2e6c2) fix(deps): update module github.com/go-git/go-git/v5 to v5.19.0 ([#​934](https://redirect.github.com/gitea/runner/issues/934)) - [`a5d9fe9`](https://redirect.github.com/gitea/runner/commit/a5d9fe965120c0b398a6349005dd9a73eb6e511c) fix(deps): update module github.com/opencontainers/selinux to v1.14.0 ([#​928](https://redirect.github.com/gitea/runner/issues/928)) - [`d607f3b`](https://redirect.github.com/gitea/runner/commit/d607f3b342e351197691a08795189972071d6374) test: clean up dead/stale fixtures and bump test container images ([#​932](https://redirect.github.com/gitea/runner/issues/932)) - [`5e59402`](https://redirect.github.com/gitea/runner/commit/5e59402fb2ad128c3f3008d4c41c7d3d03ed3f19) fix: re-fetch cached reusable workflow on every run ([#​930](https://redirect.github.com/gitea/runner/issues/930)) - [`dfeb463`](https://redirect.github.com/gitea/runner/commit/dfeb463904e768bb33086563d620a1925c278618) chore(deps): update docker docker tag to v29 ([#​924](https://redirect.github.com/gitea/runner/issues/924)) </details> <details> <summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.138.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.138.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.137.0...v0.138.0) #### What's Changed - openapi3gen: clear nullable on exported component bodies by [@​0-don](https://redirect.github.com/0-don) in [#​1164](https://redirect.github.com/getkin/kin-openapi/pull/1164) - openapi3: add test for issue [#​927](https://redirect.github.com/getkin/kin-openapi/issues/927) (nullable not respected on $ref schemas) by [@​fenollp](https://redirect.github.com/fenollp) in [#​1165](https://redirect.github.com/getkin/kin-openapi/pull/1165) - test: move public-API tests to external \_test packages by [@​fenollp](https://redirect.github.com/fenollp) in [#​1168](https://redirect.github.com/getkin/kin-openapi/pull/1168) - feat(openapi3): add per-type validation errors with cluster wrappers by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1166](https://redirect.github.com/getkin/kin-openapi/pull/1166) - feat(openapi3conv): canonicalization pass for 3.0 -> 3.x by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1162](https://redirect.github.com/getkin/kin-openapi/pull/1162) - openapi3conv: test Upgrade on many documents by [@​fenollp](https://redirect.github.com/fenollp) in [#​1169](https://redirect.github.com/getkin/kin-openapi/pull/1169) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.137.0...v0.138.0> </details> <details> <summary>go-co-op/gocron (github.com/go-co-op/gocron/v2)</summary> ### [`v2.21.2`](https://redirect.github.com/go-co-op/gocron/releases/tag/v2.21.2) [Compare Source](https://redirect.github.com/go-co-op/gocron/compare/v2.21.1...v2.21.2) #### What's Changed - fix: defer WithLimitedRuns job removal until task completes ([#​925](https://redirect.github.com/go-co-op/gocron/issues/925)) by [@​SAY-5](https://redirect.github.com/SAY-5) in [#​926](https://redirect.github.com/go-co-op/gocron/pull/926) #### New Contributors - [@​SAY-5](https://redirect.github.com/SAY-5) made their first contribution in [#​926](https://redirect.github.com/go-co-op/gocron/pull/926) **Full Changelog**: <https://github.com/go-co-op/gocron/compare/v2.21.1...v2.21.2> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.3`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0173-2026-05-09) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.2...v0.17.3) ##### Dependency Updates This release just contains updates to dependencies. </details> <details> <summary>wneessen/go-mail (github.com/wneessen/go-mail)</summary> ### [`v0.7.3`](https://redirect.github.com/wneessen/go-mail/releases/tag/v0.7.3): : Skippable UTF-8 support, improved Base64LineBreaker, binary size reducing, fixes and more [Compare Source](https://redirect.github.com/wneessen/go-mail/compare/v0.7.2...v0.7.3) Welcome to go-mail v0.7.3! 🎉 This release brings some cool improvements, new features, and fixes to go-mail. We hope you enjoy it! #### Notable changes/improvements/features/fixes ##### Deadline fix for connections to a TLS port without TLS PR [#​521](https://redirect.github.com/wneessen/go-mail/issues/521) fixes a missing deadline in the `Client` that could cause a deadlock for connections to a TLS port without TLS enabled. Thanks to [@​james-d-elliott](https://redirect.github.com/james-d-elliott) for finding and fixing this issue! ##### Preseve EHLO and HELO errors PR [#​528](https://redirect.github.com/wneessen/go-mail/issues/528) fixes an error for cases in which both the HELO and EHLO fail during a client connect. In this case the first error would be overwritten by the 2nd action, potentially deleting valuable information. In go-mail v0.7.3 both errors are now combined. Thanks to [@​Yanhu007](https://redirect.github.com/Yanhu007) for their contribution! ##### Improved Base64LineBreaker In PR [#​512](https://redirect.github.com/wneessen/go-mail/issues/512) [@​srpvpn](https://redirect.github.com/srpvpn) refactored the `Base64LineBreaker` type to be more performant and easier to read by removing the recursion. Thanks for your contribution! ##### Reduce binary size by making text/template and html/template support optional In PR [#​518](https://redirect.github.com/wneessen/go-mail/issues/518) [@​sblinch](https://redirect.github.com/sblinch) introduced a new compile time flag `gomailnotpl` which will make the `text/template` and `html/template` optional. Background is, that using `reflect.Value.Method` or `reflect.Value.MethodByName` prevents Go from performing full dead-code elimination because any exported method of any struct in the codebase could potentially be referenced at runtime. Unfortunately `text/template` and `html/template` do exactly this to allow method invocation from within templates. So in case your code does not need template support, you can use the new compile flag to remove the support for both packages completely and same some bytes in the resulting binary. Thanks for your contribution! ##### Fix nil pointer panic in partWriter PR [#​543](https://redirect.github.com/wneessen/go-mail/issues/543) fixes a potential nil pointer panic in the partWriter in case the underlying `io.Writer` returns an error during a multipart message write. Thanks to [@​UgurTheG](https://redirect.github.com/UgurTheG) for reporting and fixing the issue! ##### Provide access to HELO responses in the SMTP client PR [#​530](https://redirect.github.com/wneessen/go-mail/issues/530) adds support to access the HELO/EHLO responses via the `smtp.Client`. This feature is useful when using an SMTP servers pool behind a load balancer, to know which instance took the job. Thanks to [@​maxatome](https://redirect.github.com/maxatome) for submitting this feature! ##### Multiple addresses support in ReplyTo header PR [#​517](https://redirect.github.com/wneessen/go-mail/issues/517) adds support for multiple `Reply-To` addresses within a `Msg`, as permitted in RFC5322. Thanks to [@​christian-heusel](https://redirect.github.com/christian-heusel) for pointing this out and for comitting the PR! ##### Support to disable SMTPUTF8 in the MAIL FROM even if the server announces it PR [#​548](https://redirect.github.com/wneessen/go-mail/issues/548) adds support for skipping the `SMTPUTF8` extension to `MAIL FROM` commands. By default, when a server announces `SMTPUTF8` support in the EHLO, go-mail will add `SMTPUTF8` to the `MAIL FROM` command. As pointed out in [#​545](https://redirect.github.com/wneessen/go-mail/issues/545), some SMTP servers (e. g. specific MS Exchange versions) announce the SMTPUTF8 extension in the EHLO response but when adding the SMTPUTF8 to the MAIL FROM, they will fail with an error. The PR introduces a new `WithoutSMTPUTF8()` option for the `Client` which will make sure to skip the SMTPUTF8 extension in the MAIL FROM, even if the server announced it previously. Thanks [@​mkalus](https://redirect.github.com/mkalus) for reporting this issue and for their detailed analysis in [#​545](https://redirect.github.com/wneessen/go-mail/issues/545). #### What's Changed - minor fix for func ResetWithSMTPClient and DialAndSendWithContext by [@​sarff](https://redirect.github.com/sarff) in [#​500](https://redirect.github.com/wneessen/go-mail/pull/500) - Refactored `SendWithSMTPClient` to improve error handling and added test cases by [@​wneessen](https://redirect.github.com/wneessen) in [#​502](https://redirect.github.com/wneessen/go-mail/pull/502) - Refactored test and validation logic for message content checks by [@​wneessen](https://redirect.github.com/wneessen) in [#​503](https://redirect.github.com/wneessen/go-mail/pull/503) - Fix a docstring typo by [@​mitar](https://redirect.github.com/mitar) in [#​505](https://redirect.github.com/wneessen/go-mail/pull/505) - Upstream sync: prevent test failures due to expired test certificate by [@​wneessen](https://redirect.github.com/wneessen) in [#​522](https://redirect.github.com/wneessen/go-mail/pull/522) - fix: deadline not set for initial connection read by [@​james-d-elliott](https://redirect.github.com/james-d-elliott) in [#​521](https://redirect.github.com/wneessen/go-mail/pull/521) - Add deadlock test for client connections by [@​wneessen](https://redirect.github.com/wneessen) in [#​525](https://redirect.github.com/wneessen/go-mail/pull/525) - fix: preserve EHLO error when both EHLO and HELO fail by [@​Yanhu007](https://redirect.github.com/Yanhu007) in [#​528](https://redirect.github.com/wneessen/go-mail/pull/528) - refactor: remove recursion from base64LineBreaker.Write by [@​srpvpn](https://redirect.github.com/srpvpn) in [#​512](https://redirect.github.com/wneessen/go-mail/pull/512) - Make text/template support optional to allow dead-code elimination by [@​sblinch](https://redirect.github.com/sblinch) in [#​518](https://redirect.github.com/wneessen/go-mail/pull/518) - fix: prevent nil pointer panic in writeBody when partWriter is nil by [@​UgurTheG](https://redirect.github.com/UgurTheG) in [#​543](https://redirect.github.com/wneessen/go-mail/pull/543) - feat: add (\*smtp.Client).HelloResponse method to get EHLO/HELO response by [@​maxatome](https://redirect.github.com/maxatome) in [#​530](https://redirect.github.com/wneessen/go-mail/pull/530) - feat: add option to skip SMTPUTF8 in "MAIL FROM" commands by [@​wneessen](https://redirect.github.com/wneessen) in [#​548](https://redirect.github.com/wneessen/go-mail/pull/548) - Allow multiple Addresses in ReplyTo Header and add GetReplyTo() by [@​christian-heusel](https://redirect.github.com/christian-heusel) in [#​517](https://redirect.github.com/wneessen/go-mail/pull/517) #### CI/CD maintenance changes - Bump golang.org/x/text from 0.29.0 to 0.30.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​501](https://redirect.github.com/wneessen/go-mail/pull/501) - Bump golang.org/x/text from 0.30.0 to 0.31.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​506](https://redirect.github.com/wneessen/go-mail/pull/506) - Bump golang.org/x/text from 0.31.0 to 0.32.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​509](https://redirect.github.com/wneessen/go-mail/pull/509) - Bump Go and `golang.org/x/text` module versions by [@​wneessen](https://redirect.github.com/wneessen) in [#​526](https://redirect.github.com/wneessen/go-mail/pull/526) - Bump golang.org/x/text from 0.35.0 to 0.36.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​527](https://redirect.github.com/wneessen/go-mail/pull/527) - Updated `.golangci.toml` for linter exclusions on specific use cases by [@​wneessen](https://redirect.github.com/wneessen) in [#​523](https://redirect.github.com/wneessen/go-mail/pull/523) - Updated CI configuration for Go and OS versions in workflows by [@​wneessen](https://redirect.github.com/wneessen) in [#​524](https://redirect.github.com/wneessen/go-mail/pull/524) - Bump golangci/golangci-lint-action from 7.0.0 to 9.2.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​535](https://redirect.github.com/wneessen/go-mail/pull/535) - Bump ossf/scorecard-action from 2.4.0 to 2.4.3 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​534](https://redirect.github.com/wneessen/go-mail/pull/534) - Bump fsfe/reuse-action from 5.0.0 to 6.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​533](https://redirect.github.com/wneessen/go-mail/pull/533) - Bump vmactions/freebsd-vm from 1.1.5 to 1.4.5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​532](https://redirect.github.com/wneessen/go-mail/pull/532) - Bump step-security/harden-runner from 2.10.2 to 2.19.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​531](https://redirect.github.com/wneessen/go-mail/pull/531) - Bump actions/dependency-review-action from 4.5.0 to 4.9.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​540](https://redirect.github.com/wneessen/go-mail/pull/540) - Bump actions/setup-go from 5.2.0 to 6.4.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​539](https://redirect.github.com/wneessen/go-mail/pull/539) - Bump codecov/codecov-action from 5.1.1 to 6.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​538](https://redirect.github.com/wneessen/go-mail/pull/538) - Bump actions/upload-artifact from 4.5.0 to 7.0.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​537](https://redirect.github.com/wneessen/go-mail/pull/537) - Bump github/codeql-action from 3.27.9 to 4.35.3 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​536](https://redirect.github.com/wneessen/go-mail/pull/536) - Bump step-security/harden-runner from 2.19.0 to 2.19.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​541](https://redirect.github.com/wneessen/go-mail/pull/541) - Bump golang.org/x/text from 0.36.0 to 0.37.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​547](https://redirect.github.com/wneessen/go-mail/pull/547) - Bump actions/dependency-review-action from 4.9.0 to 5.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​546](https://redirect.github.com/wneessen/go-mail/pull/546) - Bump github/codeql-action from 4.35.3 to 4.35.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​544](https://redirect.github.com/wneessen/go-mail/pull/544) #### New Contributors - [@​mitar](https://redirect.github.com/mitar) made their first contribution in [#​505](https://redirect.github.com/wneessen/go-mail/pull/505) - [@​Yanhu007](https://redirect.github.com/Yanhu007) made their first contribution in [#​528](https://redirect.github.com/wneessen/go-mail/pull/528) - [@​srpvpn](https://redirect.github.com/srpvpn) made their first contribution in [#​512](https://redirect.github.com/wneessen/go-mail/pull/512) - [@​sblinch](https://redirect.github.com/sblinch) made their first contribution in [#​518](https://redirect.github.com/wneessen/go-mail/pull/518) - [@​UgurTheG](https://redirect.github.com/UgurTheG) made their first contribution in [#​543](https://redirect.github.com/wneessen/go-mail/pull/543) - [@​maxatome](https://redirect.github.com/maxatome) made their first contribution in [#​530](https://redirect.github.com/wneessen/go-mail/pull/530) - [@​christian-heusel](https://redirect.github.com/christian-heusel) made their first contribution in [#​517](https://redirect.github.com/wneessen/go-mail/pull/517) **Full Changelog**: <https://github.com/wneessen/go-mail/compare/v0.7.2...v0.7.3> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.25.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.25.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.1...v2.25.0) #### 2.25.0 ##### 🚀 Features - feat: Add GraphQL API support for security attributes and categories ([!2856](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2856)) by [Caleb Madara](https://gitlab.com/calebmadara58) ##### 🔄 Other Changes - chore(deps): update dependency golangci-lint to v2.12.1 ([!2880](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2880)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - Resolve lint errors on `main` causing pipeline failures ([!2882](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2882)) by [Patrick Rice](https://gitlab.com/PatrickRice) - chore(deps): update dependency golangci-lint to v2.12.0 ([!2879](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2879)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.25.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.1...v2.25.0) (2026-05-11) ##### Features * Add GraphQL API support for security attributes and categories ([8496635](https://gitlab.com/gitlab-org/api/client-go/commit/84966353d99e83e975bd23c83fec1b7023cfd621)) </details> <details> <summary>cznic/sqlite (modernc.org/sqlite)</summary> ### [`v1.50.1`](https://gitlab.com/cznic/sqlite/compare/v1.50.0...v1.50.1) [Compare Source](https://gitlab.com/cznic/sqlite/compare/v1.50.0...v1.50.1) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: silverwind <me@silverwind.io> |
||
|
GiteabotandGitHub
|
4ee8266519 |
chore(deps): update action dependencies (#37751)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pnpm/action-setup](https://redirect.github.com/pnpm/action-setup) | action | patch | `v6.0.5` → `v6.0.8` | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.13` → `v46.1.14` | --- ### Release Notes <details> <summary>pnpm/action-setup (pnpm/action-setup)</summary> ### [`v6.0.8`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.8) [Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.7...v6.0.8) ##### What's Changed - docs(README): fix `cache_dependency_path` type by [@​haines](https://redirect.github.com/haines) in [#​257](https://redirect.github.com/pnpm/action-setup/pull/257) - fix: drop patchPnpmEnv so standalone+self-update works on Windows by [@​zkochan](https://redirect.github.com/zkochan) in [#​258](https://redirect.github.com/pnpm/action-setup/pull/258) - fix: update pnpm to 11.1.1 by [@​mungodewar](https://redirect.github.com/mungodewar) in [#​248](https://redirect.github.com/pnpm/action-setup/pull/248) ##### New Contributors - [@​mungodewar](https://redirect.github.com/mungodewar) made their first contribution in [#​248](https://redirect.github.com/pnpm/action-setup/pull/248) **Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.7...v6.0.8> ### [`v6.0.7`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.7) [Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.6...v6.0.7) ##### What's Changed - fix: honor devEngines.packageManager.onFail=error ([#​252](https://redirect.github.com/pnpm/action-setup/issues/252)) by [@​zkochan](https://redirect.github.com/zkochan) in [#​254](https://redirect.github.com/pnpm/action-setup/pull/254) - fix: restore inputs from state in post by [@​haines](https://redirect.github.com/haines) in [#​255](https://redirect.github.com/pnpm/action-setup/pull/255) - fix: self-update bootstrap to packageManager-pinned version ([#​233](https://redirect.github.com/pnpm/action-setup/issues/233)) by [@​zkochan](https://redirect.github.com/zkochan) in [#​256](https://redirect.github.com/pnpm/action-setup/pull/256) ##### New Contributors - [@​haines](https://redirect.github.com/haines) made their first contribution in [#​255](https://redirect.github.com/pnpm/action-setup/pull/255) **Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.6...v6.0.7> ### [`v6.0.6`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.6) [Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.5...v6.0.6) ##### What's Changed - fix: bin\_dest output points to self-updated pnpm, not bootstrap by [@​zkochan](https://redirect.github.com/zkochan) in [#​249](https://redirect.github.com/pnpm/action-setup/pull/249) **Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6.0.5...v6.0.6> </details> <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.14`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.14) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.13...v46.1.14) ##### Documentation - Revise Fine-grained Personal Access Tokens section ([#​1030](https://redirect.github.com/renovatebot/github-action/issues/1030)) ([fef7882](https://redirect.github.com/renovatebot/github-action/commit/fef7882e2c7377fd438898944dd399f6d7be271e)) - set `RENOVATE_PLATFORM_COMMIT` to `enabled` ([#​1029](https://redirect.github.com/renovatebot/github-action/issues/1029)) ([9d07dfa](https://redirect.github.com/renovatebot/github-action/commit/9d07dfa4f7a8ee66518d1b08f33ae9814d244dda)) - update references to renovatebot/github-action to v46.1.13 ([9a41b99](https://redirect.github.com/renovatebot/github-action/commit/9a41b990c5902829643afc33fd4d5a6f536b36cf)) ##### Miscellaneous Chores - cleanup ([8abcd0e](https://redirect.github.com/renovatebot/github-action/commit/8abcd0e9f084bb83d0df844052c4b31b39f60ef2)) - **deps:** update commitlint monorepo to v20.5.3 ([a4e124d](https://redirect.github.com/renovatebot/github-action/commit/a4e124de37c0841853e802687889d3ddb86e4f54)) - **deps:** update dependency globals to v17.6.0 ([d5ca6d4](https://redirect.github.com/renovatebot/github-action/commit/d5ca6d4cf379c9db32366fd12dfb619d7baffa36)) - **deps:** update dependency typescript-eslint to v8.59.1 ([1dd2319](https://redirect.github.com/renovatebot/github-action/commit/1dd2319cb41680fb027ac17b8703e7fdb3f35e35)) - enable pnpm `minimumReleaseAge` ([00a8327](https://redirect.github.com/renovatebot/github-action/commit/00a83273b5ee2973abb913a7bc81e3ee6cbcebd2)) ##### Build System - **deps:** lock file maintenance ([f6821a2](https://redirect.github.com/renovatebot/github-action/commit/f6821a23ac87497dc0625f5c60001d5eb85d23ef)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.7 ([1189f69](https://redirect.github.com/renovatebot/github-action/commit/1189f69d1f9835d1c90b27a3b0f679e21f0e1d20)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.162.0 ([43d0a48](https://redirect.github.com/renovatebot/github-action/commit/43d0a48b2590acc66b04f9c04fe44d8b66210d76)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.163.0 ([61a1654](https://redirect.github.com/renovatebot/github-action/commit/61a1654b1a1e4ce5e9bb0905af986b1357b0d427)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.163.1 ([4226876](https://redirect.github.com/renovatebot/github-action/commit/42268768581691fe71bebc5d4a54e979b343d643)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.163.2 ([b3318e0](https://redirect.github.com/renovatebot/github-action/commit/b3318e0a24aa6e5849ee6e2783ae9d048b8ffb3e)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.163.4 ([09fe3e9](https://redirect.github.com/renovatebot/github-action/commit/09fe3e9361ed5b46f5871b3d3d30b89138fb8cd7)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.164.0 ([5736585](https://redirect.github.com/renovatebot/github-action/commit/5736585dd1f36606bb51e36580751eb8b2f927aa)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.164.1 ([8b164cc](https://redirect.github.com/renovatebot/github-action/commit/8b164cce79c2d3e1b0378b414055aa32c2e2396b)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.164.2 ([44728cc](https://redirect.github.com/renovatebot/github-action/commit/44728cc6496f5d57c674def5fe4437bf43dfb744)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.165.0 ([bde1da1](https://redirect.github.com/renovatebot/github-action/commit/bde1da1de34c74300c4145d5d36145ab0ac403a3)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.166.0 ([#​1031](https://redirect.github.com/renovatebot/github-action/issues/1031)) ([4b957d1](https://redirect.github.com/renovatebot/github-action/commit/4b957d1cabe8967b8d3d4d1d5e72c336f93acc2c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.166.2 ([499cfeb](https://redirect.github.com/renovatebot/github-action/commit/499cfeb9d6d64e295dbabdc03d6811302dfb44d0)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.166.3 ([fe8a943](https://redirect.github.com/renovatebot/github-action/commit/fe8a9436e271c3ae9d0134419fbbbf57fe901665)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.167.0 ([f8ca6db](https://redirect.github.com/renovatebot/github-action/commit/f8ca6db77039c7b2df300bf1c0008bb6ca48feb9)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.168.4 ([2e15d66](https://redirect.github.com/renovatebot/github-action/commit/2e15d66203e5e5669337f080d41d707e2e30245c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.168.5 ([a87ee3d](https://redirect.github.com/renovatebot/github-action/commit/a87ee3d8ae59775aeabb41bff8b9dffa2a9850dd)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.168.6 ([683e7dd](https://redirect.github.com/renovatebot/github-action/commit/683e7dd082e83899dad9e727c8b22e9c472523eb)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.169.0 ([f6166e7](https://redirect.github.com/renovatebot/github-action/commit/f6166e7f7b6e4e444589ac774306a55697362bed)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.169.4 ([f1f81f9](https://redirect.github.com/renovatebot/github-action/commit/f1f81f959e2f65dfc38f6a71c5720914ad73c37c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.0 ([5473f54](https://redirect.github.com/renovatebot/github-action/commit/5473f54a8f760978d6a2cec08a5e261ce8f0b35e)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.12 ([b47aa13](https://redirect.github.com/renovatebot/github-action/commit/b47aa135111049a8f220c25f98f281cac991a585)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.13 ([7e8834d](https://redirect.github.com/renovatebot/github-action/commit/7e8834d80efbe46cdcd336f7d8335e94bf5d85e6)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.14 ([9b5f9e6](https://redirect.github.com/renovatebot/github-action/commit/9b5f9e6c8f97c2064cef2ba7b7459f424722c8f6)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.15 ([98631e8](https://redirect.github.com/renovatebot/github-action/commit/98631e88b8dfa52ea1da739e21e1969f04e88051)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.16 ([ab997a9](https://redirect.github.com/renovatebot/github-action/commit/ab997a9588a5a8c80507974d19166d0db4087947)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.17 ([24a51e0](https://redirect.github.com/renovatebot/github-action/commit/24a51e0fd8b1677ce32e8c45c661af3f0b5680c6)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.18 ([f82d2cd](https://redirect.github.com/renovatebot/github-action/commit/f82d2cd716eb8043a8f8d8458cdcff924d64e4a1)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.19 ([3d684f2](https://redirect.github.com/renovatebot/github-action/commit/3d684f2e0788a79e4b276480aaf841539b1899de)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.20 ([d7afc6b](https://redirect.github.com/renovatebot/github-action/commit/d7afc6be62e2f314c2e76e6310125bf53563e19d)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.3 ([306f0c9](https://redirect.github.com/renovatebot/github-action/commit/306f0c9105ab6cd95a0d354b1539d51731646012)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.8 ([f0eea19](https://redirect.github.com/renovatebot/github-action/commit/f0eea19bf3bb50cd26effe5e04e7d78d4c7f56b3)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.170.9 ([f3af74e](https://redirect.github.com/renovatebot/github-action/commit/f3af74eb2fa5d6b11658e5b26cf601faf2963d37)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
3d95a2f028 |
fix(deps): update module github.com/google/go-github/v85 to v86 (#37754)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/google/go-github/v85](https://redirect.github.com/google/go-github) | `v85.0.0` → `v86.0.0` |  |  | --- ### Release Notes <details> <summary>google/go-github (github.com/google/go-github/v85)</summary> ### [`v86.0.0`](https://redirect.github.com/google/go-github/releases/tag/v86.0.0) [Compare Source](https://redirect.github.com/google/go-github/compare/v85.0.0...v86.0.0) This release contains the following breaking API changes: - feat!: Refactor request context ([#​4151](https://redirect.github.com/google/go-github/issues/4151)) BREAKING CHANGE: All internal calls now provide `Context` via the `Request` itself. - feat!: Add OIDC authentication support to `PrivateRegistries` ([#​4159](https://redirect.github.com/google/go-github/issues/4159)) BREAKING CHANGE: `PrivateRegistriesService` is updated to API version `2026-03-10` with struct and response changes. ...and the following additional changes: - chore: Bump version of `go-github` to `v86.0.0` ([#​4198](https://redirect.github.com/google/go-github/issues/4198)) - test: Fix invalid JSON payloads in actions workflow runs tests ([#​4197](https://redirect.github.com/google/go-github/issues/4197)) - feat: Add repo download contents sentinel errors ([#​4192](https://redirect.github.com/google/go-github/issues/4192)) - chore: Fix `otel` module name ([#​4187](https://redirect.github.com/google/go-github/issues/4187)) - feat: Add typed Copilot metrics download helpers ([#​4177](https://redirect.github.com/google/go-github/issues/4177)) - feat: Add `deploy_keys_enabled_for_repositories` and secret scanning custom link fields to `Organization` struct ([#​4188](https://redirect.github.com/google/go-github/issues/4188)) - refactor: Use `testJSONBody` helper for request body assertions in tests ([#​4183](https://redirect.github.com/google/go-github/issues/4183)) - build(deps): Bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 in /tools ([#​4184](https://redirect.github.com/google/go-github/issues/4184)) - fix: Include `RetryAfter` in `AbuseRateLimitError.Error` output ([#​4181](https://redirect.github.com/google/go-github/issues/4181)) - fix: Handle string-typed reviewer `ID` in Ruleset API responses ([#​4178](https://redirect.github.com/google/go-github/issues/4178)) - feat: Add `ArchivedAt` field to `Organization` struct ([#​4179](https://redirect.github.com/google/go-github/issues/4179)) - feat: Add Copilot coding agent and content exclusion org endpoints ([#​4176](https://redirect.github.com/google/go-github/issues/4176)) - chore: Bump go-github from v84 to v85 in /scrape ([#​4174](https://redirect.github.com/google/go-github/issues/4174)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteabotandGitHub
|
aecb2585f0 |
fix(deps): update npm dependencies (#37753)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/view | [`6.42.0` → `6.42.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.0/6.42.1) |  |  | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.59.1` → `1.60.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.59.1/1.60.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.6.0` → `25.7.0`](https://renovatebot.com/diffs/npm/@types%2fnode/25.6.0/25.7.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.2/8.59.3) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.16` → `1.6.17`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.16/1.6.17) |  |  | | [eslint-plugin-de-morgan](https://redirect.github.com/azat-io/eslint-plugin-de-morgan) | [`2.1.1` → `2.1.2`](https://renovatebot.com/diffs/npm/eslint-plugin-de-morgan/2.1.1/2.1.2) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.0.0` → `3.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.0.0/3.1.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.0.8` → `11.1.1`](https://renovatebot.com/diffs/npm/pnpm/11.0.8/11.1.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.4` → `3.0.5`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.4/3.0.5) |  |  | | [swagger-ui-dist](https://redirect.github.com/swagger-api/swagger-ui) | [`5.32.5` → `5.32.6`](https://renovatebot.com/diffs/npm/swagger-ui-dist/5.32.5/5.32.6) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.3) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.9` → `17.16.11`](https://renovatebot.com/diffs/npm/updates/17.16.9/17.16.11) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.10` → `8.0.12`](https://renovatebot.com/diffs/npm/vite/8.0.10/8.0.12) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.5` → `4.1.6`](https://renovatebot.com/diffs/npm/vitest/4.1.5/4.1.6) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@​playwright/test)</summary> ### [`v1.60.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.60.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.59.1...v1.60.0) #### 🌐 HAR recording on Tracing [tracing.startHar()](https://playwright.dev/docs/api/class-tracing#tracing-start-har) / [tracing.stopHar()](https://playwright.dev/docs/api/class-tracing#tracing-stop-har) expose HAR recording as a first-class tracing API, with the same `content`, `mode` and `urlFilter` options as `recordHar`. The returned [Disposable](https://playwright.dev/docs/api/class-disposable) makes it easy to scope a recording with `await using`: ```js await using har = await context.tracing.startHar('trace.har'); const page = await context.newPage(); await page.goto('https://playwright.dev'); // HAR is finalized when `har` goes out of scope. ``` #### 🪝 Drop API New [locator.drop()](https://playwright.dev/docs/api/class-locator#locator-drop) simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches `dragenter`, `dragover`, and `drop` with a synthetic \[DataTransfer] in the page context — works cross-browser and is great for testing upload zones: ```js await page.locator('#dropzone').drop({ files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') }, }); await page.locator('#dropzone').drop({ data: { 'text/plain': 'hello world', 'text/uri-list': 'https://example.com', }, }); ``` #### 🎯 Aria snapshots - [expect(page).toMatchAriaSnapshot()](https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-match-aria-snapshot) now works on a [Page](https://playwright.dev/docs/api/class-page), in addition to a [Locator](https://playwright.dev/docs/api/class-locator) — equivalent to asserting against `page.locator('body')`. - New `boxes` option on [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) / [page.ariaSnapshot()](https://playwright.dev/docs/api/class-page#page-aria-snapshot) appends each element's bounding box as `[box=x,y,width,height]`, useful for AI consumption. #### 🛑 test.abort() New [test.abort()](https://playwright.dev/docs/api/class-test#test-abort) aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away: ```js test('does not publish to the shared page', async ({ page }) => { await page.route('**/publish', route => { test.abort('Tests must not publish to the shared page. Use the `clone` option.'); return route.abort(); }); // ... }); ``` #### New APIs ##### Browser, Context and Page - Event [browser.on('context')](https://playwright.dev/docs/api/class-browser#browser-event-context) — fired when a new context is created on the browser. - [BrowserContext](https://playwright.dev/docs/api/class-browsercontext) now mirrors lifecycle events from its pages: [browserContext.on('download')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-download), [browserContext.on('frameattached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-attached), [browserContext.on('framedetached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-detached), [browserContext.on('framenavigated')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-navigated), [browserContext.on('pageclose')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-close), [browserContext.on('pageload')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-load). ##### Locators and Assertions - New option `description` in [page.getByRole()](https://playwright.dev/docs/api/class-page#page-get-by-role) / [locator.getByRole()](https://playwright.dev/docs/api/class-locator#locator-get-by-role) / [frame.getByRole()](https://playwright.dev/docs/api/class-frame#frame-get-by-role) / [frameLocator.getByRole()](https://playwright.dev/docs/api/class-framelocator#frame-locator-get-by-role) for matching the [accessible description](https://www.w3.org/TR/wai-aria-1.2/#dfn-accessible-description). - New option `pseudo` in [expect(locator).toHaveCSS()](https://playwright.dev/docs/api/class-locatorassertions#locator-assertions-to-have-css) reads computed styles from `::before` or `::after`. - New option `style` in [locator.highlight()](https://playwright.dev/docs/api/class-locator#locator-highlight) applies extra inline CSS to the highlight overlay, plus new [page.hideHighlight()](https://playwright.dev/docs/api/class-page#page-hide-highlight) to clear all highlights. ##### Network - [webSocketRoute.protocols()](https://playwright.dev/docs/api/class-websocketroute#web-socket-route-protocols) returns the WebSocket subprotocols requested by the page. - New option `noDefaults` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state. ##### Errors and Reporting - New [webError.location()](https://playwright.dev/docs/api/class-weberror#web-error-location) mirrors [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location). - [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location) now exposes `line` / `column` properties (`lineNumber` / `columnNumber` are deprecated). - New [testInfoError.errorContext](https://playwright.dev/docs/api/class-testinfoerror#test-info-error-error-context) surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an `expect(...)` matcher failure. - [reporter.onError()](https://playwright.dev/docs/api/class-reporter#reporter-on-error) now receives a `workerInfo` argument with details about the worker for fixture teardown errors. ##### Test runner - New `{testFileBaseName}` token in [testProject.snapshotPathTemplate](https://playwright.dev/docs/api/class-testproject#test-project-snapshot-path-template) — file name without extension. - Test runner now errors when a config tries to override a non-option fixture, and rejects `workers: 0` or negative values. #### 🛠️ Other improvements - HTML reporter: - `npx playwright show-report` accepts `.zip` files directly — no need to unzip first. - Steps that contain attachments inside nested children show an indicator on the parent step. - The `repeatEachIndex` is shown in the test header when non-zero. - Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel. #### Breaking Changes ⚠️ - Removed long-deprecated APIs: - `Locator.ariaRef()` — use the standard [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) pipeline. - `handle` option on `BrowserContext.exposeBinding` and `Page.exposeBinding`. - `logger` option on `BrowserType.connect` and `BrowserType.connectOverCDP` — use [tracing](https://playwright.dev/docs/trace-viewer) instead. - Context options `videosPath` / `videoSize` — use `recordVideo` instead. #### Browser Versions - Chromium 148.0.7778.96 - Mozilla Firefox 150.0.2 - WebKit 26.4 This version was also tested against the following stable channels: - Google Chrome 147 - Microsoft Edge 147 </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary> ### [`v1.6.17`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.17) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) ##### 🐞 Bug Fixes - Recommend `toBeTypeOf` instead of `expectTypeOf` in `prefer-expect-type-of` - by [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​896](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/896) [<samp>(a4bcd)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/a4bcdf5) - **no-standalone-expect**: Allow expect inside vi.defineHelper callbacks - by [@​nami8824](https://redirect.github.com/nami8824) in [#​894](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/894) [<samp>(fd8eb)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/fd8eb3c) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) </details> <details> <summary>azat-io/eslint-plugin-de-morgan (eslint-plugin-de-morgan)</summary> ### [`v2.1.2`](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/blob/HEAD/changelog.md#v212) [Compare Source](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) [compare changes](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) ##### 🐞 Bug Fixes - Avoid invalid autofixes for grouped boolean expressions ([1173aaa](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/commit/1173aaa)) ##### ❤️ Contributors - Azat S. ([@​azat-io](https://redirect.github.com/azat-io)) </details> <details> <summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary> ### [`v3.1.0`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#310) [Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.0.0...v3.1.0) ##### Minor Changes - refactor: replace lodash with es-toolkit and vanilla js ([#​492](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/492)) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1111) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.0...v11.1.1) ##### Patch Changes - Skip installability validation when scanning workspace projects in `checkDepsStatus` (run by `verifyDepsBeforeRun`). Previously the status check called `findWorkspaceProjects`, which validates each project's `engines` and `os`/`cpu`/`libc` and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no `nodeVersion` threaded through, the engine check also fell back to the system Node from `PATH` and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use `findWorkspaceProjectsNoCheck`; install paths continue to validate. - Fixed `pnpm add <alias>:@​scope/pkg` for [named registries](https://redirect.github.com/pnpm/pnpm/pull/11324). The local resolver was claiming any specifier containing `/` as a local directory, so `pnpm add bit:@​teambit/bit` (with `bit` configured under `namedRegistries`) installed a bogus link to `bit:@​teambit/bit/` instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain. - Updated `@zkochan/cmd-shim` to 9.0.3. The sh shim it writes for `.cmd` / `.bat` targets now escapes the `/C` switch as `//C`, so it survives the path translation Git Bash applies when launching `cmd.exe`. Without this, a bare `/C` was rewritten to `C:\` before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See [pnpm/cmd-shim#55](https://redirect.github.com/pnpm/cmd-shim/pull/55). ### [`v11.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1110) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.9...v11.1.0) ##### Minor Changes - Added `pnpm audit signatures` to verify ECDSA registry signatures for installed packages against keys from `/-/npm/v1/keys` [#​7909](https://redirect.github.com/pnpm/pnpm/issues/7909). Scoped registries are respected, and registries without signing keys are skipped. - Added support for installing packages from the [GitHub Packages npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) via a built-in `gh:` prefix (e.g. `pnpm add gh:@​acme/private`), and, more broadly, for arbitrary named registries in the style of [vlt's named-registry aliases](https://docs.vlt.sh/cli/registries). Authentication is picked up from the existing per-URL `.npmrc` entries (e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth mechanism is required. Additional aliases — or an override for the built-in `gh` alias, for GitHub Enterprise Server — can be configured under `namedRegistries` in `pnpm-workspace.yaml`: ```yaml namedRegistries: gh: https://npm.pkg.github.example.com/ work: https://npm.work.example.com/ ``` With this, `work:@​corp/lib@^2.0.0` resolves against `https://npm.work.example.com/`. [#​11324](https://redirect.github.com/pnpm/pnpm/issues/11324). - Allow setting sbom spec version using `--sbom-spec-version` [#​11389](https://redirect.github.com/pnpm/pnpm/pull/11389). - Add `--no-runtime` flag (config: `runtime=false`) to skip installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and `.bin` linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via `pnpm runtime -g set node <version>`) before `pnpm install` runs. - Added the `pnpm bugs` command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's `package.json`; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to `<repository>/issues` when the `bugs` field is missing [#​11279](https://redirect.github.com/pnpm/pnpm/pull/11279). - Added `pnpm owner` command to manage package owners on the registry. ##### Patch Changes - Added "published X ago by Y" information to the `pnpm view` command output, similar to `npm view`. This is useful when comparing against `minimumReleaseAge`. For example, `pnpm view pnpm` now shows: ``` published 17 hours ago by GitHub Actions ``` - `pnpm publish` now honors the configured HTTP/HTTPS proxy (including `https_proxy`/`http_proxy`/`no_proxy` environment variables) when polling the registry's `doneUrl` during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond `403` from a different source IP and the login to never complete [#​11561](https://redirect.github.com/pnpm/pnpm/issues/11561). - `pnpm add -g` now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example: - `pnpm add -g foo bar` installs `foo` and `bar` as two independent globals — removing one does not affect the other. - `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single isolated install while `qar` is installed on its own. Related: [#​11587](https://redirect.github.com/pnpm/pnpm/issues/11587). - `pnpm runtime set <name> <version>` no longer fails in the root of a multi-package workspace with the `ADDING_TO_ROOT` error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check. - Fix `pnpm --version` hanging for the lifetime of the worker pool after the version was printed. `main.ts`'s `--version` short-circuit returned before reaching the command-handler `finally` that calls `finishWorkers()`, so the worker pool that `switchCliVersion` had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs `finishWorkers()` from its own `finally`, so every exit path tears the pool down. Repro: `pnpm --version` in a workspace whose `devEngines.packageManager` version already matches the running pnpm + `onFail: "download"`. `switchCliVersion` resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs. ### [`v11.0.9`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1109) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.8...v11.0.9) ##### Patch Changes - Fixed installation of GitLab-hosted dependencies. pnpm now downloads the tarball from `https://gitlab.com/<user>/<project>/-/archive/<sha>/<project>-<sha>.tar.gz` instead of the GitLab API endpoint that contained an encoded slash (`%2F`) between user and project. The encoded slash both triggered `406 Not Acceptable` responses from GitLab and produced virtual store directory names that Node refused to import (`ERR_INVALID_MODULE_SPECIFIER`) [#​11533](https://redirect.github.com/pnpm/pnpm/issues/11533). - Honor `NPM_CONFIG_USERCONFIG` (and its lowercase `npm_config_userconfig` form) as a low-priority fallback when locating the user-level `.npmrc`. This restores compatibility with environments that point npm at a custom auth file via that env var — most notably `actions/setup-node`, which writes registry credentials to `${runner.temp}/.npmrc` and exports `NPM_CONFIG_USERCONFIG` to reference it. Without this, GitHub Actions workflows using `actions/setup-node` to authenticate to private registries broke after upgrading to pnpm v11. PNPM-prefixed env vars and `npmrcAuthFile` from the global `config.yaml` continue to take precedence [#​11539](https://redirect.github.com/pnpm/pnpm/issues/11539). - Fix `pnpm pack` not bundling dependencies listed in `bundleDependencies` (or `bundledDependencies`). The npm-packlist upgrade in pnpm 11 changed its API to require the caller to pre-populate the dependency tree, which the wrapper was not doing — `bundleDependencies` were silently dropped from the tarball [#​11519](https://redirect.github.com/pnpm/pnpm/issues/11519). - Fixed the pnpm CLI crashing with a confusing `SyntaxError: Invalid regular expression flags` instead of printing a clear "requires Node.js v22.13" error when launched on an unsupported Node.js version. The Node.js version check in `bin/pnpm.mjs` was effectively dead code because the static `import` of the bundled `dist/pnpm.mjs` was hoisted by the ES module loader and parsed before the check could run [#​11546](https://redirect.github.com/pnpm/pnpm/issues/11546). - Fixed `pnpm --prefix=<dir> install` overwriting the existing `pnpm-workspace.yaml` in `<dir>` with `set this to true or false` placeholders. The renamed `--prefix` option (which maps to `dir`) was not honored when locating the workspace root, so the workspace manifest's `allowBuilds` settings were not loaded into config and got clobbered when ignored builds were auto-populated [#​11535](https://redirect.github.com/pnpm/pnpm/issues/11535). - Fixed `pnpm publish --provenance` failing with a 422 from the registry when the package version contained semver build metadata (e.g. `1.0.0-canary.0+abc1234`). The `+<build>` segment is now stripped before packing so that the version embedded in the tarball, the metadata sent to the registry, and the sigstore provenance subject all agree [#​11518](https://redirect.github.com/pnpm/pnpm/issues/11518). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.5`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.5) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.4...3.0.5) - update deps, bump rolldown to 1.0.0 (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) </details> <details> <summary>swagger-api/swagger-ui (swagger-ui-dist)</summary> ### [`v5.32.6`](https://redirect.github.com/swagger-api/swagger-ui/releases/tag/v5.32.6) [Compare Source](https://redirect.github.com/swagger-api/swagger-ui/compare/v5.32.5...v5.32.6) ##### Bug Fixes - **deps-dev:** address undici vulnerability ([#​10870](https://redirect.github.com/swagger-api/swagger-ui/issues/10870)) ([35f5a6a](https://redirect.github.com/swagger-api/swagger-ui/commit/35f5a6a84a9b4681809e8d70d32b9de69c779691)) - **docker:** address CVE-2026-27135 nghttp2-libs vulnerability ([#​10879](https://redirect.github.com/swagger-api/swagger-ui/issues/10879)) ([0a63415](https://redirect.github.com/swagger-api/swagger-ui/commit/0a63415dfbaa491f5741d9025407e30a8ebf9592)) </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.11`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.11) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.10...17.16.11) - update deps (silverwind) - Generalize action discovery (silverwind) - Fix composite-action tests on Windows (silverwind) - ci: force bun runtime for tsdown on bun jobs (silverwind) - Discover composite actions anywhere under .github (silverwind) ### [`v17.16.10`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.10) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.9...17.16.10) - update deps (silverwind) - Revert "Drop `process.exit()` to let Node shut down naturally ([#​137](https://redirect.github.com/silverwind/updates/issues/137))" (silverwind) - Drop `process.exit()` to let Node shut down naturally ([#​137](https://redirect.github.com/silverwind/updates/issues/137)) (silverwind) - Exclude Node 26 on windows-latest (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) - Minor perf and simplification cleanups (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.12`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8012-2026-05-11-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.11...v8.0.12) ##### Features - update rolldown to 1.0.0 ([#​22401](https://redirect.github.com/vitejs/vite/issues/22401)) ([cf0ff41](https://redirect.github.com/vitejs/vite/commit/cf0ff4154b26cffbf18541ade1a50818842731d3)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#​22420](https://redirect.github.com/vitejs/vite/issues/22420)) ([2be6000](https://redirect.github.com/vitejs/vite/commit/2be6000130e3ae2160acc301baa4f7913fbc1f6e)) - **module-runner:** prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains ([#​22369](https://redirect.github.com/vitejs/vite/issues/22369)) ([f5a22e6](https://redirect.github.com/vitejs/vite/commit/f5a22e62ada75286138b7ceb3825e43958ef00e1)) - refer to `rolldownOptions` instead of deprecated `rollupOptions` in messages ([#​22400](https://redirect.github.com/vitejs/vite/issues/22400)) ([b675c7b](https://redirect.github.com/vitejs/vite/commit/b675c7b6697423275ad9dd521d3ce7c8679761a0)) - **worker:** apply `build.target` to worker bundle ([#​22404](https://redirect.github.com/vitejs/vite/issues/22404)) ([3c93fde](https://redirect.github.com/vitejs/vite/commit/3c93fde21f07d44db7669ca7484f4e7a8767afe5)) - **worker:** forward define to worker bundle transform ([#​22408](https://redirect.github.com/vitejs/vite/issues/22408)) ([d4838a0](https://redirect.github.com/vitejs/vite/commit/d4838a0358d9f04a980d4d2ac7263f21a6b28ee2)) ##### Miscellaneous Chores - **deps:** update dependency eslint-plugin-n to v18 ([#​22423](https://redirect.github.com/vitejs/vite/issues/22423)) ([2fe7bd2](https://redirect.github.com/vitejs/vite/commit/2fe7bd2d73beb697a3d149e943ac74b768c9d27f)) - **deps:** update rolldown-related dependencies ([#​22421](https://redirect.github.com/vitejs/vite/issues/22421)) ([66b9eb3](https://redirect.github.com/vitejs/vite/commit/66b9eb35188007e0e9a1bd03b4be820016cad60b)) ### [`v8.0.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8011-2026-05-07-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.10...v8.0.11) ##### Features - update rolldown to 1.0.0-rc.18 ([#​22360](https://redirect.github.com/vitejs/vite/issues/22360)) ([3f80524](https://redirect.github.com/vitejs/vite/commit/3f80524aa1fa40bfa831f1a1bf2641c3979ba396)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#​22334](https://redirect.github.com/vitejs/vite/issues/22334)) ([672c962](https://redirect.github.com/vitejs/vite/commit/672c96288fd5440bbecddc65551e713edeb8d403)) - **deps:** update all non-major dependencies ([#​22382](https://redirect.github.com/vitejs/vite/issues/22382)) ([5c0cfcb](https://redirect.github.com/vitejs/vite/commit/5c0cfcb83dde2c6e25b6c3215dd622956bf29631)) - **glob:** align hmr matcher options with glob enumeration ([#​22306](https://redirect.github.com/vitejs/vite/issues/22306)) ([30028f9](https://redirect.github.com/vitejs/vite/commit/30028f94516fa06dd0212567373169b3b3f6e393)) - make separate object instance for each environment ([#​22276](https://redirect.github.com/vitejs/vite/issues/22276)) ([7c2aa3b](https://redirect.github.com/vitejs/vite/commit/7c2aa3b40ba00ce1299e4f31932c7929f179a80a)) ##### Documentation - **create-vite:** list react-compiler templates in README ([#​22347](https://redirect.github.com/vitejs/vite/issues/22347)) ([7c3a61f](https://redirect.github.com/vitejs/vite/commit/7c3a61f42da6445904e93f0e29e9a2a838fa684a)) - explain mergeConfig skips null/undefined ([#​22325](https://redirect.github.com/vitejs/vite/issues/22325)) ([2151f70](https://redirect.github.com/vitejs/vite/commit/2151f701dc98270c905c540b209fb6d23d53d3ad)) - mention native config loader in CLI options ([#​22348](https://redirect.github.com/vitejs/vite/issues/22348)) ([0420c5d](https://redirect.github.com/vitejs/vite/commit/0420c5d37b6049476b6e6c16662be372575dd683)) - update evan's x handle ([640202a](https://redirect.github.com/vitejs/vite/commit/640202a2167b0c19b94e4d3b8ff87309ae1f44d0)) ##### Miscellaneous Chores - **deps:** update dependency tsdown to ^0.21.10 ([#​22333](https://redirect.github.com/vitejs/vite/issues/22333)) ([3b51e05](https://redirect.github.com/vitejs/vite/commit/3b51e050214c5a817c163838ab8643fe34c7d0c3)) - **deps:** update rolldown-related dependencies ([#​22383](https://redirect.github.com/vitejs/vite/issues/22383)) ([555ff36](https://redirect.github.com/vitejs/vite/commit/555ff36de70a43b3b3dc22f958bf78fe75e11d67)) - **deps:** update transitive packages to fix npm audit alerts ([#​22316](https://redirect.github.com/vitejs/vite/issues/22316)) ([86aee62](https://redirect.github.com/vitejs/vite/commit/86aee6268aa879d74f68a890392c1dee973ebf05)) ##### Code Refactoring - devtools integration ([#​22312](https://redirect.github.com/vitejs/vite/issues/22312)) ([3c8bf06](https://redirect.github.com/vitejs/vite/commit/3c8bf064ec76e311f2d8be3a37dcfdcdd4e4253c)) - remove unnecessary async ([#​22296](https://redirect.github.com/vitejs/vite/issues/22296)) ([b31fd35](https://redirect.github.com/vitejs/vite/commit/b31fd355d93eb166573362bd09c07745b9f76755)) - show direct path type in bad character warning ([#​22339](https://redirect.github.com/vitejs/vite/issues/22339)) ([0c162e9](https://redirect.github.com/vitejs/vite/commit/0c162e96a6545c93808e7338b9adeca2636596fa)) ##### Tests - **create-vite:** use short help alias ([#​22389](https://redirect.github.com/vitejs/vite/issues/22389)) ([994ab66](https://redirect.github.com/vitejs/vite/commit/994ab66bc4dc872278d8353d710ffc4bbd881f8d)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.6`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.6) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) ##### 🐞 Bug Fixes - **browser**: Provide project reference in `ToMatchScreenshotResolvePath` - by [@​macarie](https://redirect.github.com/macarie) and [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​10138](https://redirect.github.com/vitest-dev/vitest/issues/10138) [<samp>(31882)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/31882607c) - Global `sequence.concurrent: true` with top-level `test(..., { concurrent: false })` + depreacte `sequential` test API and options - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa), **Codex** and [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​10196](https://redirect.github.com/vitest-dev/vitest/issues/10196) [<samp>(2847d)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/2847dfa2a) - **browser**: Simplify orchestrator otel carrier - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa) in [#​10285](https://redirect.github.com/vitest-dev/vitest/issues/10285) [<samp>(18af9)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/18af98cee) ##### 🏎 Performance - Stringify diff objects only once - by [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​10276](https://redirect.github.com/vitest-dev/vitest/issues/10276) [<samp>(9f7b1)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/9f7b1528c) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteaBot
|
2450127c56 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
f01953e764 | [skip ci] Updated translations via Crowdin | ||
|
6a27066269 |
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  | --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>mermaid-js/mermaid (mermaid)</summary> ### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) [Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0) ##### Minor Changes - [#​7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) [`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483) Thanks [@​milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive - [#​7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) [`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d) Thanks [@​aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`. - [#​6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) [`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b) Thanks [@​yordis](https://redirect.github.com/yordis), [@​lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram - [#​7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) [`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d) Thanks [@​txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source - [#​7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) [`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c) Thanks [@​M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set `class.hierarchicalNamespaces=false` in your mermaid config: ```yaml config: class: hierarchicalNamespaces: false ``` - [#​7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) [`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b) Thanks [@​xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors ##### Patch Changes - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM This removes some invalid CSS and normalizes some CSS formatting. - [#​7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) [`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65) Thanks [@​biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS - [#​7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) [`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text - [#​7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) [`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2) Thanks [@​Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times Fixes [#​7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions. - [#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) [`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086) Thanks [@​knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams - [#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) [`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462) Thanks [@​NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans - [#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) [`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2) Thanks [@​ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams - [#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) [`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445) Thanks [@​tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly. - [#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) [`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax. - [#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) [`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax - [#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) [`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14 Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it. - [#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) [`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c) Thanks [@​Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams - [#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) [`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72) Thanks [@​MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit - [#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) [`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba) Thanks [@​dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes [#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120). - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules - [#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) [`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c) Thanks [@​RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments Switch to using two `%%` if you want to write a comment. - Updated dependencies \[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445), [`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88)]: - [@​mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@​1.1.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
8cd8291ed0 |
fix(deps): update npm dependencies (#37647)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/autocomplete | [`6.20.1` → `6.20.2`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.1/6.20.2) |  |  | | @​codemirror/lint | [`6.9.5` → `6.9.6`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.5/6.9.6) |  |  | | @​codemirror/view | [`6.41.1` → `6.42.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.41.1/6.42.0) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.33` → `3.5.34`](https://renovatebot.com/diffs/npm/vue/3.5.33/3.5.34) |  |  | --- ### Release Notes <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.34`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3534-2026-05-06) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.33...v3.5.34) ##### Bug Fixes - **compiler-sfc:** infer Vue ref wrapper types when source is unresolvable ([#​14758](https://redirect.github.com/vuejs/core/issues/14758)) ([7f46fd4](https://redirect.github.com/vuejs/core/commit/7f46fd411b4e3f75ca755ee1318ea8e9aff43f56)), closes [#​14729](https://redirect.github.com/vuejs/core/issues/14729) - **compiler-sfc:** preserve hash hrefs on `<image>` elements ([#​14756](https://redirect.github.com/vuejs/core/issues/14756)) ([090b2e3](https://redirect.github.com/vuejs/core/commit/090b2e3a5149ec951c5313b270e5400a1fc870ce)) - **compiler-sfc:** resolve type re-exports inside declare global ([#​14766](https://redirect.github.com/vuejs/core/issues/14766)) ([acfffe3](https://redirect.github.com/vuejs/core/commit/acfffe34e7724a84c21bb8e51e8a5bc0da35f350)) - **reactivity:** prevent orphan effect when created in a stopped scope ([#​14778](https://redirect.github.com/vuejs/core/issues/14778)) ([c8e2d4a](https://redirect.github.com/vuejs/core/commit/c8e2d4adc9112d2529de0434acc1188dfc399bf4)), closes [#​14777](https://redirect.github.com/vuejs/core/issues/14777) - **runtime-core:** avoid symbol coercion during props validation ([#​8539](https://redirect.github.com/vuejs/core/issues/8539)) ([23d4fb5](https://redirect.github.com/vuejs/core/commit/23d4fb5a6a070df3d2d4a043f0f62c141e376095)), closes [#​8487](https://redirect.github.com/vuejs/core/issues/8487) - **suspense:** avoid DOM leak with out-in transition in v-if fragment ([#​14762](https://redirect.github.com/vuejs/core/issues/14762)) ([9667e0d](https://redirect.github.com/vuejs/core/commit/9667e0d498ab39273614682986a666c3e73024d9)), closes [#​14761](https://redirect.github.com/vuejs/core/issues/14761) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
7621b65403 |
chore(deps): update action dependencies (major) (#37638)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio)) | service | major | `2021.12.29` → `2025.7.23` | | [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio)) | service | major | `2023.12.23` → `2025.7.23` | | [bitnamilegacy/mysql](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/mysql)) | service | major | `8.4` → `9.4` | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
510b729212 |
fix(deps): update go dependencies (major) (#37639)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/dlclark/regexp2](https://redirect.github.com/dlclark/regexp2) | `v1.12.0` → `v2.0.1` |  |  | | [github.com/google/go-github/v84](https://redirect.github.com/google/go-github) | `v84.0.0` → `v85.0.0` |  |  | | [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `v1.46.0` → `v2.24.1` |  |  | --- ### Release Notes <details> <summary>dlclark/regexp2 (github.com/dlclark/regexp2)</summary> ### [`v2.0.1`](https://redirect.github.com/dlclark/regexp2/compare/v2.0.0...v2.0.1) [Compare Source](https://redirect.github.com/dlclark/regexp2/compare/v2.0.0...v2.0.1) ### [`v2.0.0`](https://redirect.github.com/dlclark/regexp2/compare/v1.12.0...v2.0.0) [Compare Source](https://redirect.github.com/dlclark/regexp2/compare/v1.12.0...v2.0.0) </details> <details> <summary>google/go-github (github.com/google/go-github/v84)</summary> ### [`v85.0.0`](https://redirect.github.com/google/go-github/releases/tag/v85.0.0) [Compare Source](https://redirect.github.com/google/go-github/compare/v84.0.0...v85.0.0) This release contains the following breaking API changes: - fix!: Resolve inconsistent options for `create` and `update` on custom org role ([#​4075](https://redirect.github.com/google/go-github/issues/4075)) BREAKING CHANGE: `GetOrgRole`, `CreateCustomOrgRole`, and `UpdateCustomOrgRole` have new params and return values. - fix!: Change `id` from `int64` to `string` in `ActivityService.MarkThreadDone` ([#​4056](https://redirect.github.com/google/go-github/issues/4056)) BREAKING CHANGE: `ActivityService.MarkThreadDone` accepts `string` `id` instead of `int64`. ...and the following additional changes: - chore: Bump version of go-github to v85.0.0 ([#​4173](https://redirect.github.com/google/go-github/issues/4173)) - chore: Update `openapi_operations.yaml` ([#​4172](https://redirect.github.com/google/go-github/issues/4172)) - security: Reject cross-host redirects to prevent Authorization leak ([#​4171](https://redirect.github.com/google/go-github/issues/4171)) - chore: Improve GitHub Actions workflows lint and testing ([#​4169](https://redirect.github.com/google/go-github/issues/4169)) - chore: Switch legacy redirect handling to new pattern ([#​4161](https://redirect.github.com/google/go-github/issues/4161)) - feat: Add `CodeSecurity` to `SecurityAndAnalysis` ([#​4155](https://redirect.github.com/google/go-github/issues/4155)) - fix: Reject URL path segments containing ".." in all request methods ([#​4150](https://redirect.github.com/google/go-github/issues/4150)) - feat: Refactor repositories download contents ([#​4153](https://redirect.github.com/google/go-github/issues/4153)) - chore: Bump google.org/x/tools to v0.44.0 in /tools ([#​4168](https://redirect.github.com/google/go-github/issues/4168)) - docs: Fix broken blog post link ([#​4160](https://redirect.github.com/google/go-github/issues/4160)) - build(deps): Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 in /example ([#​4156](https://redirect.github.com/google/go-github/issues/4156)) - chore: Update openapi\_operations.yaml ([#​4157](https://redirect.github.com/google/go-github/issues/4157)) - feat: Remove Google App Engine standard support ([#​4152](https://redirect.github.com/google/go-github/issues/4152)) - feat: Add `DownloadCopilotMetrics` helper method ([#​4149](https://redirect.github.com/google/go-github/issues/4149)) - docs: Add `apiVersion` to GitHub API link ([#​4147](https://redirect.github.com/google/go-github/issues/4147)) - chore: Simplify `redundantptr` custom linter ([#​4148](https://redirect.github.com/google/go-github/issues/4148)) - docs: Deprecate old Copilot metrics endpoints closed on April 2, 2026 ([#​4137](https://redirect.github.com/google/go-github/issues/4137)) - refactor: Remove redundant `github.Ptr` calls ([#​4145](https://redirect.github.com/google/go-github/issues/4145)) - fix: Add missing `User` fields ([#​4146](https://redirect.github.com/google/go-github/issues/4146)) - fix: Preserve `Marketplace.Stubbed` during client copy ([#​4144](https://redirect.github.com/google/go-github/issues/4144)) - refactor: Simplify array copying ([#​4143](https://redirect.github.com/google/go-github/issues/4143)) - build(deps): Bump golang.org/x/crypto from 0.49.0 to 0.50.0 in /example ([#​4141](https://redirect.github.com/google/go-github/issues/4141)) - build(deps): Bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 in /tools ([#​4142](https://redirect.github.com/google/go-github/issues/4142)) - build(deps): Bump golang.org/x/term from 0.41.0 to 0.42.0 in /example ([#​4140](https://redirect.github.com/google/go-github/issues/4140)) - build(deps): Bump golang.org/x/net from 0.52.0 to 0.53.0 in /scrape ([#​4139](https://redirect.github.com/google/go-github/issues/4139)) - build(deps): Bump go.opentelemetry.io/otel to v1.43.0 ([#​4135](https://redirect.github.com/google/go-github/issues/4135)) - fix: Expand `sanitizeURL` secrets redactions ([#​4126](https://redirect.github.com/google/go-github/issues/4126)) - build(deps): Bump github.com/alecthomas/kong from 1.14.0 to 1.15.0 in /tools ([#​4132](https://redirect.github.com/google/go-github/issues/4132)) - build(deps): Bump actions/setup-go from 6.3.0 to 6.4.0 in the actions group ([#​4131](https://redirect.github.com/google/go-github/issues/4131)) - feat: Add support for custom names and methods that return structs with multiple `[]*T` fields in `gen-iterators.go` ([#​4128](https://redirect.github.com/google/go-github/issues/4128)) - fix: Limit webhook payload size in `ValidatePayloadFromBody` ([#​4125](https://redirect.github.com/google/go-github/issues/4125)) - build(deps): Bump codecov/codecov-action from 5.5.3 to 6.0.0 ([#​4123](https://redirect.github.com/google/go-github/issues/4123)) - fix: Synchronize `requestCount` in rate limit tests ([#​4124](https://redirect.github.com/google/go-github/issues/4124)) - chore: Simplify `generate.sh` by removing `git worktree` and using generator-based check ([#​4120](https://redirect.github.com/google/go-github/issues/4120)) - docs: Improve comments in /examples ([#​4122](https://redirect.github.com/google/go-github/issues/4122)) - chore: Use `golangci-lint-action`; remove `newreposecretwithlibsodium` ([#​4119](https://redirect.github.com/google/go-github/issues/4119)) - feat: Add custom image endpoints for GitHub-hosted runners ([#​4101](https://redirect.github.com/google/go-github/issues/4101)) - chore: Cache custom golangci-lint binaries in GHA workflow ([#​4116](https://redirect.github.com/google/go-github/issues/4116)) - build(deps): Bump github.com/ProtonMail/go-crypto from 1.4.0 to 1.4.1 in /example ([#​4115](https://redirect.github.com/google/go-github/issues/4115)) - build(deps): Bump golang.org/x/tools from 0.29.0 to 0.43.0 in /tools/extraneous-new ([#​4114](https://redirect.github.com/google/go-github/issues/4114)) - build(deps): Bump codecov/codecov-action from 5.5.2 to 5.5.3 ([#​4112](https://redirect.github.com/google/go-github/issues/4112)) - build(deps): Bump github.com/golangci/plugin-module-register from 0.1.1 to 0.1.2 in /tools/extraneous-new ([#​4113](https://redirect.github.com/google/go-github/issues/4113)) - build(deps): Bump github.com/getkin/kin-openapi from 0.133.0 to 0.134.0 in /tools ([#​4111](https://redirect.github.com/google/go-github/issues/4111)) - build(deps): Bump github.com/PuerkitoBio/goquery from 1.11.0 to 1.12.0 in /scrape ([#​4110](https://redirect.github.com/google/go-github/issues/4110)) - chore: Upgrade deps for linters using dependabot ([#​4107](https://redirect.github.com/google/go-github/issues/4107)) - chore: Use `structfield.Settings` in `check-structfield-settings` ([#​4108](https://redirect.github.com/google/go-github/issues/4108)) - build(deps): Bump google.golang.org/grpc from 1.78.0 to 1.79.3 in /example ([#​4109](https://redirect.github.com/google/go-github/issues/4109)) - chore: Remove unnecessary use of `new` and `&SomeStruct{}` and add new `extraneousnew` custom linter ([#​4106](https://redirect.github.com/google/go-github/issues/4106)) - feat: Add `NetworkConfigurationID` and `HostedRunnersURL` to enterprise runner group types ([#​4099](https://redirect.github.com/google/go-github/issues/4099)) - feat: Generate accessors for all fields ([#​4105](https://redirect.github.com/google/go-github/issues/4105)) - feat: Add `ListRunnerGroupHostedRunners` for org runner groups ([#​4100](https://redirect.github.com/google/go-github/issues/4100)) - chore: Enable `default: none` linters; remove duplicated ([#​4097](https://redirect.github.com/google/go-github/issues/4097)) - fix: Use `Cursor` pagination for `*.ListHookDeliveriesIter` ([#​4096](https://redirect.github.com/google/go-github/issues/4096)) - chore: Remove duplicated formatters ([#​4094](https://redirect.github.com/google/go-github/issues/4094)) - chore: Fix typos in comments and tests ([#​4093](https://redirect.github.com/google/go-github/issues/4093)) - chore: Fix typo in CONTRIBUTING.md ([#​4092](https://redirect.github.com/google/go-github/issues/4092)) - chore: Update openapi\_operations.yaml ([#​4091](https://redirect.github.com/google/go-github/issues/4091)) - build(deps): Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.17.0 to 2.18.0 in /example ([#​4084](https://redirect.github.com/google/go-github/issues/4084)) - chore: Bump go.opentelemetry.io/otel to v1.42.0 ([#​4090](https://redirect.github.com/google/go-github/issues/4090)) - build(deps): Bump golang.org/x/crypto from 0.48.0 to 0.49.0 in /example ([#​4081](https://redirect.github.com/google/go-github/issues/4081)) - build(deps): Bump golang.org/x/sync from 0.19.0 to 0.20.0 in /tools ([#​4078](https://redirect.github.com/google/go-github/issues/4078)) - build(deps): Bump golang.org/x/net from 0.51.0 to 0.52.0 in /scrape ([#​4079](https://redirect.github.com/google/go-github/issues/4079)) - test: Add fuzz test for `ParseWebHook` ([#​4076](https://redirect.github.com/google/go-github/issues/4076)) - feat: Add enterprise budgets API ([#​4069](https://redirect.github.com/google/go-github/issues/4069)) - feat: Add list organization fine-grained permissions ([#​4072](https://redirect.github.com/google/go-github/issues/4072)) - feat: Make `script/lint.sh` output simpler to read ([#​4073](https://redirect.github.com/google/go-github/issues/4073)) - chore: Speed up linting ([#​4071](https://redirect.github.com/google/go-github/issues/4071)) - build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.41.0 in /otel ([#​4065](https://redirect.github.com/google/go-github/issues/4065)) - build(deps): Bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /otel ([#​4068](https://redirect.github.com/google/go-github/issues/4068)) - build(deps): Bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.40.0 to 1.41.0 in /example ([#​4062](https://redirect.github.com/google/go-github/issues/4062)) - build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.41.0 in /example ([#​4064](https://redirect.github.com/google/go-github/issues/4064)) - build(deps): Bump github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.0 in /example ([#​4063](https://redirect.github.com/google/go-github/issues/4063)) - feat: Add `client_id` field to `App` ([#​4060](https://redirect.github.com/google/go-github/issues/4060)) - test: Simplify `CopilotService` tests ([#​4058](https://redirect.github.com/google/go-github/issues/4058)) - test: Fix flaky `TestDo_rateLimit_abuseRateLimitError_xRateLimitReset` ([#​4057](https://redirect.github.com/google/go-github/issues/4057)) - feat: Add support for enterprise audit log streaming API ([#​4035](https://redirect.github.com/google/go-github/issues/4035)) - feat: Add repository-level immutable releases settings ([#​4039](https://redirect.github.com/google/go-github/issues/4039)) - chore: Add `SAS` as a common initialism to `structfield` ([#​4054](https://redirect.github.com/google/go-github/issues/4054)) - fix: Fix data race on Windows ([#​4051](https://redirect.github.com/google/go-github/issues/4051)) - docs: Fix grammar in `README.md` ([#​4053](https://redirect.github.com/google/go-github/issues/4053)) - chore: Simplify form value assertions in tests ([#​4048](https://redirect.github.com/google/go-github/issues/4048)) - chore: Bump go-github from v83 to v84 in /scrape ([#​4050](https://redirect.github.com/google/go-github/issues/4050)) </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go)</summary> ### [`v2.24.1`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.24.1) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.0...v2.24.1) #### 2.24.1 ##### 🐛 Bug Fixes - fix: add FormattedText field to OrbitGraphStatus and OrbitStatus ([!2876](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2876)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) #### [2.24.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.24.0...v2.24.1) (2026-05-05) ##### Bug Fixes * add FormattedText field to OrbitGraphStatus and OrbitStatus ([9457ddc](https://gitlab.com/gitlab-org/api/client-go/commit/9457ddc690600ea50953bfb8df632ac0b39cd90c)) ### [`v2.24.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.24.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.23.0...v2.24.0) #### 2.24.0 ##### 🚀 Features - feat: Add search_type as attribute to search endpoints ([!2851](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2851)) by [Heidi Berry](https://gitlab.com/heidi.berry) ### [2.24.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.23.0...v2.24.0) (2026-05-04) ##### Features * Add search_type as attribute to search endpoints ([4d345e9](https://gitlab.com/gitlab-org/api/client-go/commit/4d345e9f76af8ebd016d3d55fbe039250a1fafb4)) ### [`v2.23.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.23.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.22.0...v2.23.0) #### 2.23.0 ##### 🚀 Features - feat: add OrbitService for Knowledge Graph endpoints ([!2870](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2870)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) ##### 🔄 Other Changes - chore(deps): update module buf.build/go/protovalidate to v1.2.0 ([!2865](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2865)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.23.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.22.0...v2.23.0) (2026-05-04) ##### Features * add OrbitService for Knowledge Graph endpoints ([2ff460f](https://gitlab.com/gitlab-org/api/client-go/commit/2ff460f3a809e3ad9f2065b0144dfcb4d4f5e6d3)) ### [`v2.22.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.22.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.21.0...v2.22.0) #### 2.22.0 ##### 🚀 Features - Add package pipeline data. ([!2834](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2834)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ##### 🔄 Other Changes - chore(deps): update module golang.org/x/text to v0.36.0 ([!2874](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2874)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update golang docker tag ([!2873](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2873)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update docker docker tag to v29.4.1 ([!2869](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2869)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - refactor(no-release): use HTTP status code constants ([!2868](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2868)) by [Oleksandr Redko](https://gitlab.com/alexandear) ### [2.22.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.21.0...v2.22.0) (2026-05-04) ### [`v2.21.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.21.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.20.1...v2.21.0) #### 2.21.0 ##### 🚀 Features - Add BulkImports API functions and tests ([!2846](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2846)) by [Kalyaan Kanugula](https://gitlab.com/kalyaan09) ##### 🔄 Other Changes - Add missing `URLVariables` attribute to group_hooks ([!2866](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2866)) by [Mark Nessen](https://gitlab.com/mness) - docs: fix incorrect phrase 'to that' -> 'so' ([!2861](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2861)) by [Bob Singh](https://gitlab.com/bobsingh.dev) - docs: fix missing 'of' in contributing guide ([!2860](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2860)) by [Bob Singh](https://gitlab.com/bobsingh.dev) - style: remove duplicated wording in Go version sentence ([!2859](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2859)) by [Bob Singh](https://gitlab.com/bobsingh.dev) ### [2.21.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.20.1...v2.21.0) (2026-04-27) ### [`v2.20.1`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#2210-2026-04-27) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.20.0...v2.20.1) #### 2.20.1 ##### 🐛 Bug Fixes - Fix potential panic in MergeRequest.UnmarshalJSON label detail loop ([!2858](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2858)) by [Zubeen](https://gitlab.com/syedzubeen) #### [2.20.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.20.0...v2.20.1) (2026-04-20) #### 2.20.0 ##### 🚀 Features - Add missing system hook api options ([!2847](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2847)) by [Zack Knight](https://gitlab.com/zachkknowbe4) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.4.0 ([!2854](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2854)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update module github.com/google/cel-go to v0.28.0 ([!2855](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2855)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [`v2.20.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#2210-2026-04-27) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.19.0...v2.20.0) #### 2.20.1 ##### 🐛 Bug Fixes - Fix potential panic in MergeRequest.UnmarshalJSON label detail loop ([!2858](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2858)) by [Zubeen](https://gitlab.com/syedzubeen) #### [2.20.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.20.0...v2.20.1) (2026-04-20) #### 2.20.0 ##### 🚀 Features - Add missing system hook api options ([!2847](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2847)) by [Zack Knight](https://gitlab.com/zachkknowbe4) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.4.0 ([!2854](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2854)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update module github.com/google/cel-go to v0.28.0 ([!2855](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2855)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [`v2.19.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.19.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.18.0...v2.19.0) #### 2.19.0 ##### 🚀 Features - feat: Add PackageRegistryAccessLevel to Project structs ([!2852](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2852)) by [Caleb Madara](https://gitlab.com/calebmadara58) ### [2.19.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.18.0...v2.19.0) (2026-04-15) ##### Features * Add PackageRegistryAccessLevel to Project structs ([4ce63da](https://gitlab.com/gitlab-org/api/client-go/commit/4ce63da9528e6e0da40fd7240a41236a385d7bfe)) ### [`v2.18.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.18.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.17.0...v2.18.0) #### 2.18.0 ##### 🚀 Features - Feat: Add support for application setting secret_push_protection_available ([!2849](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2849)) by [Rizart Dona](https://gitlab.com/rizart_d) ##### 🔄 Other Changes - fix: Correct Example Section in README ([!2850](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2850)) by [Jonathan Bowe](https://gitlab.com/boweflex) ### [2.18.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.17.0...v2.18.0) (2026-04-14) ##### Bug Fixes * Correct Example Section in README ([c0759d9](https://gitlab.com/gitlab-org/api/client-go/commit/c0759d99b2eefbd4501a0e960530ee5a73ec0084)) ### [`v2.17.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.17.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.16.0...v2.17.0) #### 2.17.0 ##### 🚀 Features - Resolve "Add endpoint support for archiving/unarchiving groups" ([!2848](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2848)) by [Jonathan Bowe](https://gitlab.com/boweflex) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.3.1 ([!2841](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2841)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(no-release): enable gocritic linter ([!2842](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2842)) by [Oleksandr Redko](https://gitlab.com/alexandear) - chore(deps): update module golang.org/x/oauth2 to v0.36.0 ([!2835](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2835)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update module golang.org/x/text to v0.35.0 ([!2837](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2837)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.17.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.16.0...v2.17.0) (2026-04-10) ### [`v2.16.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.16.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.15.0...v2.16.0) #### 2.16.0 ##### 🚀 Features - feat: Add PagesUniqueDomainDefaultEnabled to Settings API ([!2845](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2845)) by [Mohamed Mongy](https://gitlab.com/mohamedmongy96) ### [2.16.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.15.0...v2.16.0) (2026-04-04) ##### Features * Add PagesUniqueDomainDefaultEnabled to Settings API ([d27f3af](https://gitlab.com/gitlab-org/api/client-go/commit/d27f3af69ae8569117c51f716d00b3b116e9f88c)) ### [`v2.15.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.15.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.14.0...v2.15.0) #### 2.15.0 ##### 🚀 Features - feat: Add approved_at field in merge request approvals API ([!2844](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2844)) by [Mohamed Asan N](https://gitlab.com/hassyyy) ### [2.15.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.14.0...v2.15.0) (2026-04-04) ##### Features * Add approved_at field in merge request approvals API ([528ac9e](https://gitlab.com/gitlab-org/api/client-go/commit/528ac9ea36377454fcae3cd7eb27b9d47f69a1cd)) ### [`v2.14.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.14.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.13.0...v2.14.0) #### 2.14.0 ##### 🚀 Features - feat: add support for DisablePasswordAuthenticationForUsersWithSSOIdentities... ([!2839](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2839)) by [Lorenz Vonlanthen](https://gitlab.com/loelu) ### [2.14.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.13.0...v2.14.0) (2026-04-03) ##### Features * add support for DisablePasswordAuthenticationForUsersWithSSOIdentities... ([6b88f05](https://gitlab.com/gitlab-org/api/client-go/commit/6b88f05609dfc6861da406b205fe1c2750c0b3e8)) ### [`v2.13.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.13.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.12.0...v2.13.0) #### 2.13.0 ##### 🚀 Features - feat: Added WithAuthSourceStrategy option to allow configuring multiple token source priority ([!2815](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2815)) by [Павлов Александр](https://gitlab.com/alexpts) ### [2.13.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.12.0...v2.13.0) (2026-04-01) ##### Features * Added WithAuthSourceStrategy option to allow configuring multiple token source priority ([2261c80](https://gitlab.com/gitlab-org/api/client-go/commit/2261c80c289d94a0053997f203544847bc961f12)) ### [`v2.12.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.12.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.11.0...v2.12.0) #### 2.12.0 ##### 🚀 Features - fix: update HostKey field name to FingerprintSHA256 for consistency ([!2840](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2840)) by [Oleksandr Redko](https://gitlab.com/alexandear) - Add push mirror host_keys to the go client. ([!2832](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2832)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ##### 🔄 Other Changes - Fix: improve URL validation warning logging context and correct typo ([!2830](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2830)) by [Bob Singh](https://gitlab.com/bobsingh.dev) - chore(no-release): fix typos in comments and unexported function ([!2831](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2831)) by [Oleksandr Redko](https://gitlab.com/alexandear) ### [2.12.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.11.0...v2.12.0) (2026-04-01) ##### Bug Fixes * update HostKey field name to FingerprintSHA256 for consistency ([1b7fcfb](https://gitlab.com/gitlab-org/api/client-go/commit/1b7fcfb0ed002b007b8cadcc8e81ba529e48705b)) ### [`v2.11.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.11.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.10.0...v2.11.0) #### 2.11.0 ##### 🚀 Features - Deprecate project approval password auth, add reauth to approve ([!2825](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2825)) by [Heidi Berry](https://gitlab.com/heidi.berry) ##### 🔄 Other Changes - Fix typo in UpdateLabel comment ([!2827](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2827)) by [Bob Singh](https://gitlab.com/bobsingh.dev) - Fix runner comment typo ([!2828](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2828)) by [Bob Singh](https://gitlab.com/bobsingh.dev) ### [2.11.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.10.0...v2.11.0) (2026-03-30) ### [`v2.10.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#1380-2026-02-19) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.9.0...v2.10.0) ##### Features - **events:** Add missing parameters for label operations and update documentation links ([11b9f08](https://gitlab.com/gitlab-org/api/client-go/commit/11b9f08b37a4c2ada9413259282f163f28b94051)) - **labels:** add missing params and edit links ([ec1b92b](https://gitlab.com/gitlab-org/api/client-go/commit/ec1b92bff403c10446ab1ff6566a3a638871bb7e)) #### 1.37.0 ##### 🚀 Features - Support system & system\_action fields for merge event attributes ([!2737](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2737)) by [Artem Mikheev](https://gitlab.com/renbou) ##### 🔄 Other Changes - Update links of geo\_sites.go ([!2782](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2782)) by [Mohamed Mongy](https://gitlab.com/mohamedmongy96) - chore(deps): update dependency golangci-lint to v2.10.1 ([!2770](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2770)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update golangci/golangci-lint docker tag to v2.10.1 ([!2771](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2771)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update golangci/golangci-lint docker tag to v2.10.0 ([!2769](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2769)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update dependency golangci-lint to v2.10.0 ([!2768](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2768)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [`v2.9.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#1330-2026-02-13) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.8.0...v2.9.0) #### 1.32.0 ##### 🚀 Features - Implement endpoints for runner controller scopes ([!2758](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2758)) by [Timo Furrer](https://gitlab.com/timofurrer) ##### 🔄 Other Changes - test(namespaces): Address test feedback to simplify the test ([!2744](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2744)) by [Patrick Rice](https://gitlab.com/PatrickRice) - chore(deps): update golangci/golangci-lint docker tag to v2.9.0 ([!2755](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2755)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update dependency golangci-lint to v2.9.0 ([!2754](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2754)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [`v2.8.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#1130-2026-01-12) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.7.0...v2.8.0) ##### Features - **groups:** add Active parameter to ListGroupProjects ([dec511a](https://gitlab.com/gitlab-org/api/client-go/commit/dec511a199b0adb7ba87f5a02a50651049b68b71)) #### 1.12.0 ##### 🚀 Features - feat: add EmojiEvents field support to Project Webhooks ([!2653](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2653)) by [Yugan](https://gitlab.com/yugannkt) ##### 🔄 Other Changes - chore(deps): update dependency golangci-lint to v2.8.0 ([!2650](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2650)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - refactor(no-release): use errors.New instead of fmt.Errorf ([!2644](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2644)) by [Oleksandr Redko](https://gitlab.com/alexandear) ### [`v2.7.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#170-2025-12-06) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.6.0...v2.7.0) ##### Features - **users:** Add support for a user to see only one file diff per page ([e2a9e09](https://gitlab.com/gitlab-org/api/client-go/commit/e2a9e09e79e7949e0b19dcfc97e3b7b533541856)) #### 1.6.0 ##### 🚀 Features - feat: add admin compliance policy settings API ([!2610](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2610)) by [Hannes Lange](https://gitlab.com/hlange4) ##### 🔄 Other Changes - doc: fix typo ([!2603](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2603)) by [Guilhem Bonnefille](https://gitlab.com/gbonnefille) - chore(deps): update golangci/golangci-lint docker tag to v2.7.1 ([!2611](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2611)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update docker docker tag to v29.1.2 ([!2609](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2609)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(deps): update golangci/golangci-lint docker tag to v2.7.0 ([!2608](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2608)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [`v2.6.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#01590-2025-11-04) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.5.0...v2.6.0) ##### Features - **integrations:** add group integration API endpoints for Jira ([09e18ee](https://gitlab.com/gitlab-org/api/client-go/commit/09e18ee598bb7805ac8221f6a05426b1785f9011)) #### 0.158.0 ##### 🚀 Features - Add support to send variables for GraphQL queries ([!2562](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2562)) by [rafasf](https://gitlab.com/rafasf) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.0 ([!2560](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2560)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - chore(no-release): standardize GitLab name capitalization ([!2551](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2551)) by [Zubeen](https://gitlab.com/syedzubeen) - chore(deps): update golangci/golangci-lint docker tag to v2.6.0 ([!2558](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2558)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - refactor: moved comments to interface 2 ([!2557](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2557)) by [Zubeen](https://gitlab.com/syedzubeen) - refactor: moved comments to interface ([!2556](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2556)) by [Zubeen](https://gitlab.com/syedzubeen) - refactor(test): avoid panic in tests with goroutines ([!2553](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2553)) by [Oleksandr Redko](https://gitlab.com/alexandear) ### [`v2.5.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.5.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.4.0...v2.5.0) #### 2.5.0 ##### 🚀 Features - feat(workitems): Implement `UpdateWorkItem()` ([!2793](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2793)) by [Carlos Corona](https://gitlab.com/ccorona2) ##### 🔄 Other Changes - chore(deps): update dependency golangci-lint to v2.11.2 ([!2810](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2810)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) - test(no-release): replace reflect.DeepEqual with testify ([!2809](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2809)) by [Oleksandr Redko](https://gitlab.com/alexandear) - feat: allow OAuth success callback page to self-close when possible ([!2808](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2808)) by [Case Taintor](https://gitlab.com/case.taintor) - chore(deps): update dependency golangci-lint to v2.11.1 ([!2806](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2806)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.5.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.4.0...v2.5.0) (2026-03-09) ##### Features * allow OAuth success callback page to self-close when possible ([dca2e12](https://gitlab.com/gitlab-org/api/client-go/commit/dca2e12095fe0c2f185784469a8ea904db1a1be5)) * **workitems:** Implement `UpdateWorkItem()` ([b93a55e](https://gitlab.com/gitlab-org/api/client-go/commit/b93a55e316ae95db3d23ff404c46c081db0ad3c7)) ### [`v2.4.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.4.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.3.0...v2.4.0) #### 2.4.0 ##### 🚀 Features - Reflect latest runner controller API changes ([!2803](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2803)) by [Timo Furrer](https://gitlab.com/timofurrer) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.3.0 ([!2804](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2804)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.4.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.3.0...v2.4.0) (2026-03-06) ### [`v2.3.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.3.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.2.1...v2.3.0) #### 2.3.0 ##### 🚀 Features - feat: add new endpoint for fetching all the runner manager information ([!2802](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2802)) by [Aayush](https://gitlab.com/Aayush-Saini) ### [2.3.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.2.1...v2.3.0) (2026-03-05) ##### Features * add new endpoint for fetching all the runner manager information ([d4755b7](https://gitlab.com/gitlab-org/api/client-go/commit/d4755b7966efe4d0c9c7c849f4918d8f21e92163)) ### [`v2.2.1`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#230-2026-03-05) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.2.0...v2.2.1) ##### Features - add new endpoint for fetching all the runner manager information ([d4755b7](https://gitlab.com/gitlab-org/api/client-go/commit/d4755b7966efe4d0c9c7c849f4918d8f21e92163)) #### 2.2.1 ##### 🐛 Bug Fixes - fix: Add `/v2` suffix to module path. ([!2801](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2801)) by [Florian Forster](https://gitlab.com/fforster) #### [2.2.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.2.0...v2.2.1) (2026-03-04) ##### Bug Fixes - Add `/v2` suffix to module path. ([4237f6a](https://gitlab.com/gitlab-org/api/client-go/commit/4237f6aa292dd8a8eeeca64adeac1a1f121293a6)), closes [#​2239](https://gitlab.com/gitlab-org/api/client-go/issues/2239) #### 2.2.0 ##### 🚀 Features - feat(workitems): Implement `CreateWorkItem()`. ([!2751](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2751)) by [Florian Forster](https://gitlab.com/fforster) ### [`v2.2.0`](https://gitlab.com/gitlab-org/api/client-go/blob/HEAD/CHANGELOG.md#230-2026-03-05) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.1.0...v2.2.0) ##### Features - add new endpoint for fetching all the runner manager information ([d4755b7](https://gitlab.com/gitlab-org/api/client-go/commit/d4755b7966efe4d0c9c7c849f4918d8f21e92163)) #### 2.2.1 ##### 🐛 Bug Fixes - fix: Add `/v2` suffix to module path. ([!2801](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2801)) by [Florian Forster](https://gitlab.com/fforster) #### [2.2.1](https://gitlab.com/gitlab-org/api/client-go/compare/v2.2.0...v2.2.1) (2026-03-04) ##### Bug Fixes - Add `/v2` suffix to module path. ([4237f6a](https://gitlab.com/gitlab-org/api/client-go/commit/4237f6aa292dd8a8eeeca64adeac1a1f121293a6)), closes [#​2239](https://gitlab.com/gitlab-org/api/client-go/issues/2239) #### 2.2.0 ##### 🚀 Features - feat(workitems): Implement `CreateWorkItem()`. ([!2751](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2751)) by [Florian Forster](https://gitlab.com/fforster) ### [`v2.1.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.1.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.0.0...v2.1.0) #### 2.1.0 ##### 🚀 Features - feat(workitems): Add more fields to WorkItem ([!2795](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2795)) by [Florian Forster](https://gitlab.com/fforster) ##### 🔄 Other Changes - Implement body preserver to enable HTTP response body streaming ([!2746](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2746)) by [Timo Furrer](https://gitlab.com/timofurrer) ### [2.1.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.0.0...v2.1.0) (2026-03-03) ##### Features * **workitems:** Add more fields to WorkItem ([7088f6f](https://gitlab.com/gitlab-org/api/client-go/commit/7088f6f22945efd7b87a473e0e5ec9dade34c811)) ### [`v2.0.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.0.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v1.46.0...v2.0.0) #### 2.0.0 ##### 💥 Breaking Changes - Release client-go 2.0 ([!2763](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2763)) by [Patrick Rice](https://gitlab.com/PatrickRice) ##### 🔄 Other Changes - Addtl 2 0 changes ([!2796](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2796)) by [Patrick Rice](https://gitlab.com/PatrickRice) ### [2.0.0](https://gitlab.com/gitlab-org/api/client-go/compare/v1.46.0...v2.0.0) (2026-03-02) * Release client-go 2.0 ([47b65ee](https://gitlab.com/gitlab-org/api/client-go/commit/47b65ee9079e2cdb328eb381a7b9bd1ef6801dd0)) ##### Bug Fixes * **ci:** update gocover-cobertura to v1.4.0 for Go 1.24+ compatibility ([1d03b20](https://gitlab.com/gitlab-org/api/client-go/commit/1d03b20802fb2fcb64e5c7a322bbea7b475fd11c)) * **group_members:** using ISOTime instead of time.Time for BillableUserMembership.ExpiresAt ([e7e58c6](https://gitlab.com/gitlab-org/api/client-go/commit/e7e58c69c1c22c91aa75f85816dd835e0163b839)) * package protection access level variable type ([5574bbb](https://gitlab.com/gitlab-org/api/client-go/commit/5574bbbf2f63b47d67ddfbf98528a3f1bad8e3c3)) * **workitems:** Handle absent status widget in `WorkItem`. ([859fb26](https://gitlab.com/gitlab-org/api/client-go/commit/859fb26f2896ae803343366ad575656a8b7aafad)) ##### Features * use Nullable[int64] for label priority ([096ed09](https://gitlab.com/gitlab-org/api/client-go/commit/096ed098d18dd1e5445bf5d9a953290f2b08a6dc)) ##### BREAKING CHANGES * Release 2.0 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
|
a603f89fce |
fix(deps): update npm dependencies (#37636)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.1/8.59.2)
|
|
|
| [eslint-plugin-vue](https://eslint.vuejs.org)
([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) |
[`10.9.0` →
`10.9.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.0/10.9.1)
|
|
|
| [jiti](https://redirect.github.com/unjs/jiti) | [`2.6.1` →
`2.7.0`](https://renovatebot.com/diffs/npm/jiti/2.6.1/2.7.0) |
|
|
| [postcss](https://postcss.org/)
([source](https://redirect.github.com/postcss/postcss)) | [`8.5.13` →
`8.5.14`](https://renovatebot.com/diffs/npm/postcss/8.5.13/8.5.14) |
|
|
| [stylelint](https://stylelint.io)
([source](https://redirect.github.com/stylelint/stylelint)) | [`17.10.0`
→
`17.11.0`](https://renovatebot.com/diffs/npm/stylelint/17.10.0/17.11.0)
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.1/8.59.2)
|
|
|
| [updates](https://redirect.github.com/silverwind/updates) | [`17.16.8`
→ `17.16.9`](https://renovatebot.com/diffs/npm/updates/17.16.8/17.16.9)
|
|
|
---
### Release Notes
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8592-2026-05-04)
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2)
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2)
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning) and
[releases](https://typescript-eslint.io/users/releases) on our website.
</details>
<details>
<summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary>
###
[`v10.9.1`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1091)
[Compare
Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.0...v10.9.1)
##### Patch Changes
- Updated peer dependency version for
[`vue-eslint-parser`](https://redirect.github.com/vuejs/vue-eslint-parser)
to fix parsing errors in Vue SFCs
([#​3075](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3075))
</details>
<details>
<summary>unjs/jiti (jiti)</summary>
###
[`v2.7.0`](https://redirect.github.com/unjs/jiti/blob/HEAD/CHANGELOG.md#v270)
[Compare
Source](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
[compare
changes](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
##### 🚀 Enhancements
- Add explicit resource management (using/await using) support
([#​422](https://redirect.github.com/unjs/jiti/pull/422))
- Support opt-in `tsconfigPaths`
([#​427](https://redirect.github.com/unjs/jiti/pull/427))
- Support virtual modules option
([#​428](https://redirect.github.com/unjs/jiti/pull/428))
- Add `jiti/static` export
([#​430](https://redirect.github.com/unjs/jiti/pull/430))
##### 🔥 Performance
- **interopDefault:** Add caching to reduce proxy overhead by \~2x
([#​421](https://redirect.github.com/unjs/jiti/pull/421))
##### 🩹 Fixes
- **require:** Passthrough resolve options
([#​412](https://redirect.github.com/unjs/jiti/pull/412))
- **ci:** Skip `--coverage` flag for node 18
([fe264b4](https://redirect.github.com/unjs/jiti/commit/fe264b4))
- **require:** Fallback to transpilation when `tryNative` fails
([#​413](https://redirect.github.com/unjs/jiti/pull/413))
- Fallback for `ENAMETOOLONG` when evaluating esm
([#​429](https://redirect.github.com/unjs/jiti/pull/429))
##### 📦 Build
- Upgrade rspack
([55194fb](https://redirect.github.com/unjs/jiti/commit/55194fb))
- Experimental rolldown config
([8c0243f](https://redirect.github.com/unjs/jiti/commit/8c0243f))
##### 🏡 Chore
- Fix lint issues
([4045c7a](https://redirect.github.com/unjs/jiti/commit/4045c7a))
- Update deps
([e88ac44](https://redirect.github.com/unjs/jiti/commit/e88ac44))
- Update deps
([498e8d7](https://redirect.github.com/unjs/jiti/commit/498e8d7))
- Add missing prettier dep
([650bc48](https://redirect.github.com/unjs/jiti/commit/650bc48))
- Lint ([058d91a](https://redirect.github.com/unjs/jiti/commit/058d91a))
- Init agents.md
([c49c54e](https://redirect.github.com/unjs/jiti/commit/c49c54e))
- Update agents.md
([4deba16](https://redirect.github.com/unjs/jiti/commit/4deba16))
- Update deps
([
|
||
|
GiteabotandGitHub
|
e1f0f9e896 |
fix(deps): update module code.gitea.io/sdk/gitea to v0.25.0 (#37637)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | code.gitea.io/sdk/gitea | `v0.24.1` → `v0.25.0` |  |  | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
c81eca9904 |
chore(deps): update action dependencies (#37603)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/labeler](https://redirect.github.com/actions/labeler) | action | minor | `v6.0.1` → `v6.1.0` | | [aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials) | action | patch | `v6.1.0` → `v6.1.1` | | [docker.elastic.co/elasticsearch/elasticsearch](https://www.elastic.co/products/elasticsearch) ([source](https://redirect.github.com/elastic/elasticsearch)) | service | patch | `8.19.14` → `8.19.15` | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.12` → `v46.1.13` | --- ### Release Notes <details> <summary>actions/labeler (actions/labeler)</summary> ### [`v6.1.0`](https://redirect.github.com/actions/labeler/releases/tag/v6.1.0) [Compare Source](https://redirect.github.com/actions/labeler/compare/v6.0.1...v6.1.0) #### Enhancements - Add changed-files-labels-limit and max-files-changed configuration options to cap the number of labels added by [@​bluca](https://redirect.github.com/bluca) in [#​923](https://redirect.github.com/actions/labeler/pull/923) #### Bug Fixes - Improve Labeler Action documentation and permission error handling by [@​chiranjib-swain](https://redirect.github.com/chiranjib-swain) in [#​897](https://redirect.github.com/actions/labeler/pull/897) - Preserve manually added labels during workflow runs and refine label synchronization logic by [@​chiranjib-swain](https://redirect.github.com/chiranjib-swain) in [#​917](https://redirect.github.com/actions/labeler/pull/917) #### Dependency Updates - Upgrade brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v6 by [@​dependabot](https://redirect.github.com/dependabot) in [#​877](https://redirect.github.com/actions/labeler/pull/877) - Upgrade minimatch from 10.0.1 to 10.2.3 by [@​dependabot](https://redirect.github.com/dependabot) in [#​926](https://redirect.github.com/actions/labeler/pull/926) - Upgrade dependencies ([@​actions/core](https://redirect.github.com/actions/core), [@​actions/github](https://redirect.github.com/actions/github), js-yaml, minimatch, [@​typescript-eslint](https://redirect.github.com/typescript-eslint)) by [@​Copilot](https://redirect.github.com/Copilot) in [#​934](https://redirect.github.com/actions/labeler/pull/934) #### New Contributors - [@​chiranjib-swain](https://redirect.github.com/chiranjib-swain) made their first contribution in [#​897](https://redirect.github.com/actions/labeler/pull/897) - [@​bluca](https://redirect.github.com/bluca) made their first contribution in [#​923](https://redirect.github.com/actions/labeler/pull/923) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​934](https://redirect.github.com/actions/labeler/pull/934) **Full Changelog**: <https://github.com/actions/labeler/compare/v6...v6.1.0> </details> <details> <summary>aws-actions/configure-aws-credentials (aws-actions/configure-aws-credentials)</summary> ### [`v6.1.1`](https://redirect.github.com/aws-actions/configure-aws-credentials/releases/tag/v6.1.1) [Compare Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1) ##### What's Changed - chore(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1722](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1722) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 25.5.0 to 25.5.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1723](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1723) - chore(deps-dev): bump [@​smithy/property-provider](https://redirect.github.com/smithy/property-provider) from 4.2.12 to 4.2.13 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1724](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1724) - chore(deps): bump proxy-agent from 8.0.0 to 8.0.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1726](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1726) - chore(deps): bump [@​smithy/node-http-handler](https://redirect.github.com/smithy/node-http-handler) from 4.5.1 to 4.5.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1725](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1725) - chore(deps): bump [@​aws-sdk/client-sts](https://redirect.github.com/aws-sdk/client-sts) from 3.1020.0 to 3.1025.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1727](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1727) - chore(deps): bump basic-ftp from 5.2.0 to 5.2.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1728](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1728) - chore(deps): bump basic-ftp from 5.2.1 to 5.2.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1729](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1729) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 25.5.2 to 25.6.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1730](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1730) - chore(deps-dev): bump [@​aws-sdk/credential-provider-env](https://redirect.github.com/aws-sdk/credential-provider-env) from 3.972.24 to 3.972.25 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1733](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1733) - chore(deps): bump [@​aws-sdk/client-sts](https://redirect.github.com/aws-sdk/client-sts) from 3.1025.0 to 3.1030.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1732](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1732) - chore(deps-dev): bump [@​biomejs/biome](https://redirect.github.com/biomejs/biome) from 2.4.10 to 2.4.11 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1734](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1734) - chore(deps): bump basic-ftp from 5.2.2 to 5.3.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1736](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1736) - chore(deps-dev): bump memfs from 4.57.1 to 4.57.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1737](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1737) - chore(deps-dev): bump typescript from 6.0.2 to 6.0.3 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1740](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1740) - chore(deps-dev): bump [@​smithy/property-provider](https://redirect.github.com/smithy/property-provider) from 4.2.13 to 4.2.14 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1741](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1741) - chore(deps-dev): bump [@​aws-sdk/credential-provider-env](https://redirect.github.com/aws-sdk/credential-provider-env) from 3.972.25 to 3.972.28 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1742](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1742) - chore(deps): bump [@​aws-sdk/client-sts](https://redirect.github.com/aws-sdk/client-sts) from 3.1030.0 to 3.1033.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1743](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1743) - chore(deps-dev): bump [@​biomejs/biome](https://redirect.github.com/biomejs/biome) from 2.4.11 to 2.4.12 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1739](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1739) - chore(deps-dev): bump [@​biomejs/biome](https://redirect.github.com/biomejs/biome) from 2.4.12 to 2.4.13 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1747](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1747) - chore(deps): bump postcss from 8.5.6 to 8.5.12 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1752](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1752) - chore(deps): bump [@​smithy/node-http-handler](https://redirect.github.com/smithy/node-http-handler) from 4.6.0 to 4.6.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1750](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1750) - chore(deps-dev): bump [@​aws-sdk/credential-provider-env](https://redirect.github.com/aws-sdk/credential-provider-env) from 3.972.28 to 3.972.32 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1751](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1751) - chore(deps): bump [@​aws-sdk/client-sts](https://redirect.github.com/aws-sdk/client-sts) from 3.1033.0 to 3.1038.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1749](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1749) - chore: release 6.1.1 by [@​lehmanmj](https://redirect.github.com/lehmanmj) in [#​1757](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1757) **Full Changelog**: <https://github.com/aws-actions/configure-aws-credentials/compare/v6...v6.1.1> </details> <details> <summary>elastic/elasticsearch (docker.elastic.co/elasticsearch/elasticsearch)</summary> ### [`v8.19.15`](https://redirect.github.com/elastic/elasticsearch/releases/tag/v8.19.15): Elasticsearch 8.19.15 [Compare Source](https://redirect.github.com/elastic/elasticsearch/compare/v8.19.14...v8.19.15) Downloads: <https://elastic.co/downloads/elasticsearch> Release notes: <https://www.elastic.co/guide/en/elasticsearch/reference/8.19/release-notes-8.19.15.html> </details> <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.13`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.13) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.12...v46.1.13) ##### Documentation - update references to renovatebot/github-action to v46.1.12 ([a871d4d](https://redirect.github.com/renovatebot/github-action/commit/a871d4d5460d222ef1b9b6d9c7c9a9224e582780)) ##### Miscellaneous Chores - **deps:** update dependency [@​commitlint/cli](https://redirect.github.com/commitlint/cli) to v20.5.2 ([67a74d1](https://redirect.github.com/renovatebot/github-action/commit/67a74d123d2876d138af089da96b130b49963b52)) - **deps:** update pnpm to v10.33.1 ([5932d6c](https://redirect.github.com/renovatebot/github-action/commit/5932d6c4e6423886397f74fa3e1f43f75d08b639)) - **deps:** update pnpm to v10.33.2 ([580c97f](https://redirect.github.com/renovatebot/github-action/commit/580c97f45b94ac6c4cf344cae6557fa67ffcf1e6)) ##### Build System - **deps:** lock file maintenance ([d044e7d](https://redirect.github.com/renovatebot/github-action/commit/d044e7df57b284a83ba0184247f960f00ca99d19)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.159.1 ([a7db9c3](https://redirect.github.com/renovatebot/github-action/commit/a7db9c38fdfec235881c95a3f634d0e98351a897)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.159.2 ([f9133ef](https://redirect.github.com/renovatebot/github-action/commit/f9133ef80db08316ae9064a6639804e2781bf4ac)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.0 ([212d525](https://redirect.github.com/renovatebot/github-action/commit/212d52574e89808037dd90d27dad2a1ea2f69f22)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.1 ([e3443ce](https://redirect.github.com/renovatebot/github-action/commit/e3443ceef9af4bfb10853b55f8a23c5625289bb8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.2 ([833041b](https://redirect.github.com/renovatebot/github-action/commit/833041bb68593fa1d2e2704abedd40037914481b)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.4 ([60cc865](https://redirect.github.com/renovatebot/github-action/commit/60cc8654e18da2e1d7164c13b1437fcf26a1dce8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.5 ([2c7567a](https://redirect.github.com/renovatebot/github-action/commit/2c7567a8f829497ca73badab029c722f61e0c561)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.160.6 ([35caad2](https://redirect.github.com/renovatebot/github-action/commit/35caad2c6a948000e0be2215db7dcdbf0c183541)) </details> --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
GiteabotandGitHub
|
243c2d7146 |
chore(deps): update dependency go to v1.26.3 (#37601)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | `1.26.2` → `1.26.3` | --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteaBot
|
cf48aa0188 | [skip ci] Updated translations via Crowdin | ||
|
|
35dfc6b9e1 |
fix(deps): update go dependencies (#37541)
Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
GiteaBot
|
c471af4266 | [skip ci] Updated translations via Crowdin | ||
|
GiteabotandGitHub
|
62300eab3b |
chore(deps): update action dependencies (#37540)
This PR contains the following updates: | Package | Type | Update | Change | Pending | |---|---|---|---|---| | [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio)) | service | minor | `2021.3.17` → `2021.12.29` | | | [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio)) | service | minor | `2023.8.31` → `2023.12.23` | | | [bitnamilegacy/mysql](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/mysql)) | service | minor | `8.0` → `8.4` | | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.10` → `v46.1.12` | `v46.1.13` | --- ### Release Notes <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.12`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.12) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.11...v46.1.12) ##### Bug Fixes - **deps:** update dependency [@​actions/core](https://redirect.github.com/actions/core) to v3.0.1 ([e8a6055](https://redirect.github.com/renovatebot/github-action/commit/e8a6055d6d0dc2ca2280adc33c7b58f3fb124d12)) ##### Documentation - update references to renovatebot/github-action to v46.1.11 ([317011a](https://redirect.github.com/renovatebot/github-action/commit/317011a6efe6b58d6056f58ca8b431233eb718ab)) ##### Miscellaneous Chores - **deps:** update dependency typescript-eslint to v8.59.0 ([8e3560a](https://redirect.github.com/renovatebot/github-action/commit/8e3560ab95742bc3c7aaec7c2dd1cc3d0d276ae5)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.0 ([0fee00d](https://redirect.github.com/renovatebot/github-action/commit/0fee00dc59830af7f44ea0636b251550e54f5003)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.1 ([c7cfc88](https://redirect.github.com/renovatebot/github-action/commit/c7cfc8825059e6fa4bd036b39a06e0477d58f403)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.144.0 ([39e7d09](https://redirect.github.com/renovatebot/github-action/commit/39e7d09c7b2ce19c8c834ffe556e9965c119c885)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.145.0 ([0bbd415](https://redirect.github.com/renovatebot/github-action/commit/0bbd415a9c49a001a228460b287027d8a3739e8a)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.146.0 ([889c739](https://redirect.github.com/renovatebot/github-action/commit/889c7399cadabbf2657b872978141f03c9376640)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.147.0 ([7addce6](https://redirect.github.com/renovatebot/github-action/commit/7addce6f1e02342b36c2cb1a66db30345a2f109d)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.150.0 ([804ce16](https://redirect.github.com/renovatebot/github-action/commit/804ce1618f0c132478fd9c086d6febd009a723d0)) ### [`v46.1.11`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.11) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.10...v46.1.11) ##### Documentation - update references to renovatebot/github-action to v46.1.10 ([0b264d2](https://redirect.github.com/renovatebot/github-action/commit/0b264d27f89fd1eb163fba418b0dbfe86c041395)) ##### Miscellaneous Chores - **deps:** update actions/setup-node action to v6.4.0 ([951a814](https://redirect.github.com/renovatebot/github-action/commit/951a81487afda3e08b127fef395e29498fd9d06c)) - **deps:** update dependency prettier to v3.8.3 ([a763833](https://redirect.github.com/renovatebot/github-action/commit/a763833a7d8da309d202e5fc67bc794efc7dc115)) - **deps:** update dependency typescript-eslint to v8.58.2 ([119d68e](https://redirect.github.com/renovatebot/github-action/commit/119d68e8f6114a37630c0a3a61aac696d593aa52)) ##### Build System - **deps:** lock file maintenance ([f82feed](https://redirect.github.com/renovatebot/github-action/commit/f82feedb561edc809d01476b568febf8d256a51a)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.132.3 ([99cc805](https://redirect.github.com/renovatebot/github-action/commit/99cc805d7583672991fd1bfe2ce488eac225f8f0)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.133.0 ([a63d39b](https://redirect.github.com/renovatebot/github-action/commit/a63d39be1e95f4aaa26c72acbdf1c65673468261)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.135.0 ([955b000](https://redirect.github.com/renovatebot/github-action/commit/955b0000ba399f944be088f7a4409a4c8fc0b699)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.0 ([65167cd](https://redirect.github.com/renovatebot/github-action/commit/65167cdb3f2b345241ea67249f4b238934933bcc)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.1 ([7b21b86](https://redirect.github.com/renovatebot/github-action/commit/7b21b86cedd4f06966dca17027c7c67625e599cd)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.3 ([28a2dc0](https://redirect.github.com/renovatebot/github-action/commit/28a2dc07b816f5893a6496d35b4b02742445c3c4)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.137.0 ([b0cf2a4](https://redirect.github.com/renovatebot/github-action/commit/b0cf2a4c9132b74c57aae8fcbb45a6aacd414022)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.0 ([3700882](https://redirect.github.com/renovatebot/github-action/commit/3700882c45d6eda087650c0edc72ba408f5b7a2e)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.1 ([f516ce2](https://redirect.github.com/renovatebot/github-action/commit/f516ce2f9261f68e96edd1499111ddb5077033bb)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.3 ([3411548](https://redirect.github.com/renovatebot/github-action/commit/3411548d9c9b822a7473c563535824c03a19df6a)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.0 ([5201886](https://redirect.github.com/renovatebot/github-action/commit/5201886b45291615a4f0b21fd08181cfe8123ba6)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.1 ([5856263](https://redirect.github.com/renovatebot/github-action/commit/5856263af8004562a8d50daf5c18b7a1a71920f8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.4 ([999691d](https://redirect.github.com/renovatebot/github-action/commit/999691d7f3780b09bcd4e90e081bbce6b452ab25)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.5 ([f703a54](https://redirect.github.com/renovatebot/github-action/commit/f703a541309bb776377323a91735fa747d6efc39)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.6 ([3ba85c2](https://redirect.github.com/renovatebot/github-action/commit/3ba85c2979436007460d9ccf3f87bd0a4ef5e1ea)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.7 ([96f2f09](https://redirect.github.com/renovatebot/github-action/commit/96f2f09b9d7c8e6946b489aab3ca6f713a3bfbdc)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.8 ([5af45e5](https://redirect.github.com/renovatebot/github-action/commit/5af45e5b84b145ee1e14929493f8f054d922b441)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.140.0 ([01e9139](https://redirect.github.com/renovatebot/github-action/commit/01e91393d3c71fe95aec074539d4a0d9dc57068b)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.0 ([814a2a4](https://redirect.github.com/renovatebot/github-action/commit/814a2a47c0d23dad8d1f7302ade33a5bd966a8c7)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.1 ([fb3abdf](https://redirect.github.com/renovatebot/github-action/commit/fb3abdf7fa349ce51fd43364aa917f213f4d476c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.2 ([e3a9af5](https://redirect.github.com/renovatebot/github-action/commit/e3a9af55ac512810165fe6f630d88fa4b02f0dca)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.5 ([4f14b2f](https://redirect.github.com/renovatebot/github-action/commit/4f14b2f81dd01dfd999aed7088db38a5e8042f08)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.6 ([2357784](https://redirect.github.com/renovatebot/github-action/commit/23577849552717b7ae5cdbb05082e5cc99e25dce)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
GiteaBot
|
6b8dd90dc7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
52d6baf5a8 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
596a8868d7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d19f653479 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
683f8c0014 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
0bc2a2836f | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
03205d94da | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
c9669594a8 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
4fa319b9dc | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
12737883ba | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
ffa626b585 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
c5e196dedb | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
79f96b3e24 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d6496c6156 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
356f589f0b | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
eb020a9d27 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
f250138f57 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
b874e0d8e5 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
48a3a47741 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d19d4da5ce | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
4ca4217b3d | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
a6282c98d7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
ce61d6d99d | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
f73e45b4ba | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
0dacd956fb | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
288d1f526a | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
8c9247e717 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
67b457dd00 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
125257eacf | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
a3a3e581aa | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
987d82b038 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
48d5adb39c | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
78ad28d052 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
85dd16b3fc | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
fbbed8c4c4 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
5151e30fb7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
bf0b377879 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d3656ebd95 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
0a9c09879d | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
d19db18ee7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
01351cc6c7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
b41ccb0627 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
97cb4409fb | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
1e777f92c7 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
1816c7f9c1 | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
4c51acb26b | [skip ci] Updated translations via Crowdin | ||
|
GiteaBot
|
adece922f1 | [skip ci] Updated translations via Crowdin |
