chore(deps): update all non-major dependencies #346

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch
@renovate renovate Bot commented May 18, 2026

This PR contains the following updates:

| Package | Change | Type | Update |
| --- | --- | --- | --- |
| @nuxt/icon | ^2.2.2 → ^2.2.3 | devDependencies | patch |
| @shikijs/transformers | ^4.0.2 → ^4.2.0 | devDependencies | minor |
| @types/node | ^24.12.4 → ^24.13.1 | devDependencies | minor |
| @vue/test-utils | ^2.4.10 → ^2.4.11 | devDependencies | patch |
| actions/checkout | v6.0.2 → v6.0.3 | action | patch |
| devalue | ^5.8.0 → ^5.8.1 | dependencies | patch |
| eslint | ^10.3.0 → ^10.4.1 | devDependencies | minor |
| happy-dom | ^20.9.0 → ^20.10.2 | devDependencies | minor |
| oxc-parser | ^0.130.0 → ^0.135.0 | dependencies | minor |
| pkg-pr-new | 0.0.72 → 0.0.75 | devDependencies | patch |
| pnpm | 10.33.4+sha512.1c67b3b359b2d408119ba1ed289f34b8fc3c6873412bec6fd264fbdc82489e510fcbecb9ce9d22dae7f3b76269d8441046014bdca53b9979cd7a561ad631b800 → 10.34.1 | packageManager | minor |
| sass-embedded | ^1.99.0 → ^1.100.0 | devDependencies | minor |
| shiki | ^4.0.2 → ^4.2.0 | devDependencies | minor |
| valibot | ^1.4.0 → ^1.4.1 | dependencies | patch |
| vitest | ^4.1.6 → ^4.1.8 | devDependencies | patch |
| web-vitals | ^5.2.0 → ^5.3.0 | dependencies | minor |

Release Notes

nuxt/icon (@​nuxt/icon)

v2.2.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
shikijs/shiki (@​shikijs/transformers)

v4.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.0

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
vuejs/test-utils (@​vue/test-utils)

v2.4.11

Compare Source

compare changes

🩹 Fixes
  • Drop legacy Mutation Event listener entries (#​2844)
  • Handle setData() correctly for components using both setup() and data() (#​2846)
  • Export GlobalMountOptions type (#​2851)
  • Set spec-compliant event.code on keydown/keyup (#​2850)
❤️ Contributors
actions/checkout (actions/checkout)

v6.0.3

Compare Source

eslint/eslint (eslint)

v10.4.1

Compare Source

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

v10.4.0

Compare Source

capricorn86/happy-dom (happy-dom)

v20.10.2

Compare Source

👷‍♂️ Patch fixes

v20.10.1

Compare Source

v20.10.0

Compare Source

oxc-project/oxc (oxc-parser)

v0.134.0

v0.133.0

v0.132.0

v0.131.0

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.75

Compare Source

v0.0.74

Compare Source

v0.0.73

Compare Source

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

sass/embedded-host-node (sass-embedded)

v1.100.0

Compare Source

  • Writing two compound selectors adjacent to one another without any whitespace
    between them, such as [class]a, is now deprecated. This was always an error
    in CSS and Sass only supported it by mistake.

    See the Sass website for
    details.

open-circle/valibot (valibot)

v1.4.1

Compare Source

  • Fix intersect schema to infer correct input and output types for non-tuple array options instead of never (pull request #​1478)
vitest-dev/vitest (vitest)

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
GoogleChrome/web-vitals (web-vitals)

v5.3.0

Compare Source

  • Remove getFirstHiddenTimePolyfill
    (#​729)
  • Fixed issue where the same configuration object to multiple metric functions can result in errors
    (#​731)
  • Add more robust interactionTarget setting for INP
    (#​744)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
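
The pnpm 10.34.x notes above describe two lockfile conditions that are now rejected: a remote tarball resolution with no integrity field, and a git resolution whose commit is not a 40-character hexadecimal SHA. The following is an added example, not pnpm's code and not part of this PR, that audits lockfile text for both in review or CI. It assumes each `resolution:` is written as a one-line flow mapping and treats the git-host exemption as an exact hostname match; the issue labels and the sample lockfile are constructed for illustration.

```javascript
// Constructed sample (not from the PR): hosts, names and hashes are placeholders.
const SAMPLE_LOCKFILE = `
packages:
  left@1.0.0:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}
  stripped@https://registry.example.test/stripped-1.0.0.tgz:
    resolution: {tarball: https://registry.example.test/stripped-1.0.0.tgz}
  hosted@https://codeload.github.com/example/hosted/tar.gz/0123456789abcdef0123456789abcdef01234567:
    resolution: {tarball: https://codeload.github.com/example/hosted/tar.gz/0123456789abcdef0123456789abcdef01234567}
  gitdep@git+https://example.test/r.git:
    resolution: {commit: --upload-pack=<command>, repo: https://example.test/r.git, type: git}
`;

// Hosts the release note lists as exempt (assumption: exact hostname match).
const GIT_HOSTS = ['codeload.github.com', 'bitbucket.org', 'gitlab.com'];

// Parse "{key: value, key: value}" into an object of plain string scalars.
function parseFlowMap(text) {
  const out = {};
  for (const pair of text.replace(/^\{|\}$/g, '').split(/,\s*/)) {
    const idx = pair.indexOf(': ');
    if (idx > 0) out[pair.slice(0, idx).trim()] = pair.slice(idx + 2).trim().replace(/^['"]|['"]$/g, '');
  }
  return out;
}

// Git-hosted and file: tarballs are anchored by commit SHA or local path.
function isExemptTarball(res) {
  if (res.gitHosted === 'true' || res.tarball.startsWith('file:')) return true;
  try { return GIT_HOSTS.includes(new URL(res.tarball).hostname); }
  catch { return false; } // not an absolute URL: require integrity
}

// Return one finding per offending resolution, tagged with its package key.
function auditLockfile(yamlText) {
  const findings = [];
  let current = null;
  for (const line of yamlText.split('\n')) {
    const key = line.match(/^  (\S.*):\s*$/); // two-space indented package key
    if (key) { current = key[1].replace(/^['"]|['"]$/g, ''); continue; }
    const m = line.match(/^\s+resolution:\s*(\{.*\})\s*$/);
    if (!m) continue;
    const res = parseFlowMap(m[1]);
    if (res.tarball && !res.integrity && !isExemptTarball(res)) findings.push({ pkg: current, issue: 'tarball-without-integrity' });
    if (res.commit !== undefined && !/^[0-9a-f]{40}$/i.test(res.commit)) findings.push({ pkg: current, issue: 'commit-not-40-hex-sha' });
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

Run against the lockfile as it appears in a pull request, this flags stripped `integrity:` fields and malformed `commit` values before any install step touches them, which also covers runners still on a pnpm version older than the one in this update.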

@socket-security

socket-security Bot commented May 18, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

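| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | happy-dom@20.10.2 | 66 | 100 | 88 | 96 | 100 |
| Added | pkg-pr-new@0.0.75 | 100 | 100 | 70 | 97 | 100 |
| Added | @shikijs/transformers@4.2.0 | 100 | 100 | 73 | 96 | 100 |
| Added | @types/node@24.13.1 | 100 | 100 | 81 | 96 | 100 |
| Added | oxc-parser@0.135.0 | 91 | 100 | 100 | 96 | 100 |
| Added | @vue/test-utils@2.4.11 | 99 | 100 | 93 | 93 | 100 |
| Added | @nuxt/icon@2.2.3 | 99 | 100 | 100 | 94 | 100 |
| Added | eslint@10.4.1 | 98 | 100 | 100 | 95 | 100 |
| Added | @nuxt/kit@4.4.8 | 99 | 100 | 100 | 96 | 100 |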

View full report

@pkg-pr-new

pkg-pr-new Bot commented May 18, 2026

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/hints@346

commit: cc21f00

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from b926f16 to 700acdc Compare May 23, 2026 03:02
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies chore(deps): update all non-major dependencies - autoclosed May 23, 2026
@renovate renovate Bot closed this May 23, 2026
@renovate renovate Bot deleted the renovate/all-minor-patch branch May 23, 2026 06:45
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies - autoclosed chore(deps): update all non-major dependencies May 25, 2026
@renovate renovate Bot reopened this May 25, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from d315a6b to d2076bf Compare May 30, 2026 22:53
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 62c0aa1 to 18e3da2 Compare June 5, 2026 19:35
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 18e3da2 to 0407a6c Compare June 7, 2026 02:41
@socket-security

socket-security Bot commented Jun 7, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm happy-dom is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/happy-dom@20.10.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/happy-dom@20.10.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 0407a6c to e4b674f Compare June 7, 2026 18:35
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e4b674f to cc21f00 Compare June 9, 2026 17:02